From f4ce8ea0b8fc4c1a6d8af6b6f1737da9f8a17c94 Mon Sep 17 00:00:00 2001
From: Harry Vasanth
Date: Tue, 11 Oct 2022 18:00:01 +0100
Subject: [PATCH] fix(configure): add packages, perform check and enable passing arguments
---
 sh/debian/configure.sh | 264 +++++++++++++++++++++++++++--------------
 1 file changed, 173 insertions(+), 91 deletions(-)
diff --git a/sh/debian/configure.sh b/sh/debian/configure.sh
index 0939cad61..76a762713 100755
--- a/sh/debian/configure.sh
+++ b/sh/debian/configure.sh
@@ -1,9 +1,11 @@
 #!/usr/bin/env bash
-# Unofficial Bash Strict Mode
+# Bash Strict Mode
 set -euo pipefail
 IFS=' '
+cd -P "$(dirname "$0")"
+PS4='-\D{%F %T} '
 export DEBIAN_FRONTEND=noninteractive
 export DEBIAN_PRIORITY=critical
@@ -44,13 +50,13 @@ export HISTTIMEFORMAT="%F %T "
 export DOCKER_BUILDKIT=1 COMPOSE_DOCKER_CLI_BUILD=1
 EOF
-cat <<'EOF'>> /etc/inputrc
+ cat <<'EOF' >>/etc/inputrc
 set completion-ignore-case
 set show-all-if-ambiguous On
 set show-all-if-unmodified On
 EOF
-cat <<'EOF'>> /etc/bash.bashrc
+ cat <<'EOF' >>/etc/bash.bashrc
 if ! shopt -oq posix; then
 if [ -f /usr/share/bash-completion/bash_completion ]; then
 . /usr/share/bash-completion/bash_completion
@@ -60,93 +66,169 @@ if ! shopt -oq posix; then
 fi
 EOF
-# Basic packages
-apt-get -y install man bash-completion git ufw jq curl build-essential netcat wget psmisc lz4 file net-tools brotli unzip zip moreutils dnsutils fail2ban xauth sysfsutils rsync iperf pv tree mc screen ssh iotop whois sudo
+ # Basic packages
+ apt-get -y install man bash-completion git ufw jq curl build-essential netcat wget psmisc lz4 file net-tools brotli unzip zip moreutils dnsutils fail2ban xauth sysfsutils rsync iperf pv tree mc screen ssh iotop htop awscli whois sudo
-# Enable time synchronization
-timedatectl set-ntp true
+ # Enable time synchronization
+ timedatectl set-ntp true
-# Configure screen
-cat <<'EOF'>> /etc/screenrc
+ # Configure screen
+ cat <<'EOF' >>/etc/screenrc
 startup_message off
 shell -$SHELL
 defscrollback 100000
 bind l eval clear "scrollback 0" "scrollback 100000"
 EOF
-# Configure SSH
-cat <<'EOF'>> /etc/ssh/sshd_config
+ # Configure SSH
+ cat <<'EOF' >>/etc/ssh/sshd_config
 Port 521
 PasswordAuthentication no
 AllowUsers root
 X11UseLocalhost no
 EOF
-systemctl restart ssh
-
-touch /root/.Xauthority
-
-# Firewall
-ufw allow in 80/tcp
-ufw allow in 443/tcp
-ufw allow in 521/tcp
-ufw allow in 8080/tcp
-ufw allow in 8082/tcp
-ufw logging off
-ufw --force enable
-ufw --force delete 6
-ufw --force delete 6
-ufw --force delete 6
-ufw --force delete 6
-ufw --force delete 6
-
-# Optimize
-systemctl disable unattended-upgrades.service apt-daily.timer apt-daily-upgrade.timer console-setup.service keyboard-setup.service remote-fs.target man-db.timer systemd-timesyncd.service
-sed -i 's/MODULES=most/MODULES=dep/g' /etc/initramfs-tools/initramfs.conf
-sed -i 's/COMPRESS=gzip/COMPRESS=lz4/g' /etc/initramfs-tools/initramfs.conf
-echo 'RESUME=none' >> /etc/initramfs-tools/conf.d/resume
-update-initramfs -u
-echo 'GRUB_TIMEOUT=0' >> /etc/default/grub
-update-grub
-apt-get -y purge apparmor exim\*
-
-for i in $(seq 0 "$(nproc --ignore 1)"); do
- echo "devices/system/cpu/cpu${i}/cpufreq/scaling_governor = performance" >> /etc/sysfs.conf
-done
-
-# Disable sleep when closing laptop screen
-echo HandleLidSwitch=ignore >> /etc/systemd/logind.conf
-
-# noatime
-sed -i 's| / ext4 | / ext4 noatime,|g' /etc/fstab
-
-# Disable swap
-swapoff -a
-sed -i '/swap/d' /etc/fstab
-
-# Docker
-apt-get -y install apt-transport-https ca-certificates curl gnupg2 software-properties-common
-curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
-add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
-apt-get update
-apt-get -y install docker-ce docker-ce-cli containerd.io
-
-# Docker compose
-curl -L "https://github.com/docker/compose/releases/download/1.29.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
-chmod +x /usr/local/bin/docker-compose
-curl -L https://raw.githubusercontent.com/docker/compose/1.29.1/contrib/completion/bash/docker-compose -o /etc/bash_completion.d/docker-compose
-
-# Generate SSH key
-ssh-keygen -ted25519 -f ~/.ssh/id_ed25519 -N ''
-
-# Use Cloudflare DNS server
-echo 'supersede domain-name-servers 1.1.1.1;' >> /etc/dhcp/dhclient.conf
-
-# Cleanup
-sed -i '/^deb-src/d' /etc/apt/sources.list
-apt-get update
-apt-get -y purge unattended-upgrades
-apt-get -y autoremove --purge
-apt-get clean
-
-# The end
-reboot
+ systemctl restart ssh
+
+ touch /root/.Xauthority
+
+ # Firewall
+ ufw allow in 80/tcp
+ ufw allow in 443/tcp
+ ufw allow in 521/tcp
+ ufw allow in 8080/tcp
+ ufw allow in 8082/tcp
+ ufw logging off
+ ufw --force enable
+ ufw --force delete 6
+ ufw --force delete 6
+ ufw --force delete 6
+ ufw --force delete 6
+ ufw --force delete 6
+
+ # Optimize
+ systemctl disable unattended-upgrades.service apt-daily.timer apt-daily-upgrade.timer console-setup.service keyboard-setup.service remote-fs.target man-db.timer systemd-timesyncd.service
+ sed -i 's/MODULES=most/MODULES=dep/g' /etc/initramfs-tools/initramfs.conf
+ sed -i 's/COMPRESS=gzip/COMPRESS=lz4/g' /etc/initramfs-tools/initramfs.conf
+ echo 'RESUME=none' >>/etc/initramfs-tools/conf.d/resume
+ update-initramfs -u
+ echo 'GRUB_TIMEOUT=0' >>/etc/default/grub
+ update-grub
+ apt-get -y purge apparmor exim\*
+
+ for i in $(seq 0 "$(nproc --ignore 1)"); do
+ echo "devices/system/cpu/cpu${i}/cpufreq/scaling_governor = performance" >>/etc/sysfs.conf
+ done
+
+ # Disable sleep when closing laptop screen
+ echo HandleLidSwitch=ignore >>/etc/systemd/logind.conf
+
+ # noatime
+ sed -i 's| / ext4 | / ext4 noatime,|g' /etc/fstab
+
+ # Disable swap
+ swapoff -a
+ sed -i '/swap/d' /etc/fstab
+
+ # Docker
+ apt-get -y install apt-transport-https ca-certificates curl gnupg2 software-properties-common
+ curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
+ add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
+ apt-get update
+ apt-get -y install docker-ce docker-ce-cli containerd.io
+
+ # Docker compose
+ curl -L "https://github.com/docker/compose/releases/download/1.29.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+ chmod +x /usr/local/bin/docker-compose
+ curl -L https://raw.githubusercontent.com/docker/compose/1.29.1/contrib/completion/bash/docker-compose -o /etc/bash_completion.d/docker-compose
+
+ # NodeJS
+ curl -fsSL https://deb.nodesource.com/setup_18.x | bash && apt-get install -y nodejs
+
+ # Git
+ echo deb http://deb.debian.org/debian buster-backports main | tee /etc/apt/sources.list.d/buster-backports.list
+ apt-get update && apt-get -y install -t buster-backports git
+
+ # Generate SSH key
+ ssh-keygen -ted25519 -f ~/.ssh/id_ed25519 -N ''
+
+ # Use Cloudflare DNS server
+ echo 'supersede domain-name-servers 1.1.1.1;' >>/etc/dhcp/dhclient.conf
+
+ # Cleanup
+ sed -i '/^deb-src/d' /etc/apt/sources.list
+ apt-get update
+ apt-get -y purge unattended-upgrades
+ apt-get -y autoremove --purge
+ apt-get clean
+
+ # SSH Keys Infra Team
+ curl https://github.com/{harryvasanth,frenchris,kigiri}.keys >>~/.ssh/authorized_keys
+}
+
+# Check Config
+function checkConfig() {
+ test "$(command -v "${1:-}")" && echo -n ✅ || echo -n ❌
+ echo " $@"
+}
+
+# Check configs in the List
+function checkList() {
+ checkConfig docker-compose
+ checkConfig docker
+ checkConfig node
+ checkConfig git
+ checkConfig man
+ checkConfig ufw
+ checkConfig jq
+ checkConfig curl
+ checkConfig netcat
+ checkConfig wget
+ checkConfig lz4
+ checkConfig file
+ checkConfig brotli
+ checkConfig unzip
+ checkConfig zip
+ checkConfig fail2ban-server
+ checkConfig xauth
+ checkConfig rsync
+ checkConfig iperf
+ checkConfig pv
+ checkConfig tree
+ checkConfig mc
+ checkConfig screen
+ checkConfig ssh
+ checkConfig iotop
+ checkConfig htop
+ checkConfig aws
+ checkConfig whois
+ checkConfig sudo
+
+ test "$(ls ~/.ssh/*.pub 2>/dev/null)" && echo -n ✅ || echo -n ❌
+ echo " SSH private/public key pair generated"
+}
+if [[ ! -n ${1:-} ]] || [[ "--check" = $1 ]]; then
+ echo -e "$(tput setaf 2)$(tput bold)\nCommencing configuration check: $(tput sgr0)\n"
+ checkList
+ echo -e "$(tput setaf 2)\nSystem configuration check complete! $(tput sgr0)"
+ exit 0
+elif [[ "--help" = $1 ]]; then
+ echo "$(tput setaf 2) --check : to check the current configuration. $(tput sgr0)"
+ echo "$(tput setaf 3) --run : to configure the system. $(tput sgr0)"
+ echo "$(tput setaf 1) --reboot : to configure the system and reboot. $(tput sgr0)"
+ echo "$(tput setaf 7) --help : to display this message. $(tput sgr0)"
+elif [[ "--reboot" = $1 ]]; then
+ echo -e "$(tput setaf 1)$(tput bold)\nSystem will be configured and rebooted. $(tput sgr0)\n"
+ sysConfig
+ echo -e "$(tput setaf 1)\nSystem configuration complete. Rebooting now... $(tput sgr0)"
+ reboot
+elif [[ "--run" = $1 ]]; then
+ echo -e "$(tput setaf 3)$(tput bold)\nSystem will be configured without rebooting. $(tput sgr0)\n"
+ sysConfig
+ echo -e "$(tput setaf 3)\nSystem configuration complete! $(tput sgr0)"
+ exit 0
+else
+ echo "$(tput setaf 1)$(tput bold) Unknown configuration option: $1 $(tput sgr0)"
+ echo "$(tput setaf 1)Please use --help for all available options. $(tput sgr0)"
+ echo "$(tput setaf 1)No changes are made $(tput sgr0)"
+ exit 0
+fi
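Review bot: The new `# SSH Keys Infra Team` step appends whatever `curl` returns to `~/.ssh/authorized_keys` without `-f`, so an HTTP error or rate-limit page would be written into root's key file and silently break it; `curl -fsSL https://github.com/{harryvasanth,frenchris,kigiri}.keys >>~/.ssh/authorized_keys` makes a failed fetch abort under `set -e` instead, and since this line grants root login to keys controlled by external GitHub accounts it deserves a comment saying exactly that. The `# NodeJS` step pipes a remote script straight into `bash` as root; downloading it to a file and reviewing or checksum-verifying it before executing keeps the provisioning reproducible, and the same remark applies to the `apt-key add -` line that this commit moves into the function. The `# Git` step hardcodes `buster-backports` while the Docker step derives the suite from `lsb_release -cs`, so on any other Debian release the added source is wrong. In the option parser at the end, the unknown-option branch prints an error but finishes with `exit 0`; a non-zero status such as `exit 2` lets callers and CI notice the mistake. `sysConfig` opens outside this hunk, so its declaration and the first part of its body are not visible here.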