AlmaLinux Docker Post-Install
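#!/bin/bash
# AlmaLinux Docker post-install.
#
# Installs Docker CE and docker-compose, moves sshd to a random port in the
# 22100..22198 range, restricts SSH in firewalld to the VPN gateway's /24,
# enables fail2ban for sshd, forces a DHCP lease and reboots.
#
# Must run as root. Prompts for the non-root user to add to the docker group
# and for the VPN gateway IP. The new SSH port is printed before the reboot;
# the old port is closed in the firewall, so note it down.

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# $EUID rather than $USER: $USER is not reliably set under sudo or cron.
if [[ $EUID -ne 0 ]]; then
  die "Script must be run as root"
fi

readonly SSHD_CONFIG=/etc/ssh/sshd_config
# RANDOM % 99 is 0..98, so the port lands in 22100..22198.
NEW_SSH_PORT=$(( RANDOM % 99 + 22100 ))
readonly NEW_SSH_PORT

# -r: do not let backslashes in the typed value be interpreted.
read -r -p "Please enter a non-root user to enable docker: " SCRIPT_USER
read -r -p "Please enter the VPN Gateway IP you are using: " VPN_GW_IP

[[ -n $VPN_GW_IP ]] || die "You must enter a VPN Gateway IP"
[[ -n $SCRIPT_USER ]] || die "You must enter a non root user as parameter"
# usermod/chown below would otherwise fail quietly on a mistyped name.
id "$SCRIPT_USER" >/dev/null 2>&1 || die "User '$SCRIPT_USER' does not exist"

## Docker Install
dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# -y: every other dnf call is non-interactive; this one used to stop and prompt.
dnf remove -y podman buildah
dnf install -y docker-ce docker-ce-cli containerd.io
systemctl start docker.service
systemctl enable docker.service
# -f: the docker-ce package already creates the group; don't error on it.
groupadd -f docker
usermod -aG docker "$SCRIPT_USER"
# -f: fail on HTTP errors so a 404 body is not saved and marked executable.
curl -fL "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" \
  -o /usr/local/bin/docker-compose || die "docker-compose download failed"
chmod +x /usr/local/bin/docker-compose

## Docker Post-Install
mkdir -p /home/docker
chown -R "$SCRIPT_USER":docker /home/docker

## SSH Config
# The stock sshd_config ships "#Port 22" (commented). Matching only an active
# "Port N" line left the port unchanged on a default install while the
# firewall rules below still closed the old one, locking the admin out.
# Rewrite a commented or active Port line, or append one if there is none.
if grep -qE '^#?Port ' "$SSHD_CONFIG"; then
  sed -i -E "s/^#?Port .*/Port $NEW_SSH_PORT/" "$SSHD_CONFIG"
else
  printf 'Port %s\n' "$NEW_SSH_PORT" >> "$SSHD_CONFIG"
fi
# Same for PermitRootLogin: uncomment it too so the hardening is active.
sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin no/' "$SSHD_CONFIG"
# Validate before touching the firewall; a broken config would leave no way in.
sshd -t || die "sshd_config failed validation; aborting before firewall changes"
dnf install -y policycoreutils-python-utils
# -a fails if the port already has a label (e.g. on a re-run); -m modifies it.
semanage port -a -t ssh_port_t -p tcp "$NEW_SSH_PORT" \
  || semanage port -m -t ssh_port_t -p tcp "$NEW_SSH_PORT"
firewall-cmd --remove-service=ssh --zone=public --permanent
firewall-cmd --remove-service=cockpit --zone=public --permanent
firewall-cmd --remove-service=dhcpv6-client --zone=public --permanent
firewall-cmd --permanent --zone=work --add-port="$NEW_SSH_PORT/tcp"
firewall-cmd --permanent --zone=work --add-source="$VPN_GW_IP/24"

## fail2ban
dnf install -y epel-release
dnf install -y fail2ban
# Drop-in under jail.d instead of appending to jail.conf, which package
# upgrades overwrite. Reuse the packaged [sshd] jail; backend=systemd reads
# the journal, since AlmaLinux has no /var/log/auth.log (that is the Debian
# path and the previous jail would never have seen a login attempt).
# Written before the service is started so the first start picks it up.
cat > /etc/fail2ban/jail.d/sshd.local <<EOT
[sshd]
enabled = true
port = $NEW_SSH_PORT
backend = systemd
EOT
systemctl enable --now fail2ban

## Force DHCP
dnf install -y dhclient
dhclient -v

## User Output
printf 'New SSH Port: %s\n' "$NEW_SSH_PORT"
printf '%s\n' "Warning! System will be restarted, please save the generated SSH port"
# Already root here. "sudo read" also failed outright because read is a shell
# builtin, so the pause before reboot never actually happened.
read -r -p "Press [Enter] to reboot system"
reboot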