@naoty
Created January 4, 2012 23:58
history on Sakura VPS from OS install to ruby install
# login as root
# `ssh-keygen -R` removes the stored known_hosts entry for this address,
# presumably because the freshly installed OS presents a new host key.
# NOTE(review): the next connection then accepts whatever key the server
# offers; compare the fingerprint shown by ssh with one read from the
# provider's console before answering "yes".
naoty@local% ssh-keygen -R xxx.xxx.xxx.xxx
naoty@local% ssh root@xxx.xxx.xxx.xxx
# add admin user
# Creates the day-to-day account and sets its password interactively. This
# password is what sudo asks for later, so it stays security-relevant even
# after SSH password logins are disabled further down.
root@sakura% useradd naoty
root@sakura% passwd naoty
# limit su, sudo
# NOTE(review): `usermod -G` without `-a` replaces the account's supplementary
# group list. That is harmless for the account created just above, but on an
# existing account use `-a -G` (as the rvm step below does).
root@sakura% usermod -G wheel naoty
# Uncommenting the %wheel line lets wheel members run any command through
# sudo; there is no NOPASSWD tag, so sudo still prompts for the user's password.
root@sakura% visudo
- # %wheel ALL=(ALL) ALL
+ %wheel ALL=(ALL) ALL
# NOTE(review): SU_WHEEL_ONLY is read by the shadow-utils `su`. Where `su` is
# PAM-based the restriction is normally made with pam_wheel in /etc/pam.d/su,
# and this login.defs line may have no effect. Confirm by trying `su -` from
# an account that is not in wheel.
root@sakura% vi /etc/login.defs
+ SU_WHEEL_ONLY yes
root@sakura% exit
# public key authentication
# Only the public half (id_rsa.pub) leaves the workstation. It becomes the
# account's authorized_keys, with the directory at 700 and the file at 600 so
# that no other local user can read or replace it.
# `mv` overwrites any existing authorized_keys; fine on a brand-new account.
naoty@local% scp .ssh/id_rsa.pub naoty@xxx.xxx.xxx.xxx:~
naoty@local% ssh naoty@xxx.xxx.xxx.xxx
naoty@sakura% mkdir .ssh
naoty@sakura% chmod 700 .ssh
naoty@sakura% mv id_rsa.pub .ssh/authorized_keys
naoty@sakura% chmod 600 .ssh/authorized_keys
# sshd hardening: no direct root login, no password logins.
# NOTE(review): `UsePAM no` also switches off PAM account and session
# processing for SSH logins (limits, access rules and similar). Keeping
# `UsePAM yes` and setting `ChallengeResponseAuthentication no` next to
# `PasswordAuthentication no` gives key-only logins without losing that.
# NOTE(review): run `sshd -t` to validate the file before the restart, and
# confirm a key login from a second terminal before closing this session; a
# mistake here locks out both root and password logins at once.
naoty@sakura% sudo vi /etc/ssh/sshd_config
- #PermitRootLogin yes
+ PermitRootLogin no
- #PasswordAuthentication yes
+ PasswordAuthentication no
- UsePAM yes
- #UsePAM no
+ UsePAM no
naoty@sakura% sudo /etc/init.d/sshd restart
naoty@sakura% exit
# `sakura` is presumably a Host alias in the local ~/.ssh/config; its
# definition is not part of this transcript.
naoty@local% ssh sakura
# vim, git, tig, tmux
# Bring the base system up to date before adding anything else.
naoty@sakura% sudo yum -y update
# yum-priorities: a lower number wins. The stock CentOS repos get 1 (contrib 2)
# so that a third-party repo added afterwards cannot replace base packages;
# repos without a priority= line fall back to the plugin default of 99.
naoty@sakura% sudo yum -y install yum-priorities
naoty@sakura% sudo vi /etc/yum.repos.d/CentOS-Base.repo
[base]
+ priority=1
[updates]
+ priority=1
[addons]
+ priority=1
[extras]
+ priority=1
[centosplus]
+ priority=1
[contrib]
+ priority=2
# NOTE(review): the EPEL release package is fetched over plain HTTP and
# installed as root in one step. rpm only warns when the signing key is not
# yet imported, so nothing here authenticates the package. Import the EPEL
# GPG key from a trusted source and check the downloaded file with `rpm -K`
# before installing it.
naoty@sakura% sudo rpm -ihv http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
naoty@sakura% sudo yum -y install vim-enhanced git tig tmux
# dotfiles
# A separate key pair is generated on the server and its public half is
# registered with GitHub so the server can clone over SSH.
# NOTE(review): the transcript does not show whether a passphrase was set. A
# key registered on the GitHub account grants that account's access to every
# repository; a read-only deploy key on the dotfiles repository limits what a
# compromise of this server exposes.
naoty@sakura% ssh-keygen -t rsa
naoty@sakura% cat .ssh/id_rsa.pub # put public key into github.com
naoty@sakura% git clone git@github.com:naoty/dotfiles.git -b server
# The shell startup files are replaced by symlinks into the clone, so whatever
# the `server` branch contains runs on every login from here on.
naoty@sakura% ln -s dotfiles/.gitconfig ~/.gitconfig
naoty@sakura% ln -s dotfiles/.vimrc ~/.vimrc
naoty@sakura% rm .bashrc && ln -s dotfiles/.bashrc ~/.bashrc && source .bashrc
naoty@sakura% rm .bash_profile && ln -s dotfiles/.bash_profile ~/.bash_profile && source .bash_profile
naoty@sakura% mkdir -p .vim/colors
naoty@sakura% exit
naoty@local% scp .vim/colors/railscasts.vim sakura:.vim/colors/
naoty@local% ssh sakura
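# iptables
# Allow-list inbound traffic, then switch the INPUT policy to DROP. Every
# ACCEPT rule is added before the policy change so the SSH session running
# these commands is never cut off halfway.
# Loopback first: local services talking to 127.0.0.1 would otherwise be
# dropped by the new policy.
naoty@sakura% sudo iptables -A INPUT -i lo -j ACCEPT
# RELATED is accepted together with ESTABLISHED so that ICMP errors belonging
# to existing connections still arrive.
naoty@sakura% sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The port is given numerically. "sshd" is the daemon's name, not a service
# name that --dport can resolve (the /etc/services entry is "ssh", 22/tcp), so
# the rule could be rejected and new SSH connections dropped by the policy.
naoty@sakura% sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Inspect the chain before changing the policy. -A appends, so a pre-existing
# REJECT/DROP rule earlier in INPUT would still take precedence.
naoty@sakura% sudo iptables -L INPUT -n --line-numbers
naoty@sakura% sudo iptables -P INPUT DROP
# NOTE(review): these rules cover IPv4 only; if the host has an IPv6 address,
# ip6tables needs an equivalent policy.
naoty@sakura% sudo service iptables save
naoty@sakura% sudo service iptables restart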
# rvm
# The current CA bundle is copied to the home directory as a backup before
# the system copy is overwritten.
naoty@sakura% cp /etc/pki/tls/certs/ca-bundle.crt .
# NOTE(review): this replaces the trust anchors used by TLS clients on this
# host with a file fetched over plain HTTP, as root. Nothing authenticates the
# download, so anyone on the network path could supply their own CA list.
# Prefer updating the distribution's CA/openssl packages, or verify the file's
# checksum against a value obtained over an authenticated channel first.
naoty@sakura% sudo curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt
# NOTE(review): the installer is taken from the moving `master` branch and
# piped straight into a root shell. It is therefore unpinned and unreviewed,
# and its TLS check depends on the bundle replaced on the previous line. Safer:
# download to a file, pin a tag or commit, read it, then run it.
naoty@sakura% sudo bash -s stable < <(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer )
# Adds the admin user to the `rvm` group (-a keeps existing groups such as
# wheel). The logout/login that follows is presumably there so the new group
# membership takes effect.
naoty@sakura% su -
root@sakura% usermod -a -G rvm naoty
root@sakura% exit
naoty@sakura% exit
naoty@local% ssh sakura
# ruby
# Compiler toolchain and development headers needed to build Ruby from
# source, then the interpreter itself through rvm.
# NOTE(review): 1.9.3 is the version recorded in this 2012 transcript; when
# replaying these steps, install a release that still receives security fixes.
naoty@sakura% sudo yum install -y gcc-c++ patch readline readline-devel zlib zlib-devel libyaml-devel libffi-devel openssl-devel make bzip2 autoconf automake libtool bison
naoty@sakura% rvm install 1.9.3
naoty@sakura% rvm use 1.9.3 --default
# nginx
# Built from source into a versioned prefix, with /usr/local/nginx as a
# symlink to it.
naoty@sakura% sudo yum -y install pcre pcre-devel zlib zlib-devel openssl openssl-devel
naoty@sakura% cd /usr/local/src
# NOTE(review): the tarball arrives over plain HTTP and is never verified,
# yet configure and make then run as root on its contents. Check it against
# the PGP signature published next to it, and build as an unprivileged user;
# only `make install` needs root.
naoty@sakura% sudo wget http://nginx.org/download/nginx-1.0.11.tar.gz
naoty@sakura% sudo tar xzf nginx-1.0.11.tar.gz
naoty@sakura% cd nginx-1.0.11
naoty@sakura% sudo ./configure --prefix=/usr/local/nginx-1.0.11 --with-http_ssl_module --with-http_realip_module
naoty@sakura% sudo make
naoty@sakura% sudo make install
naoty@sakura% cd
naoty@sakura% sudo ln -s /usr/local/nginx-1.0.11 /usr/local/nginx
naoty@sakura% sudo mkdir /usr/local/nginx/conf/sites
# NOTE(review): git:// is unauthenticated and unencrypted. The two clones
# supply the server configuration and an init script that will run as root
# at boot, so clone over https, pin a revision and read both files before
# moving them into place.
naoty@sakura% git clone git://gist.github.com/1723415.git gist-1723415 && sudo mv gist-1723415/nginx.conf /usr/local/nginx/conf/nginx.conf && rm -rf gist-1723415
naoty@sakura% git clone git://gist.github.com/1730882.git gist-1730882 && sudo mv gist-1730882/nginx /etc/init.d/nginx && rm -rf gist-1730882
# NOTE(review): confirm /etc/init.d/nginx ends up owned by root and not
# writable by anyone else; it is registered as a boot service just below.
naoty@sakura% sudo chmod +x /etc/init.d/nginx
naoty@sakura% sudo chkconfig --add nginx
# Opens HTTP only. The SSL module is compiled in, but no rule for 443 is
# added in this transcript.
naoty@sakura% sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
naoty@sakura% sudo service iptables save
naoty@sakura% sudo service iptables restart
naoty@sakura% sudo /usr/local/nginx/sbin/nginx
# git server
# Dedicated `git` account that accepts the same public key as the admin user.
# NOTE(review): useradd is run without -s, so the account keeps the default
# login shell and the key gives a full interactive session. If the account is
# only meant to serve repositories, set its shell to git-shell.
# NOTE(review): SSH password logins are disabled earlier in this transcript,
# so the password set here matters only for su and console logins. Consider
# leaving the account without a usable password.
naoty@sakura% sudo useradd git
naoty@sakura% sudo passwd git
# .ssh is created as root with mode 700, then handed to git. The copied
# authorized_keys is root-owned until the final chown.
naoty@sakura% sudo mkdir -m 700 /home/git/.ssh
naoty@sakura% sudo chown git:git /home/git/.ssh
naoty@sakura% sudo cp .ssh/authorized_keys /home/git/.ssh/
naoty@sakura% sudo chown git:git /home/git/.ssh/authorized_keys
# www
# Web root owned by the admin user, so deploying content needs no sudo.
# NOTE(review): anything running as naoty can then change what is served.
# The nginx worker user (set in an nginx.conf not shown here) should only
# need read access to this tree.
naoty@sakura% sudo mkdir /var/www
naoty@sakura% sudo chown naoty:naoty /var/www