Init

2025-04-27 01:19:08 +03:00 · 2025-04-27 01:19:08 +03:00 · 58328a42d5
commit 58328a42d5
6 changed files with 89 additions and 0 deletions
--- a/full.sh
+++ b/full.sh
@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -euo pipefail
+
+sudo apt update
+sudo apt upgrade
+
+sudo apt install -y \
+    btop \
+    fail2ban \
+    python3 \
+    python3-pip \
+    vim
+
+./sshd.sh
+./nginx.sh
+./ufw.sh
+./podman.sh
+./unattended.sh
--- a/nginx.sh
+++ b/nginx.sh
@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -euo pipefail
+
+sudo apt install -y nginx
--- a/podman.sh
+++ b/podman.sh
@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -euo pipefail
+
+sudo apt install -y podman
+
+systemctl --user enable podman.socket
+systemctl --user start podman.socket
--- a/sshd.sh
+++ b/sshd.sh
@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# TODO: just 'sed' the usual hardenings
+sudo vim /etc/ssh/sshd_config
+
+if ! sudo sshd -t; then
+    sudo systemctl restart sshd
+fi
--- a/ufw.sh
+++ b/ufw.sh
@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -euo pipefail
+
+sudo apt install -y ufw
+
+sudo ufw default deny incoming
+sudo ufw default allow outgoing
+
+port=$(cat /etc/ssh/sshd_config | grep -o 'Port [0-9]*' | grep -o '[0-9]*')
+sudo ufw allow "$port/tcp"
+
+if ! which nginx; then
+    sudo ufw allow "Nginx Full"
+fi
+
+sudo ufw show added
+
+read -p "Rules good? [y/N]: " prompt
+if [[ $prompt == "y" ]]; then
+    sudo ufw enable
+fi
+
--- a/unattended.sh
+++ b/unattended.sh
@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -euo pipefail
+
+sudo apt install -y unattended-upgrades apt-listchanges
+
+echo "/etc/apt/apt.conf.d/50unattended-upgrades:"
+cat /etc/apt/apt.conf.d/50unattended-upgrades
+
+read -p "Unattended update mail address: " mail
+echo "Unattended-Upgrade::Mail \"$mail\";" >> /etc/apt/apt.conf.d/52unattended-upgrades-local
+echo "Unattended-Upgrade::MailReport \"always\";" >> /etc/apt/apt.conf.d/52unattended-upgrades-local
+
+echo "/etc/apt/apt.conf.d/52unattended-upgrades-local:"
+cat /etc/apt/apt.conf.d/52unattended-upgrades-local
+
+echo "/etc/apt/apt.conf.d/20auto-upgrades:"
+cat /etc/apt/apt.conf.d/20auto-upgrades
+
+read -p "Config good? [y/N]: " prompt
+if [[ $prompt == "y" ]]; then
+    echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | debconf-set-selections
+    dpkg-reconfigure -f noninteractive unattended-upgrades
+fi