parent
1ed94ed2d0
commit
c3950577cf
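--- /dev/null
+++ b/FILE_PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,289 @@
+#!/bin/bash
+# forksand-sf-redis-bootstrap
+# GPLv3+
+# This script does some initial setup and config
+
+# Log script
+exec > >(tee /root/bootstrap-sf-redis.log) 2>/root/bootstrap-sf-redis.err
+
+set -x
+
+# Set locale
+echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
+locale-gen
+update-locale
+
+# XXX Set timezone
+ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
+
+# Use apt-cache
+echo 'Acquire::http::Proxy "http://10.22.22.112:3142";' > /etc/apt/apt.conf
+
+# Set up git for tracking. XXX Ansible... XXX
+apt-get -y install git sudo
+cd /etc
+git init
+chmod og-rwx /etc/.git
+
+cat > /etc/.gitignore <<EOF
+prelink.cache
+*.swp
+ld.so.cache
+adjtime
+blkid.tab
+blkid.tab.old
+mtab
+resolv.conf
+asound.state
+mtab.fuselock
+aliases.db
+EOF
+
+git config --global user.name "jebba"
+git config --global user.email moe@forksand.com
+cd /etc ; git add . ; git commit -m 'Add apt cache' /etc/apt/apt.conf
+cd /etc ; git add . ; git commit -a -m 'Set up new Debian stretch server.'
+
+# Firewall
+# Create iptables startup script (is this still needed? From squeeze era)
+cat > /etc/network/if-pre-up.d/iptables <<EOF
+#!/bin/bash
+# iptables
+/sbin/iptables-restore < /etc/iptables.up.rules
+EOF
+
+cat > /etc/iptables.test.rules <<EOF
+# iptables.test.rules
+*filter
+
+# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
+-A INPUT -i lo -j ACCEPT
+
+# Accepts all established inbound connections
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Allows all outbound traffic
+# You could modify this to only allow certain traffic
+-A OUTPUT -j ACCEPT
+
+# SSH Access Port
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp --dport 22202 -j ACCEPT
+
+# Allow web port 80 for Letsencrypt
+#-A INPUT -p tcp --dport 80 -j ACCEPT
+
+# Redis Access Ports
+-A INPUT -p tcp --dport 6379 -j ACCEPT
+-A INPUT -p tcp --dport 16379 -j ACCEPT
+
+# Allow ping
+#-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
+# log iptables denied calls (access via 'dmesg' command)
+
+-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
+
+# Reject all other inbound - default deny unless explicitly allowed policy:
+-A INPUT -j REJECT
+-A FORWARD -j REJECT
+COMMIT
+EOF
+
+touch /etc/iptables.up.rules
+chmod 600 /etc/iptables.up.rules
+chmod 755 /etc/network/if-pre-up.d/iptables
+chmod 600 /etc/iptables.test.rules
+iptables-restore < /etc/iptables.test.rules
+iptables -L -n
+iptables-save > /etc/iptables.up.rules
+
+cd /etc ; git add . ; git commit -a -m 'Set up firewall.'
+
+# scriptlet for root to reload firewall rules
+cat > /root/iptables-reload <<EOF
+iptables-restore < /etc/iptables.test.rules
+iptables-save > /etc/iptables.up.rules
+EOF
+chmod 700 /root/iptables-reload
+
+
+# SET UP APT
+#
+cat > /etc/apt/sources.list <<EOF
+deb http://mirrors.kernel.org/debian/ stretch-backports main
+deb http://mirrors.kernel.org/debian/ stretch main
+deb http://mirrors.kernel.org/debian/ stretch-updates main
+deb http://security.debian.org/ stretch/updates main
+EOF
+
+# Make apt use IPv4:
+echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
+
+git add /etc/apt/apt.conf.d/99force-ipv4
+git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4
+
+cd /etc ; git add . ; git commit -a -m 'Set up apt.'
+
+# UPGRADE SERVER
+apt-get update
+apt-get -y dist-upgrade --download-only
+DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
+
+cd /etc ; git add . ; git commit -a -m 'Update base install'
+
+apt-get -y --download-only install \
+--no-install-recommends \
+apt-transport-https \
+bzip2 \
+ca-certificates \
+colordiff \
+curl \
+debian-archive-keyring \
+exuberant-ctags \
+git \
+host \
+less \
+locales \
+lsb-release \
+man-db \
+manpages \
+molly-guard \
+net-tools \
+ntp \
+openssh-server \
+python3 \
+qemu-guest-agent \
+rsync \
+telnet \
+traceroute \
+vim \
+vim-scripts
+
+DEBIAN_FRONTEND=noninteractive apt-get -y \
+-o Dpkg::Options::="--force-confdef" \
+-o Dpkg::Options::="--force-confnew" \
+install \
+--no-install-recommends \
+apt-transport-https \
+bzip2 \
+ca-certificates \
+colordiff \
+curl \
+debian-archive-keyring \
+exuberant-ctags \
+git \
+host \
+less \
+locales \
+lsb-release \
+man-db \
+manpages \
+molly-guard \
+net-tools \
+ntp \
+openssh-server \
+python3 \
+qemu-guest-agent \
+rsync \
+telnet \
+traceroute \
+vim \
+vim-scripts
+
+cd /etc ; git add . ; git commit -a -m 'Install base packages'
+
+# NTP SharkTech. They firewall outside ntp.
+sed -i \
+-e 's/pool 0.debian.pool.ntp.org/\#pool 0.debian.pool.ntp.org/g' \
+-e 's/pool 1.debian.pool.ntp.org/\#pool 1.debian.pool.ntp.org/g' \
+-e 's/pool 2.debian.pool.ntp.org/\#pool 2.debian.pool.ntp.org/g' \
+-e 's/pool 3.debian.pool.ntp.org/pool time.sharktech.net iburst/g' \
+/etc/ntp.conf
+
+cd /etc ; git add . ; git commit -a -m 'Use SharkTech NTP (others firewalled).'
+/etc/init.d/ntp restart
+
+# Small user tweaks
+echo :syntax on > ~/.vimrc
+echo :syntax on > /home/jebba/.vimrc
+chown jebba:jebba /home/jebba/.vimrc
+echo export EDITOR=vi >> /root/.bashrc
+
+# XXX Passwordless sudo XXX Ya, probably remove
+sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
+
+adduser jebba sudo
+cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'
+
+# SSH config XXX sed cruft
+sed -i \
+-e 's/PermitRootLogin yes/PermitRootLogin no/g' \
+-e 's/\#PermitRootLogin prohibit-password/PermitRootLogin no/g' \
+-e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
+-e 's/\#X11Forwarding yes/X11Forwarding no/g' \
+/etc/ssh/sshd_config
+
+echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
+
+echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
+
+# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
+#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
+
+# XXX Add admins as only allowed ssh users
+# XXX add user for ansbile
+echo "AllowUsers jebba" >> /etc/ssh/sshd_config
+
+cd /etc ; git add . ; git commit -a -m 'Set up sshd'
+systemctl restart sshd
+
+# Startup XXX disable unneeded.
+for i in rsync exim4 saned
+do echo $i
+/usr/sbin/update-rc.d $i disable
+done
+# XXX KILL THIS, listening on public port (firewalled, but still):
+# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
+cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
+
+# GRUB
+sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/g' /etc/default/grub
+sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
+sed -i -e 's/^GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="ipv6.disable=1"/g' /etc/default/grub
+echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
+
+update-grub
+
+cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
+
+# Don't load IPv6 kernel modules.
+echo blacklist ipv6 > /etc/modprobe.d/ipv6.conf
+echo alias net-pf-10 off >> /etc/modprobe.d/aliases.conf
+echo alias ivp6 off >> /etc/modprobe.d/aliases.conf
+# Disable IPv6 with sysctl.
+cat >> /etc/sysctl.conf <<EOF
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.default.disable_ipv6 = 1
+net.ipv6.conf.lo.disable_ipv6 = 1
+#net.ipv6.conf.ens3.disable_ipv6 = 1
+EOF
+
+sysctl -p
+cd /etc ; git add . ; git commit -a -m 'Disable IPv6'
+
+# Fix network to come up on boot
+sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
+cd /etc ; git add . ; git commit -a -m 'Auto start network'
+
+# XXX not sure why this is getting installed:
+apt-get -y autoremove
+cd /etc ; git add . ; git commit -a -m 'autoremove'
+
+apt clean
+
+exit 0
+
+# Reboot
+
+# Set up Redis
+apt-get install -t stretch-backports redis redis-sentinel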
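Review bot: The Redis accept rules `-A INPUT -p tcp --dport 6379 -j ACCEPT` and `-A INPUT -p tcp --dport 16379 -j ACCEPT` in the iptables.test.rules heredoc carry no `-s` source match, so once redis is installed it is reachable from any address unless redis itself is bound to a private interface or given authentication, which nothing in this script does; limiting them to the peer range, e.g. `-A INPUT -p tcp -s <REDIS_PEER_CIDR> --dport 6379 -j ACCEPT` (placeholder CIDR, not on the page), keeps the default-deny posture the trailing `-A INPUT -j REJECT` intends. Two in-place edits are applied without a syntax check that would catch a bad substitution before it locks the host out: add `visudo -c` after the `sed -i ... /etc/sudoers` line and `sshd -t` before `systemctl restart sshd`, and note that with `PasswordAuthentication no` plus `AllowUsers jebba` the restart presumes jebba already has an authorized key, which the script never installs. In the modprobe block `echo alias ivp6 off` misspells `ipv6`, so that alias line has no effect (the preceding `blacklist ipv6` and `net-pf-10` lines still apply). The `exit 0` before `# Reboot` means the final `apt-get install -t stretch-backports redis redis-sentinel` is never reached by this script, which looks like an intentional post-reboot step but deserves a comment saying so, and that line also lacks the `-y` every other apt-get call uses.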