From e867c9e163ff6194e9d746f5d06cc9fdb9af4a54 Mon Sep 17 00:00:00 2001
From: Jeff Moe
Date: Wed, 10 Feb 2021 10:37:48 -0700
Subject: [PATCH] eth bootstrap notes
---
eqx-bootstrap-ethereum | 200 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 200 insertions(+)
create mode 100644 eqx-bootstrap-ethereum
diff --git a/eqx-bootstrap-ethereum b/eqx-bootstrap-ethereum
new file mode 100644
index 0000000..3b3bde5
--- /dev/null
+++ b/eqx-bootstrap-ethereum
@@ -0,0 +1,200 @@
+#!/bin/bash
+set -x
+exit
+
+passwd # root
+# copy over ssh key
+
+chmod og-rwx ~debian
+mkdir -p ~debian/.ssh
+cp -p ~root/authorized_keys ~debian/.ssh/
+chmod -R og-rwx ~debian/.ssh
+chown -R debian:debian ~debian/.ssh
+
+
+echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
+locale-gen
+update-locale
+ln -sf /usr/share/zoneinfo/UTC /etc/localtime
+
+rm -f /etc/apt/sources.list.d/*.list
+
+cat > /etc/apt/sources.list < /etc/initramfs-tools/conf.d/resume
+
+echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
+
+# XXX nameservers
+echo "nameserver 208.67.222.222" > /etc/resolv.conf
+echo "nameserver 208.67.220.220" >> /etc/resolv.conf
+
+apt-get update
+
+iptables -L -n || DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" install iptables
+
+cat > /etc/network/if-pre-up.d/iptables < /etc/iptables.test.rules < /etc/iptables.up.rules
+
+cat > /root/iptables-reload < /etc/iptables.up.rules
+EOF
+chmod 700 /root/iptables-reload
+
+apt-get update
+apt-get -y autoremove --purge
+apt-get -y purge --autoremove \
+ apache2 \
+ chrony \
+ exim4-base \
+ exim4-config \
+ man-db \
+ manpages \
+ postfix \
+ reportbug \
+ rpcbind \
+ snmpd \
+ unscd \
+ xinetd
+
+apt-get -y dist-upgrade --download-only
+DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
+
+DEBIAN_FRONTEND=noninteractive apt-get -y \
+ -o Dpkg::Options::="--force-confdef" \
+ -o Dpkg::Options::="--force-confnew" \
+ install \
+ bzip2 \
+ ca-certificates \
+ debian-archive-keyring \
+ haveged \
+ host \
+ less \
+ locales \
+ lsb-release \
+ net-tools \
+ parted \
+ psmisc \
+ sudo \
+ traceroute \
+ vim \
+ wget
+
+apt-get clean
+
+adduser debian sudo
+
+echo ":syntax on" > ~/.vimrc
+
+# XXX turn off macros in clusterssh
+sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
+cat /etc/sudoers
+
+echo ":syntax
on" > ~debian/.vimrc
+
+# TEST XMR LOGIN BEFORE REBOOT!
+# Port 42661
+sed -i \
+ -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin no/g' \
+ -e 's/\#Port 22/Port 42661/g' \
+ -e 's/\PermitRootLogin yes/PermitRootLogin no/g' \
+ -e 's/\#PasswordAuthentication no/PasswordAuthentication no/g' \
+ -e 's/RSAAuthentication yes/RSAAuthentication no/g' \
+ -e 's/X11Forwarding yes/X11Forwarding no/g' \
+ /etc/ssh/sshd_config
+
+echo "AllowUsers debian" >> /etc/ssh/sshd_config
+
+for i in plymouth rpcbind rsync saslauthd unattended-upgrades
+do echo $i
+ /usr/sbin/update-rc.d $i stop
+ /usr/sbin/update-rc.d $i disable
+done
+
+# keep quiet for now am6 console serial is slow ? rm quiet
+#sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/g' /etc/default/grub
+#sed -i -e 's/^GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="ipv6.disable=1"/g' /etc/default/grub
+# GRUB_CMDLINE_LINUX_DEFAULT="quiet"
+# GRUB_CMDLINE_LINUX="console=tty0 console=ttyS1,115200n8 ipv6.disable=1"
+
+grub-install /dev/sda
+update-grub
+
+echo blacklist ipv6 > /etc/modprobe.d/ipv6.conf
+echo alias net-pf-10 off >> /etc/modprobe.d/aliases.conf
+echo alias ivp6 off >> /etc/modprobe.d/aliases.conf
+cat >> /etc/sysctl.conf < /etc/hostname
+echo "127.0.1.1 `hostname`" >> /etc/hosts
+
+rm /etc/ssh/ssh_host_*
+dpkg-reconfigure openssh-server
+
+systemctl restart sshd
+# TEST SSH
+# ssh xmr@foo
+# sudo su -
+# reboot
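Review bot: The `PasswordAuthentication` substitution in the `sed -i ... /etc/ssh/sshd_config` command looks like a silent no-op: it only rewrites a commented `#PasswordAuthentication no`, while a stock sshd_config normally carries `#PasswordAuthentication yes`, so password logins would likely remain enabled after the restart. Matching the directive regardless of its current value, e.g. `-e 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/'`, and checking the result with `sshd -t && sshd -T | grep -Ei '^(port|permitrootlogin|passwordauthentication|allowusers) '` before `systemctl restart sshd` would make the hardening verifiable. The same exact-match fragility applies to the `/etc/sudoers` edit earlier in the hunk, which is also worth validating with `visudo -c` since it grants `NOPASSWD: ALL` to the whole sudo group. Several here-document bodies (sources.list, the iptables rules, sysctl.conf) are missing from this rendering of the patch, so they are not covered by this note.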