This script sets up a secure, production-ready Docker host on Ubuntu Server 22.04 LTS
#!/bin/bash
# Production Docker Host Setup Script
# This script sets up a secure, production-ready Docker host on Ubuntu Server 22.04 LTS
# It includes security hardening, performance optimizations, and best practices
# CAUTION: This script makes significant system changes. Use at your own risk.
#
# Usage: run once, as root, on a fresh Ubuntu 22.04 host. The script is a flat
# top-to-bottom sequence; the first failing command aborts the run via the
# ERR trap installed below.
set -euo pipefail

# --- AESTHETICS ---
# ANSI colour sequences used by print_message. They are stored as literal
# backslash escapes (single-quoted) and only interpreted when printed.
GREEN='\033[0;32m'   # success
YELLOW='\033[1;33m'  # progress / informational
RED='\033[0;31m'     # errors
NC='\033[0m'         # reset back to the terminal's default colour
# UTF-8 byte sequence of the alien emoji (U+1F47D) that prefixes every message
ALIEN='\xF0\x9F\x91\xBD'
#######################################
# Print one status line to stdout, prefixed with the alien emoji and wrapped
# in a colour sequence.
# Globals:   ALIEN (read), NC (read)
# Arguments: $1 - colour escape sequence, e.g. "${YELLOW}"
#            $2 - message text
# Outputs:   the coloured line on stdout
#######################################
print_message() {
  local colour=$1
  local text=$2
  # %b interprets the backslash escapes held in the colour variables, as
  # `echo -e` would, without echo's option-parsing pitfalls.
  printf '%b\n' "${colour}${ALIEN} ${text}${NC}"
}
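#######################################
# ERR trap handler: report the failure and abort the whole run.
# Globals:   RED (read), BASH_COMMAND (read)
# Outputs:   the coloured summary on stdout; the failing command and its exit
#            status on stderr, so the operator can see which step broke
#            without re-running under `set -x`
# Returns:   never; exits with status 1
#######################################
handle_error() {
  # Capture the status first: any other command would overwrite $?.
  local rc=$?
  print_message "${RED}" "An error occurred. Exiting..."
  # Inside a trap handler BASH_COMMAND still names the command that tripped
  # the trap.
  printf 'failed command (exit %s): %s\n' "${rc}" "${BASH_COMMAND}" >&2
  exit 1
}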
# Abort on the first failing command (see `set -e` above) and report it.
trap 'handle_error' ERR

# Everything below writes under /etc and drives apt/systemctl/ufw, so refuse
# to continue unless running as root.
if (( EUID != 0 )); then
  print_message "${RED}" "This script must be run as root"
  exit 1
fi
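# Fix for PS1 unbound variable: /etc/bash.bashrc is sourced near the end of
# this script while `set -u` is active, and the stock file presumably tests
# $PS1 unguarded, which aborts a non-interactive shell. Prepend a guard that
# returns early when PS1 is unset.
# Done only once so re-runs do not stack guards, and staged through mktemp
# instead of a predictable "temp" file in whatever the current directory is.
bashrc=/etc/bash.bashrc
guard='if [ -z "${PS1-}" ]; then return; fi'
if ! grep -qxF -- "${guard}" "${bashrc}"; then
  tmp_rc=$(mktemp)
  { printf '%s\n' "${guard}"; cat -- "${bashrc}"; } > "${tmp_rc}"
  # mktemp creates 0600; restore the world-readable mode a system rc file needs.
  install -m 0644 -- "${tmp_rc}" "${bashrc}"
  rm -f -- "${tmp_rc}"
fi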
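# Update and upgrade system
print_message "${YELLOW}" "Updating and upgrading system..."
# apt-get must never block on a dpkg/debconf prompt in an unattended run;
# `-y` alone does not suppress conffile or service-restart questions, so the
# script would stall rather than fail without this.
export DEBIAN_FRONTEND=noninteractive
# Two statements rather than `a && b`: `set -e` does not stop on a failing
# left-hand side of &&, so a failed `apt-get update` used to be skipped
# silently and the upgrade ran against stale package lists.
apt-get update -y
apt-get upgrade -y

# Install essential packages
print_message "${YELLOW}" "Installing essential packages..."
# ufw/fail2ban are the host firewall and brute-force protection configured
# below; the rest are prerequisites for the HTTPS downloads and apt sources
# that follow.
apt-get install -y \
  ufw fail2ban curl wget gnupg lsb-release ca-certificates \
  apt-transport-https software-properties-common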
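# Set up firewall
print_message "${YELLOW}" "Configuring firewall..."
# Default-deny inbound, then open only the services this host serves.
# NOTE(review): `allow ssh` opens the port named in /etc/services (22). If
# sshd listens elsewhere, adjust this before `enable` or the session is cut off.
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow http
ufw allow https
# Docker TLS port. Nothing in this script configures dockerd to listen on
# TCP, so the rule is only preparatory; if the API is ever exposed here,
# restrict the source (e.g. `ufw allow from <admin-cidr> to any port 2376 proto tcp`)
# rather than leaving the daemon world-reachable.
ufw allow 2376/tcp
# --force answers the interactive confirmation instead of piping "y" into it.
ufw --force enable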
# Configure fail2ban
print_message "${YELLOW}" "Configuring fail2ban..."
# jail.local is the conventional place for local overrides, so a package
# upgrade of jail.conf does not clobber them. Ban a source for an hour after
# three failed SSH logins seen in auth.log.
cat > /etc/fail2ban/jail.local <<'EOF'
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
EOF
systemctl enable fail2ban
systemctl restart fail2ban
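# Harden SSH configuration
print_message "${YELLOW}" "Hardening SSH configuration..."
# Disable root login and password authentication.
# The previous patterns only rewrote the exact strings "#PermitRootLogin yes"
# and "#PasswordAuthentication yes"; Ubuntu 22.04 ships
# "#PermitRootLogin prohibit-password", and an already-active
# "PermitRootLogin yes" was left untouched, so the hardening could silently
# do nothing. Match the directive commented or not, case-insensitively as
# sshd does, and replace the whole line.
# CAUTION: this script runs as root. Make sure a non-root account with a
# working SSH key exists before this point, or the next login is locked out.
# NOTE(review): 22.04's sshd_config includes /etc/ssh/sshd_config.d/*.conf and
# the first value sshd reads wins, so a drop-in setting PasswordAuthentication
# (common on cloud images) overrides this file — check those drop-ins too.
if [ -f /etc/ssh/sshd_config ]; then
  sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/I' /etc/ssh/sshd_config
  sed -i -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/I' /etc/ssh/sshd_config
  # Validate before restarting: a syntax error would take sshd down and
  # remove remote access entirely.
  sshd -t
  if systemctl is-active --quiet ssh; then
    systemctl restart ssh
  elif systemctl is-active --quiet sshd; then
    systemctl restart sshd
  else
    print_message "${RED}" "SSH service not found. Please check your SSH configuration."
  fi
else
  print_message "${RED}" "SSH configuration file not found. Please check your SSH installation."
fi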
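# Install and configure Docker
print_message "${YELLOW}" "Installing Docker..."
# get.docker.com is Docker's convenience installer: this fetches a script
# from the network and runs it as root with no signature or checksum to pin
# it to, so the host trusts TLS and that endpoint completely. For a stricter
# supply chain, install docker-ce from the apt repository with its GPG key.
# Stage the download in a private temp dir (not the CWD) and remove it
# afterwards so a stale copy cannot be re-run later by mistake.
docker_tmp=$(mktemp -d)
curl -fsSL https://get.docker.com -o "${docker_tmp}/get-docker.sh"
sh "${docker_tmp}/get-docker.sh"
rm -rf -- "${docker_tmp:?}"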
# Configure Docker daemon
print_message "${YELLOW}" "Configuring Docker daemon..."
# Written wholesale: any existing /etc/docker/daemon.json is replaced, not merged.
#   log-opts           cap each container's json-file log at 3 files x 10m
#   icc=false          no inter-container traffic on the default bridge; the
#                      user-defined "private" network created further down is
#                      the intended path for containers that must talk
#   live-restore       keep containers running across a dockerd restart
#   userland-proxy     publish ports without the docker-proxy helper process
#   no-new-privileges  start containers with no_new_privs set by default
mkdir -p /etc/docker
cat > /etc/docker/daemon.json <<'EOF'
{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  },
  "icc": false,
  "live-restore": true,
  "userland-proxy": false,
  "no-new-privileges": true
}
EOF
systemctl enable docker
systemctl restart docker
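# Install Docker Compose
print_message "${YELLOW}" "Installing Docker Compose..."
# NOTE(review): the get.docker.com installer likely already provides the
# `docker compose` plugin; this keeps a standalone /usr/local/bin/docker-compose
# for scripts that expect the old binary name.
# Resolve the latest release tag. `-f` makes a failed API call (rate limit,
# outage) a hard error instead of an empty version, which previously turned
# into a bogus URL and a chmod +x'd HTML error page on PATH.
DOCKER_COMPOSE_VERSION=$(curl -fsSL https://api.github.com/repos/docker/compose/releases/latest | grep 'tag_name' | cut -d\" -f4)
[ -n "${DOCKER_COMPOSE_VERSION}" ] || handle_error
# Release assets use a lowercase OS name ("linux"), while uname -s says "Linux".
compose_asset="docker-compose-$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m)"
compose_base="https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}"
compose_tmp=$(mktemp -d)
curl -fsSL "${compose_base}/${compose_asset}" -o "${compose_tmp}/${compose_asset}"
# Verify the binary against the checksums published with the same release
# before it becomes executable on PATH.
curl -fsSL "${compose_base}/checksums.txt" -o "${compose_tmp}/checksums.txt"
(cd "${compose_tmp}" && sha256sum --ignore-missing -c checksums.txt)
install -m 0755 -- "${compose_tmp}/${compose_asset}" /usr/local/bin/docker-compose
rm -rf -- "${compose_tmp:?}"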
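# Create docker user and group
print_message "${YELLOW}" "Creating docker user and group..."
# The Docker package normally creates the "docker" group itself, so an
# unconditional `adduser --group` can fail on the existing group and abort
# the run via the ERR trap; ensure the group, then add the user only if
# missing, so re-runs are harmless.
# Membership of the docker group is root-equivalent (the socket can mount
# the host filesystem), so treat this account's credentials like root's.
getent group docker >/dev/null || groupadd --system docker
if ! id -u docker >/dev/null 2>&1; then
  adduser --system --ingroup docker --shell /bin/bash docker
fi
usermod -aG docker docker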
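# Set up Docker network
print_message "${YELLOW}" "Setting up Docker network..."
# With icc disabled in daemon.json, containers can only reach each other over
# a user-defined network such as this one. `create` fails if the network
# already exists, which would abort a re-run, so check first.
if ! docker network inspect private >/dev/null 2>&1; then
  docker network create --driver bridge private
fi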
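# Install and configure Nginx
print_message "${YELLOW}" "Installing and configuring Nginx..."
apt-get install -y nginx certbot python3-certbot-nginx

# Set up SSL certificate renewal
print_message "${YELLOW}" "Setting up SSL certificate renewal..."
# Twice-daily renewal attempt with a random delay of up to an hour, so a
# fleet of hosts does not hit the CA at the same instant. The script already
# runs as root, so `sudo` was unnecessary, and the entry is appended only if
# absent so repeated runs do not stack duplicate cron lines.
# NOTE(review): the certbot package ships its own scheduled renewal on
# Ubuntu; this line is probably redundant with it — confirm before relying
# on either.
renew_job="0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q"
grep -qF -- 'certbot renew -q' /etc/crontab || printf '%s\n' "${renew_job}" >> /etc/crontab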
# Install additional useful tools (left commented out by the author)
# print_message "${YELLOW}" "Installing additional tools..."
# apt-get install -y bat btop lsd

# Basic monitoring
print_message "${YELLOW}" "Setting up basic system monitoring..."
# sysstat provides sar/iostat; its collector is a systemd unit that has to be
# enabled and started to sample on a schedule.
apt-get install -y sysstat
systemctl enable --now sysstat
# Enable and configure auditd
print_message "${YELLOW}" "Configuring auditd..."
apt-get install -y auditd audispd-plugins
# `-e 1` switches kernel auditing on for the running system only; it is a
# runtime flag, not a persisted rule. NOTE(review): confirm the shipped rules
# under /etc/audit re-enable it at boot, otherwise add it there.
auditctl -e 1
systemctl enable --now auditd
# Set up log rotation
print_message "${YELLOW}" "Configuring log rotation..."
# Keep a week of daily, compressed container logs. copytruncate is needed
# because dockerd keeps each log file open and would otherwise carry on
# writing to the rotated inode.
# NOTE(review): the json-file max-size/max-file options in daemon.json already
# bound these files, so this is a second, overlapping rotation policy —
# presumably intentional, confirm.
cat > /etc/logrotate.d/docker-logs <<'EOF'
/var/lib/docker/containers/*/*.log {
  rotate 7
  daily
  compress
  missingok
  delaycompress
  copytruncate
}
EOF
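# Harden kernel parameters
print_message "${YELLOW}" "Hardening kernel parameters..."
# Neither send nor accept ICMP redirects (a route-hijack vector on a shared
# L2 segment) and ignore malformed ICMP error responses.
# Written with `>` to a dedicated sysctl.d drop-in (file name chosen by this
# script) instead of appended to /etc/sysctl.conf, so re-running does not
# accumulate duplicate lines; `--system` loads every drop-in plus sysctl.conf,
# where `-p` only reads sysctl.conf.
cat > /etc/sysctl.d/99-docker-host-hardening.conf <<'EOF'
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
EOF
sysctl --system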
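# Set up automatic security updates
print_message "${YELLOW}" "Setting up automatic security updates..."
apt-get install -y unattended-upgrades
# Restrict unattended upgrades to the security pocket. The quoted heredoc
# keeps ${distro_id}/${distro_codename} literal: apt expands them, not the
# shell. This replaces the distro-shipped 50unattended-upgrades wholesale,
# dropping its other origins (e.g. ESM) and option defaults.
cat > /etc/apt/apt.conf.d/50unattended-upgrades <<'EOF'
Unattended-Upgrade::Allowed-Origins {
  "${distro_id}:${distro_codename}-security";
};
EOF
# Allowed-Origins alone does nothing unless the periodic run is switched on;
# 20auto-upgrades is the file `dpkg-reconfigure unattended-upgrades` writes,
# and cloud images do not always ship it enabled.
cat > /etc/apt/apt.conf.d/20auto-upgrades <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF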
# Set up aliases (left commented out by the author; bat/btop/lsd are not
# installed above either)
# print_message "${YELLOW}" "Setting up aliases..."
# cat <<EOF >> /etc/bash.bashrc
# Aliases
# alias ls='lsd -lah'
# alias cat='batcat'
# alias top='btop'
# EOF

# Apply aliases to current session. With the alias block disabled this has no
# visible effect; in this non-interactive shell PS1 is presumably unset, so the
# guard prepended to bash.bashrc earlier returns immediately.
. /etc/bash.bashrc
# Clean up
print_message "${YELLOW}" "Cleaning up..."
# Drop packages that were pulled in only as dependencies, then the cached .debs.
apt-get autoremove -y
apt-get clean

# Final message
print_message "${GREEN}" "Setup complete! Please reboot the system to apply all changes."
print_message "${YELLOW}" "Note: Some changes may require a logout/login to take effect."