A setup script for Ubuntu servers
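#!/usr/bin/env bash
# Bootstrap script for a fresh Ubuntu 20.04 server: creates an admin user,
# installs packages, hardens sshd and enables ufw. Every step below needs root.
#
# -e: abort on the first failing command; -u: an unset variable is an error;
# -o pipefail: a failing producer in a `curl ... | bash` pipeline aborts too.
set -euo pipefail

printf -- "#########################################\n"
printf -- "# This script has only been tested with #\n"
printf -- "# Ubuntu 20.04 #\n"
printf -- "# It might work with other versions #\n"
printf -- "#########################################\n\n"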
# --- User-editable settings --------------------------------------------------
# Admin account that is created below and added to the sudo, www-data and
# docker groups.
export SCRIPT_USERNAME='michael'
# Public key for that account. When it is set, sshd is configured for key-only
# authentication and the password method stays disabled (recommended). Remote
# root login is disabled either way; use 'sudo -i' on the box when root is
# really needed (not recommended).
export SCRIPT_SSH_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMPyuOFkWQsezEhtCwUPdmmr2fK+iTDueO0nKgHKXjMz (michael.kilian2406@gmail.com)'
# Port sshd listens on; a value other than 22 is also opened in ufw.
export SCRIPT_SSH_PORT='24695'
# 'yes' or 'no'. Visual Studio Code remote development needs 'yes'.
export SCRIPT_ALLOW_TCP_FORWARDING='no'
# 'yes' or 'no'. 'yes' opens the Docker Swarm ports in ufw:
#   2377/tcp      cluster management
#   7946/tcp+udp  communication among nodes
#   4789/udp      overlay network traffic
export OPEN_DOCKER_SWARM_PORT='yes'
# Every key in this list ends up in the account's authorized_keys.
MULTIPLE_SSH_KEYS=(
  "${SCRIPT_SSH_KEY}"
  'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFY3fr0p6A2sdynhFyy1v7nkKbECnkg7PDf0iMRs/2p (reactiion@haze-productions.com GPG)'
  'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDqxRv5hEdg+oVpAfEIepVmF3JZTiAOA4WCs2t51bnjV (reactiion@haze-productions.com)'
)
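# Create the admin account. The name goes through '%s' rather than the format
# string so a '%' in it cannot corrupt the output.
printf -- "- Adding user '%s'...\n\n" "$SCRIPT_USERNAME"
# Skip creation on a re-run: adduser exits non-zero for an existing account,
# which would abort the whole script under set -e.
if ! id -u "$SCRIPT_USERNAME" >/dev/null 2>&1; then
  adduser --quiet --gecos "" "$SCRIPT_USERNAME"
fi
# clear fails when there is no terminal (TERM unset); that is cosmetic only.
clear || true
printf -- "#########################################\n"
printf -- "# This script has only been tested with #\n"
printf -- "# Ubuntu 20.04 #\n"
printf -- "# It might work with other versions #\n"
printf -- "#########################################\n\n"
printf -- "- Adding user '%s'...ok\n" "$SCRIPT_USERNAME"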
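# Replace the apt sources with the mirror:// selector (focal + updates,
# backports and security). The heredoc is quoted: nothing to expand here.
cat <<'EOF' > /etc/apt/sources.list
deb mirror://mirrors.ubuntu.com/mirrors.txt focal main restricted universe multiverse
deb mirror://mirrors.ubuntu.com/mirrors.txt focal-updates main restricted universe multiverse
deb mirror://mirrors.ubuntu.com/mirrors.txt focal-backports main restricted universe multiverse
deb mirror://mirrors.ubuntu.com/mirrors.txt focal-security main restricted universe multiverse
EOF
# Keep locally modified config files when dpkg runs unattended.
cat <<'EOF' > /etc/apt/apt.conf.d/local
Dpkg::Options {
"--force-confdef";
"--force-confold";
}
EOF
# sudo membership gives the account root via sudo; www-data membership gives it
# access to whatever that group owns.
gpasswd -a "$SCRIPT_USERNAME" sudo
gpasswd -a "$SCRIPT_USERNAME" www-data
# Passwordless package management for the account.
# NOTE(review): apt-get and aptitude accept options and hooks that run
# arbitrary commands as root, so NOPASSWD on them is effectively passwordless
# root for this account; drop these lines if a password prompt is acceptable.
sudoers_tmp=$(mktemp)
cat <<EOF > "$sudoers_tmp"
$SCRIPT_USERNAME ALL=NOPASSWD: /usr/bin/aptitude
$SCRIPT_USERNAME ALL=NOPASSWD: /usr/bin/apt-get
$SCRIPT_USERNAME ALL=NOPASSWD: /usr/bin/sudoedit
EOF
# A syntax error in a sudoers.d drop-in disables sudo for everyone: validate
# before installing, and install with the 0440 mode sudo expects.
visudo -cf "$sudoers_tmp"
install -m 0440 -o root -g root "$sudoers_tmp" /etc/sudoers.d/apt-toast
rm -f -- "$sudoers_tmp"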
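# No debconf prompts during the unattended installs below.
export DEBIAN_FRONTEND=noninteractive
apt-get -y update
# Needed before the timezone/locale steps that follow.
apt-get -y install software-properties-common language-pack-en-base
timedatectl set-timezone Europe/Berlin
export LC_ALL='en_US.UTF-8'
export LANG='en_US.UTF-8'
update-locale LC_ALL="en_US.UTF-8" LANG="en_US.UTF-8"
# Bring the base system up to date first, then add the tool set.
apt-get -y upgrade
apt-get -y dist-upgrade
apt-get -y autoremove
# Build tools, libraries and day-to-day CLI utilities. Kept as an array so a
# package can be added or removed on its own line.
packages=(
  autoconf
  automake
  borgbackup
  build-essential
  checkinstall
  clang
  cmake
  curl
  dbus
  docker-compose
  docker.io
  fish
  gcc
  g++
  gettext
  git
  gnupg
  htop
  iftop
  jq
  landscape-common
  libcrypto++-dev
  libcurl4-openssl-dev
  libevent-dev
  libgd-dev
  libgeoip-dev
  libiw-dev
  libnghttp2-dev
  libprotobuf-dev
  libsqlite3-dev
  libssl-dev
  libtool
  libz-dev
  lua5.2
  m4
  man
  mosh
  musl-tools
  ncurses-dev
  ncurses-term
  netcat
  ntp
  pax
  pkg-config
  python3
  python3-dev
  python3-pip
  rclone
  rsync
  secure-delete
  software-properties-common
  sudo
  tmux
  tree
  ufw
  vim
  wget
  wireguard-tools
  zsh
)
apt-get -y install "${packages[@]}"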
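# docker group membership is root-equivalent on the host (the daemon runs as
# root); it is granted here deliberately for the admin account.
usermod -aG docker "$SCRIPT_USERNAME"
systemctl enable --now docker
# A 'webproxy' network is created only on hosts that are not swarm members
# (presumably for a reverse proxy to attach to). Guarded so a re-run does not
# fail on the existing network.
if [[ "${OPEN_DOCKER_SWARM_PORT}" != "yes" ]]; then
  docker network inspect webproxy >/dev/null 2>&1 || docker network create webproxy
fi
# Provide the gpg2 name (presumably for tools that look for it); Ubuntu ships
# the binary as gpg.
if ! command -v gpg2 >/dev/null 2>&1; then
  ln -s "$(command -v gpg)" /usr/bin/gpg2
fi
# NOTE(review): upgrading pip system-wide as root replaces the distro-managed
# copy and can break apt's python3-pip; a venv or --user install avoids that.
pip3 install --upgrade pip
pip3 install --upgrade asciinema magic-wormhole python-swiftclient

#######################################
# Fetch a remote installer and run it as root. Downloading to a file first
# means a connection dropped mid-transfer fails cleanly instead of executing
# a truncated script, and -f turns an HTTP error into a failure.
# Arguments: $1 - https URL of the script
# Returns:   non-zero if the download or the script fails
#######################################
run_remote_script() {
  local url=$1 tmp
  tmp=$(mktemp)
  curl -fsSL -o "$tmp" "$url"
  bash "$tmp"
  rm -f -- "$tmp"
}
# rclone was installed from apt above; this fetches the upstream build on top
# (presumably to get a newer release).
run_remote_script https://rclone.org/install.sh
# Was plain http, which lets the script be swapped in transit before it runs
# as root. NOTE(review): git.io has been retired since this was written;
# confirm the URL still resolves.
run_remote_script https://git.io/git-extras-setup
# nginx is not wanted on this host: purge the whole set and its config
# (a plain 'purge nginx' leaves nginx-common behind).
apt-get -yqq purge nginx nginx-common nginx-full
rm -rf /etc/nginx
printf -- "ok\n"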
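printf -- "- Configuring user profile..."
chsh -s "$(command -v zsh)" "$SCRIPT_USERNAME"
# Resolve the home directory from the passwd entry instead of assuming
# /home/<user>; fall back to that path if the lookup yields nothing.
user_home=$(getent passwd "$SCRIPT_USERNAME" | cut -d: -f6)
user_home=${user_home:-/home/$SCRIPT_USERNAME}
if [[ -n "$SCRIPT_SSH_KEY" ]]; then
  ssh_dir="$user_home/.ssh"
  install -d -m 700 "$ssh_dir"
  chmod 700 "$ssh_dir"
  touch "$ssh_dir/authorized_keys"
  chmod 600 "$ssh_dir/authorized_keys"
  for key in "${MULTIPLE_SSH_KEYS[@]}"; do
    # '%s' keeps the key out of the printf format string; -xF skips a key
    # that is already present so re-runs do not duplicate entries.
    grep -qxF -- "$key" "$ssh_dir/authorized_keys" \
      || printf '%s\n' "$key" >> "$ssh_dir/authorized_keys"
  done
  # Pre-seed known_hosts so the first git clone does not prompt.
  # NOTE(review): this trusts whatever answers the scan at install time;
  # compare the fingerprints against the published ones.
  ssh-keyscan dev.unleashed.codes github.com gitlab.com > "$ssh_dir/known_hosts"
fi
chown -R "$SCRIPT_USERNAME": "$user_home"
printf -- "ok\n"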
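printf -- "- Configuring openSSH server..."
# Validate the knobs that are written into sshd_config before touching it;
# an invalid value would leave sshd unable to start.
case "$SCRIPT_ALLOW_TCP_FORWARDING" in
  yes|no) ;;
  *)
    printf 'SCRIPT_ALLOW_TCP_FORWARDING must be yes or no, got: %s\n' "$SCRIPT_ALLOW_TCP_FORWARDING" >&2
    exit 1
    ;;
esac
ssh_port=${SCRIPT_SSH_PORT:-22}
if [[ ! "$ssh_port" =~ ^[0-9]+$ ]]; then
  printf 'SCRIPT_SSH_PORT must be numeric, got: %s\n' "$ssh_port" >&2
  exit 1
fi
# With a key configured only public-key authentication is offered. Without
# one, the password method must be enabled as well: AuthenticationMethods
# alone is not enough, PasswordAuthentication must also be 'yes' or no login
# method is left at all.
if [[ -n "$SCRIPT_SSH_KEY" ]]; then
  auth_methods='publickey'
  password_auth='no'
else
  auth_methods='publickey password'
  password_auth='yes'
fi
# Build the config in a temp file so it can be validated before it replaces
# the live one.
sshd_tmp=$(mktemp)
cat <<EOF > "$sshd_tmp"
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
Port $ssh_port
LogLevel VERBOSE
RekeyLimit 1G 1H
KexAlgorithms curve25519-sha256@libssh.org
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MaxAuthTries 2
MaxSessions 5
ClientAliveInterval 30
ClientAliveCountMax 6
TCPKeepAlive no
UsePAM yes
PasswordAuthentication $password_auth
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthenticationMethods $auth_methods
PermitRootLogin No
AllowAgentForwarding yes
AllowTcpForwarding $SCRIPT_ALLOW_TCP_FORWARDING
X11Forwarding no
PrintMotd no
Compression no
StreamLocalBindUnlink yes
EOF
# Client-side defaults for outgoing connections from this host.
cat <<'EOF' > /etc/ssh/ssh_config
HashKnownHosts yes
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
KexAlgorithms curve25519-sha256@libssh.org
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
EOF
# Regenerate the host keys (presumably the box comes from a shared image).
# Clients that already know this host will see a host key change.
for old_key in /etc/ssh/ssh_host_*key*; do
  [[ -e "$old_key" ]] || continue
  shred -u -- "$old_key"
done
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ''
# Never restart into a broken config: that would cut off remote access.
sshd -t -f "$sshd_tmp"
install -m 0644 -o root -g root "$sshd_tmp" /etc/ssh/sshd_config
rm -f -- "$sshd_tmp"
systemctl restart sshd
printf -- "ok\n"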
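printf -- "- Configuring firewall..."
ufw logging on
ufw default deny incoming
ufw default allow outgoing
# Open only the port sshd listens on (it was moved above when SCRIPT_SSH_PORT
# is set); leaving 22/tcp open as well would expose a port nothing serves.
fw_ssh_port=${SCRIPT_SSH_PORT:-22}
if [[ "$fw_ssh_port" == "22" ]]; then
  ufw allow ssh/tcp
else
  ufw allow "$fw_ssh_port/tcp"
fi
ufw allow 80/tcp
ufw allow 443/tcp
# Docker Swarm: 2377 cluster management, 7946 node communication, 4789 overlay.
if [[ "${OPEN_DOCKER_SWARM_PORT}" == "yes" ]]; then
  for swarm_port in 2377/tcp 7946/tcp 7946/udp 4789/udp; do
    ufw allow "$swarm_port"
  done
fi
ufw --force enable
printf -- "ok\n"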
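#######################################
# Download a prebuilt binary from the frk1/mirrors GitHub repository into
# /usr/local/bin and make it executable.
# Arguments: $1 - tool name (also the file name in the repository)
# Returns:   wget's status if the download fails, else chmod's status;
#            under set -e a failure aborts the script.
# NOTE(review): these binaries come from a third-party repository with no
# checksum or signature check and track 'master'; pin a commit and verify
# hashes if their integrity matters.
#######################################
from_mirror() {
  local tool=$1
  local dest="/usr/local/bin/$tool"
  wget "https://raw.githubusercontent.com/frk1/mirrors/master/$tool" -O "$dest" && chmod a+x "$dest"
}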
# Extra CLI tools fetched straight from GitHub rather than apt, in the same
# order as before; each failure aborts the script under set -e.
for tool in exa fd rg tokei bat; do
  from_mirror "$tool"
done
# yadm: fetch the current master copy and make it executable.
yadm_bin=/usr/local/bin/yadm
curl -fLo "$yadm_bin" https://github.com/TheLocehiliosan/yadm/raw/master/yadm && chmod a+x "$yadm_bin"
printf -- "=> Done!\n\n"