From 401b4017d877d6148c3d6925f4d88c0f282ba926 Mon Sep 17 00:00:00 2001
From: debian
Date: Wed, 24 Oct 2018 13:38:03 -0600
Subject: [PATCH] Add workstation bootstrap scriptlet
---
 .../forksand-workstation-bootstrap | 199 ++++++++++++++++++
 1 file changed, 199 insertions(+)
 create mode 100755 source/resources/apps/workstations/forksand-workstation-bootstrap
diff --git a/source/resources/apps/workstations/forksand-workstation-bootstrap b/source/resources/apps/workstations/forksand-workstation-bootstrap
new file mode 100755
index 0000000..2bf5b4d
--- /dev/null
+++ b/source/resources/apps/workstations/forksand-workstation-bootstrap
@@ -0,0 +1,199 @@
+#!/bin/bash
+# forksand-workstation-bootstrap
+# GPLv3+
+# This script does some initial setup and config
+
+# Log script
+exec > >(tee /root/bootstrap-workstation-bootstrap.log) 2>/root/bootstrap-workstation-bootstrap.err
+
+set -x
+
+# Set locale
+echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
+locale-gen
+update-locale
+
+# XXX Set timezone
+ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
+
+# Use apt-cache
+echo 'Acquire::http::Proxy "http://10.50.11.2:3142";' > /etc/apt/apt.conf
+
+# Set up git for tracking. XXX Ansible... XXX
+apt-get -y install git sudo
+cd /etc
+git init
+chmod og-rwx /etc/.git
+
+cat > /etc/.gitignore < /etc/apt/sources.list < /etc/default/cpufrequtils
+#/etc/init.d/cpufrequtils restart
+#cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils'
+
+# Small user tweaks
+echo :syntax on > ~/.vimrc
+echo :syntax on > /home/jebba/.vimrc
+chown jebba:jebba /home/jebba/.vimrc
+echo export EDITOR=vi >> /root/.bashrc
+
+# XXX Passwordless sudo XXX Ya, probably remove
+sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
+
+adduser jebba sudo
+cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'
+
+# SSH config XXX sed cruft
+sed -i \
+ -e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \
+ -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \
+ -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
+ -e 's/\#X11Forwarding yes/X11Forwarding no/g' \
+ /etc/ssh/sshd_config
+
+#echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
+
+#echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
+
+# Need to update/fix for Debian Buster (testing/10). 
This line breaks Buster:
+#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
+
+# XXX Add admins as only allowed ssh users
+echo "AllowUsers jebba" >> /etc/ssh/sshd_config
+
+cd /etc ; git add . ; git commit -a -m 'Set up sshd'
+systemctl restart sshd
+
+# Startup XXX disable unneeded.
+for i in rsync exim4 saned
+do echo $i
+ /usr/sbin/update-rc.d $i disable
+done
+# XXX KILL THIS, listening on public port (firewalled, but still):
+# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
+cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
+
+# GRUB
+sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
+sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
+echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
+
+update-grub
+
+cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
+
+# Fix network to come up on boot
+sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
+cd /etc ; git add . ; git commit -a -m 'Auto start network'
+
+# XXX not sure why this is getting installed:
+apt-get -y autoremove
+cd /etc ; git add . ; git commit -a -m 'autoremove'
+
+apt clean
+
+exit 0
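Review bot: The sshd hardening in the `sed -i` block only rewrites lines that match the stock commented defaults (`#PasswordAuthentication yes`, `#X11Forwarding yes`), so on an image where those lines are already uncommented or worded differently the substitutions silently do nothing and password logins stay enabled while the script still commits 'Set up sshd'. Nothing validates the file before `systemctl restart sshd` either, and with `AllowUsers jebba` appended and no `set -e` in the visible lines, a bad edit can leave the host unreachable or less locked down than intended. I would gate the restart on a syntax check and an effective-config check, e.g. `sshd -t || exit 1` followed by `sshd -T | grep -qx 'passwordauthentication no' || exit 1`. The same applies to the in-place `sed` on `/etc/sudoers`: run `visudo -c` afterwards, or write a drop-in under `/etc/sudoers.d` instead.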