#!/bin/bash # forksand-bootstrap-oc1-desktop # GPLv3+ # This script does some initial setup and config # Log script exec > >(tee /root/bootstrap-oc1-desktop.log) 2>/root/bootstrap-oc1-desktop.err set -x # Set locale echo "en_US.UTF-8 UTF-8" > /etc/locale.gen locale-gen update-locale # XXX Set timezone ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime # Use apt-cache #echo 'Acquire::http::Proxy "http://192.168.110.72:3142";' > /etc/apt/apt.conf # Set up git for tracking. XXX Ansible... XXX apt-get -y install git sudo cd /etc git init chmod og-rwx /etc/.git cat > /etc/.gitignore <<EOF prelink.cache *.swp ld.so.cache adjtime blkid.tab blkid.tab.old mtab resolv.conf asound.state mtab.fuselock aliases.db EOF git config --global user.name "Jeff Moe" git config --global user.email moe@forksand.com cd /etc ; git add . ; git commit -a -m 'Set up new Debian stretch oc1-desktop.' # SET UP APT # cat > /etc/apt/sources.list <<EOF deb http://mirrors.kernel.org/debian/ stretch-backports main deb http://mirrors.kernel.org/debian/ stretch main deb http://mirrors.kernel.org/debian/ stretch-updates main deb http://security.debian.org/ stretch/updates main EOF # Make apt use IPv4: echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4 git add /etc/apt/apt.conf.d/99force-ipv4 git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4 cd /etc ; git add . ; git commit -a -m 'Set up apt.' # UPGRADE SERVER apt-get update apt-get -y dist-upgrade --download-only DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade cd /etc ; git add . ; git commit -a -m 'Update base install' apt-get -y --download-only install \ --no-install-recommends \ apt-transport-https \ bzip2 \ ca-certificates \ colordiff \ cpufrequtils \ curl \ debian-archive-keyring \ exuberant-ctags \ git \ host \ less \ locales \ lsb-release \ man-db \ manpages \ molly-guard \ net-tools \ ntp \ openssh-server \ postfix \ python3 \ qemu-guest-agent \ rsync \ telnet \ traceroute \ vim \ vim-scripts DEBIAN_FRONTEND=noninteractive apt-get -y \ -o Dpkg::Options::="--force-confdef" \ -o Dpkg::Options::="--force-confnew" \ install \ --no-install-recommends \ apt-transport-https \ bzip2 \ ca-certificates \ colordiff \ cpufrequtils \ curl \ debian-archive-keyring \ exuberant-ctags \ git \ host \ less \ locales \ lsb-release \ man-db \ manpages \ molly-guard \ net-tools \ ntp \ openssh-server \ postfix \ python3 \ qemu-guest-agent \ rsync \ telnet \ traceroute \ vim \ vim-scripts cd /etc ; git add . ; git commit -a -m 'Install base packages' # Speed up echo 'GOVERNOR="performance"' > /etc/default/cpufrequtils /etc/init.d/cpufrequtils restart cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils' # Small user tweaks echo :syntax on > ~/.vimrc echo :syntax on > /home/jebba/.vimrc chown jebba:jebba /home/jebba/.vimrc echo export EDITOR=vi >> /root/.bashrc # XXX Passwordless sudo XXX Ya, probably remove sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers adduser jebba sudo cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo' # SSH config XXX sed cruft sed -i \ -e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \ -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \ -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \ -e 's/\#X11Forwarding yes/X11Forwarding no/g' \ /etc/ssh/sshd_config echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config # Need to update/fix for Debian Buster (testing/10). This line breaks Buster: #echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config # XXX Add admins as only allowed ssh users # XXX add user for ansbile echo "AllowUsers jebba" >> /etc/ssh/sshd_config cd /etc ; git add . ; git commit -a -m 'Set up sshd' systemctl restart sshd # Startup XXX disable unneeded. for i in rsync exim4 saned do echo $i /usr/sbin/update-rc.d $i disable done # XXX KILL THIS, listening on public port (firewalled, but still): # tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot' # GRUB sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub update-grub cd /etc ; git add . ; git commit -a -m 'GRUB tweaks' # Fix network to come up on boot sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces cd /etc ; git add . ; git commit -a -m 'Auto start network' # XXX not sure why this is getting installed: apt-get -y autoremove cd /etc ; git add . ; git commit -a -m 'autoremove' apt clean exit 0