Ubuntu 14.04 management Script
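#!/bin/sh
# Bootstrap an Ubuntu 14.04 host: create a sudo-capable deploy user, turn off
# SSH password authentication and add a 256 MiB swap file.
#
# Run as root (`sudo sh this.sh`). The original started with `sudo su`, which
# only opens an interactive root shell -- everything after it ran as the
# invoking user once that shell was closed -- and the later `su - deploy` /
# `exit` lines ended the script before the swap section was ever reached.
#
# Environment:
#   DEPLOY_USER           account to create (default: deploy)
#   DEPLOY_USER_PASSWORD  its password; must be set -- there is deliberately
#                         no default, so a well-known password never lands on
#                         an account that is in the sudo group
set -eu
#============================
#Create deploy user
DEPLOY_USER=${DEPLOY_USER:-deploy}
: "${DEPLOY_USER_PASSWORD:?set DEPLOY_USER_PASSWORD in the environment}"
#============================
if [ "$(id -u)" -ne 0 ]; then
  echo "this script must be run as root" >&2
  exit 1
fi
home_dir="/home/${DEPLOY_USER}"
sshd_config=/etc/ssh/sshd_config
#create deploy user (adduser fails if the account already exists, so check first)
if ! id "${DEPLOY_USER}" >/dev/null 2>&1; then
  adduser --disabled-password --gecos "" "${DEPLOY_USER}"
fi
id -nG "${DEPLOY_USER}" | grep -qw sudo || adduser "${DEPLOY_USER}" sudo
# chpasswd reads "user:password" from stdin, so the password is not exposed
# as a command-line argument in the process list
printf '%s:%s\n' "${DEPLOY_USER}" "${DEPLOY_USER_PASSWORD}" | chpasswd
#create .ssh folder
mkdir -p "${home_dir}/.ssh"
chmod 700 "${home_dir}/.ssh"
#cat the key for this user to .ssh/authorized_keys
# NOTE(review): nothing in this script writes a key; the operator is presumably
# expected to append the deploy public key here before the sshd step -- confirm
touch "${home_dir}/.ssh/authorized_keys"
chmod 600 "${home_dir}/.ssh/authorized_keys"
#change home file owned by deploy user
chown -R "${DEPLOY_USER}:${DEPLOY_USER}" "${home_dir}"
#turnoff ssh password authentication -- only once a public key is in place;
#with an empty authorized_keys and no password login the deploy user (and
#anyone else without a key) is locked out of the host
if [ ! -s "${home_dir}/.ssh/authorized_keys" ]; then
  echo "${home_dir}/.ssh/authorized_keys is empty, leaving PasswordAuthentication unchanged" >&2
elif grep -q '^PasswordAuthentication.*$' "${sshd_config}"; then
  echo "PasswordAuthentication is not commented, turning off explicitly..."
  sed -i 's/^PasswordAuthentication.*$/PasswordAuthentication no/g' "${sshd_config}"
elif grep -q '^#PasswordAuthentication' "${sshd_config}"; then
  echo "PasswordAuthentication is commented , turning off explicitly..."
  sed -i 's/^#PasswordAuthentication.*$/PasswordAuthentication no/g' "${sshd_config}"
else
  # no directive at all means sshd's default applies, which is "yes" -- the
  # original treated this case as "already off" and skipped it
  echo "PasswordAuthentication is not present , appending explicitly..."
  echo "PasswordAuthentication no" >> "${sshd_config}"
fi
# validate the edited config before restarting: a broken sshd_config would
# otherwise leave the host without SSH
/usr/sbin/sshd -t
service ssh restart
#check existing swap file
#swapon -s
#check if existing disk has space
#df
if ! grep -q '^/swapfile[[:space:]]' /proc/swaps; then
  #write empty to /swapfile (skipped when the file is already there)
  [ -f /swapfile ] || dd if=/dev/zero of=/swapfile bs=1024 count=256k
  #to prevent the file from being world-readable, set ownership and permissions
  #before it is turned into swap
  chown root:root /swapfile
  chmod 0600 /swapfile
  # prepare the swap file by creating a linux swap area
  mkswap /swapfile
  #activating the swap file
  swapon /swapfile
fi
#The swap file only lasts until the machine reboots unless it is in fstab
grep -q '^/swapfile[[:space:]]' /etc/fstab || echo "/swapfile none swap sw 0 0" >> /etc/fstab
#Swappiness of 10 makes swap act as an emergency buffer against out-of-memory
#crashes instead of being used eagerly
echo 10 > /proc/sys/vm/swappiness
grep -q '^vm.swappiness' /etc/sysctl.conf || echo "vm.swappiness = 10" >> /etc/sysctl.conf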
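#!/bin/sh
# Create a system account for running a service: no home directory and no
# interactive login.
set -eu
#============================
# no home dir, no login
# used to run service
USERNAME=mysysusr
#============================
# -r creates a system account (no home directory, no password aging).
# -s /usr/sbin/nologin is what actually enforces "no login": -r on its own
#   leaves useradd's default shell in place, so the original comment did not
#   match what the command did.
if id "$USERNAME" >/dev/null 2>&1; then
  echo "user $USERNAME already exists, skipping" >&2
else
  sudo useradd -r -s /usr/sbin/nologin "$USERNAME"
fi
#may need to create home dir for running some application
#sudo mkdir /home/$USERNAME
#sudo chown $USERNAME:$USERNAME /home/$USERNAME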
# Truncate the on-disk bash history, then print the shell's in-memory history
# list (which `history` on its own does not clear).
: > ~/.bash_history && history
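#!/bin/sh
# Per-user web directories under /www for an httpd that runs as www:wwwgroup.
# Run as root. The original opened httpd.conf in vim; the two edits the
# comments asked for are applied with sed instead so the script runs
# unattended. It also called `useradd www` twice, which fails the second time.
# NOTE(review): /etc/httpd/... is not the Ubuntu/Debian apache2 layout; these
# paths look like another distribution or a source build -- confirm.
set -eu
httpd_conf=/etc/httpd/conf/httpd.conf
# User daemon -> User www
# Group daemon -> Group wwwgroup
sed -i -e 's/^User daemon[[:space:]]*$/User www/' \
  -e 's/^Group daemon[[:space:]]*$/Group wwwgroup/' "$httpd_conf"
# create an account / group only if it does not exist yet
ensure_user() {
  id "$1" >/dev/null 2>&1 || useradd "$1"
}
ensure_group() {
  getent group "$1" >/dev/null || groupadd "$1"
}
#add user and group
ensure_user www
ensure_group wwwgroup
mkdir -p /www
chown -R www:wwwgroup /www
ensure_user wwwserver
ensure_user alice
ensure_user bob
ensure_user charlie
# Q7
# http://serverfault.com/questions/6895/whats-the-best-way-of-handling-permissions-for-apache2s-user-www-data-in-var
mkdir -p /www/users/bob /www/users/alice
touch /www/users/bob/url.html /www/users/alice/url.html
# for multi user serverfault
# http://askubuntu.com/questions/44542/what-is-umask-and-how-does-it-work
# edit umask
# vim /etc/login.defs
# find UMASK, change from 022 to 007
# Each user gets a private group shared only with the web server user. The
# directory is mode 2770: setgid so new files inherit the group, and no access
# for anyone outside it.
# setgid: http://www.toptip.ca/2010/03/linux-setgid-on-directory.html
setup_user_dir() {
  user=$1
  grp="www_$1"
  ensure_group "$grp"
  usermod -a -G "$grp" www
  usermod -a -G "$grp" "$user"
  chown -R "wwwserver:$grp" "/www/users/$user"
  chmod 2770 "/www/users/$user"
}
setup_user_dir bob
setup_user_dir alice
#restart webserver
/etc/httpd/bin/apachectl -k restart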
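#!/bin/sh
# Give the %sudo group normal sudo rights and the deploy group passwordless
# sudo. Run as root (`sudo sh this.sh`); the original's `sudo su` only opened
# an interactive shell.
#
# Every sudoers change is checked with `visudo -c` before it is installed: a
# syntax error in a sudoers file disables sudo for everyone, which on a host
# without a root password is a lockout. The original also wrote the pattern
# '^%${DEPLOY_USER}' in single quotes, so the variable was never expanded and
# the existence check matched literal text rather than the group.
set -eu
#============================
#Create deploy user
DEPLOY_USER=${DEPLOY_USER:-deploy}
#============================
sudoers=/etc/sudoers
dropin="/etc/sudoers.d/${DEPLOY_USER}"
if [ "$(id -u)" -ne 0 ]; then
  echo "this script must be run as root" >&2
  exit 1
fi
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT
#add %sudo if sudoers does not exist
if grep -q '^%sudo' "$sudoers"; then
  echo "%sudo exists in sudoers, skip adding..."
else
  echo "%sudo does not exists in sudoers, adding..."
  cp "$sudoers" "$tmp"
  echo "%sudo ALL=(ALL:ALL) ALL" >> "$tmp"
  # install the edited copy only once visudo accepts it (set -e aborts otherwise)
  visudo -cf "$tmp"
  cp "$tmp" "$sudoers"
  chmod 0440 "$sudoers"
fi
#add passwordless %{{DEPLOY_USER}}
# Written as a drop-in under /etc/sudoers.d (included by Ubuntu's stock
# sudoers) instead of editing /etc/sudoers in place; sudo requires mode 0440.
# NOPASSWD: ALL gives every member of this group unrestricted root without a
# password prompt -- keep the group membership small.
if grep -qs "^%${DEPLOY_USER}" "$sudoers" "$dropin"; then
  echo "%${DEPLOY_USER} exists in sudoers, skip adding passwordless %{{DEPLOY_USER}} ..."
else
  echo "%${DEPLOY_USER} does not exists in sudoers, adding passwordless %{{DEPLOY_USER}} ..."
  echo "%${DEPLOY_USER} ALL = (ALL) NOPASSWD: ALL" > "$tmp"
  chmod 0440 "$tmp"
  visudo -cf "$tmp"
  cp "$tmp" "$dropin"
  chmod 0440 "$dropin"
fi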
# Interactive shell transcript (the leading `$` is the prompt), not a runnable
# script: detach a job that was suspended with Ctrl+Z so it keeps running
# after the terminal is closed.
#[1]+ Stopped myprogram
#where 1 is the job number displayed after ctrl+z
# disown -h keeps the job in the job table but stops the shell from sending
# it SIGHUP when the shell exits
$ disown -h %1
#bg: resumes the suspended job in the background; the shell prints a line
#confirming this.
$ bg 1
#[1]+ myprogram &
#!/bin/sh
# Run ./server/remote_repo_create.sh on the remote host over ssh; the script
# is fed to the remote shell on stdin. {{DEPLOY_USER}}, {{STAGE}} and
# {{SERVER_IP}} are template placeholders, not shell variables -- presumably
# substituted by a templating step before this line runs (confirm), and
# {{STAGE}}_{{SERVER_IP}} looks like a host alias rather than a raw address.
#used bash login (bash -l) instead of bash stdin (bash -s) in order for rvm to work
ssh {{DEPLOY_USER}}@{{STAGE}}_{{SERVER_IP}} 'bash -l' < ./server/remote_repo_create.sh
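#!/bin/sh
# Set the timezone to Asia/Hong_Kong and keep the clock synced with NTP on
# Ubuntu 14.04. Uses sudo per command, so it runs as an ordinary user.
#
# Fixes over the original: `ntpdate` and the `>> /etc/ntp.conf` appends ran
# without sudo (a redirection is performed by the unprivileged shell, so it
# fails with permission denied), and the server lines were appended again on
# every run.
set -eu
ntp_conf=/etc/ntp.conf
#set timezone interactively
#dpkg-reconfigure tzdata
#install ntp
sudo apt-get install -y ntp
#set timezone
echo "Asia/Hong_Kong" | sudo tee /etc/timezone >/dev/null
sudo dpkg-reconfigure --frontend noninteractive tzdata
#for more ntp server http://www.pool.ntp.org/en/
#add to ntp pool (skip entries that are already in the file)
for server in stdtime.gov.hk 3.tw.pool.ntp.org 1.asia.pool.ntp.org 2.asia.pool.ntp.org; do
  if ! grep -q "^server ${server}\$" "$ntp_conf"; then
    echo "server ${server}" | sudo tee -a "$ntp_conf" >/dev/null
  fi
done
#update time from ntp server; ntpd has to be stopped first because ntpdate
#refuses to run while another process holds UDP port 123
sudo service ntp stop
sudo ntpdate stdtime.gov.hk 3.tw.pool.ntp.org 1.asia.pool.ntp.org 2.asia.pool.ntp.org
sudo service ntp start
##set datetime manualy
#sudo date --set "25 Sep 2013 15:00:00"
##set time from system time to hardware time
#hwclock --systohc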
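# SSH key notes for the deploy workflow: load the server key into an agent,
# generate a key pair, and turn off password logins on the server.
#
# Source this file (`. ./this.sh`) rather than executing it if the agent
# should stay usable afterwards: `eval "$(ssh-agent -s)"` exports
# SSH_AUTH_SOCK into the shell that runs it, and that shell is gone as soon
# as an executed script ends. The original ran ssh-add before starting the
# agent (ssh-add needs a running agent) and then `ssh-add -D`, which removes
# every key again.
# SERVER_ROOT_PRIVATE_KEY_LOCATION=/vagrant/key/serverrootkey
# #vagrant cp root key to ~/.ssh
# #notice putty need to export OpenSSL key
# cp $SERVER_ROOT_PRIVATE_KEY_LOCATION ~/.ssh
# chmod 600 ~/.ssh/serverkey
#start key agent, unless one is already reachable through SSH_AUTH_SOCK
if [ -z "${SSH_AUTH_SOCK:-}" ]; then
  eval "$(ssh-agent -s)"
fi
#add a new key; ssh-add rejects a private key that is readable by others
chmod 600 ~/.ssh/serverkey
ssh-add ~/.ssh/serverkey
#delete all keys from the agent -- kept as a note only, it would undo the ssh-add above
#ssh-add -D
#http://articles.slicehost.com/2010/4/30/ubuntu-lucid-setup-part-1
#generate key pair (interactive)
ssh-keygen
#copy the public to the ~/.ssh/authorized_keys, which is the user your key is used to log in
#to turn off password login
sudo nano /etc/ssh/sshd_config
#then set the directive called PasswordAuthentication to no (make sure a
#public key is already in authorized_keys first, or you lock yourself out)
# PasswordAuthentication no
#check the edited config before restarting so a typo cannot take sshd down
sudo /usr/sbin/sshd -t
#restart the service
sudo service ssh restart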
#!/bin/sh
# Redraw the memory usage summary every second (Ctrl+C to stop).
watch --interval 1 -- free -m
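#!/bin/sh
# Host firewall for a web server: allow loopback, SSH, HTTP/S and ping in,
# everything out, reject the rest, then persist the rules across reboots.
#
# Run as root (`sudo sh this.sh`). The original started with `sudo su - root`,
# which opens an interactive shell instead of elevating the rest of the
# script. Rules are appended only when not already present, so re-running
# the script does not duplicate them; note that a rule added to this file
# later will be appended after the final REJECT and therefore never match --
# flush the chain first in that case.
set -eu
rules_file=/etc/iptables.rules
hook=/etc/network/if-up.d/iptables
if [ "$(id -u)" -ne 0 ]; then
  echo "this script must be run as root" >&2
  exit 1
fi
# append a rule unless an identical one already exists in the chain
rule() {
  iptables -C "$@" 2>/dev/null || iptables -A "$@"
}
#Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
rule INPUT -i lo -j ACCEPT
rule INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
#Accept all incoming connections from 127.0.0.1 -- restricted to the loopback
#interface: without `-i lo` a packet arriving on eth0 with a forged 127.0.0.1
#source address would hit this ACCEPT before any later rule
rule INPUT -i lo -s 127.0.0.1 -j ACCEPT
#Allow SSH, HTTP/S and PING incoming connections.
rule INPUT -p tcp --dport 22 -j ACCEPT
rule INPUT -p tcp --dport 80 -j ACCEPT
rule INPUT -p tcp --dport 443 -j ACCEPT
# Allow ping
rule INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#Allows all outbound traffic
#You can modify this to only allow certain traffic
rule OUTPUT -j ACCEPT
#If there are services already connnected, do not drop them.
#Accepts all established inbound connections
rule INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
rule FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# never reached, the unconditional OUTPUT ACCEPT above matches first; kept so
# the installed rule set is the same as before
rule OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#Reject everything else.
rule INPUT -j REJECT
rule FORWARD -j REJECT
#The problem with IPTables is that it forgets your rules once you reboot.
#You need to save them and restore them during reboot when the network interface comes up.
#dump all rules using iptables-save
iptables-save > "$rules_file"
#Restore them from an if-up.d hook, which runs whenever an interface comes up.
#(The alternative is a `pre-up iptables-restore < /etc/iptables.rules` line
#under the eth0 stanza in /etc/network/interfaces.)
cat > "$hook" <<'EOF'
#!/bin/sh
iptables-restore < /etc/iptables.rules
EOF
chmod +x "$hook"
#Now you can reboot the system and verify if the rules apply after reboot.
iptables -L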