PHP / MySQL Server (Ubuntu 12.04)
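#!/usr/bin/env bash
###
# Run this script as root
#
# Provisions a fresh Ubuntu 12.04 box as a PHP / MySQL web server: hostname,
# locale, timezone, an admin user with SSH key access, passwordless sudo for
# the admin group, fail2ban, an iptables firewall, sudo mail notifications,
# nginx, MySQL and PHP-FPM.
#
# Edit the "Setup variables" section before running. Every step is written so
# the script can be re-run on the same box without failing on work already done.
###
set -euo pipefail

# Nearly every step below writes under /etc, so bail out early if not root.
if (( EUID != 0 )); then
  printf 'This script must be run as root\n' >&2
  exit 1
fi

# Setup variables for this script
USER_NAME=vlucas
USER_EMAIL=vance@vancelucas.com
SSH_PUBLIC_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxoQkUlUr+GcEpY1Its3mXFq/xi6yUgknxcSfGx0Yl25zo9nLl5UpeA+r0SmTfnu5oj674i+Ccx7NgwIkhGONXyKZaWyQf7jQZRa6sAMyETQ8QFbkprLCcF6LXJ9B1Khj16ZgXgcuSjMQKmbi8FA3iCcP5jGeT/02x5QhC5hXNPZafODwR5Xty559mLqsZ3LwzQZ4YaQDi4fnEDz7z4iA5+2Xo44de4ypmAmRBsOJZ0mgiRyClDEa0TVCctIXLeOt5OU76DE/IXuKHmtpwWiAI+c6ZNLmXeidrMQzhS6XfDwtTS0YMNnXn4aSSSJNhuvRAhCj9qjAXT1lV1QPb2P84Q== vance@vancelucas.com"
GITHUB_USER=$USER_NAME   # not used by this script; kept for anything that sources it
HOSTNAME=genesis.churchmint.com   # NB: shadows bash's own $HOSTNAME, which is fine here
LOCALE=en
TIMEZONE=US/Central

# Set a hostname
printf '%s\n' "$HOSTNAME" > /etc/hostname
hostname -F /etc/hostname
# Make the new name resolvable locally; without this sudo prints
# "unable to resolve host" on every invocation.
grep -qF -- "$HOSTNAME" /etc/hosts || printf '127.0.1.1\t%s\n' "$HOSTNAME" >> /etc/hosts

# Set the locale
locale-gen "$LOCALE"

# Set the timezone
printf '%s\n' "$TIMEZONE" > /etc/timezone
dpkg-reconfigure -f noninteractive tzdata

# Create an admin group (skipped if it already exists)
getent group admin > /dev/null || /usr/sbin/groupadd admin

# Add the admin group to the sudoers list (with no password)
# Edit a private temp copy and let visudo validate it before it replaces the
# live file: a sudoers file with a syntax error locks everyone out of sudo.
# NOPASSWD means any process running as an admin user can become root
# without a prompt, so keep membership of the admin group tight.
sudoers_tmp=$(mktemp)
sed 's/admin ALL=(ALL) ALL/admin ALL=(ALL) NOPASSWD:ALL/g' /etc/sudoers > "$sudoers_tmp"
chmod 440 "$sudoers_tmp"   # visudo -c also checks the candidate file's mode
visudo -c -f "$sudoers_tmp"
install -m 440 -o root -g root "$sudoers_tmp" /etc/sudoers
rm -f -- "$sudoers_tmp"

# Create my admin user (skipped if it already exists)
if ! id -u "$USER_NAME" > /dev/null 2>&1; then
  /usr/sbin/useradd -m -G admin -s /bin/bash -d "/home/$USER_NAME" "$USER_NAME"
fi

# Setup $USER for ssh access
# The files are written as root and then handed to the user, rather than
# expanding the key into a "su -c" command string for a second shell to parse.
user_home="/home/$USER_NAME"
install -d -m 700 "$user_home/.ssh"
touch "$user_home/.ssh/authorized_keys"
grep -qF -- "$SSH_PUBLIC_KEY" "$user_home/.ssh/authorized_keys" \
  || printf '%s\n' "$SSH_PUBLIC_KEY" >> "$user_home/.ssh/authorized_keys"
chmod 600 "$user_home/.ssh/authorized_keys"
# "user:" with an empty group sets the group to the user's login group
chown -R "$USER_NAME:" "$user_home/.ssh"

# Disable root login via SSH (now would be a good time to test your new user if running this script interactively)
#sed 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config > /tmp/sshd_config.new
#mv /tmp/sshd_config.new /etc/ssh/sshd_config && chmod 644 /etc/ssh/sshd_config
#service ssh restart

# Update package cache and upgrade packages
# The variable must be exported: apt-get runs as a child process and otherwise
# never sees it, so a package's configuration prompt can stall the script.
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get upgrade -y -q -o Dpkg::Options::="--force-confold"

# Install fail2ban (prevent repeated logins)
apt-get install -y fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sed -i '/\[ssh-ddos\]/,+2 s/enabled = false/enabled = true/g' /etc/fail2ban/jail.local
service fail2ban restart

# Setup firewall
cat << 'EOF' > /etc/iptables.firewall.rules
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow ports for MOSH (mobile shell)
-A INPUT -p udp --dport 60000:61000 -j ACCEPT
# Allow SSH connections
# The -dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
iptables-restore < /etc/iptables.firewall.rules
# These are IPv4 rules only: ip6tables is left at its default accept-all state,
# so add matching rules there if the host has a public IPv6 address.
# Reload the rules on every boot, before the interfaces come up.
printf '%s\n' '#!/bin/sh' '/sbin/iptables-restore < /etc/iptables.firewall.rules' \
  > /etc/network/if-pre-up.d/firewall
chmod +x /etc/network/if-pre-up.d/firewall

# Email me on sudo
# sudoers quotes strings with double quotes; the drop-in is validated with
# visudo before it is installed so a typo here cannot break sudo.
sudoers_mail=$(mktemp)
printf '%s\n' 'Defaults mail_always' "Defaults mailto=\"$USER_EMAIL\"" > "$sudoers_mail"
chmod 440 "$sudoers_mail"
visudo -c -f "$sudoers_mail"
install -m 440 -o root -g root "$sudoers_mail" /etc/sudoers.d/my_sudoers
rm -f -- "$sudoers_mail"

# Reboot server when out of memory (only appended once)
grep -q '^vm.panic_on_oom=' /etc/sysctl.conf \
  || printf '%s\n' 'vm.panic_on_oom=1' 'kernel.panic=10' >> /etc/sysctl.conf

# Install essentials (python-software-properties provides add-apt-repository, used below)
apt-get install -y build-essential python-software-properties zsh curl netcat git htop ack-grep tmux vim-nox exuberant-ctags

# Install nginx (start only if it is not already running; "start" on a running
# service exits non-zero and would abort the script)
apt-get install -y nginx
service nginx status > /dev/null 2>&1 || /etc/init.d/nginx start

# Install databases
# With DEBIAN_FRONTEND=noninteractive the MySQL root password is left empty;
# set one (e.g. via mysql_secure_installation) before the box goes live.
apt-get install -y mysql-client mysql-server libmysqlclient15-dev

# Install PHP + PHP-FPM
# ppa:ondrej/php5 is a third-party package source; its packages are trusted
# from this point on, so review that decision for production hosts.
add-apt-repository -y ppa:ondrej/php5 && apt-get update
apt-get install -y php5-fpm php5-cli php5-common php5-mcrypt php5-mysql php5-memcache php-apc php-pear php5-curl php5-intl php5-gd

# Divert ack to ack-grep
dpkg-divert --local --divert /usr/bin/ack --rename --add /usr/bin/ack-grep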