tlongren/README.md

## README.md

      
    Raw
  

              README.md
            
          
    Server initial setup script

Configuration

This script was made for personal purposes, but it can still be useful to many. You NEED to change variables inside the script, like the SSH public key.
Usage

On a new Ubuntu server, run the following command:
wget "https://gist.githubusercontent.com/simonesestito/a15d11ca544e04865118b86834624084/raw/server_setup.sh"
chmod +x server_setup.sh
./server_setup.sh

Note Do not pipe curl output directly to bash (curl ... | bash) since if it needs to re-run the script as a different user, it wouldn't be able to.
Steps performed


Upgrade system packages
Install basic and useful packages
Creates a non-root user if running as root
Set SSH authentication via public key only
Install Docker and Docker Compose
Add current user to the docker group
Install Nginx server
Disable Nginx default_server
Create a basic Nginx configuration to later use Nginx as reverse proxy
Install ufw firewall tool
Create a 2GB swap file
Update vim settings to use spaces instead of tabs
Clean the server_setup.sh script itself
Reboot the system

See also

Do you need a minimal piece of software to manage all your Docker Compose projects? Check out docker-projects-manager

  
## server_setup.sh
#!/bin/bash
set -e

SCRIPT_PATH="$(realpath "$0")"

# -------------     CONFIGURATION     -------------
LOGIN_USER_NAME=tyler
PUBLIC_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDkyDCzLELjv40vZSD0Hkj2bsQi0wR6WUs/xIG347cbPIMWbwCExeBgXpKyo9jQcd6zcr4dHCVdCgSR3gDkrKP3i0iKWp3cuvpkekGnxfkBax1+h2AqxCe4JqvEiwnCpHUmBxUyiExGJM87QKPpGrrVJ3T9bqm476SE5q1dAEqCOnLLMm8DbCqKyE81U+l3FK01LdmFl0xCysKx1K0w0wTGknrwBsouRLnQwJpD6/beC5VKXpsQ8V6F55WlxM7SZv3VQMl7wcQ2lnaOMYxMSFRcic/tJb7o1KbiG6ERtYWpNvZaV8jJgLiCTCbBAgZNjRiYXt+CxCYvVs0RGAyZd3th tlongren@gmail.com"
SSH_KEYS_FILE=".ssh/authorized_keys"
SSHD_FILE="/etc/ssh/sshd_config"
SWAP_FILE="/swapfile"
function main {
    # Choose which steps to execute
    trap 'echo; echo "> $BASH_COMMAND"' DEBUG
    upgrade_packages
    install_basic_packages
    create_standard_user
    ssh_public_key_auth
    install_docker
    install_docker_compose
    #install_nginx
    #disable_nginx_default_site
    #add_nginx_proxy_snippet
    install_ufw
    create_swap
    #update_vim_settings
    cleanup
    trap - DEBUG
}
# -------------     END OF CONFIGURATION     -------------

function upgrade_packages {
    sudo apt-get update -y
    sudo apt-get upgrade -y
}

function install_basic_packages {
    sudo apt-get update -y
    sudo apt-get install curl grep wget gpg sed git vim zsh -y
}

function create_standard_user {
    # Check if I'm root
    if [[ "$UID" == "0" ]]; then
        # Running as root
        adduser $LOGIN_USER_NAME \
            --shell /bin/zsh \
            --disabled-password \
            --gecos ""
        usermod -aG sudo $LOGIN_USER_NAME

        if ! grep -R -E "^$LOGIN_USER_NAME (.*) NOPASSWD" /etc/sudoers* >/dev/null 2>&1; then
            echo "$LOGIN_USER_NAME ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers.d/$LOGIN_USER_NAME
        fi

        # Re-run as the new user
        mv "$SCRIPT_PATH" "/home/$LOGIN_USER_NAME/server_setup.sh"
        SCRIPT_PATH="/home/$LOGIN_USER_NAME/server_setup.sh"
        chown "$LOGIN_USER_NAME:$LOGIN_USER_NAME" "$SCRIPT_PATH"
        chmod +x "$SCRIPT_PATH"
        su -l $LOGIN_USER_NAME -c "$SCRIPT_PATH"
        exit
    fi
}

function ssh_public_key_auth {
    # Set SSH auth only via publickey
    if ! grep "$PUBLIC_KEY" "$HOME/$SSH_KEYS_FILE" >/dev/null 2>&1; then
        if [ ! -f $HOME/$SSH_KEYS_FILE ]; then
            mkdir -p $(dirname $HOME/$SSH_KEYS_FILE)
        fi
        echo "$PUBLIC_KEY" >>$HOME/$SSH_KEYS_FILE
    fi
    # Remove settings that we're going to change in a moment
    sudo sed -i '/^ChallengeResponseAuthentication /d' $SSHD_FILE
    sudo sed -i '/^PasswordAuthentication /d' $SSHD_FILE
    sudo sed -i '/^PermitRootLogin /d' $SSHD_FILE
    sudo sed -i '/^PubkeyAuthentication /d' $SSHD_FILE
    sudo sed -i '/^AuthorizedKeysFile /d' $SSHD_FILE
    # Set new settings
    sudo bash -c "echo ChallengeResponseAuthentication no >> $SSHD_FILE"
    sudo bash -c "echo PasswordAuthentication no >> $SSHD_FILE"
    sudo bash -c "echo PermitRootLogin no >> $SSHD_FILE"
    sudo bash -c "echo PubkeyAuthentication yes >> $SSHD_FILE"
    sudo bash -c "echo PasswordAuthentication no >> $SSHD_FILE"
    # Apply new settings
    sudo systemctl restart sshd
}

function install_docker {
    sudo apt-get install -y \
        ca-certificates \
        curl \
        gnupg \
        lsb-release
    sudo rm -f /usr/share/keyrings/docker-archive-keyring.gpg
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg |
        sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
    echo \
        "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list >/dev/null
    sudo apt-get update
    sudo apt-get install -y \
        docker-ce \
        docker-ce-cli \
        containerd.io
    sudo usermod -aG docker $USER
    sudo docker run hello-world
    sudo systemctl enable docker.service
    sudo systemctl enable containerd.service
}

function install_docker_compose {
    DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}
    mkdir -p $DOCKER_CONFIG/cli-plugins
    rm -f $DOCKER_CONFIG/cli-plugins/docker-compose
    curl -SL https://github.com/docker/compose/releases/download/v2.2.3/docker-compose-linux-x86_64 -o $DOCKER_CONFIG/cli-plugins/docker-compose
    chmod +x $DOCKER_CONFIG/cli-plugins/docker-compose
    docker compose version
}

function install_nginx {
    sudo apt-get update
    sudo apt-get install nginx -y
    sudo systemctl start nginx
    sudo systemctl enable nginx
    curl -4 icanhazip.com
}

function disable_nginx_default_site {
    sudo bash -c 'cat << EOF > /etc/nginx/sites-available/default
server {
    listen 80 default_server;
    server_name _;
    location / {
        deny all;
    }
}
EOF'

    # Apply nginx configuration
    sudo nginx -t
    sudo systemctl restart nginx
}

function add_nginx_proxy_snippet {
    # Add basic nginx proxy config snippet
    sudo bash -c 'cat << EOF > /etc/nginx/proxy-config-snippet.conf
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_buffering off;
proxy_request_buffering off;
proxy_http_version 1.1;
proxy_intercept_errors on;
EOF'

    # Apply nginx configuration
    sudo nginx -t
    sudo systemctl restart nginx
}

function install_ufw {
    # Install ufw firewall
    sudo apt install ufw -y
    sudo ufw default deny incoming
    sudo ufw allow OpenSSH
    sudo ufw allow "Nginx Full"
    yes | sudo ufw enable
    sudo ufw status verbose
}

function create_swap {
    # Create 2GB swap file
    if [ ! -f $SWAP_FILE ]; then
        sudo fallocate -l 2G "$SWAP_FILE"
        sudo chmod 600 "$SWAP_FILE"
        sudo mkswap "$SWAP_FILE"
        sudo swapon "$SWAP_FILE"
        if ! grep swap /etc/fstab >/dev/null 2>&1; then
            sudo bash -c "echo $SWAP_FILE swap swap defaults 0 0 >> /etc/fstab"
        fi
    fi
    sudo swapon --show
    sudo free -h
}

function update_vim_settings {
    # Change vim settings
    cat <<EOF >$HOME/.vimrc
filetype plugin indent on
set tabstop=4
set shiftwidth=4
set expandtab
EOF
}

function cleanup {
    # Clean script
    sudo rm -f "$SCRIPT_PATH"
}

# Run actual script
main
	#!/bin/bash
	set -e

	SCRIPT_PATH="$(realpath "$0")"

	# ------------- CONFIGURATION -------------
	LOGIN_USER_NAME=tyler
	PUBLIC_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDkyDCzLELjv40vZSD0Hkj2bsQi0wR6WUs/xIG347cbPIMWbwCExeBgXpKyo9jQcd6zcr4dHCVdCgSR3gDkrKP3i0iKWp3cuvpkekGnxfkBax1+h2AqxCe4JqvEiwnCpHUmBxUyiExGJM87QKPpGrrVJ3T9bqm476SE5q1dAEqCOnLLMm8DbCqKyE81U+l3FK01LdmFl0xCysKx1K0w0wTGknrwBsouRLnQwJpD6/beC5VKXpsQ8V6F55WlxM7SZv3VQMl7wcQ2lnaOMYxMSFRcic/tJb7o1KbiG6ERtYWpNvZaV8jJgLiCTCbBAgZNjRiYXt+CxCYvVs0RGAyZd3th tlongren@gmail.com"
	SSH_KEYS_FILE=".ssh/authorized_keys"
	SSHD_FILE="/etc/ssh/sshd_config"
	SWAP_FILE="/swapfile"
	function main {
	# Choose which steps to execute
	trap 'echo; echo "> $BASH_COMMAND"' DEBUG
	upgrade_packages
	install_basic_packages
	create_standard_user
	ssh_public_key_auth
	install_docker
	install_docker_compose
	#install_nginx
	#disable_nginx_default_site
	#add_nginx_proxy_snippet
	install_ufw
	create_swap
	#update_vim_settings
	cleanup
	trap - DEBUG
	}
	# ------------- END OF CONFIGURATION -------------

	function upgrade_packages {
	sudo apt-get update -y
	sudo apt-get upgrade -y
	}

	function install_basic_packages {
	sudo apt-get update -y
	sudo apt-get install curl grep wget gpg sed git vim zsh -y
	}

	function create_standard_user {
	# Check if I'm root
	if [[ "$UID" == "0" ]]; then
	# Running as root
	adduser $LOGIN_USER_NAME \
	--shell /bin/zsh \
	--disabled-password \
	--gecos ""
	usermod -aG sudo $LOGIN_USER_NAME

	if ! grep -R -E "^$LOGIN_USER_NAME (.) NOPASSWD" /etc/sudoers >/dev/null 2>&1; then
	echo "$LOGIN_USER_NAME ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers.d/$LOGIN_USER_NAME
	fi

	# Re-run as the new user
	mv "$SCRIPT_PATH" "/home/$LOGIN_USER_NAME/server_setup.sh"
	SCRIPT_PATH="/home/$LOGIN_USER_NAME/server_setup.sh"
	chown "$LOGIN_USER_NAME:$LOGIN_USER_NAME" "$SCRIPT_PATH"
	chmod +x "$SCRIPT_PATH"
	su -l $LOGIN_USER_NAME -c "$SCRIPT_PATH"
	exit
	fi
	}

	function ssh_public_key_auth {
	# Set SSH auth only via publickey
	if ! grep "$PUBLIC_KEY" "$HOME/$SSH_KEYS_FILE" >/dev/null 2>&1; then
	if [ ! -f $HOME/$SSH_KEYS_FILE ]; then
	mkdir -p $(dirname $HOME/$SSH_KEYS_FILE)
	fi
	echo "$PUBLIC_KEY" >>$HOME/$SSH_KEYS_FILE
	fi
	# Remove settings that we're going to change in a moment
	sudo sed -i '/^ChallengeResponseAuthentication /d' $SSHD_FILE
	sudo sed -i '/^PasswordAuthentication /d' $SSHD_FILE
	sudo sed -i '/^PermitRootLogin /d' $SSHD_FILE
	sudo sed -i '/^PubkeyAuthentication /d' $SSHD_FILE
	sudo sed -i '/^AuthorizedKeysFile /d' $SSHD_FILE
	# Set new settings
	sudo bash -c "echo ChallengeResponseAuthentication no >> $SSHD_FILE"
	sudo bash -c "echo PasswordAuthentication no >> $SSHD_FILE"
	sudo bash -c "echo PermitRootLogin no >> $SSHD_FILE"
	sudo bash -c "echo PubkeyAuthentication yes >> $SSHD_FILE"
	sudo bash -c "echo PasswordAuthentication no >> $SSHD_FILE"
	# Apply new settings
	sudo systemctl restart sshd
	}

	function install_docker {
	sudo apt-get install -y \
	ca-certificates \
	curl \
	gnupg \
	lsb-release
	sudo rm -f /usr/share/keyrings/docker-archive-keyring.gpg
	curl -fsSL https://download.docker.com/linux/ubuntu/gpg \|
	sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
	echo \
	"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
	$(lsb_release -cs) stable" \| sudo tee /etc/apt/sources.list.d/docker.list >/dev/null
	sudo apt-get update
	sudo apt-get install -y \
	docker-ce \
	docker-ce-cli \
	containerd.io
	sudo usermod -aG docker $USER
	sudo docker run hello-world
	sudo systemctl enable docker.service
	sudo systemctl enable containerd.service
	}

	function install_docker_compose {
	DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}
	mkdir -p $DOCKER_CONFIG/cli-plugins
	rm -f $DOCKER_CONFIG/cli-plugins/docker-compose
	curl -SL https://github.com/docker/compose/releases/download/v2.2.3/docker-compose-linux-x86_64 -o $DOCKER_CONFIG/cli-plugins/docker-compose
	chmod +x $DOCKER_CONFIG/cli-plugins/docker-compose
	docker compose version
	}

	function install_nginx {
	sudo apt-get update
	sudo apt-get install nginx -y
	sudo systemctl start nginx
	sudo systemctl enable nginx
	curl -4 icanhazip.com
	}

	function disable_nginx_default_site {
	sudo bash -c 'cat << EOF > /etc/nginx/sites-available/default
	server {
	listen 80 default_server;
	server_name _;
	location / {
	deny all;
	}
	}
	EOF'

	# Apply nginx configuration
	sudo nginx -t
	sudo systemctl restart nginx
	}

	function add_nginx_proxy_snippet {
	# Add basic nginx proxy config snippet
	sudo bash -c 'cat << EOF > /etc/nginx/proxy-config-snippet.conf
	proxy_set_header Host \$host;
	proxy_set_header X-Real-IP \$remote_addr;
	proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto \$scheme;
	proxy_buffering off;
	proxy_request_buffering off;
	proxy_http_version 1.1;
	proxy_intercept_errors on;
	EOF'

	# Apply nginx configuration
	sudo nginx -t
	sudo systemctl restart nginx
	}

	function install_ufw {
	# Install ufw firewall
	sudo apt install ufw -y
	sudo ufw default deny incoming
	sudo ufw allow OpenSSH
	sudo ufw allow "Nginx Full"
	yes \| sudo ufw enable
	sudo ufw status verbose
	}

	function create_swap {
	# Create 2GB swap file
	if [ ! -f $SWAP_FILE ]; then
	sudo fallocate -l 2G "$SWAP_FILE"
	sudo chmod 600 "$SWAP_FILE"
	sudo mkswap "$SWAP_FILE"
	sudo swapon "$SWAP_FILE"
	if ! grep swap /etc/fstab >/dev/null 2>&1; then
	sudo bash -c "echo $SWAP_FILE swap swap defaults 0 0 >> /etc/fstab"
	fi
	fi
	sudo swapon --show
	sudo free -h
	}

	function update_vim_settings {
	# Change vim settings
	cat <<EOF >$HOME/.vimrc
	filetype plugin indent on
	set tabstop=4
	set shiftwidth=4
	set expandtab
	EOF
	}

	function cleanup {
	# Clean script
	sudo rm -f "$SCRIPT_PATH"
	}

	# Run actual script
	main