Add more scripts

scripts/beszel.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -euo pipefail
+
+sudo mkdir -p /srv/beszel
+sudo mkdir -p /run/beszel_socket
+sudo chown $(whoami):$(whoami) /srv/beszel
+sudo chown $(whoami):$(whoami) /run/beszel_socket
+
+# https://beszel.dev/guide/getting-started
+# https://beszel.dev/guide/hub-installation
+podman run -d \
+  --name beszel \
+  --restart=unless-stopped \
+  -v /srv/beszel:/beszel_data \
+  -v /run/beszel_socket:/beszel_socket \
+  -p 8090:8090 \
+  docker.io/henrygd/beszel
+
+# https://beszel.dev/guide/agent-installation
+read -p "Agent public key: " pub_key
+podman run -d \
+  --name beszel-agent \
+  --userns=keep-id \
+  --network host \
+  --restart unless-stopped \
+  -v $XDG_RUNTIME_DIR/podman/podman.sock:$XDG_RUNTIME_DIR/podman/podman.sock:ro \
+  -v /run/beszel_socket:/beszel_socket \
+  -e KEY="$pub_key" \
+  -e LISTEN=/beszel_socket/beszel.sock \
+  docker.io/henrygd/beszel-agent:latest

scripts/full.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -euo pipefail
+
+sudo apt update
+sudo apt upgrade
+
+sudo apt install -y \
+    btop \
+    fail2ban \
+    python3 \
+    python3-pip \
+    vim
+
+sudo cp "$HOME/.vimrc" /root/.vimrc
+
+./zfs.sh
+./sshd.sh
+./nginx.sh
+./ufw.sh
+./podman.sh
+./unattended.sh
+./beszel.sh

scripts/nginx.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -euo pipefail
+
+sudo apt install -y nginx certbot python3-certbot-nginx
+
+sudo systemctl status certbot.timer
+
+# sudo certbot --nginx -d example.com
+

scripts/podman.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -euo pipefail
+
+sudo apt install -y podman
+
+sudo mkdir -p /etc/containers/
+sudo cp "$HOME/.config/containers/storage.conf" /etc/containers/storage.conf
+
+systemctl --user enable podman.socket
+systemctl --user start podman.socket

scripts/sshd.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# TODO: 'sed' automate the usual hardenings
+sudo vim /etc/ssh/sshd_config
+
+if ! sudo sshd -t; then
+    sudo systemctl restart sshd
+fi

scripts/ufw.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -euo pipefail
+
+sudo apt install -y ufw
+
+sudo ufw default deny incoming
+sudo ufw default allow outgoing
+
+# Allow SSH port
+port=$(cat /etc/ssh/sshd_config | grep -o 'Port [0-9]*' | grep -o '[0-9]*')
+sudo ufw allow "$port/tcp"
+
+# Allow Nginx if installed
+if ! which nginx; then
+    sudo ufw allow "Nginx Full"
+fi
+
+sudo ufw show added
+
+read -p "Rules good? [y/N]: " prompt
+if [[ $prompt == "y" ]]; then
+    sudo ufw enable
+fi
+

scripts/unattended.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -euo pipefail
+
+sudo apt install -y unattended-upgrades apt-listchanges
+
+echo "/etc/apt/apt.conf.d/50unattended-upgrades:"
+cat /etc/apt/apt.conf.d/50unattended-upgrades
+
+read -p "Unattended update mail address: " mail
+echo "Unattended-Upgrade::Mail \"$mail\";" >> /etc/apt/apt.conf.d/52unattended-upgrades-local
+echo "Unattended-Upgrade::MailReport \"always\";" >> /etc/apt/apt.conf.d/52unattended-upgrades-local
+
+echo "/etc/apt/apt.conf.d/52unattended-upgrades-local:"
+cat /etc/apt/apt.conf.d/52unattended-upgrades-local
+
+echo "/etc/apt/apt.conf.d/20auto-upgrades:"
+cat /etc/apt/apt.conf.d/20auto-upgrades
+
+read -p "Config good? [y/N]: " prompt
+if [[ $prompt == "y" ]]; then
+    echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | debconf-set-selections
+    dpkg-reconfigure -f noninteractive unattended-upgrades
+fi

scripts/zfs.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -euo pipefail
+
+root_set=$(sudo zfs list -Ho name /)
+
+# danger zone
+mv "$HOME" "$HOME-backup"
+sudo zfs create -p "$root_set$HOME"
+sudo zfs allow $(whoami) mount,create,rollback,snapshot "$root_set$HOME"
+rsync -aAX "$HOME-backup" "$HOME"
+
+sudo zfs create -p "$root_set/srv/beszel"
+