|
|
@ -1,9 +1,11 @@ |
|
|
|
#!/usr/bin/env bash |
|
|
|
#!/usr/bin/env bash |
|
|
|
|
|
|
|
|
|
|
|
# Unofficial Bash Strict Mode |
|
|
|
# Bash Strict Mode |
|
|
|
set -euo pipefail |
|
|
|
set -euo pipefail |
|
|
|
IFS=' |
|
|
|
IFS=' |
|
|
|
' |
|
|
|
' |
|
|
|
|
|
|
|
cd -P "$(dirname "$0")" |
|
|
|
|
|
|
|
PS4='-\D{%F %T} ' |
|
|
|
|
|
|
|
|
|
|
|
export DEBIAN_FRONTEND=noninteractive |
|
|
|
export DEBIAN_FRONTEND=noninteractive |
|
|
|
export DEBIAN_PRIORITY=critical |
|
|
|
export DEBIAN_PRIORITY=critical |
|
|
@ -11,20 +13,24 @@ export DEBIAN_PRIORITY=critical |
|
|
|
# Fix Debian 10 bug (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905409) |
|
|
|
# Fix Debian 10 bug (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905409) |
|
|
|
PATH=/sbin:/usr/sbin:$PATH |
|
|
|
PATH=/sbin:/usr/sbin:$PATH |
|
|
|
|
|
|
|
|
|
|
|
# Debian stable OS |
|
|
|
function sysConfig() { |
|
|
|
apt-get update |
|
|
|
# Navigate to tmp |
|
|
|
apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" upgrade |
|
|
|
cd /tmp |
|
|
|
apt-get -y dist-upgrade |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Disable OpenStack SSH malware |
|
|
|
# Debian stable OS |
|
|
|
mv /home/debian/.ssh/authorized_keys /root/.ssh/authorized_keys ||: |
|
|
|
apt-get update |
|
|
|
sed -i '/Generated-by-Nova/d' /root/.ssh/authorized_keys ||: |
|
|
|
apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" upgrade |
|
|
|
chown root:root /root/.ssh/authorized_keys ||: |
|
|
|
apt-get -y dist-upgrade |
|
|
|
|
|
|
|
|
|
|
|
# Terminal goodies |
|
|
|
# Disable OpenStack SSH malware |
|
|
|
touch .hushlogin |
|
|
|
mv /home/debian/.ssh/authorized_keys /root/.ssh/authorized_keys || : |
|
|
|
|
|
|
|
sed -i '/Generated-by-Nova/d' /root/.ssh/authorized_keys || : |
|
|
|
|
|
|
|
chown root:root /root/.ssh/authorized_keys || : |
|
|
|
|
|
|
|
|
|
|
|
cat <<'EOF'>> /root/.bashrc |
|
|
|
# Terminal goodies |
|
|
|
|
|
|
|
touch .hushlogin |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
cat <<'EOF' >>/root/.bashrc |
|
|
|
export LS_OPTIONS="--color=auto" |
|
|
|
export LS_OPTIONS="--color=auto" |
|
|
|
eval "`dircolors`" |
|
|
|
eval "`dircolors`" |
|
|
|
|
|
|
|
|
|
|
@ -44,13 +50,13 @@ export HISTTIMEFORMAT="%F %T " |
|
|
|
export DOCKER_BUILDKIT=1 COMPOSE_DOCKER_CLI_BUILD=1 |
|
|
|
export DOCKER_BUILDKIT=1 COMPOSE_DOCKER_CLI_BUILD=1 |
|
|
|
EOF |
|
|
|
EOF |
|
|
|
|
|
|
|
|
|
|
|
cat <<'EOF'>> /etc/inputrc |
|
|
|
cat <<'EOF' >>/etc/inputrc |
|
|
|
set completion-ignore-case |
|
|
|
set completion-ignore-case |
|
|
|
set show-all-if-ambiguous On |
|
|
|
set show-all-if-ambiguous On |
|
|
|
set show-all-if-unmodified On |
|
|
|
set show-all-if-unmodified On |
|
|
|
EOF |
|
|
|
EOF |
|
|
|
|
|
|
|
|
|
|
|
cat <<'EOF'>> /etc/bash.bashrc |
|
|
|
cat <<'EOF' >>/etc/bash.bashrc |
|
|
|
if ! shopt -oq posix; then |
|
|
|
if ! shopt -oq posix; then |
|
|
|
if [ -f /usr/share/bash-completion/bash_completion ]; then |
|
|
|
if [ -f /usr/share/bash-completion/bash_completion ]; then |
|
|
|
. /usr/share/bash-completion/bash_completion |
|
|
|
. /usr/share/bash-completion/bash_completion |
|
|
@ -60,93 +66,169 @@ if ! shopt -oq posix; then |
|
|
|
fi |
|
|
|
fi |
|
|
|
EOF |
|
|
|
EOF |
|
|
|
|
|
|
|
|
|
|
|
# Basic packages |
|
|
|
# Basic packages |
|
|
|
apt-get -y install man bash-completion git ufw jq curl build-essential netcat wget psmisc lz4 file net-tools brotli unzip zip moreutils dnsutils fail2ban xauth sysfsutils rsync iperf pv tree mc screen ssh iotop whois sudo |
|
|
|
apt-get -y install man bash-completion git ufw jq curl build-essential netcat wget psmisc lz4 file net-tools brotli unzip zip moreutils dnsutils fail2ban xauth sysfsutils rsync iperf pv tree mc screen ssh iotop htop awscli whois sudo |
|
|
|
|
|
|
|
|
|
|
|
# Enable time synchronization |
|
|
|
# Enable time synchronization |
|
|
|
timedatectl set-ntp true |
|
|
|
timedatectl set-ntp true |
|
|
|
|
|
|
|
|
|
|
|
# Configure screen |
|
|
|
# Configure screen |
|
|
|
cat <<'EOF'>> /etc/screenrc |
|
|
|
cat <<'EOF' >>/etc/screenrc |
|
|
|
startup_message off |
|
|
|
startup_message off |
|
|
|
shell -$SHELL |
|
|
|
shell -$SHELL |
|
|
|
defscrollback 100000 |
|
|
|
defscrollback 100000 |
|
|
|
bind l eval clear "scrollback 0" "scrollback 100000" |
|
|
|
bind l eval clear "scrollback 0" "scrollback 100000" |
|
|
|
EOF |
|
|
|
EOF |
|
|
|
|
|
|
|
|
|
|
|
# Configure SSH |
|
|
|
# Configure SSH |
|
|
|
cat <<'EOF'>> /etc/ssh/sshd_config |
|
|
|
cat <<'EOF' >>/etc/ssh/sshd_config |
|
|
|
Port 521 |
|
|
|
Port 521 |
|
|
|
PasswordAuthentication no |
|
|
|
PasswordAuthentication no |
|
|
|
AllowUsers root |
|
|
|
AllowUsers root |
|
|
|
X11UseLocalhost no |
|
|
|
X11UseLocalhost no |
|
|
|
EOF |
|
|
|
EOF |
|
|
|
systemctl restart ssh |
|
|
|
systemctl restart ssh |
|
|
|
|
|
|
|
|
|
|
|
touch /root/.Xauthority |
|
|
|
touch /root/.Xauthority |
|
|
|
|
|
|
|
|
|
|
|
# Firewall |
|
|
|
# Firewall |
|
|
|
ufw allow in 80/tcp |
|
|
|
ufw allow in 80/tcp |
|
|
|
ufw allow in 443/tcp |
|
|
|
ufw allow in 443/tcp |
|
|
|
ufw allow in 521/tcp |
|
|
|
ufw allow in 521/tcp |
|
|
|
ufw allow in 8080/tcp |
|
|
|
ufw allow in 8080/tcp |
|
|
|
ufw allow in 8082/tcp |
|
|
|
ufw allow in 8082/tcp |
|
|
|
ufw logging off |
|
|
|
ufw logging off |
|
|
|
ufw --force enable |
|
|
|
ufw --force enable |
|
|
|
ufw --force delete 6 |
|
|
|
ufw --force delete 6 |
|
|
|
ufw --force delete 6 |
|
|
|
ufw --force delete 6 |
|
|
|
ufw --force delete 6 |
|
|
|
ufw --force delete 6 |
|
|
|
ufw --force delete 6 |
|
|
|
ufw --force delete 6 |
|
|
|
ufw --force delete 6 |
|
|
|
ufw --force delete 6 |
|
|
|
|
|
|
|
|
|
|
|
# Optimize |
|
|
|
# Optimize |
|
|
|
systemctl disable unattended-upgrades.service apt-daily.timer apt-daily-upgrade.timer console-setup.service keyboard-setup.service remote-fs.target man-db.timer systemd-timesyncd.service |
|
|
|
systemctl disable unattended-upgrades.service apt-daily.timer apt-daily-upgrade.timer console-setup.service keyboard-setup.service remote-fs.target man-db.timer systemd-timesyncd.service |
|
|
|
sed -i 's/MODULES=most/MODULES=dep/g' /etc/initramfs-tools/initramfs.conf |
|
|
|
sed -i 's/MODULES=most/MODULES=dep/g' /etc/initramfs-tools/initramfs.conf |
|
|
|
sed -i 's/COMPRESS=gzip/COMPRESS=lz4/g' /etc/initramfs-tools/initramfs.conf |
|
|
|
sed -i 's/COMPRESS=gzip/COMPRESS=lz4/g' /etc/initramfs-tools/initramfs.conf |
|
|
|
echo 'RESUME=none' >> /etc/initramfs-tools/conf.d/resume |
|
|
|
echo 'RESUME=none' >>/etc/initramfs-tools/conf.d/resume |
|
|
|
update-initramfs -u |
|
|
|
update-initramfs -u |
|
|
|
echo 'GRUB_TIMEOUT=0' >> /etc/default/grub |
|
|
|
echo 'GRUB_TIMEOUT=0' >>/etc/default/grub |
|
|
|
update-grub |
|
|
|
update-grub |
|
|
|
apt-get -y purge apparmor exim\* |
|
|
|
apt-get -y purge apparmor exim\* |
|
|
|
|
|
|
|
|
|
|
|
for i in $(seq 0 "$(nproc --ignore 1)"); do |
|
|
|
for i in $(seq 0 "$(nproc --ignore 1)"); do |
|
|
|
echo "devices/system/cpu/cpu${i}/cpufreq/scaling_governor = performance" >> /etc/sysfs.conf |
|
|
|
echo "devices/system/cpu/cpu${i}/cpufreq/scaling_governor = performance" >>/etc/sysfs.conf |
|
|
|
done |
|
|
|
done |
|
|
|
|
|
|
|
|
|
|
|
# Disable sleep when closing laptop screen |
|
|
|
# Disable sleep when closing laptop screen |
|
|
|
echo HandleLidSwitch=ignore >> /etc/systemd/logind.conf |
|
|
|
echo HandleLidSwitch=ignore >>/etc/systemd/logind.conf |
|
|
|
|
|
|
|
|
|
|
|
# noatime |
|
|
|
# noatime |
|
|
|
sed -i 's| / ext4 | / ext4 noatime,|g' /etc/fstab |
|
|
|
sed -i 's| / ext4 | / ext4 noatime,|g' /etc/fstab |
|
|
|
|
|
|
|
|
|
|
|
# Disable swap |
|
|
|
# Disable swap |
|
|
|
swapoff -a |
|
|
|
swapoff -a |
|
|
|
sed -i '/swap/d' /etc/fstab |
|
|
|
sed -i '/swap/d' /etc/fstab |
|
|
|
|
|
|
|
|
|
|
|
# Docker |
|
|
|
# Docker |
|
|
|
apt-get -y install apt-transport-https ca-certificates curl gnupg2 software-properties-common |
|
|
|
apt-get -y install apt-transport-https ca-certificates curl gnupg2 software-properties-common |
|
|
|
curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add - |
|
|
|
curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add - |
|
|
|
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" |
|
|
|
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" |
|
|
|
apt-get update |
|
|
|
apt-get update |
|
|
|
apt-get -y install docker-ce docker-ce-cli containerd.io |
|
|
|
apt-get -y install docker-ce docker-ce-cli containerd.io |
|
|
|
|
|
|
|
|
|
|
|
# Docker compose |
|
|
|
# Docker compose |
|
|
|
curl -L "https://github.com/docker/compose/releases/download/1.29.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose |
|
|
|
curl -L "https://github.com/docker/compose/releases/download/1.29.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose |
|
|
|
chmod +x /usr/local/bin/docker-compose |
|
|
|
chmod +x /usr/local/bin/docker-compose |
|
|
|
curl -L https://raw.githubusercontent.com/docker/compose/1.29.1/contrib/completion/bash/docker-compose -o /etc/bash_completion.d/docker-compose |
|
|
|
curl -L https://raw.githubusercontent.com/docker/compose/1.29.1/contrib/completion/bash/docker-compose -o /etc/bash_completion.d/docker-compose |
|
|
|
|
|
|
|
|
|
|
|
# Generate SSH key |
|
|
|
# NodeJS |
|
|
|
ssh-keygen -ted25519 -f ~/.ssh/id_ed25519 -N '' |
|
|
|
curl -fsSL https://deb.nodesource.com/setup_18.x | bash && apt-get install -y nodejs |
|
|
|
|
|
|
|
|
|
|
|
# Use Cloudflare DNS server |
|
|
|
# Git |
|
|
|
echo 'supersede domain-name-servers 1.1.1.1;' >> /etc/dhcp/dhclient.conf |
|
|
|
echo deb http://deb.debian.org/debian buster-backports main | tee /etc/apt/sources.list.d/buster-backports.list |
|
|
|
|
|
|
|
apt-get update && apt-get -y install -t buster-backports git |
|
|
|
# Cleanup |
|
|
|
|
|
|
|
sed -i '/^deb-src/d' /etc/apt/sources.list |
|
|
|
# Generate SSH key |
|
|
|
apt-get update |
|
|
|
ssh-keygen -ted25519 -f ~/.ssh/id_ed25519 -N '' |
|
|
|
apt-get -y purge unattended-upgrades |
|
|
|
|
|
|
|
apt-get -y autoremove --purge |
|
|
|
# Use Cloudflare DNS server |
|
|
|
apt-get clean |
|
|
|
echo 'supersede domain-name-servers 1.1.1.1;' >>/etc/dhcp/dhclient.conf |
|
|
|
|
|
|
|
|
|
|
|
# The end |
|
|
|
# Cleanup |
|
|
|
reboot |
|
|
|
sed -i '/^deb-src/d' /etc/apt/sources.list |
|
|
|
|
|
|
|
apt-get update |
|
|
|
|
|
|
|
apt-get -y purge unattended-upgrades |
|
|
|
|
|
|
|
apt-get -y autoremove --purge |
|
|
|
|
|
|
|
apt-get clean |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# SSH Keys Infra Team |
|
|
|
|
|
|
|
curl https://github.com/{harryvasanth,frenchris,kigiri}.keys >>~/.ssh/authorized_keys |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Check Config |
|
|
|
|
|
|
|
function checkConfig() { |
|
|
|
|
|
|
|
test "$(command -v "${1:-}")" && echo -n ✅ || echo -n ❌ |
|
|
|
|
|
|
|
echo " $@" |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Check configs in the List |
|
|
|
|
|
|
|
function checkList() { |
|
|
|
|
|
|
|
checkConfig docker-compose |
|
|
|
|
|
|
|
checkConfig docker |
|
|
|
|
|
|
|
checkConfig node |
|
|
|
|
|
|
|
checkConfig git |
|
|
|
|
|
|
|
checkConfig man |
|
|
|
|
|
|
|
checkConfig ufw |
|
|
|
|
|
|
|
checkConfig jq |
|
|
|
|
|
|
|
checkConfig curl |
|
|
|
|
|
|
|
checkConfig netcat |
|
|
|
|
|
|
|
checkConfig wget |
|
|
|
|
|
|
|
checkConfig lz4 |
|
|
|
|
|
|
|
checkConfig file |
|
|
|
|
|
|
|
checkConfig brotli |
|
|
|
|
|
|
|
checkConfig unzip |
|
|
|
|
|
|
|
checkConfig zip |
|
|
|
|
|
|
|
checkConfig fail2ban-server |
|
|
|
|
|
|
|
checkConfig xauth |
|
|
|
|
|
|
|
checkConfig rsync |
|
|
|
|
|
|
|
checkConfig iperf |
|
|
|
|
|
|
|
checkConfig pv |
|
|
|
|
|
|
|
checkConfig tree |
|
|
|
|
|
|
|
checkConfig mc |
|
|
|
|
|
|
|
checkConfig screen |
|
|
|
|
|
|
|
checkConfig ssh |
|
|
|
|
|
|
|
checkConfig iotop |
|
|
|
|
|
|
|
checkConfig htop |
|
|
|
|
|
|
|
checkConfig aws |
|
|
|
|
|
|
|
checkConfig whois |
|
|
|
|
|
|
|
checkConfig sudo |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
test "$(ls ~/.ssh/*.pub 2>/dev/null)" && echo -n ✅ || echo -n ❌ |
|
|
|
|
|
|
|
echo " SSH private/public key pair generated" |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
if [[ ! -n ${1:-} ]] || [[ "--check" = $1 ]]; then |
|
|
|
|
|
|
|
echo -e "$(tput setaf 2)$(tput bold)\nCommencing configuration check: $(tput sgr0)\n" |
|
|
|
|
|
|
|
checkList |
|
|
|
|
|
|
|
echo -e "$(tput setaf 2)\nSystem configuration check complete! $(tput sgr0)" |
|
|
|
|
|
|
|
exit 0 |
|
|
|
|
|
|
|
elif [[ "--help" = $1 ]]; then |
|
|
|
|
|
|
|
echo "$(tput setaf 2) --check : to check the current configuration. $(tput sgr0)" |
|
|
|
|
|
|
|
echo "$(tput setaf 3) --run : to configure the system. $(tput sgr0)" |
|
|
|
|
|
|
|
echo "$(tput setaf 1) --reboot : to configure the system and reboot. $(tput sgr0)" |
|
|
|
|
|
|
|
echo "$(tput setaf 7) --help : to display this message. $(tput sgr0)" |
|
|
|
|
|
|
|
elif [[ "--reboot" = $1 ]]; then |
|
|
|
|
|
|
|
echo -e "$(tput setaf 1)$(tput bold)\nSystem will be configured and rebooted. $(tput sgr0)\n" |
|
|
|
|
|
|
|
sysConfig |
|
|
|
|
|
|
|
echo -e "$(tput setaf 1)\nSystem configuration complete. Rebooting now... $(tput sgr0)" |
|
|
|
|
|
|
|
reboot |
|
|
|
|
|
|
|
elif [[ "--run" = $1 ]]; then |
|
|
|
|
|
|
|
echo -e "$(tput setaf 3)$(tput bold)\nSystem will be configured without rebooting. $(tput sgr0)\n" |
|
|
|
|
|
|
|
sysConfig |
|
|
|
|
|
|
|
echo -e "$(tput setaf 3)\nSystem configuration complete! $(tput sgr0)" |
|
|
|
|
|
|
|
exit 0 |
|
|
|
|
|
|
|
else |
|
|
|
|
|
|
|
echo "$(tput setaf 1)$(tput bold) Unknown configuration option: $1 $(tput sgr0)" |
|
|
|
|
|
|
|
echo "$(tput setaf 1)Please use --help for all available options. $(tput sgr0)" |
|
|
|
|
|
|
|
echo "$(tput setaf 1)No changes are made $(tput sgr0)" |
|
|
|
|
|
|
|
exit 0 |
|
|
|
|
|
|
|
fi |
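Review bot: The new `curl https://github.com/{harryvasanth,frenchris,kigiri}.keys >>~/.ssh/authorized_keys` line in the "SSH Keys Infra Team" step appends whatever body the server returns, including an HTML error page on a 404 or a transient failure, because curl is called without `-f`; under `set -euo pipefail` a non-2xx response still exits 0, so the append silently succeeds and the file may end up with a malformed line. It also makes root login on every host built from this script depend on the current contents of three third-party GitHub accounts, which the commit does not record as a deliberate trust decision; at minimum change the line to `curl -fsSL https://github.com/{harryvasanth,frenchris,kigiri}.keys >>~/.ssh/authorized_keys` so a failed fetch aborts the run, and add a comment such as `# Root access is granted to whatever keys these GitHub accounts publish at build time — review this list when membership changes.` The same concern applies to the NodeJS step, where `curl -fsSL https://deb.nodesource.com/setup_18.x | bash` executes an unverified remote script as root; fetching it to a temporary file and checking it (or pinning a known checksum) before running it would keep the build reproducible. Note that `sysConfig` opens in an earlier hunk, so its `set -e` behaviour and the earlier `authorized_keys` handling are only partly visible here.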
|
|
|