diff --git a/source/resources/apps/sharkfork-bootstrap/forksand-oc1-desktop-bootstrap b/source/resources/apps/sharkfork-bootstrap/forksand-oc1-desktop-bootstrap
new file mode 100755
index 0000000..90b3193
--- /dev/null
+++ b/source/resources/apps/sharkfork-bootstrap/forksand-oc1-desktop-bootstrap
@@ -0,0 +1,202 @@ +#!/bin/bash +# forksand-bootstrap-oc1-desktop +# GPLv3+ +# This script does some initial setup and config + +# Log script +exec > >(tee /root/bootstrap-oc1-desktop.log) 2>/root/bootstrap-oc1-desktop.err + +set -x + +# Set locale +echo "en_US.UTF-8 UTF-8" > /etc/locale.gen +locale-gen +update-locale + +# XXX Set timezone +ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime + +# Use apt-cache +#echo 'Acquire::http::Proxy "http://192.168.110.72:3142";' > /etc/apt/apt.conf + +# Set up git for tracking. XXX Ansible... XXX +apt-get -y install git sudo +cd /etc +git init +chmod og-rwx /etc/.git + +cat > /etc/.gitignore < /etc/apt/sources.list < /etc/default/cpufrequtils +/etc/init.d/cpufrequtils restart +cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils' + +# Small user tweaks +echo :syntax on > ~/.vimrc +echo :syntax on > /home/jebba/.vimrc +chown jebba:jebba /home/jebba/.vimrc +echo export EDITOR=vi >> /root/.bashrc + +# XXX Passwordless sudo XXX Ya, probably remove +sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers + +adduser jebba sudo +cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo' + +# SSH config XXX sed cruft +sed -i \ + -e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \ + -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \ + -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \ + -e 's/\#X11Forwarding yes/X11Forwarding no/g' \ + /etc/ssh/sshd_config + +echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config + +echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config + +# Need to update/fix for Debian Buster (testing/10). 
This line breaks Buster:
+#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
+
+# XXX Add admins as only allowed ssh users
+# XXX add user for ansbile
+echo "AllowUsers jebba" >> /etc/ssh/sshd_config
+
+cd /etc ; git add . ; git commit -a -m 'Set up sshd'
+systemctl restart sshd
+
+# Startup XXX disable unneeded.
+for i in rsync exim4 saned
+do echo $i
+ /usr/sbin/update-rc.d $i disable
+done
+# XXX KILL THIS, listening on public port (firewalled, but still):
+# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
+cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
+
+# GRUB
+sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
+sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
+echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
+
+update-grub
+
+cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
+
+# Fix network to come up on boot
+sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
+cd /etc ; git add . ; git commit -a -m 'Auto start network'
+
+# XXX not sure why this is getting installed:
+apt-get -y autoremove
+cd /etc ; git add . ; git commit -a -m 'autoremove'
+
+apt clean
+
+exit 0
diff --git a/source/resources/apps/sharkfork-bootstrap/forksand-sf-generic-bootstrap b/source/resources/apps/sharkfork-bootstrap/forksand-sf-generic-bootstrap
new file mode 100755
index 0000000..0bb2d41
--- /dev/null
+++ b/source/resources/apps/sharkfork-bootstrap/forksand-sf-generic-bootstrap
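Review bot: The "Passwordless sudo" step in forksand-oc1-desktop-bootstrap edits the live `/etc/sudoers` with `sed -i` and no syntax check, and it grants `NOPASSWD: ALL` to the whole `sudo` group, so after `adduser jebba sudo` possession of that account's SSH key is enough for root. The comment already says "probably remove"; I would drop the step, or if it has to stay, put a single-account rule in a mode-0440 file under `/etc/sudoers.d/` and check it with `visudo -cf` before relying on it. The substitution only fires when the stock line is exactly `%sudo<TAB>ALL=(ALL:ALL) ALL`, so on an image where it differs nothing changes while the commit message still says 'Set up passwordless sudo'. The same block is repeated in forksand-sf-generic-bootstrap, the script that logs to /root/bootstrap-ocadev2.log, forksand-testo-bootstrap and forksand-util-bootstrap.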
@@ -0,0 +1,294 @@ +#!/bin/bash +# forksand-sf-generic-bootstrap +# GPLv3+ +# This script does some initial setup and config + +# Log script +exec > >(tee /root/bootstrap-sf-generic.log) 2>/root/bootstrap-sf-generic.err + +set -x + +# Set locale +echo "en_US.UTF-8 UTF-8" > /etc/locale.gen +locale-gen +update-locale + +# XXX Set timezone +ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime + +# Use apt-cache +echo 'Acquire::http::Proxy "http://10.22.22.112:3142";' > /etc/apt/apt.conf + +# Set up git for tracking. XXX Ansible... XXX +apt-get -y install git sudo +cd /etc +git init +chmod og-rwx /etc/.git + +cat > /etc/.gitignore < /etc/network/if-pre-up.d/iptables < /etc/iptables.test.rules < /etc/iptables.up.rules + +cd /etc ; git add . ; git commit -a -m 'Set up firewall.' + +# scriptlet for root to reload firewall rules +cat > /root/iptables-reload < /etc/iptables.up.rules +EOF +chmod 700 /root/iptables-reload + + +# SET UP APT +# +cat > /etc/apt/sources.list < ~/.vimrc +echo :syntax on > /home/jebba/.vimrc +chown jebba:jebba /home/jebba/.vimrc +echo export EDITOR=vi >> /root/.bashrc + +# XXX Passwordless sudo XXX Ya, probably remove +sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers + +adduser jebba sudo +cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo' + +# SSH config XXX sed cruft +sed -i \ + -e 's/PermitRootLogin yes/PermitRootLogin no/g' \ + -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin no/g' \ + -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \ + -e 's/\#X11Forwarding yes/X11Forwarding no/g' \ + /etc/ssh/sshd_config + +echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config + +echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config + +# Need to update/fix for Debian Buster (testing/10). 
This line breaks Buster: +#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config + +# XXX Add admins as only allowed ssh users +# XXX add user for ansbile +echo "AllowUsers jebba" >> /etc/ssh/sshd_config + +cd /etc ; git add . ; git commit -a -m 'Set up sshd' +systemctl restart sshd + +# Startup XXX disable unneeded. +for i in rsync exim4 saned +do echo $i + /usr/sbin/update-rc.d $i disable +done +# XXX KILL THIS, listening on public port (firewalled, but still): +# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve +cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot' + +# GRUB +sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/g' /etc/default/grub +sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub +sed -i -e 's/^GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="ipv6.disable=1"/g' /etc/default/grub +echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub + +update-grub + +cd /etc ; git add . ; git commit -a -m 'GRUB tweaks' + +# Don't load IPv6 kernel modules. +echo blacklist ipv6 > /etc/modprobe.d/ipv6.conf +echo alias net-pf-10 off >> /etc/modprobe.d/aliases.conf +echo alias ivp6 off >> /etc/modprobe.d/aliases.conf +# Disable IPv6 with sysctl. +cat >> /etc/sysctl.conf < >(tee /root/bootstrap-ocadev2.log) 2>/root/bootstrap-ocadev2.err + +set -x + +# Set locale +echo "en_US.UTF-8 UTF-8" > /etc/locale.gen +locale-gen +update-locale + +# XXX Set timezone +ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime + +# Set up git for tracking. XXX Ansible... 
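Review bot: In the "Don't load IPv6 kernel modules" block of forksand-sf-generic-bootstrap, `echo alias ivp6 off >> /etc/modprobe.d/aliases.conf` misspells the module name, so that alias can never match; it should read `echo alias ipv6 off >> /etc/modprobe.d/aliases.conf`. The GRUB route depends on the stock line being exactly `GRUB_CMDLINE_LINUX=""`, otherwise the `ipv6.disable=1` substitution silently does nothing. The firewall set up earlier in the script is loaded from `/etc/iptables.up.rules`, which presumably covers IPv4 only, so I would either ship matching ip6tables rules or end the script with a check that IPv6 is really off, rather than leave an unfiltered address family when one of these edits misses. The heredoc bodies and the end of this hunk are not visible here, so the firewall part is inferred from the file names.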
XXX +apt-get -y install git sudo +cd /etc +git init +chmod og-rwx /etc/.git + +cat > /etc/.gitignore < /etc/apt/sources.list < ~/.vimrc +echo :syntax on > /home/jebba/.vimrc +chown jebba:jebba /home/jebba/.vimrc +echo export EDITOR=vi >> /root/.bashrc + +# XXX Passwordless sudo XXX Ya, probably remove +sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers + +adduser jebba sudo +cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo' + +# SSH config XXX sed cruft +sed -i \ + -e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \ + -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \ + -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \ + -e 's/\#X11Forwarding yes/X11Forwarding no/g' \ + /etc/ssh/sshd_config + +echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config + +echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config + +# Need to update/fix for Debian Buster (testing/10). This line breaks Buster: +#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config + +# XXX Add admins as only allowed ssh users +# XXX add user for ansbile +echo "AllowUsers jebba jballester" >> /etc/ssh/sshd_config + +cd /etc ; git add . ; git commit -a -m 'Set up sshd' +systemctl restart sshd + +# Startup XXX disable unneeded. +for i in rsync exim4 saned +do echo $i + /usr/sbin/update-rc.d $i disable +done +# XXX KILL THIS, listening on public port (firewalled, but still): +# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve +cd /etc ; git add . 
; git commit -a -m 'Turn off junk on boot'
+
+# GRUB
+sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/g' /etc/default/grub
+sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
+echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
+
+update-grub
+
+cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
+
+# Fix network to come up on boot
+sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
+cd /etc ; git add . ; git commit -a -m 'Auto start network'
+
+# XXX not sure why this is getting installed:
+apt-get -y autoremove
+cd /etc ; git add . ; git commit -a -m 'apt autoremove'
+
+exit 0
diff --git a/source/resources/apps/sharkfork-bootstrap/forksand-testo-bootstrap b/source/resources/apps/sharkfork-bootstrap/forksand-testo-bootstrap
new file mode 100755
index 0000000..010cd6f
--- /dev/null
+++ b/source/resources/apps/sharkfork-bootstrap/forksand-testo-bootstrap
@@ -0,0 +1,200 @@ +#!/bin/bash +# forksand-testo-bootstrap +# GPLv3+ +# This script does some initial setup and config + +# Log script +exec > >(tee /root/bootstrap-testo.log) 2>/root/bootstrap-testo.err + +set -x + +# Set locale +echo "en_US.UTF-8 UTF-8" > /etc/locale.gen +locale-gen +update-locale + +# XXX Set timezone +ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime + +# Use apt-cache +echo 'Acquire::http::Proxy "http://192.168.110.72:3142";' > /etc/apt/apt.conf + +# Set up git for tracking. XXX Ansible... XXX +apt-get -y install git sudo +cd /etc +git init +chmod og-rwx /etc/.git + +cat > /etc/.gitignore < /etc/apt/sources.list < /etc/default/cpufrequtils +/etc/init.d/cpufrequtils restart +cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils' + +# Small user tweaks +echo :syntax on > ~/.vimrc +echo :syntax on > /home/jebba/.vimrc +chown jebba:jebba /home/jebba/.vimrc +echo export EDITOR=vi >> /root/.bashrc + +# XXX Passwordless sudo XXX Ya, probably remove +sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers + +adduser jebba sudo +cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo' + +# SSH config XXX sed cruft +sed -i \ + -e 's/PermitRootLogin yes/PermitRootLogin no/g' \ + -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin no/g' \ + -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \ + -e 's/\#X11Forwarding yes/X11Forwarding no/g' \ + /etc/ssh/sshd_config + +echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config + +echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config + +# Need to update/fix for Debian Buster (testing/10). 
This line breaks Buster:
+#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
+
+# XXX Add admins as only allowed ssh users
+# XXX add user for ansbile
+echo "AllowUsers jebba" >> /etc/ssh/sshd_config
+
+cd /etc ; git add . ; git commit -a -m 'Set up sshd'
+systemctl restart sshd
+
+# Startup XXX disable unneeded.
+for i in rsync exim4 saned
+do echo $i
+ /usr/sbin/update-rc.d $i disable
+done
+# XXX KILL THIS, listening on public port (firewalled, but still):
+# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
+cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
+
+# GRUB
+sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/g' /etc/default/grub
+sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
+echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
+
+update-grub
+
+cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
+
+# Fix network to come up on boot
+sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
+cd /etc ; git add . ; git commit -a -m 'Auto start network'
+
+# XXX not sure why this is getting installed:
+apt-get -y autoremove
+cd /etc ; git add . ; git commit -a -m 'autoremove'
+
+apt clean
+
+exit 0
diff --git a/source/resources/apps/sharkfork-bootstrap/forksand-util-bootstrap b/source/resources/apps/sharkfork-bootstrap/forksand-util-bootstrap
new file mode 100755
index 0000000..79b8498
--- /dev/null
+++ b/source/resources/apps/sharkfork-bootstrap/forksand-util-bootstrap
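Review bot: The sshd block in forksand-testo-bootstrap runs `systemctl restart sshd` on the edited file without validating it, right after disabling password logins and appending `AllowUsers jebba`; I would gate it as `sshd -t && systemctl restart sshd` and confirm the account has an `authorized_keys` file first, otherwise a bad edit or a missing key leaves the host unreachable over SSH. The `sed` expressions match only the exact stock strings, so an already-uncommented `PasswordAuthentication yes` is left as it is and `s/PermitRootLogin yes/…/` rewrites a commented `#PermitRootLogin yes` without uncommenting it; checking the effective values with `sshd -T` after the edit would catch both. The `KexAlgorithms` and `Ciphers` lines are appended at the end, and sshd uses the first value it obtains for a keyword, so any earlier setting of the same keyword wins. The same block appears in the other four scripts of this commit, two of them with `PermitRootLogin prohibit-password` instead of `no`.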
@@ -0,0 +1,214 @@ +#!/bin/bash +# forksand-util-bootstrap +# GPLv3+ +# This script does some initial setup and config + +# Log script +exec > >(tee /root/bootstrap-util.log) 2>/root/bootstrap-util.err + +set -x + +# Set locale +echo "en_US.UTF-8 UTF-8" > /etc/locale.gen +locale-gen +update-locale + +# XXX Set timezone +ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime + +# Use apt-cache +#echo 'Acquire::http::Proxy "http://192.168.110.72:3142";' > /etc/apt/apt.conf + +# Set up git for tracking. XXX Ansible... XXX +apt-get -y install git sudo +cd /etc +git init +chmod og-rwx /etc/.git + +cat > /etc/.gitignore < /etc/apt/sources.list < /etc/default/cpufrequtils +/etc/init.d/cpufrequtils restart +cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils' + +# Small user tweaks +echo :syntax on > ~/.vimrc +echo :syntax on > /home/jebba/.vimrc +chown jebba:jebba /home/jebba/.vimrc +echo export EDITOR=vi >> /root/.bashrc + +# XXX Passwordless sudo XXX Ya, probably remove +sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers + +adduser jebba sudo +cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo' + +# SSH config XXX sed cruft +sed -i \ + -e 's/PermitRootLogin yes/PermitRootLogin no/g' \ + -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin no/g' \ + -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \ + -e 's/\#X11Forwarding yes/X11Forwarding no/g' \ + /etc/ssh/sshd_config + +echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config + +echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config + +# Need to update/fix for Debian Buster (testing/10). 
This line breaks Buster:
+#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
+
+# XXX Add admins as only allowed ssh users
+# XXX add user for ansbile
+echo "AllowUsers jebba" >> /etc/ssh/sshd_config
+
+cd /etc ; git add . ; git commit -a -m 'Set up sshd'
+systemctl restart sshd
+
+# Startup XXX disable unneeded.
+for i in rsync exim4 saned
+do echo $i
+ /usr/sbin/update-rc.d $i disable
+done
+# XXX KILL THIS, listening on public port (firewalled, but still):
+# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
+cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
+
+# GRUB
+sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/g' /etc/default/grub
+sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
+echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
+
+update-grub
+
+cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
+
+# Fix network to come up on boot
+sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
+cd /etc ; git add . ; git commit -a -m 'Auto start network'
+
+# XXX not sure why this is getting installed:
+apt-get -y autoremove
+cd /etc ; git add . ; git commit -a -m 'autoremove'
+
+apt clean
+
+exit 0
+
+####################
+# XXX Post install #
+####################
+
+# Disable IPv6
+
+apt remove postfix
+cd /etc ; git add . ; git commit -a -m 'remove postfix'
+
+apt install apt-cacher-ng
+cd /etc ; git add . ; git commit -a -m 'install apt-cacher-ng'
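Review bot: Everything after `exit 0` in forksand-util-bootstrap, the "XXX Post install" section with `apt remove postfix` and `apt install apt-cacher-ng`, is never executed, and the "# Disable IPv6" heading has nothing under it. If these are manual follow-up steps I would comment them out (`# apt-get -y remove postfix`) so nobody reading the script assumes the mail server was removed or IPv6 disabled on this host; if they are meant to run, they belong before `exit 0` and need `apt-get -y` so an unattended run does not stop at a prompt. The unconditional `exit 0` also reports success when earlier steps such as the sshd or sudoers edits failed, which holds for the other four scripts as well; returning the status of the critical steps would make a half-applied bootstrap visible to whatever calls it.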