forksand-it-manual/source/resources/apps/sharkfork-bootstrap/forksand-sf-001-bootstrap

#!/bin/bash
# forksand-bootstrap-sf-001
# GPLv3+
# This script does some initial setup and config
# Sets up Proxmox.

# Log script
exec > >(tee /root/bootstrap-sf-001.log) 2>/root/bootstrap-sf-001.err

set -x

# Set locale
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
update-locale

# XXX Set timezone
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime

# Set up git for tracking. XXX Ansible... XXX
apt-get -y install git sudo
cd /etc
git init
chmod og-rwx /etc/.git

cat > /etc/.gitignore <<EOF
prelink.cache
*.swp
ld.so.cache
adjtime
blkid.tab
blkid.tab.old
mtab
resolv.conf
asound.state
mtab.fuselock
aliases.db
EOF

git config --global user.name "Jeff Moe"
git config --global user.email moe@forksand.com
cd /etc ; git add . ; git commit -a -m 'Set up new Debian Stretch sf-001 server.'

# SET UP APT
#
cat > /etc/apt/sources.list <<EOF
deb http://mirrors.kernel.org/debian/ stretch-backports main
deb http://mirrors.kernel.org/debian/ stretch main
deb http://mirrors.kernel.org/debian/ stretch-updates main
deb http://security.debian.org/ stretch/updates main
EOF

# Make apt use IPv4:
echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4

git add /etc/apt/apt.conf.d/99force-ipv4
git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4

cd /etc ; git add . ; git commit -a -m 'Set up apt.'

# UPGRADE SERVER
apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade

cd /etc ; git add . ; git commit -a -m 'Update base install'

apt-get -y --download-only install					\
	--no-install-recommends						\
	apt-transport-https						\
	bzip2								\
	ca-certificates							\
	colordiff							\
	cpufrequtils							\
	curl								\
	debian-archive-keyring						\
	exuberant-ctags							\
	git								\
	host								\
	less								\
	locales								\
	lsb-release							\
	man-db								\
	manpages							\
	molly-guard							\
	net-tools							\
	ntp								\
	openssh-server							\
	postfix								\
	python3								\
	rsync								\
	telnet								\
	traceroute							\
	vim								\
	vim-scripts

DEBIAN_FRONTEND=noninteractive apt-get -y 				\
	-o Dpkg::Options::="--force-confdef"				\
	-o Dpkg::Options::="--force-confnew"				\
	install								\
	--no-install-recommends						\
	apt-transport-https						\
	bzip2								\
	ca-certificates							\
	colordiff							\
	cpufrequtils							\
	curl								\
	debian-archive-keyring						\
	exuberant-ctags							\
	git								\
	host								\
	less								\
	locales								\
	lsb-release							\
	man-db								\
	manpages							\
	molly-guard							\
	net-tools							\
	ntp								\
	openssh-server							\
	postfix								\
	python3								\
	rsync								\
	telnet								\
	traceroute							\
	vim								\
	vim-scripts

cd /etc ; git add . ; git commit -a -m 'Install base packages'

# NTP SharkTech. They firewall outside ntp.
sed -i                                                                                   \
 -e 's/pool 0.debian.pool.ntp.org/\#pool 0.debian.pool.ntp.org/g'                \
 -e 's/pool 1.debian.pool.ntp.org/\#pool 1.debian.pool.ntp.org/g'                \
 -e 's/pool 2.debian.pool.ntp.org/\#pool 2.debian.pool.ntp.org/g'                \
 -e 's/pool 3.debian.pool.ntp.org/pool time.sharktech.net iburst/g'              \
 /etc/ntp.conf

cd /etc ; git add . ; git commit -a -m 'Use SharkTech NTP (others firewalled).'
/etc/init.d/ntp restart

# Speed up
echo 'GOVERNOR="performance"' > /etc/default/cpufrequtils
/etc/init.d/cpufrequtils restart
cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils'

# Small user tweaks
echo :syntax on > ~/.vimrc
echo :syntax on > /home/jebba/.vimrc
chown jebba:jebba /home/jebba/.vimrc
echo export EDITOR=vi >> /root/.bashrc

# XXX Passwordless sudo XXX Ya, probably remove
sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers

adduser jebba sudo
cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'

# SSH config XXX sed cruft
sed -i  \
 -e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \
 -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \
 -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
 -e 's/\#X11Forwarding yes/X11Forwarding no/g' \
 /etc/ssh/sshd_config

echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config

echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config

# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config

# XXX Add admins as only allowed ssh users
# XXX add user for ansbile
echo "AllowUsers jebba root" >> /etc/ssh/sshd_config

cd /etc ; git add . ; git commit -a -m 'Set up sshd'
systemctl restart sshd

# Startup XXX disable unneeded.
for i in rsync exim4 saned
do echo $i 
  /usr/sbin/update-rc.d $i disable
done
# XXX KILL THIS, listening on public port (firewalled, but still):
# tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      296/systemd-resolve
cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'

# GRUB
sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub

update-grub

cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'

# Fix network to come up on boot
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
cd /etc ; git add . ; git commit -a -m 'Auto start network'

# XXX not sure why this is getting installed:
apt-get -y autoremove

apt-get -y remove os-prober

# Proxmox
#cat > /etc/apt/sources.list.d/pve-enterprise.list<<EOF
##deb https://enterprise.proxmox.com/debian/pve stretch pve-enterprise
#EOF
cat > /etc/apt/sources.list.d/pve-no-subscription.list<<EOF
deb http://download.proxmox.com/debian/pve stretch pve-no-subscription
EOF

# Add Proxmox enterprise key XXX Add key 
#cat > /etc/apt/auth.conf<<EOF
#machine enterprise.proxmox.com
# login pve2s-0000000000
# password 00000000000000000000000000000000
#EOF

# XXX crufty add proxmox apt key
wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg

apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade

apt-get -y				 				\
	install								\
	ksm-control-daemon						\
	omping								\
	proxmox-ve

cd /etc ; git add . ; git commit -a -m 'Install Proxmox'
apt clean

exit 0
Lots of updates, new co-location 8 years ago			`#!/bin/bash`
Add bootstrap scripts for SharkFork 8 years ago			`# forksand-bootstrap-sf-001`
Lots of updates, new co-location 8 years ago			`# GPLv3+`
			`# This script does some initial setup and config`
			`# Sets up Proxmox.`

			`# Log script`
Add bootstrap scripts for SharkFork 8 years ago			`exec > >(tee /root/bootstrap-sf-001.log) 2>/root/bootstrap-sf-001.err`
Lots of updates, new co-location 8 years ago
			`set -x`

			`# Set locale`
			`echo "en_US.UTF-8 UTF-8" > /etc/locale.gen`
			`locale-gen`
			`update-locale`

			`# XXX Set timezone`
			`ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime`

			`# Set up git for tracking. XXX Ansible... XXX`
			`apt-get -y install git sudo`
			`cd /etc`
			`git init`
			`chmod og-rwx /etc/.git`

			`cat > /etc/.gitignore <<EOF`
			`prelink.cache`
			`*.swp`
			`ld.so.cache`
			`adjtime`
			`blkid.tab`
			`blkid.tab.old`
			`mtab`
			`resolv.conf`
			`asound.state`
			`mtab.fuselock`
			`aliases.db`
			`EOF`

Add bootstrap scripts for SharkFork 8 years ago			`git config --global user.name "Jeff Moe"`
			`git config --global user.email moe@forksand.com`
			`cd /etc ; git add . ; git commit -a -m 'Set up new Debian Stretch sf-001 server.'`
Lots of updates, new co-location 8 years ago
			`# SET UP APT`
			`#`
			`cat > /etc/apt/sources.list <<EOF`
			`deb http://mirrors.kernel.org/debian/ stretch-backports main`
			`deb http://mirrors.kernel.org/debian/ stretch main`
			`deb http://mirrors.kernel.org/debian/ stretch-updates main`
			`deb http://security.debian.org/ stretch/updates main`
			`EOF`

			`# Make apt use IPv4:`
			`echo 'Acquire::ForceIPv4 "true";' \| tee /etc/apt/apt.conf.d/99force-ipv4`

			`git add /etc/apt/apt.conf.d/99force-ipv4`
			`git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4`

			`cd /etc ; git add . ; git commit -a -m 'Set up apt.'`

			`# UPGRADE SERVER`
			`apt-get update`
			`apt-get -y dist-upgrade --download-only`
			`DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade`

			`cd /etc ; git add . ; git commit -a -m 'Update base install'`

			`apt-get -y --download-only install \`
			`--no-install-recommends \`
			`apt-transport-https \`
			`bzip2 \`
			`ca-certificates \`
			`colordiff \`
			`cpufrequtils \`
			`curl \`
			`debian-archive-keyring \`
			`exuberant-ctags \`
			`git \`
			`host \`
			`less \`
			`locales \`
			`lsb-release \`
			`man-db \`
			`manpages \`
			`molly-guard \`
			`net-tools \`
			`ntp \`
			`openssh-server \`
Add bootstrap scripts for SharkFork 8 years ago			`postfix \`
Lots of updates, new co-location 8 years ago			`python3 \`
			`rsync \`
			`telnet \`
			`traceroute \`
			`vim \`
			`vim-scripts`

			`DEBIAN_FRONTEND=noninteractive apt-get -y \`
			`-o Dpkg::Options::="--force-confdef" \`
			`-o Dpkg::Options::="--force-confnew" \`
			`install \`
			`--no-install-recommends \`
			`apt-transport-https \`
			`bzip2 \`
			`ca-certificates \`
			`colordiff \`
			`cpufrequtils \`
			`curl \`
			`debian-archive-keyring \`
			`exuberant-ctags \`
			`git \`
			`host \`
			`less \`
			`locales \`
			`lsb-release \`
			`man-db \`
			`manpages \`
			`molly-guard \`
			`net-tools \`
			`ntp \`
			`openssh-server \`
Add bootstrap scripts for SharkFork 8 years ago			`postfix \`
Lots of updates, new co-location 8 years ago			`python3 \`
			`rsync \`
			`telnet \`
			`traceroute \`
			`vim \`
			`vim-scripts`

			`cd /etc ; git add . ; git commit -a -m 'Install base packages'`

Add bootstrap scripts for SharkFork 8 years ago			`# NTP SharkTech. They firewall outside ntp.`
			`sed -i \`
			`-e 's/pool 0.debian.pool.ntp.org/\#pool 0.debian.pool.ntp.org/g' \`
			`-e 's/pool 1.debian.pool.ntp.org/\#pool 1.debian.pool.ntp.org/g' \`
			`-e 's/pool 2.debian.pool.ntp.org/\#pool 2.debian.pool.ntp.org/g' \`
			`-e 's/pool 3.debian.pool.ntp.org/pool time.sharktech.net iburst/g' \`
			`/etc/ntp.conf`
Lots of updates, new co-location 8 years ago
			`cd /etc ; git add . ; git commit -a -m 'Use SharkTech NTP (others firewalled).'`
Add bootstrap scripts for SharkFork 8 years ago			`/etc/init.d/ntp restart`
Lots of updates, new co-location 8 years ago
			`# Speed up`
			`echo 'GOVERNOR="performance"' > /etc/default/cpufrequtils`
			`/etc/init.d/cpufrequtils restart`
			`cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils'`

			`# Small user tweaks`
			`echo :syntax on > ~/.vimrc`
			`echo :syntax on > /home/jebba/.vimrc`
			`chown jebba:jebba /home/jebba/.vimrc`
			`echo export EDITOR=vi >> /root/.bashrc`

			`# XXX Passwordless sudo XXX Ya, probably remove`
			`sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers`

			`adduser jebba sudo`
			`cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'`

			`# SSH config XXX sed cruft`
			`sed -i \`
			`-e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \`
			`-e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \`
			`-e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \`
			`-e 's/\#X11Forwarding yes/X11Forwarding no/g' \`
			`/etc/ssh/sshd_config`

			`echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config`

			`echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config`

			`# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:`
			`#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config`

			`# XXX Add admins as only allowed ssh users`
			`# XXX add user for ansbile`
Add bootstrap scripts for SharkFork 8 years ago			`echo "AllowUsers jebba root" >> /etc/ssh/sshd_config`
Lots of updates, new co-location 8 years ago
			`cd /etc ; git add . ; git commit -a -m 'Set up sshd'`
			`systemctl restart sshd`

			`# Startup XXX disable unneeded.`
			`for i in rsync exim4 saned`
			`do echo $i`
			`/usr/sbin/update-rc.d $i disable`
			`done`
			`# XXX KILL THIS, listening on public port (firewalled, but still):`
			`# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve`
			`cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'`

			`# GRUB`
			`sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub`
			`sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub`
			`echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub`

			`update-grub`

			`cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'`

			`# Fix network to come up on boot`
			`sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces`
			`cd /etc ; git add . ; git commit -a -m 'Auto start network'`

			`# XXX not sure why this is getting installed:`
			`apt-get -y autoremove`

Add bootstrap scripts for SharkFork 8 years ago			`apt-get -y remove os-prober`

Lots of updates, new co-location 8 years ago			`# Proxmox`
			`#cat > /etc/apt/sources.list.d/pve-enterprise.list<<EOF`
			`##deb https://enterprise.proxmox.com/debian/pve stretch pve-enterprise`
			`#EOF`
			`cat > /etc/apt/sources.list.d/pve-no-subscription.list<<EOF`
			`deb http://download.proxmox.com/debian/pve stretch pve-no-subscription`
			`EOF`

			`# Add Proxmox enterprise key XXX Add key`
			`#cat > /etc/apt/auth.conf<<EOF`
			`#machine enterprise.proxmox.com`
			`# login pve2s-0000000000`
			`# password 00000000000000000000000000000000`
			`#EOF`

			`# XXX crufty add proxmox apt key`
			`wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg`

			`apt-get update`
			`apt-get -y dist-upgrade --download-only`
			`DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade`

			`apt-get -y \`
			`install \`
			`ksm-control-daemon \`
Add bootstrap scripts for SharkFork 8 years ago			`omping \`
Lots of updates, new co-location 8 years ago			`proxmox-ve`

			`cd /etc ; git add . ; git commit -a -m 'Install Proxmox'`
			`apt clean`

			`exit 0`