@shanduur
Last active December 20, 2021 14:57
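#!/usr/bin/env bash
# Bootstrap for a fresh Ubuntu host: run once as the stock "ubuntu" account
# (creates NEW_USER), then again as NEW_USER (installs everything and removes
# the stock account).
#
# default username / password combination on a fresh image is:
# ubuntu:ubuntu
#
# Environment:
#   NEW_USER         account to create and provision (default: sat)
#   LIVEPATCH_TOKEN  Ubuntu Advantage token consumed by enable_livepatch
export DEFAULT_USER="ubuntu"
echo "default user: ${DEFAULT_USER}"

# Declaration and command substitution are split so whoami's exit status is
# not masked by export.
CURRENT_USER=$(whoami)
export CURRENT_USER
echo "current user: ${CURRENT_USER}"

# Configuration
export NEW_USER="${NEW_USER:-sat}"
export LIVEPATCH_TOKEN="${LIVEPATCH_TOKEN}"
echo "new user: ${NEW_USER}"
# The token is a credential: report only whether it is present, never its
# value, since stdout ends up in scrollback, logs and pasted transcripts.
if [[ -n "${LIVEPATCH_TOKEN}" ]]; then
  echo "livepatch token: set"
else
  echo "livepatch token: not set"
fi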
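#######################################
# Create NEW_USER (interactive adduser) and grant it sudo group membership.
# Globals:   NEW_USER (read)
# Arguments: none
# Outputs:   diagnostics to stdout
# Returns:   exits 1 if NEW_USER already exists; otherwise usermod's status
#######################################
function create_new_user {
  # Test the account we are about to create. The redirection is "2>&1";
  # "2&>1" would pass "2" as a lookup key and write output to a file named 1.
  if getent passwd "${NEW_USER}" > /dev/null 2>&1; then
    echo "the user already exists"
    exit 1
  fi
  sudo adduser "${NEW_USER}"
  # sudo membership makes NEW_USER root-equivalent; that is the intent here.
  sudo usermod -aG sudo "${NEW_USER}"
}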
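#######################################
# Remove the stock DEFAULT_USER account (with its home directory) if present.
# Globals:   DEFAULT_USER (read)
# Arguments: none
# Outputs:   a notice on stdout when the account is already gone
# Returns:   0 when nothing to do; otherwise userdel's status
#######################################
function delete_default_user {
  # getent succeeds when the account exists; the original branch was
  # inverted (it reported "does not exist" on success).
  if ! getent passwd "${DEFAULT_USER}" > /dev/null 2>&1; then
    echo "the user ${DEFAULT_USER} does not exist"
    return 0
  fi
  # userdel needs root like every other administrative step in this file;
  # -r also removes the home directory and mail spool.
  sudo userdel -r "${DEFAULT_USER}"
}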
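#######################################
# Upgrade the system and install the base tool set, then the "g" Go version
# manager.
# Globals:   none
# Arguments: none
# Returns:   status of the last command (the installer pipeline)
#######################################
function update_tools {
  # install necessary components
  # "head" is part of coreutils, not an apt package; listing it made the
  # whole chained apt-get call fail with "Unable to locate package head".
  sudo apt-get update && \
    sudo apt-get dist-upgrade -y && \
    sudo apt-get install -y \
      ca-certificates \
      curl \
      gnupg \
      git \
      jq \
      lsb-release \
      make \
      neovim
  # install g go version manager
  # -f makes curl fail on an HTTP error instead of piping an error page into
  # sh. The script itself is still fetched and executed unverified; inspect
  # or pin it before relying on it on a host that matters.
  curl -fsSL https://git.io/g-install | sh -s
}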
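#######################################
# Add the azlux repository and install log2ram.
# Globals:   none
# Arguments: none
# Returns:   status of apt-get install
#######################################
function install_log2ram {
  # Keep the repository key in its own keyring bound to this source via
  # signed-by (same pattern as install_docker). apt-key add puts the key in
  # the global trust store, where it could vouch for any repository.
  # The keyring path is chosen here; it is not an upstream-mandated name.
  wget -qO - https://azlux.fr/repo.gpg.key \
    | sudo gpg --dearmor -o /usr/share/keyrings/azlux-archive-keyring.gpg
  echo "deb [signed-by=/usr/share/keyrings/azlux-archive-keyring.gpg] http://packages.azlux.fr/debian/ bullseye main" \
    | sudo tee /etc/apt/sources.list.d/azlux.list > /dev/null
  # apt-get with -y, as in the other install steps, so the script does not
  # block on a confirmation prompt here.
  sudo apt-get update
  sudo apt-get install -y log2ram
}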
#######################################
# Install the Argon fan HAT driver with the vendor's installer script.
# The script is downloaded and executed unverified by the current user;
# -f stops curl from feeding an HTTP error page to bash.
# Returns:   status of bash running the installer
#######################################
function install_argon_hat_driver {
  local installer_url="https://download.argon40.com/argonfanhat.sh"
  curl -fsSL "${installer_url}" | bash
}
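#######################################
# Add the Tailscale apt repository, install tailscale and bring it up.
# Globals:   none
# Arguments: none
# Returns:   status of "tailscale up"
#######################################
function install_tailscale {
  # add tailscale repo
  # The upstream focal.list references
  # signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg, so the key is
  # dearmored to that path instead of the global apt-key trust store (check the
  # downloaded list file if the keyring path ever changes).
  curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.gpg \
    | sudo gpg --dearmor -o /usr/share/keyrings/tailscale-archive-keyring.gpg
  curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.list \
    | sudo tee /etc/apt/sources.list.d/tailscale.list > /dev/null
  # install necessary components
  sudo apt-get update && sudo apt-get install -y \
    tailscale
  # start tailscale
  sudo tailscale up
}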
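#######################################
# Install Docker Engine from Docker's apt repository, the compose v2 CLI
# plugin and the Loki log driver plugin.
# Globals:   USER (read) – added to the docker group
# Arguments: none
# Outputs:   diagnostics to stderr on failure
# Returns:   1 if the compose release tag cannot be determined; otherwise
#            the status of the plugin install
#######################################
function install_docker {
  # add docker repo
  curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
    | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
  local arch codename
  arch=$(dpkg --print-architecture)
  codename=$(lsb_release -cs)
  echo "deb [arch=${arch} signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu ${codename} stable" \
    | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
  # install necessary components
  sudo apt-get update && sudo apt-get install -y \
    docker-ce \
    docker-ce-cli \
    containerd.io
  # add docker group (-f: succeed if the package already created it).
  # Membership grants root-equivalent access through the daemon socket.
  sudo groupadd -f docker
  sudo usermod -aG docker "${USER}"
  # configure docker api
  # Left disabled on purpose: binding the daemon to tcp://0.0.0.0 without TLS
  # exposes an unauthenticated, root-equivalent API to the network.
  # sudo sed -i 's|ExecStart=/usr/bin/docker daemon -H fd://|ExecStart=/usr/bin/docker daemon -H fd:// -H tcp://0.0.0.0:|g' \
  # /lib/systemd/system/docker.service
  # sudo systemctl daemon-reload
  # sudo systemctl restart docker.service
  # enable docker service
  sudo systemctl enable docker.service
  sudo systemctl enable containerd.service
  # install docker compose v2 plugin
  sudo mkdir -p /usr/local/lib/docker/cli-plugins
  # Ask for the release marked "latest" rather than the first entry of /tags,
  # whose order is not a version order. (The old "curl -s GET <url>" also
  # treated the bare word GET as a second URL to fetch.)
  local latest
  latest=$(curl -fsSL https://api.github.com/repos/docker/compose/releases/latest | jq -r '.tag_name')
  if [[ -z "${latest}" || "${latest}" == "null" ]]; then
    echo "could not determine the latest docker compose release" >&2
    return 1
  fi
  # Release assets are named after "uname -m" (x86_64, aarch64), so the
  # architecture is no longer hard-coded to aarch64.
  sudo curl -fsSL "https://github.com/docker/compose/releases/download/${latest}/docker-compose-linux-$(uname -m)" \
    -o /usr/local/lib/docker/cli-plugins/docker-compose
  # 0755 rather than "+775": the root-owned plugin only needs to be
  # executable; group-write is not wanted on a file docker executes.
  sudo chmod 755 /usr/local/lib/docker/cli-plugins/docker-compose
  # install loki plugin
  # this is a super outdated version, might not work correctly or be prone to issues
  # --grant-all-permissions skips the interactive privilege review; the tag is
  # arm-64 specific, so this step is only meaningful on that architecture.
  sudo docker plugin install grafana/loki-docker-driver:arm-64 --alias loki --grant-all-permissions
}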
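#######################################
# Install fail2ban, enable it and write a jail.local with an sshd jail.
# Globals:   none
# Arguments: none
# Outputs:   the written jail.local is echoed by tee
# Returns:   status of the service restart
#######################################
function install_fail2ban {
  # Fail2ban reads the configuration files in the following order.
  # Each .local file overrides the settings from the .conf file:
  # - /etc/fail2ban/jail.conf
  # - /etc/fail2ban/jail.d/*.conf
  # - /etc/fail2ban/jail.local
  # - /etc/fail2ban/jail.d/*.local
  # install fail2ban
  sudo apt-get update && sudo apt-get install -y \
    fail2ban
  # enable fail2ban service
  sudo systemctl enable fail2ban.service
  # we are modifying /etc/fail2ban/jail.local only
  # (quoted heredoc delimiter: nothing inside is expanded by the shell)
  # NOTE(review): findtime has no unit suffix, so "5" is five seconds; confirm
  # that is the intended window for counting maxretry failures.
  sudo tee /etc/fail2ban/jail.local <<'EOF'
[DEFAULT]
bantime = 1h
maxretry = 3
findtime = 5
[sshd]
enabled = true
EOF
  # The package starts the service during install, before jail.local exists;
  # restart so the sshd jail is actually loaded instead of waiting for reboot.
  sudo systemctl restart fail2ban.service
}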
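#######################################
# Attach the machine to Ubuntu Advantage and enable the Livepatch service.
# Globals:   LIVEPATCH_TOKEN (read)
# Arguments: none
# Outputs:   a notice on stderr when the token is missing
# Returns:   1 without calling ua when LIVEPATCH_TOKEN is empty; otherwise
#            the status of "ua enable livepatch"
#######################################
function enable_livepatch {
  # An empty token would previously have run "ua attach" with no argument.
  if [[ -z "${LIVEPATCH_TOKEN}" ]]; then
    echo "LIVEPATCH_TOKEN is not set; skipping livepatch" >&2
    return 1
  fi
  # NOTE: the token travels on the command line, so it is visible to other
  # local users in the process list for the duration of the call.
  sudo ua attach "${LIVEPATCH_TOKEN}"
  sudo ua enable livepatch
}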
#######################################
# Install unattended-upgrades and write the full policy to
# /etc/apt/apt.conf.d/50unattended-upgrades, overwriting the packaged file.
# The ${distro_id}/${distro_codename} placeholders are expanded by apt, not
# by the shell — that is why the heredoc delimiter is quoted.
# Policy highlights: docker/containerd packages are never auto-upgraded, and
# automatic reboot is enabled at 03:00 even when users are logged in.
# Globals:   none
# Arguments: none
# Outputs:   the written configuration is echoed by tee
#######################################
function enable_automatic_updates {
  sudo apt-get update && sudo apt-get install -y \
    unattended-upgrades \
    update-notifier-common
  # enable in systemd
  sudo systemctl enable unattended-upgrades
  # configure (the empty line before EOF keeps the trailing newline that the
  # previous echo-based version emitted)
  sudo tee /etc/apt/apt.conf.d/50unattended-upgrades <<'EOF'
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
};
Unattended-Upgrade::Package-Blacklist {
"docker-*";
"containerd*";
};
Unattended-Upgrade::DevRelease "auto";
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::InstallOnShutdown "false";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";
Unattended-Upgrade::Allow-downgrade "false";

EOF
}
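#######################################
# Harden sshd_config: no root login, no challenge-response auth, no PAM.
# Password logins are intentionally left as they are (see below).
# Arguments: $1 - path of the sshd config to edit (default /etc/ssh/sshd_config)
# Outputs:   none; the new settings apply on the next sshd restart
# Returns:   status of the last sed
#######################################
function configure_ssh {
  local cfg=${1:-/etc/ssh/sshd_config}
  # Match the directive whether it is active or a commented-out default
  # ("#PermitRootLogin prohibit-password" is how the stock file ships it) and
  # replace the whole line, so the result is always an active directive.
  # The previous value-for-value substitutions left a commented default
  # commented, i.e. they changed nothing on a stock file.
  sudo sed -i -E 's|^#?PermitRootLogin .*|PermitRootLogin no|' "${cfg}"
  # Password logins are deliberately not touched here: turning them off before
  # an authorized key exists for NEW_USER locks you out of the box. Once key
  # login is verified, enable the line below.
  # sudo sed -i -E 's|^#?PasswordAuthentication .*|PasswordAuthentication no|' "${cfg}"
  sudo sed -i -E 's|^#?ChallengeResponseAuthentication .*|ChallengeResponseAuthentication no|' "${cfg}"
  # NOTE(review): Ubuntu's sshd is built with PAM; "UsePAM no" bypasses the
  # PAM account and session modules entirely — confirm this is intended.
  sudo sed -i -E 's|^#?UsePAM .*|UsePAM no|' "${cfg}"
}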
#######################################
# Entry point. Which stage runs depends on who is logged in:
#   - the stock account: create NEW_USER and stop,
#   - root: refuse,
#   - anyone else (expected: NEW_USER): run every provisioning step, pausing
#     for Enter before each, and finally remove the stock account.
# Globals: CURRENT_USER, DEFAULT_USER, NEW_USER (read)
#######################################

# Print a step banner, wait for Enter, then run the given command.
function run_step {
  local banner=$1
  shift
  echo "${banner}"
  read -p "Press enter to continue..."
  "$@"
}

[[ "$(uname -s)" == "Linux" ]] || { echo "OS not supported"; exit 1; }

case "${CURRENT_USER}" in
  "${DEFAULT_USER}")
    run_step "Creating new user" create_new_user
    echo "logoff from ${DEFAULT_USER} and login as ${NEW_USER}"
    ;;
  root)
    echo "logoff from root and login as ${NEW_USER} or ${DEFAULT_USER}"
    exit 1
    ;;
  *)
    run_step "Configuring SSH" configure_ssh
    run_step "Updating and installing tools" update_tools
    run_step "Installing Argon HAT driver" install_argon_hat_driver
    run_step "Installing log2ram" install_log2ram
    run_step "Installing Docker" install_docker
    run_step "Installing Tailscale" install_tailscale
    run_step "Installing fail2ban" install_fail2ban
    run_step "Enabling livepatch" enable_livepatch
    run_step "Enabling automatic updates" enable_automatic_updates
    run_step "Delete default user" delete_default_user
    ;;
esac