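				#!/bin/bash
# forksand-bootstrap-sf-001
# GPLv3+
#
# Initial setup and config of a fresh Debian Stretch host (sf-001), ending
# with a Proxmox VE install. Runs once, as root, with everything hard-coded
# below (no arguments).
#
# Every step that changes /etc is committed to a git repo kept in /etc, so
# the bootstrap history can be diffed afterwards.
#
# Error handling: `set -e` is deliberately NOT used, because several steps
# are allowed to fail harmlessly (git commit with nothing to commit,
# update-rc.d on a service that is not installed, restart of an init script
# that is not there yet). Steps whose failure would leave the host broken or
# locked out are checked explicitly with `|| die`.

set -u

# Print an error to stderr and abort the bootstrap with status 1.
die() {
  printf 'bootstrap-sf-001: %s\n' "$*" >&2
  exit 1
}

# Stage everything under /etc and commit it with the given message.
# Arguments: $1 - commit message
# A commit with nothing to commit exits non-zero; that is not an error here,
# which is one reason this script does not run under `set -e`.
etc_commit() {
  local msg=$1
  (cd /etc && git add . && git commit -a -m "$msg")
}

# Log script. The log files are created 0600 first: with `set -x` below,
# the trace contains every command line, so they should not be
# world-readable.
(umask 077; : > /root/bootstrap-sf-001.log; : > /root/bootstrap-sf-001.err)
exec > >(tee /root/bootstrap-sf-001.log) 2>/root/bootstrap-sf-001.err

set -x

# Set locale
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
# update-locale needs the variable to set; with no argument it only rewrites
# /etc/default/locale from whatever is already there.
update-locale LANG=en_US.UTF-8

# XXX Set timezone
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
# Keep /etc/timezone in step with the symlink (Debian tools read this file).
echo 'America/Denver' > /etc/timezone

# Set up git for tracking. XXX Ansible... XXX
apt-get -y install git sudo || die "could not install git and sudo"
git -C /etc init
# `git add .` below will pull in /etc/shadow, host keys and similar, so the
# repository itself must stay root-only.
chmod og-rwx /etc/.git

cat > /etc/.gitignore <<'EOF'
prelink.cache
*.swp
ld.so.cache
adjtime
blkid.tab
blkid.tab.old
mtab
resolv.conf
asound.state
mtab.fuselock
aliases.db
EOF

git config --global user.name "Jeff Moe"
git config --global user.email moe@forksand.com
etc_commit 'Set up new Debian Stretch sf-001 server.'

# SET UP APT
#
# Plain-HTTP mirrors: package integrity still comes from the signed Release
# files (debian-archive-keyring). apt-transport-https is only installed with
# the base packages further down, so https would not work at this point.
cat > /etc/apt/sources.list <<'EOF'
deb http://mirrors.kernel.org/debian/ stretch-backports main
deb http://mirrors.kernel.org/debian/ stretch main
deb http://mirrors.kernel.org/debian/ stretch-updates main
deb http://security.debian.org/ stretch/updates main
EOF

# Make apt use IPv4:
echo 'Acquire::ForceIPv4 "true";' > /etc/apt/apt.conf.d/99force-ipv4

git -C /etc add /etc/apt/apt.conf.d/99force-ipv4
git -C /etc commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4

etc_commit 'Set up apt.'

# UPGRADE SERVER
apt-get update || die "apt-get update failed"
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y \
  -o Dpkg::Options::="--force-confdef" \
  -o Dpkg::Options::="--force-confnew" \
  dist-upgrade || die "dist-upgrade failed"

etc_commit 'Update base install'

# Base package set. Defined once and used for both the download-only pass
# and the real install so the two lists cannot drift apart.
base_packages=(
  apt-transport-https
  bzip2
  ca-certificates
  colordiff
  cpufrequtils
  curl
  debian-archive-keyring
  exuberant-ctags
  git
  host
  less
  locales
  lsb-release
  man-db
  manpages
  molly-guard
  net-tools
  ntp
  openssh-server
  postfix
  python3
  rsync
  telnet
  traceroute
  vim
  vim-scripts
)

apt-get -y --download-only install --no-install-recommends "${base_packages[@]}"

DEBIAN_FRONTEND=noninteractive apt-get -y \
  -o Dpkg::Options::="--force-confdef" \
  -o Dpkg::Options::="--force-confnew" \
  install --no-install-recommends "${base_packages[@]}" \
  || die "base package install failed"

etc_commit 'Install base packages'

# NTP SharkTech. They firewall outside ntp.
sed -i \
  -e 's/pool 0.debian.pool.ntp.org/\#pool 0.debian.pool.ntp.org/g' \
  -e 's/pool 1.debian.pool.ntp.org/\#pool 1.debian.pool.ntp.org/g' \
  -e 's/pool 2.debian.pool.ntp.org/\#pool 2.debian.pool.ntp.org/g' \
  -e 's/pool 3.debian.pool.ntp.org/pool time.sharktech.net iburst/g' \
  /etc/ntp.conf

etc_commit 'Use SharkTech NTP (others firewalled).'
/etc/init.d/ntp restart

# Speed up
echo 'GOVERNOR="performance"' > /etc/default/cpufrequtils
/etc/init.d/cpufrequtils restart
etc_commit 'Set up cpufrequtils'

# Small user tweaks
echo ':syntax on' > "$HOME/.vimrc"
if id jebba >/dev/null 2>&1; then
  echo ':syntax on' > /home/jebba/.vimrc
  chown jebba:jebba /home/jebba/.vimrc
else
  printf 'WARNING: user jebba does not exist; skipping its vimrc and sudo membership\n' >&2
fi
echo 'export EDITOR=vi' >> /root/.bashrc

# XXX Passwordless sudo XXX Ya, probably remove
# Installed as a drop-in that visudo has validated, instead of sed-editing
# /etc/sudoers: a syntax error in the main file disables sudo for everyone.
# Debian's stock /etc/sudoers includes /etc/sudoers.d, and the later rule
# wins, so this has the same effect as rewriting the %sudo line.
sudoers_dropin=/etc/sudoers.d/90-sudo-nopasswd
sudoers_tmp=$(mktemp) || die "mktemp failed"
printf '%%sudo ALL=(ALL) NOPASSWD: ALL\n' > "$sudoers_tmp"
chmod 0440 "$sudoers_tmp"
visudo -cf "$sudoers_tmp" || die "generated sudoers drop-in failed visudo check"
mv -- "$sudoers_tmp" "$sudoers_dropin"

if id jebba >/dev/null 2>&1; then
  adduser jebba sudo
fi
etc_commit 'Set up passwordless sudo'

# SSH config XXX sed cruft
sed -i \
  -e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \
  -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \
  -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
  -e 's/\#X11Forwarding yes/X11Forwarding no/g' \
  /etc/ssh/sshd_config

# Appended at the end of sshd_config. That is fine for the stock Debian file,
# which has no active Match block; if one is ever added above, these lines
# would become part of it rather than global.
echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config

echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config

# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config

# XXX Add admins as only allowed ssh users
# XXX add user for ansbile
echo "AllowUsers jebba root" >> /etc/ssh/sshd_config

# Lockout guard: with PasswordAuthentication off and root limited to keys,
# a key must already be installed for root or jebba.
if [[ ! -s /root/.ssh/authorized_keys && ! -s /home/jebba/.ssh/authorized_keys ]]; then
  printf 'WARNING: no authorized_keys for root or jebba; key-only ssh may lock you out\n' >&2
fi

etc_commit 'Set up sshd'
# Never restart sshd into a config it rejects: a failed restart on a remote
# box means no way back in.
/usr/sbin/sshd -t || die "sshd_config failed 'sshd -t'; not restarting sshd"
systemctl restart sshd

# Startup XXX disable unneeded.
for svc in rsync exim4 saned; do
  echo "$svc"
  /usr/sbin/update-rc.d "$svc" disable
done
# XXX KILL THIS, listening on public port (firewalled, but still):
# tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      296/systemd-resolve
etc_commit 'Turn off junk on boot'

# GRUB
sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub

update-grub

etc_commit 'GRUB tweaks'

# Fix network to come up on boot
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
etc_commit 'Auto start network'

# XXX not sure why this is getting installed:
apt-get -y autoremove

apt-get -y remove os-prober

# Proxmox
#cat > /etc/apt/sources.list.d/pve-enterprise.list<<EOF
##deb https://enterprise.proxmox.com/debian/pve stretch pve-enterprise
#EOF

# Proxmox release key. It is kept out of /etc/apt/trusted.gpg.d, where it
# would be trusted for *every* repository, and bound to the pve repo alone
# via signed-by. It is fetched over HTTPS only: an APT signing key obtained
# over plain HTTP can be replaced by anyone on the path, after which every
# package from that repo is attacker-chosen. curl and apt-transport-https
# (needed for the https deb line) were installed with the base packages.
proxmox_keyring=/etc/apt/keyrings/proxmox-ve-release-5.x.gpg
install -d -m 0755 /etc/apt/keyrings
curl -fsSL --proto '=https' \
  -o "$proxmox_keyring" \
  https://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg \
  || die "could not download the Proxmox release key"
[[ -s "$proxmox_keyring" ]] || die "downloaded Proxmox release key is empty"
# TODO: compare the key against the fingerprint published in the Proxmox
# install documentation before trusting it; an error page served with a 200
# would otherwise be installed as a "key".

cat > /etc/apt/sources.list.d/pve-no-subscription.list <<EOF
deb [signed-by=${proxmox_keyring}] https://download.proxmox.com/debian/pve stretch pve-no-subscription
EOF

# Add Proxmox enterprise key XXX Add key
# If this is ever enabled, /etc/apt/auth.conf must be mode 0600: it holds
# the subscription credentials in clear text.
#cat > /etc/apt/auth.conf<<EOF
#machine enterprise.proxmox.com
# login pve2s-0000000000
# password 00000000000000000000000000000000
#EOF

apt-get update || die "apt-get update failed after adding the Proxmox repo"
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y \
  -o Dpkg::Options::="--force-confdef" \
  -o Dpkg::Options::="--force-confnew" \
  dist-upgrade || die "dist-upgrade failed after adding the Proxmox repo"

apt-get -y install \
  ksm-control-daemon \
  omping \
  proxmox-ve \
  || die "Proxmox install failed"

etc_commit 'Install Proxmox'
apt clean

exit 0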