commit 58328a42d50ff6f0f13a64ce534154ed69cc5479
Author: Lauri Räsänen
Date: Sun Apr 27 01:19:08 2025 +0300
Init
diff --git a/full.sh b/full.sh
new file mode 100755
index 0000000..cde362c
--- /dev/null
+++ b/full.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -euo pipefail
+
+sudo apt update
+sudo apt upgrade
+
+sudo apt install -y \
+ btop \
+ fail2ban \
+ python3 \
+ python3-pip \
+ vim
+
+./sshd.sh
+./nginx.sh
+./ufw.sh
+./podman.sh
+./unattended.sh
diff --git a/nginx.sh b/nginx.sh
new file mode 100755
index 0000000..f6590bd
--- /dev/null
+++ b/nginx.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -euo pipefail
+
+sudo apt install -y nginx
diff --git a/podman.sh b/podman.sh
new file mode 100755
index 0000000..1e419df
--- /dev/null
+++ b/podman.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -euo pipefail
+
+sudo apt install -y podman
+
+systemctl --user enable podman.socket
+systemctl --user start podman.socket
diff --git a/sshd.sh b/sshd.sh
new file mode 100755
index 0000000..d3a7ff2
--- /dev/null
+++ b/sshd.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# TODO: just 'sed' the usual hardenings
+sudo vim /etc/ssh/sshd_config
+
+if ! sudo sshd -t; then
+ sudo systemctl restart sshd
+fi
diff --git a/ufw.sh b/ufw.sh
new file mode 100755
index 0000000..cbff590
--- /dev/null
+++ b/ufw.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -euo pipefail
+
+sudo apt install -y ufw
+
+sudo ufw default deny incoming
+sudo ufw default allow outgoing
+
+port=$(cat /etc/ssh/sshd_config | grep -o 'Port [0-9]*' | grep -o '[0-9]*')
+sudo ufw allow "$port/tcp"
+
+if ! which nginx; then
+ sudo ufw allow "Nginx Full"
+fi
+
+sudo ufw show added
+
+read -p "Rules good? [y/N]: " prompt
+if [[ $prompt == "y" ]]; then
+ sudo ufw enable
+fi
+
diff --git a/unattended.sh b/unattended.sh
new file mode 100755
index 0000000..ebdb555
--- /dev/null
+++ b/unattended.sh
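Review bot: The child scripts on the last five lines of full.sh are invoked as `./sshd.sh`, `./nginx.sh` and so on, so the run only works when the caller's working directory happens to be the repository, and `sudo apt upgrade` will stop to prompt while every other apt call passes `-y`. Prefer `cd "$(dirname "$0")"` before the calls and `sudo apt upgrade -y` if this is meant to run end to end. Note also that `./nginx.sh` runs before `./ufw.sh`, so whatever the nginx package starts listening on is reachable until the operator confirms `ufw enable` in ufw.sh; a one-line comment stating that ordering is deliberate (the `Nginx Full` profile only exists once nginx is installed) would help the next reader.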
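Review bot: The `systemctl --user enable podman.socket` and `systemctl --user start podman.socket` lines in podman.sh only take effect for as long as the invoking user's session exists; unless lingering is enabled for that account, the rootless socket and anything behind it stop when the user logs out. If this host is meant to run containers unattended, add `loginctl enable-linger "$USER"` before those two lines, which can themselves be collapsed to `systemctl --user enable --now podman.socket`. Using rootless Podman rather than `sudo` here is the right choice and deserves a comment saying it is intentional so nobody "fixes" it later.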
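Review bot: The condition on the `if ! sudo sshd -t; then` line in sshd.sh is inverted: sshd is restarted only when the edited config fails validation and is left running the old config when it passes, and restarting on a broken config is exactly the case that locks you out of the box. Change it to `if sudo sshd -t; then sudo systemctl restart sshd; else echo "sshd_config failed validation; not restarting" >&2; exit 1; fi`, and consider `reload` over `restart` so the session running this script survives. The TODO above the `sudo vim /etc/ssh/sshd_config` line is worth acting on: a hand-edited config is neither reproducible nor reviewable, whereas a checked-in drop-in under `/etc/ssh/sshd_config.d/` carrying the intended settings is both.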
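Review bot: The `if ! which nginx; then` line in ufw.sh is inverted: the `Nginx Full` rule is added only when nginx is absent (and then fails, since that profile ships with the nginx package) and never when it is installed. The `port=$(cat /etc/ssh/sshd_config | grep -o 'Port [0-9]*' ...)` line is also fragile: the pattern matches the commented `#Port 22` default as well as a real `Port` directive, so a custom port yields two numbers and an invalid `ufw allow` argument, and a port set in an `Include`d drop-in is never seen; under `set -eo pipefail` those cases abort before `ufw enable`, but a wrong rule that slips through would lock SSH out once the firewall is on. Read the effective port(s) from `sshd -T` and refuse to proceed without one, as below; `read -p` should also be `read -rp`.
```shell
# … unchanged: install ufw, default deny incoming / allow outgoing …
# Take the effective port(s) from sshd itself so Include drop-ins and the
# commented "#Port 22" default are handled; never enable ufw without an SSH rule.
mapfile -t ssh_ports < <(sudo sshd -T | awk '$1 == "port" { print $2 }')
if (( ${#ssh_ports[@]} == 0 )); then
  echo "could not determine sshd port; not touching ufw" >&2
  exit 1
fi
for port in "${ssh_ports[@]}"; do
  sudo ufw allow "${port}/tcp"
done

if command -v nginx >/dev/null 2>&1; then
  sudo ufw allow "Nginx Full"
fi
# … unchanged: show added, confirmation prompt, ufw enable …
```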
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -euo pipefail
+
+sudo apt install -y unattended-upgrades apt-listchanges
+
+echo "/etc/apt/apt.conf.d/50unattended-upgrades:"
+cat /etc/apt/apt.conf.d/50unattended-upgrades
+
+read -p "Unattended update mail address: " mail
+echo "Unattended-Upgrade::Mail \"$mail\";" >> /etc/apt/apt.conf.d/52unattended-upgrades-local
+echo "Unattended-Upgrade::MailReport \"always\";" >> /etc/apt/apt.conf.d/52unattended-upgrades-local
+
+echo "/etc/apt/apt.conf.d/52unattended-upgrades-local:"
+cat /etc/apt/apt.conf.d/52unattended-upgrades-local
+
+echo "/etc/apt/apt.conf.d/20auto-upgrades:"
+cat /etc/apt/apt.conf.d/20auto-upgrades
+
+read -p "Config good? [y/N]: " prompt
+if [[ $prompt == "y" ]]; then
+ echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | debconf-set-selections
+ dpkg-reconfigure -f noninteractive unattended-upgrades
+fi
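Review bot: The two `echo ... >> /etc/apt/apt.conf.d/52unattended-upgrades-local` lines, the `debconf-set-selections` pipe and the `dpkg-reconfigure` call run without `sudo`, unlike the `sudo apt install` line above them, so as an ordinary user the first write is denied and `set -e` aborts the script. The mail address is also interpolated into an apt.conf string unvalidated, so a `"` or `;` in the input breaks the config for every later apt run, and each execution appends another copy of both directives. Write the file through `sudo tee`, reject those characters, and prefix the two debconf/dpkg commands with `sudo`, as below; this version also overwrites instead of appending so re-runs converge on one copy.
```shell
# … unchanged: install, dump 50unattended-upgrades …
read -rp "Unattended update mail address: " mail
# apt.conf values are double-quoted strings; refuse input that could close the quote.
if [[ "$mail" == *[\"\;]* ]]; then
  echo "mail address must not contain '\"' or ';'" >&2
  exit 1
fi
printf 'Unattended-Upgrade::Mail "%s";\nUnattended-Upgrade::MailReport "always";\n' "$mail" \
  | sudo tee /etc/apt/apt.conf.d/52unattended-upgrades-local >/dev/null
# … unchanged: dump the local file and 20auto-upgrades, confirmation prompt …
if [[ $prompt == "y" ]]; then
  echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | sudo debconf-set-selections
  sudo dpkg-reconfigure -f noninteractive unattended-upgrades
fi
```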