|
#!/bin/bash |
|
# Stop at the first failing command.  pipefail is deliberately NOT enabled:
# `yes | sudo ufw enable` further down would most likely trip it when `yes`
# is killed by SIGPIPE.
set -e

# Absolute path of this script.  create_standard_user moves the file into the
# new user's home and re-executes it from there, so this is reassigned later
# and must not be readonly.
SCRIPT_PATH="$(realpath -- "$0")"

# ------------- CONFIGURATION -------------

# Login account that will be created and granted passwordless sudo.
LOGIN_USER_NAME="tyler"

# SECURITY: whoever holds the private half of this key can log in as
# LOGIN_USER_NAME, which is NOPASSWD:ALL in sudoers -- i.e. root on the box.
# Replace it with your own key before running this on a server.
PUBLIC_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDkyDCzLELjv40vZSD0Hkj2bsQi0wR6WUs/xIG347cbPIMWbwCExeBgXpKyo9jQcd6zcr4dHCVdCgSR3gDkrKP3i0iKWp3cuvpkekGnxfkBax1+h2AqxCe4JqvEiwnCpHUmBxUyiExGJM87QKPpGrrVJ3T9bqm476SE5q1dAEqCOnLLMm8DbCqKyE81U+l3FK01LdmFl0xCysKx1K0w0wTGknrwBsouRLnQwJpD6/beC5VKXpsQ8V6F55WlxM7SZv3VQMl7wcQ2lnaOMYxMSFRcic/tJb7o1KbiG6ERtYWpNvZaV8jJgLiCTCbBAgZNjRiYXt+CxCYvVs0RGAyZd3th tlongren@gmail.com"

# authorized_keys location, relative to the login user's $HOME.
SSH_KEYS_FILE=".ssh/authorized_keys"

# sshd main configuration file (edited in place by ssh_public_key_auth).
SSHD_FILE="/etc/ssh/sshd_config"

# Swap file created by create_swap.
SWAP_FILE="/swapfile"
|
# Ordered list of provisioning steps.  Comment a line out to skip a step.
main() {
  # Echo each top-level step before it runs.  bash does not propagate a
  # DEBUG trap into functions unless functrace (`set -T`) is on, so only
  # the calls listed here are echoed, not their internals.
  trap 'echo; echo "> $BASH_COMMAND"' DEBUG

  upgrade_packages
  install_basic_packages

  # When started as root this creates LOGIN_USER_NAME, moves the script into
  # that user's home and re-executes it via `su -l`; everything after this
  # point therefore runs as that user and escalates with sudo.
  create_standard_user

  # Installs PUBLIC_KEY and disables password / root logins over SSH.
  ssh_public_key_auth

  install_docker
  install_docker_compose

  #install_nginx
  #disable_nginx_default_site
  #add_nginx_proxy_snippet

  install_ufw
  create_swap

  #update_vim_settings

  # Deletes the script file itself.
  cleanup

  trap - DEBUG
}
|
# ------------- END OF CONFIGURATION ------------- |
|
|
|
# Refresh the apt index and apply every pending upgrade non-interactively.
upgrade_packages() {
  local -a apt=(sudo apt-get -y)
  "${apt[@]}" update
  "${apt[@]}" upgrade
}
|
|
|
# Install the baseline tooling the rest of the script relies on.
# zsh is required because create_standard_user sets it as the login shell.
install_basic_packages() {
  local -a pkgs=(curl grep wget gpg sed git vim zsh)
  sudo apt-get -y update
  sudo apt-get -y install "${pkgs[@]}"
}
|
|
|
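# When running as root: create LOGIN_USER_NAME with passwordless sudo, hand
# this script over to that user and re-execute it as them (the remaining
# steps then run unprivileged and escalate via sudo).  Does nothing when the
# script is already running as a non-root user.
#
# SECURITY: the new account gets `NOPASSWD:ALL`, so anyone able to log in as
# it (see PUBLIC_KEY) is effectively root.  The sudoers drop-in is validated
# with `visudo -c` before it is installed with the 0440 root:root mode sudo
# expects, because a syntax error in /etc/sudoers.d breaks sudo for everyone.
#
# Globals: LOGIN_USER_NAME (read), SCRIPT_PATH (read and updated).
# Exits the root process once the re-executed child finishes (its status is
# propagated by the bare `exit`).
create_standard_user() {
  [[ "$UID" == "0" ]] || return 0

  local user="$LOGIN_USER_NAME"
  local sudoers_file="/etc/sudoers.d/$user"
  local target="/home/$user/server_setup.sh"

  # Idempotent: a re-run after a partial failure must not abort on
  # "user already exists" under set -e.
  if ! id -u "$user" >/dev/null 2>&1; then
    adduser "$user" \
      --shell /bin/zsh \
      --disabled-password \
      --gecos ""
  fi
  usermod -aG sudo "$user"

  if ! grep -R -E "^$user (.*) NOPASSWD" /etc/sudoers* >/dev/null 2>&1; then
    # Build the new drop-in in a private temp file (existing content kept),
    # let visudo reject it if malformed, and only then install it.
    local tmp
    tmp="$(mktemp)"
    if [[ -f "$sudoers_file" ]]; then
      cat "$sudoers_file" >"$tmp"
    fi
    printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$user" >>"$tmp"
    visudo -cf "$tmp" >/dev/null
    install -o root -g root -m 0440 "$tmp" "$sudoers_file"
    rm -f "$tmp"
  fi

  # Re-run as the new user from a copy it owns.
  mv "$SCRIPT_PATH" "$target"
  SCRIPT_PATH="$target"
  chown "$user:$user" "$SCRIPT_PATH"
  chmod +x "$SCRIPT_PATH"
  su -l "$user" -c "$SCRIPT_PATH"
  exit
}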
|
|
|
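# Install PUBLIC_KEY for the current user and restrict sshd to public-key
# authentication (no passwords, no keyboard-interactive, no root login).
#
# Lock-out safety: the key is installed first and the new configuration is
# checked with `sshd -t` before sshd is restarted, so a bad edit cannot leave
# the host without a working login.  Still keep the current session open and
# confirm a fresh key-based login before closing it.
#
# NOTE(review): recent Ubuntu images ship `Include /etc/ssh/sshd_config.d/*.conf`
# at the TOP of sshd_config, and cloud-init may drop a file there that sets
# `PasswordAuthentication yes`.  sshd keeps the first value it sees, so lines
# appended to the end of sshd_config can be silently overridden.  The same
# settings are therefore also written to a drop-in that sorts before those.
#
# Globals: HOME, SSH_KEYS_FILE, PUBLIC_KEY, SSHD_FILE (all read).
ssh_public_key_auth() {
  local keys_file="$HOME/$SSH_KEYS_FILE"
  local keys_dir
  keys_dir="$(dirname "$keys_file")"

  # sshd (StrictModes) ignores authorized_keys that are group/world
  # accessible, so enforce 700 on the directory and 600 on the file.
  mkdir -p "$keys_dir"
  chmod 700 "$keys_dir"
  touch "$keys_file"
  chmod 600 "$keys_file"
  # -F: match the key as a literal string, not a regex (it contains + and /).
  if ! grep -qF -- "$PUBLIC_KEY" "$keys_file"; then
    printf '%s\n' "$PUBLIC_KEY" >>"$keys_file"
  fi

  local -a settings=(
    "ChallengeResponseAuthentication no"
    "KbdInteractiveAuthentication no"
    "PasswordAuthentication no"
    "PermitRootLogin no"
    "PubkeyAuthentication yes"
  )

  # Drop any existing value for each keyword, then append ours once.
  local line keyword
  for line in "${settings[@]}"; do
    keyword="${line%% *}"
    sudo sed -i "/^${keyword} /d" "$SSHD_FILE"
  done
  # Not set afterwards on purpose: fall back to sshd's default location,
  # which is where the key was just installed.
  sudo sed -i '/^AuthorizedKeysFile /d' "$SSHD_FILE"
  printf '%s\n' "${settings[@]}" | sudo tee -a "$SSHD_FILE" >/dev/null

  # Win against drop-ins too: first match wins and "00-" sorts first.
  if [[ -d /etc/ssh/sshd_config.d ]]; then
    printf '%s\n' "${settings[@]}" |
      sudo tee /etc/ssh/sshd_config.d/00-server-setup.conf >/dev/null
  fi

  # Refuse to restart on a configuration sshd itself would reject.
  sudo sshd -t

  sudo systemctl restart sshd
}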
|
|
|
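# Install Docker Engine from Docker's apt repository (Ubuntu codename from
# lsb_release, architecture from dpkg).
#
# The repository signing key is downloaded to a temp file and checked for
# emptiness before it is dearmored: without `set -o pipefail` the original
# `curl | gpg` pipeline would turn a failed download into an empty keyring
# and only fail later, inside apt, with a confusing signature error.
#
# SECURITY: membership of the `docker` group is root-equivalent (any member
# can start a container with the host filesystem mounted).  It is granted to
# $USER here for convenience; remove that line if this account must not be
# able to become root through Docker.
#
# Globals: USER (read).
install_docker() {
  local keyring="/usr/share/keyrings/docker-archive-keyring.gpg"
  local list="/etc/apt/sources.list.d/docker.list"
  local arch codename key_tmp

  sudo apt-get install -y \
    ca-certificates \
    curl \
    gnupg \
    lsb-release

  key_tmp="$(mktemp)"
  curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o "$key_tmp"
  if [[ ! -s "$key_tmp" ]]; then
    echo "docker apt signing key download is empty" >&2
    rm -f "$key_tmp"
    return 1
  fi
  sudo rm -f "$keyring"
  sudo gpg --dearmor -o "$keyring" <"$key_tmp"
  rm -f "$key_tmp"
  # apt fetches as the unprivileged _apt user and must be able to read it.
  sudo chmod a+r "$keyring"

  arch="$(dpkg --print-architecture)"
  codename="$(lsb_release -cs)"
  echo "deb [arch=${arch} signed-by=${keyring}] https://download.docker.com/linux/ubuntu ${codename} stable" |
    sudo tee "$list" >/dev/null

  sudo apt-get update
  sudo apt-get install -y \
    docker-ce \
    docker-ce-cli \
    containerd.io

  sudo usermod -aG docker "$USER"

  # Smoke test.  The group change above only applies to new login sessions,
  # hence sudo; --rm avoids leaving a stopped container behind.
  sudo docker run --rm hello-world

  sudo systemctl enable docker.service
  sudo systemctl enable containerd.service
}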
|
|
|
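# Install the Docker Compose v2 CLI plugin into $DOCKER_CONFIG/cli-plugins.
#
# The release asset is selected from the machine architecture (the original
# always fetched the x86_64 build regardless of host) and verified against
# the .sha256 file published alongside it before it is made executable.
# `curl -f` is used so that a 404 fails instead of saving an HTML error page
# as an executable "plugin".
#
# SECURITY: the checksum is served from the same origin as the binary, so
# this only catches a truncated or corrupted download, not a compromised
# release.  Keep the version pinned and bump it deliberately.
#
# Globals: DOCKER_CONFIG (read, defaulted to $HOME/.docker if unset), HOME.
install_docker_compose() {
  local version="v2.2.3"
  local arch asset url plugin sum_expected sum_actual

  DOCKER_CONFIG="${DOCKER_CONFIG:-$HOME/.docker}"
  plugin="$DOCKER_CONFIG/cli-plugins/docker-compose"

  # Map `uname -m` onto the suffix used by Compose release asset names.
  arch="$(uname -m)"
  case "$arch" in
    x86_64|aarch64|s390x|ppc64le) ;;
    armv7l) arch="armv7" ;;
    armv6l) arch="armv6" ;;
    *)
      echo "unsupported architecture for docker compose: $arch" >&2
      return 1
      ;;
  esac
  asset="docker-compose-linux-${arch}"
  url="https://github.com/docker/compose/releases/download/${version}/${asset}"

  mkdir -p "$DOCKER_CONFIG/cli-plugins"
  rm -f "$plugin"

  curl -fsSL "$url" -o "$plugin"
  sum_expected="$(curl -fsSL "${url}.sha256" | awk '{print $1}')"
  sum_actual="$(sha256sum "$plugin" | awk '{print $1}')"
  if [[ -z "$sum_expected" || "$sum_expected" != "$sum_actual" ]]; then
    echo "checksum mismatch for $asset" >&2
    rm -f "$plugin"
    return 1
  fi

  chmod +x "$plugin"
  docker compose version
}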
|
|
|
# Install nginx, start it now and on boot, then print the host's public IPv4
# address (via icanhazip.com) so the operator knows where to point a browser.
install_nginx() {
  sudo apt-get update
  sudo apt-get -y install nginx
  sudo systemctl start nginx
  sudo systemctl enable nginx
  # Informational only; this is an outbound request to a third-party service.
  curl -4 icanhazip.com
}
|
|
|
# Replace nginx's default vhost with a catch-all that denies every request
# (nginx's `deny` answers 403), so the bare IP / unknown Host names serve
# nothing.  Per-site servers are expected to be added separately.
disable_nginx_default_site() {
  # Quoted delimiter: nothing in the body is expanded by the shell.
  sudo tee /etc/nginx/sites-available/default >/dev/null <<'EOF'
server {
    listen 80 default_server;
    server_name _;
    location / {
        deny all;
    }
}
EOF

  # Validate first so a broken config cannot take nginx down on restart.
  sudo nginx -t
  sudo systemctl restart nginx
}
|
|
|
# Write an `include`-able snippet with the proxy_* settings used when
# forwarding to a backend: Host / X-Real-IP / X-Forwarded-* headers, no
# request or response buffering, HTTP/1.1, and nginx handling upstream errors.
#
# NOTE(review): X-Forwarded-For is built with $proxy_add_x_forwarded_for,
# which appends to whatever X-Forwarded-For the client already sent; backends
# should only trust the right-most (last) address, which this proxy added.
add_nginx_proxy_snippet() {
  # Quoted delimiter keeps the nginx $variables literal.
  sudo tee /etc/nginx/proxy-config-snippet.conf >/dev/null <<'EOF'
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
proxy_http_version 1.1;
proxy_intercept_errors on;
EOF

  # Validate first so a broken config cannot take nginx down on restart.
  sudo nginx -t
  sudo systemctl restart nginx
}
|
|
|
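# Install ufw and enable it with a default-deny inbound policy, allowing SSH
# and -- only when the nginx application profile is present -- HTTP/HTTPS.
#
# Bug fixed: `ufw allow "Nginx Full"` errors out when that profile does not
# exist (it is shipped by the nginx package), and install_nginx is commented
# out in main(), so under `set -e` the original aborted the whole script at
# this point.  The profile is now applied only if ufw knows it.
#
# NOTE(review): Docker programs its own iptables chains; ports published with
# `-p` bypass ufw entirely.  Bind published ports to 127.0.0.1 or add
# DOCKER-USER rules if the firewall is meant to cover containers.
install_ufw() {
  sudo apt-get -y install ufw
  sudo ufw default deny incoming

  # Allow SSH *before* enabling, otherwise the current session is the last.
  # Fall back to 22/tcp if the OpenSSH profile is missing.
  if sudo ufw app info OpenSSH >/dev/null 2>&1; then
    sudo ufw allow OpenSSH
  else
    sudo ufw allow 22/tcp
  fi

  if sudo ufw app info "Nginx Full" >/dev/null 2>&1; then
    sudo ufw allow "Nginx Full"
  fi

  # --force answers the "may disrupt existing ssh connections" prompt.
  sudo ufw --force enable
  sudo ufw status verbose
}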
|
|
|
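# Create and activate a 2 GiB swap file at SWAP_FILE (once) and register it
# in /etc/fstab so it is used after reboot.
#
# Fixes: the fstab guard was `grep swap /etc/fstab`, which matches any line
# mentioning "swap" (a comment, a swap partition, a commented-out entry), so
# the file could silently never be added; it now looks for this exact path
# as a mount source, and does so even if the file already existed, so a run
# that died between fallocate and the fstab write can be repeated.  The file
# is also created 0600 root:root before it gets any content, instead of
# being world-readable until the later chmod -- swap holds paged-out memory.
#
# Globals: SWAP_FILE (read).
create_swap() {
  local size="2G"

  if [[ ! -f "$SWAP_FILE" ]]; then
    # Empty, root-owned, 0600 first; fallocate then sizes it in place.
    sudo install -o root -g root -m 0600 /dev/null "$SWAP_FILE"
    sudo fallocate -l "$size" "$SWAP_FILE"
    sudo mkswap "$SWAP_FILE"
    sudo swapon "$SWAP_FILE"
  fi

  # Register only if this exact path is not already an (uncommented) entry.
  if ! grep -qE "^[[:space:]]*${SWAP_FILE}[[:space:]]" /etc/fstab 2>/dev/null; then
    printf '%s swap swap defaults 0 0\n' "$SWAP_FILE" | sudo tee -a /etc/fstab >/dev/null
  fi

  sudo swapon --show
  sudo free -h
}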
|
|
|
# Write a minimal ~/.vimrc: filetype-aware indenting and 4-space soft tabs.
# Any existing ~/.vimrc is overwritten.
update_vim_settings() {
  local vimrc="$HOME/.vimrc"
  printf '%s\n' \
    'filetype plugin indent on' \
    'set tabstop=4' \
    'set shiftwidth=4' \
    'set expandtab' >"$vimrc"
}
|
|
|
# Delete the script itself.  By this point create_standard_user may have
# moved it into the login user's home, which is why SCRIPT_PATH is used
# rather than $0.
cleanup() {
  local self="$SCRIPT_PATH"
  sudo rm -f -- "$self"
}
|
|
|
# Run actual script: main() holds the ordered step list; edit the
# CONFIGURATION section above (user, key, paths) before running.

main