#!/bin/sh -eu
# This script runs on the server itself (Alpine Linux in this instance)

# Login name of the administrative account this script creates and privileges.
username=admicos

#

checkcmd() {
    # True when "$1" resolves to a command, builtin or function on the
    # current PATH. The resolved path is discarded; callers only use the
    # exit status (e.g. to decide whether a package still needs installing).
    if command -v "$1" >/dev/null; then
        return 0
    fi
    return 1
}

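add_to_group() {
    # Add $username (global) to supplementary group "$1" unless it is already
    # a member. `groups` prints a space-separated list, so membership is
    # tested token by token on the whole, literal name: "docker" must not be
    # satisfied by a group that merely contains that substring, and "$1" is
    # never interpreted as a regular expression. adduser's status propagates,
    # which aborts the script under `sh -e` if the group does not exist.
    groups "$username" | tr ' ' '\n' | grep -qxF -- "$1" || adduser "$username" "$1"
}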

upload() {
    # Install "$payload_root/extra/$1" at the system path "$2".
    # The first time a given name is uploaded the current "$2" is preserved
    # as "$backup/$1"; later runs leave that original backup untouched.
    # Uses the globals $payload_root and $backup; a failing cp aborts the
    # script under `sh -e`.
    printf '%s\n' "# Upload $1 => $2"
    if [ ! -e "$backup/$1" ]; then
        cp "$2" "$backup/$1"
    fi
    cp "$payload_root/extra/$1" "$2"
}

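new_user() {
    # Create user "$1" with `adduser "$@"` unless an account of exactly that
    # name already exists. Only the login-name field of /etc/passwd is
    # compared, in full and literally, so "git" is not satisfied by a user
    # such as "mygit" and "$1" is never treated as a pattern. Extra arguments
    # (e.g. -D) are forwarded to adduser as separate words, unchanged.
    if ! cut -d: -f1 /etc/passwd | grep -qxF -- "$1"; then
        echo "# Creating user $1"
        adduser "$@"
    fi
}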

#

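# Root of the payload checkout (this file lives two levels below it) and the
# directory where upload() keeps the pre-change copy of every replaced file.
payload_root="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd -P)/../../"
backup="$HOME/backup"

mkdir -p "$backup"

# sshd is reconfigured first so the remainder of the run happens over the
# intended configuration; root access is only disabled at the very end.
upload sshd_config /etc/ssh/sshd_config
rc-service sshd restart

upload repositories /etc/apk/repositories

echo "# Check for packages"
# A package is queued only when its command (or, for fail2ban, its config
# directory) is absent, so re-running the script does not touch apk needlessly.
_packages=""
checkcmd curl           || _packages="$_packages curl"
checkcmd docker         || _packages="$_packages docker"
checkcmd docker-compose || _packages="$_packages docker-compose"
checkcmd lego           || _packages="$_packages lego@edgecommunity"
checkcmd rsync          || _packages="$_packages rsync"
checkcmd sudo           || _packages="$_packages sudo"
checkcmd ufw            || _packages="$_packages ufw@edgecommunity"
checkcmd wg-quick       || _packages="$_packages wireguard-tools wireguard-virt"
# wireguard-virt might need to be changed for other kernels.

[ -d "/etc/fail2ban/" ] || _packages="$_packages fail2ban"

if [ -n "$_packages" ]; then
    echo "# Updating repositories"
    apk update
    apk upgrade

    echo "# Installing missing packages '$_packages'"
    # Word-splitting is intentional: _packages is a space-separated list.
    # shellcheck disable=SC2086
    apk add $_packages
else
    echo "# All packages already installed"
fi

new_user "$username"

echo "# Copy SSH authorized_keys to $username"
# Seed the new account with the keys of the account running this script, so
# it stays reachable once root SSH access is switched off below. sshd's
# StrictModes rejects keys living in a group/world-writable ~/.ssh, so the
# directory and file get restrictive modes before ownership is handed over.
if [ ! -e "/home/$username/.ssh/authorized_keys" ]; then
    mkdir -p "/home/$username/.ssh"
    cp "$HOME/.ssh/authorized_keys" "/home/$username/.ssh/authorized_keys"
    chmod 700 "/home/$username/.ssh"
    chmod 600 "/home/$username/.ssh/authorized_keys"
    chown "$username:$username" -R "/home/$username/.ssh"
fi

echo "# Give privileges to $username"
add_to_group docker
add_to_group wheel

# NOTE(review): the syntax check runs only after the new sudoers is live; a
# broken file aborts the script with sudo already unusable. Validating the
# payload copy first (`visudo -cf "$payload_root/extra/sudoers"`) would catch
# that earlier, but older visudo also enforces owner/mode 0440 on -f files,
# so confirm against the installed sudo version before adding it.
upload sudoers /etc/sudoers
chmod 440 /etc/sudoers
visudo -c

echo "# Enable Docker service"
rc-update add docker
rc-service docker start

# Create git account for gitolite: no password is assigned (-D) and the
# account is then unlocked so key-based SSH logins are accepted.
new_user git -D
passwd -u git

mkdir -p "/home/git/.ssh"
chown git:git -R "/home/git/.ssh"
chmod 700 -R "/home/git/.ssh"

echo "# git: Sticking some glue"
mkdir -p /usr/lib/gitolite
cp "$payload_root/extra/gitolite-passthru" /usr/lib/gitolite/gitolite-passthru
cp "$payload_root/extra/gitolite-shell" /usr/lib/gitolite/gitolite-shell

if [ -e "$payload_root/extra/wg0.conf" ]; then
    echo "# Configuring WireGuard"
    # wg0.conf normally holds the interface's private key; the target
    # directory is created up front so a fresh install cannot fail the copy,
    # and the file is locked down to the owner right after it lands.
    mkdir -p /etc/wireguard
    cp "$payload_root/extra/wg0.conf" /etc/wireguard/wg0.conf
    chmod 600 /etc/wireguard/wg0.conf

    echo "# Enabling interface wg0"
    cp "$payload_root/extra/wg-quick.init" /etc/init.d/wg-quick.wg0
    rc-update add wg-quick.wg0
    rc-service wg-quick.wg0 start

    echo "# Configuring forwarding settings"
    cp "$payload_root/extra/sysctl.conf" /etc/sysctl.d/99-admi.conf
    # NOTE(review): a busybox `sysctl -p` with no file argument reads
    # /etc/sysctl.conf only; confirm the sysctl.d drop-in is actually applied
    # here (otherwise restart the sysctl service instead).
    sysctl -p
else
    echo "!!! wireguard: extra/wg0.conf missing. Gitignored?"
fi

echo "# Configuring fail2ban"
cp "$payload_root/extra/fail2ban.jail.conf" /etc/fail2ban/jail.d/99-admicos.conf
cp "$payload_root/extra/fail2ban-nginx-x00.conf" /etc/fail2ban/filter.d/nginx-x00.conf

# todo: Remove this when released upstream
cp "$payload_root/extra/nginx-bad-request.conf" /etc/fail2ban/filter.d/nginx-bad-request.conf

rc-update add fail2ban
rc-service fail2ban start

echo "# Configuring logrotate"
cp "$payload_root/extra/logrotate-nginx" /etc/logrotate.d/nginx

echo "# Configuring ufw"
# Default-deny inbound. SSH is rate-limited rather than plainly allowed, the
# web/gemini ports and the WireGuard listener are opened, and anything
# arriving over the wg0 tunnel is trusted.
ufw default deny incoming
ufw limit 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 1965/tcp
ufw allow 10823/udp
ufw allow in on wg0 to any
# NOTE(review): `ufw enable` asks for confirmation when it may disrupt the
# current SSH session; use `ufw --force enable` if this is ever run unattended.
ufw enable
rc-update add ufw

# this should _always_ be the last thing on this script
# Relies on the uploaded sshd_config carrying the literal marker "yes #no"
# (presumably on its PermitRootLogin line); after the flip, the accounts set
# up above keep key-based access while root is refused.
echo "# Disabling root SSH access"
sed -i "s/yes #no/no/" /etc/ssh/sshd_config
rc-service sshd restart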