Skip to content

Instantly share code, notes, and snippets.

@tlongren
Forked from simonesestito/README.md
Last active November 15, 2022 02:48
Show Gist options
  • Save tlongren/60b7470e50c5057abea3118a50f90a0a to your computer and use it in GitHub Desktop.
Save tlongren/60b7470e50c5057abea3118a50f90a0a to your computer and use it in GitHub Desktop.
Server setup script

Server initial setup script

Configuration

This script was made for personal purposes, but it can still be useful to many. You NEED to change variables inside the script, like the SSH public key.

Usage

On a new Ubuntu server, run the following command:

wget "https://gist.githubusercontent.com/simonesestito/a15d11ca544e04865118b86834624084/raw/server_setup.sh"
chmod +x server_setup.sh
./server_setup.sh

Note Do not pipe curl output directly to bash (curl ... | bash) since if it needs to re-run the script as a different user, it wouldn't be able to.

Steps performed

  • Upgrade system packages
  • Install basic and useful packages
  • Creates a non-root user if running as root
  • Set SSH authentication via public key only
  • Install Docker and Docker Compose
  • Add current user to the docker group
  • Install Nginx server
  • Disable Nginx default_server
  • Create a basic Nginx configuration to later use Nginx as reverse proxy
  • Install ufw firewall tool
  • Create a 2GB swap file
  • Update vim settings to use spaces instead of tabs
  • Clean the server_setup.sh script itself
  • Reboot the system

See also

Do you need a minimal piece of software to manage all your Docker Compose projects? Check out docker-projects-manager

#!/bin/bash
set -e
SCRIPT_PATH="$(realpath "$0")"
# ------------- CONFIGURATION -------------
LOGIN_USER_NAME=tyler
PUBLIC_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDkyDCzLELjv40vZSD0Hkj2bsQi0wR6WUs/xIG347cbPIMWbwCExeBgXpKyo9jQcd6zcr4dHCVdCgSR3gDkrKP3i0iKWp3cuvpkekGnxfkBax1+h2AqxCe4JqvEiwnCpHUmBxUyiExGJM87QKPpGrrVJ3T9bqm476SE5q1dAEqCOnLLMm8DbCqKyE81U+l3FK01LdmFl0xCysKx1K0w0wTGknrwBsouRLnQwJpD6/beC5VKXpsQ8V6F55WlxM7SZv3VQMl7wcQ2lnaOMYxMSFRcic/tJb7o1KbiG6ERtYWpNvZaV8jJgLiCTCbBAgZNjRiYXt+CxCYvVs0RGAyZd3th tlongren@gmail.com"
SSH_KEYS_FILE=".ssh/authorized_keys"
SSHD_FILE="/etc/ssh/sshd_config"
SWAP_FILE="/swapfile"
function main {
# Choose which steps to execute
trap 'echo; echo "> $BASH_COMMAND"' DEBUG
upgrade_packages
install_basic_packages
create_standard_user
ssh_public_key_auth
install_docker
install_docker_compose
#install_nginx
#disable_nginx_default_site
#add_nginx_proxy_snippet
install_ufw
create_swap
#update_vim_settings
cleanup
trap - DEBUG
}
# ------------- END OF CONFIGURATION -------------
function upgrade_packages {
sudo apt-get update -y
sudo apt-get upgrade -y
}
function install_basic_packages {
sudo apt-get update -y
sudo apt-get install curl grep wget gpg sed git vim zsh -y
}
function create_standard_user {
# Check if I'm root
if [[ "$UID" == "0" ]]; then
# Running as root
adduser $LOGIN_USER_NAME \
--shell /bin/zsh \
--disabled-password \
--gecos ""
usermod -aG sudo $LOGIN_USER_NAME
if ! grep -R -E "^$LOGIN_USER_NAME (.*) NOPASSWD" /etc/sudoers* >/dev/null 2>&1; then
echo "$LOGIN_USER_NAME ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers.d/$LOGIN_USER_NAME
fi
# Re-run as the new user
mv "$SCRIPT_PATH" "/home/$LOGIN_USER_NAME/server_setup.sh"
SCRIPT_PATH="/home/$LOGIN_USER_NAME/server_setup.sh"
chown "$LOGIN_USER_NAME:$LOGIN_USER_NAME" "$SCRIPT_PATH"
chmod +x "$SCRIPT_PATH"
su -l $LOGIN_USER_NAME -c "$SCRIPT_PATH"
exit
fi
}
function ssh_public_key_auth {
# Set SSH auth only via publickey
if ! grep "$PUBLIC_KEY" "$HOME/$SSH_KEYS_FILE" >/dev/null 2>&1; then
if [ ! -f $HOME/$SSH_KEYS_FILE ]; then
mkdir -p $(dirname $HOME/$SSH_KEYS_FILE)
fi
echo "$PUBLIC_KEY" >>$HOME/$SSH_KEYS_FILE
fi
# Remove settings that we're going to change in a moment
sudo sed -i '/^ChallengeResponseAuthentication /d' $SSHD_FILE
sudo sed -i '/^PasswordAuthentication /d' $SSHD_FILE
sudo sed -i '/^PermitRootLogin /d' $SSHD_FILE
sudo sed -i '/^PubkeyAuthentication /d' $SSHD_FILE
sudo sed -i '/^AuthorizedKeysFile /d' $SSHD_FILE
# Set new settings
sudo bash -c "echo ChallengeResponseAuthentication no >> $SSHD_FILE"
sudo bash -c "echo PasswordAuthentication no >> $SSHD_FILE"
sudo bash -c "echo PermitRootLogin no >> $SSHD_FILE"
sudo bash -c "echo PubkeyAuthentication yes >> $SSHD_FILE"
sudo bash -c "echo PasswordAuthentication no >> $SSHD_FILE"
# Apply new settings
sudo systemctl restart sshd
}
function install_docker {
sudo apt-get install -y \
ca-certificates \
curl \
gnupg \
lsb-release
sudo rm -f /usr/share/keyrings/docker-archive-keyring.gpg
curl -fsSL https://download.docker.com/linux/ubuntu/gpg |
sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list >/dev/null
sudo apt-get update
sudo apt-get install -y \
docker-ce \
docker-ce-cli \
containerd.io
sudo usermod -aG docker $USER
sudo docker run hello-world
sudo systemctl enable docker.service
sudo systemctl enable containerd.service
}
function install_docker_compose {
DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}
mkdir -p $DOCKER_CONFIG/cli-plugins
rm -f $DOCKER_CONFIG/cli-plugins/docker-compose
curl -SL https://github.com/docker/compose/releases/download/v2.2.3/docker-compose-linux-x86_64 -o $DOCKER_CONFIG/cli-plugins/docker-compose
chmod +x $DOCKER_CONFIG/cli-plugins/docker-compose
docker compose version
}
function install_nginx {
sudo apt-get update
sudo apt-get install nginx -y
sudo systemctl start nginx
sudo systemctl enable nginx
curl -4 icanhazip.com
}
function disable_nginx_default_site {
sudo bash -c 'cat << EOF > /etc/nginx/sites-available/default
server {
listen 80 default_server;
server_name _;
location / {
deny all;
}
}
EOF'
# Apply nginx configuration
sudo nginx -t
sudo systemctl restart nginx
}
function add_nginx_proxy_snippet {
# Add basic nginx proxy config snippet
sudo bash -c 'cat << EOF > /etc/nginx/proxy-config-snippet.conf
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_buffering off;
proxy_request_buffering off;
proxy_http_version 1.1;
proxy_intercept_errors on;
EOF'
# Apply nginx configuration
sudo nginx -t
sudo systemctl restart nginx
}
function install_ufw {
# Install ufw firewall
sudo apt install ufw -y
sudo ufw default deny incoming
sudo ufw allow OpenSSH
sudo ufw allow "Nginx Full"
yes | sudo ufw enable
sudo ufw status verbose
}
function create_swap {
# Create 2GB swap file
if [ ! -f $SWAP_FILE ]; then
sudo fallocate -l 2G "$SWAP_FILE"
sudo chmod 600 "$SWAP_FILE"
sudo mkswap "$SWAP_FILE"
sudo swapon "$SWAP_FILE"
if ! grep swap /etc/fstab >/dev/null 2>&1; then
sudo bash -c "echo $SWAP_FILE swap swap defaults 0 0 >> /etc/fstab"
fi
fi
sudo swapon --show
sudo free -h
}
function update_vim_settings {
# Change vim settings
cat <<EOF >$HOME/.vimrc
filetype plugin indent on
set tabstop=4
set shiftwidth=4
set expandtab
EOF
}
function cleanup {
# Clean script
sudo rm -f "$SCRIPT_PATH"
}
# Run actual script
main
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment