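#!/bin/sh -eu
# This script runs under the server, Alpine Linux in this instance
# Re-apply the strict flags in the body: options given on the shebang line are
# lost when the script is invoked as `sh <script>` instead of executed directly.
set -eu
# Account that receives the SSH key, docker/wheel membership and sudo access.
username="admicos"
readonly username
#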
# Succeed when the command named in $1 can be resolved on PATH; the resolved
# path is discarded, only the exit status matters.
checkcmd() {
  _cmd=$1
  if command -v "$_cmd" >/dev/null; then
    return 0
  fi
  return 1
}
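# Add $username to the group named in $1 unless it is already a member.
# Globals: username (read)
# Membership is decided by comparing whole group names: the previous
# `groups | grep "$1"` was a substring match, so e.g. "dock" counted as a
# member of "docker" and the adduser call was skipped.
add_to_group() {
  # shellcheck disable=SC2046 -- group names never contain whitespace; splitting the list is the point
  for _grp in $(groups "$username"); do
    if [ "$_grp" = "$1" ]; then
      return 0
    fi
  done
  adduser "$username" "$1"
}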
# Install a file from the payload's extra/ directory over an absolute target,
# keeping a one-time copy of the original under $backup (never overwritten on
# later runs).
# Globals: payload_root (read), backup (read)
#   $1 - file name under "$payload_root/extra/", also used as the backup name
#   $2 - destination path on the server
upload() {
  _name=$1
  _dest=$2
  echo "# Upload $_name => $_dest"
  if [ ! -e "$backup/$_name" ]; then
    cp "$_dest" "$backup/$_name"
  fi
  cp "$payload_root/extra/$_name" "$_dest"
}
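# Create a local account unless it already exists.
#   $1 - user name, matched as a whole passwd field (not as a substring)
#   $@ - forwarded verbatim to adduser, so extra options such as -D pass through
new_user() {
  # Anchor the pattern: the previous unanchored "name:x" also matched any
  # account whose name merely ends with "name" (e.g. "xgit" for "git").
  if ! grep -q -- "^$1:x:" /etc/passwd; then
    echo "# Creating user $1"
    # "$@" keeps each argument intact instead of re-splitting it.
    adduser "$@"
  fi
}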
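#
# Repository root (two levels above this script) and a backup directory that
# keeps the pre-existing version of every file replaced by upload().
payload_root="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd -P)/../../"
backup="$HOME/backup"
mkdir -p "$backup"
upload sshd_config /etc/ssh/sshd_config
# Validate the new config before restarting: `rc-service restart` stops the
# daemon first, and a config error would then leave no sshd to reconnect to.
# Under -e a failing `sshd -t` aborts the run while the old sshd is still up.
sshd -t
rc-service sshd restart
upload repositories /etc/apk/repositories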
echo "# Check for packages"
# Accumulate the apk package names whose command is not yet on PATH; kept as a
# single space-separated string on purpose (it is word-split again at apk add).
_packages=""
checkcmd curl || _packages="$_packages curl"
checkcmd docker || _packages="$_packages docker"
checkcmd docker-compose || _packages="$_packages docker-compose"
# @edgecommunity pins the package to a tagged repository, presumably declared
# in the repositories file uploaded earlier in this script.
checkcmd lego || _packages="$_packages lego@edgecommunity"
checkcmd rsync || _packages="$_packages rsync"
checkcmd sudo || _packages="$_packages sudo"
checkcmd ufw || _packages="$_packages ufw@edgecommunity"
checkcmd wg-quick || _packages="$_packages wireguard-tools wireguard-virt"
# wireguard-virt might need to be changed for other kernels.
# fail2ban has no single command probed here, so its config directory stands in.
[ -d "/etc/fail2ban/" ] || _packages="$_packages fail2ban"
if [ -n "$_packages" ]; then
echo "# Updating repositories"
apk update
apk upgrade
echo "# Installing missing packages '$_packages'"
# shellcheck disable=SC2086 -- intentional word-splitting of the package list
apk add $_packages
else
echo "# All packages already installed"
fi
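new_user "$username"
echo "# Copy SSH authorized_keys to $username"
if [ ! -e "/home/$username/.ssh/authorized_keys" ]; then
  # -p: an existing ~/.ssh (e.g. left by an earlier partial run) is not an error.
  mkdir -p "/home/$username/.ssh"
  cp "$HOME/.ssh/authorized_keys" "/home/$username/.ssh/authorized_keys"
  # Conventional key-file permissions: cp creates the copy with the umask
  # default, which can leave it group/world readable.
  chmod 700 "/home/$username/.ssh"
  chmod 600 "/home/$username/.ssh/authorized_keys"
  chown "$username:$username" -R "/home/$username/.ssh"
fi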
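echo "# Give privileges to $username"
add_to_group docker
add_to_group wheel
# Check the payload's sudoers for syntax errors before it replaces the live
# file: a broken /etc/sudoers disables sudo for everyone, and with -e the run
# stops here instead of after the damage is done.
visudo -c -f "$payload_root/extra/sudoers"
upload sudoers /etc/sudoers
chmod 440 /etc/sudoers
# Re-check the installed copy (mode and content) as well.
visudo -c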
echo "# Enable Docker service"
# rc-update registers the service for boot; rc-service starts it immediately.
rc-update add docker
rc-service docker start
# Create git account for gitolite
# -D: create the account without setting a password.
# NOTE(review): `passwd -u` then removes the lock on that account — presumably
# so sshd accepts key-based logins for it; confirm the resulting /etc/shadow
# field is not an empty password rather than a "*"-style no-password entry.
new_user git -D
passwd -u git
# Key directory for the git account; the -R flags are a no-op on a directory
# mkdir just created empty, and only matter if it already existed.
mkdir -p "/home/git/.ssh"
chown git:git -R "/home/git/.ssh"
chmod 700 -R "/home/git/.ssh"
echo "# git: Sticking some glue"
# Helper scripts from the payload for the gitolite setup (their contents are
# not visible here).
mkdir -p /usr/lib/gitolite
cp "$payload_root/extra/gitolite-passthru" /usr/lib/gitolite/gitolite-passthru
cp "$payload_root/extra/gitolite-shell" /usr/lib/gitolite/gitolite-shell
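if [ -e "$payload_root/extra/wg0.conf" ]; then
  echo "# Configuring WireGuard"
  # wg0.conf normally carries the interface's private key: create the directory
  # and the copy under a restrictive umask so there is no window in which the
  # file is readable by others (a plain cp creates it with the umask default
  # and only the chmod afterwards tightens it).
  ( umask 077 && mkdir -p /etc/wireguard && cp "$payload_root/extra/wg0.conf" /etc/wireguard/wg0.conf )
  # Still needed when the file already existed with a looser mode (cp keeps it).
  chmod 600 /etc/wireguard/wg0.conf
  echo "# Enabling interface wg0"
  cp "$payload_root/extra/wg-quick.init" /etc/init.d/wg-quick.wg0
  rc-update add wg-quick.wg0
  rc-service wg-quick.wg0 start
  echo "# Configuring forwarding settings"
  cp "$payload_root/extra/sysctl.conf" /etc/sysctl.d/99-admi.conf
  # A bare `sysctl -p` only reads /etc/sysctl.conf; the drop-in just written
  # has to be named explicitly, otherwise the settings only apply after reboot.
  sysctl -p /etc/sysctl.d/99-admi.conf
else
  echo "!!! wireguard: extra/wg0.conf missing. Gitignored?"
fi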
echo "# Configuring fail2ban"
# Jail definition plus two custom nginx filters (presumably referenced by the
# jail); they go into the drop-in directories so packaged defaults stay intact.
cp "$payload_root/extra/fail2ban.jail.conf" /etc/fail2ban/jail.d/99-admicos.conf
cp "$payload_root/extra/fail2ban-nginx-x00.conf" /etc/fail2ban/filter.d/nginx-x00.conf
# todo: Remove this when released upstream
cp "$payload_root/extra/nginx-bad-request.conf" /etc/fail2ban/filter.d/nginx-bad-request.conf
rc-update add fail2ban
rc-service fail2ban start
echo "# Configuring logrotate"
cp "$payload_root/extra/logrotate-nginx" /etc/logrotate.d/nginx
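echo "# Configuring ufw"
ufw default deny incoming
# limit rather than allow: new connections from a single source are
# rate-limited, which complements the fail2ban jail against SSH brute force.
ufw limit 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
# 1965/tcp and 10823/udp: purposes are not stated here; 10823/udp is presumably
# the WireGuard listen port — confirm against wg0.conf.
ufw allow 1965/tcp
ufw allow 10823/udp
ufw allow in on wg0 to any
# --force skips the interactive "may disrupt existing ssh connections"
# confirmation, which would otherwise stall or fail an unattended run.
ufw --force enable
rc-update add ufw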
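# this should _always_ be the last thing on this script
echo "# Disabling root SSH access"
# The uploaded sshd_config is expected to carry a "yes #no" marker (presumably
# on its PermitRootLogin line) that the substitution below flips. Without the
# marker the sed is a silent no-op and root login stays as uploaded, so fail
# loudly instead of pretending the lockdown happened.
if ! grep -q "yes #no" /etc/ssh/sshd_config; then
  echo "!!! sshd_config: marker 'yes #no' not found, root SSH access NOT disabled" >&2
  exit 1
fi
sed -i "s/yes #no/no/" /etc/ssh/sshd_config
# As with the first restart: never restart sshd on an unvalidated config.
sshd -t
rc-service sshd restart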