|
| 1 | +#!/bin/bash |
| 2 | + |
| 3 | +# Created by Avimanyu Bandyopadhyay for Linux Handbook ([email protected]) |
| 4 | +# Code fine-tuned by Debdut Chakraborty for Linux Handbook ([email protected]) |
| 5 | +# This program is free software: you can redistribute it and/or modify |
| 6 | +# it under the terms of the GNU General Public License as published by |
| 7 | +# the Free Software Foundation, either version 3 of the License, or |
| 8 | +# (at your option) any later version. |
| 9 | + |
| 10 | +# This program is distributed in the hope that it will be useful, |
| 11 | +# but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 12 | +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 13 | +# GNU General Public License for more details. |
| 14 | + |
| 15 | +# You should have received a copy of the GNU General Public License |
| 16 | +# along with this program. If not, see <https://www.gnu.org/licenses/>. |
| 17 | + |
| 18 | +# Let's log all the errors to a standard file |
| 19 | +exec 2>/var/log/stack-init.log |
| 20 | + |
| 21 | +#allocate an extra 2G swapfile |
| 22 | +dd if=/dev/zero of=/swapfile bs=1M count=2048 && \ |
| 23 | + chmod 600 /swapfile && \ |
| 24 | + mkswap /swapfile && \ |
| 25 | + echo "/swapfile none swap sw 0 2" >> /etc/fstab |
| 26 | + |
| 27 | +#upgrade all existing packages |
| 28 | +apt update && { |
| 29 | + apt upgrade -y || apt upgrade -y # Sometimes the upgrade process fails because of some network issues, retrying in such cases completes the upgrade. |
| 30 | + apt -y install docker-compose auditd jq |
| 31 | +} |
| 32 | + |
| 33 | +#update auditd rules |
| 34 | +cat <<EOF >> /etc/audit/rules.d/audit.rules |
| 35 | +-w /usr/bin/docker -p wa |
| 36 | +-w /var/lib/docker -p wa |
| 37 | +-w /etc/docker -p wa |
| 38 | +-w /lib/systemd/system/docker.service -p wa |
| 39 | +-w /lib/systemd/system/docker.socket -p wa |
| 40 | +-w /usr/bin/containerd -p wa |
| 41 | +-w /etc/docker/daemon.json -p wa |
| 42 | +EOF |
| 43 | + |
| 44 | +#minimal docker daemon config |
| 45 | +cat <<EOF > /etc/docker/daemon.json |
| 46 | +{ |
| 47 | + "icc": false, |
| 48 | + "live-restore": true, |
| 49 | + "no-new-privileges": true |
| 50 | +} |
| 51 | +EOF |
| 52 | + |
| 53 | +systemctl enable --now docker # required for nginx-letsencrypt deployment |
| 54 | +systemctl enable auditd |
| 55 | + |
| 56 | +#create a user called tux with sudo privileges, save ssh public keys and harden sshd(make sure to change credentials after completing deployment) |
| 57 | +useradd -mG sudo -s /bin/bash -p `mkpasswd KJHkkjsf4iu3ubHJHAajh` tux |
| 58 | + |
| 59 | +#for the cp command to work, make sure to enable ssh key addition(assumed to be already existing on your linode profile) when creating the linode |
| 60 | +mkdir /home/tux/.ssh |
| 61 | +chmod 700 /home/tux/.ssh && chown tux:tux /home/tux/.ssh |
| 62 | +cp ~/.ssh/authorized_keys /home/tux/.ssh/authorized_keys |
| 63 | +chmod 600 /home/tux/.ssh/authorized_keys && chown tux:tux /home/tux/.ssh/authorized_keys |
| 64 | + |
| 65 | +sed -i -E -e 's/#Port 22/Port 4566/g' \ |
| 66 | + -e 's/(PermitRootLogin) yes/\1 no/g' \ |
| 67 | + -e 's/#(PubkeyAuthentication yes)/\1/g' \ |
| 68 | + -e 's/#(PasswordAuthentication) yes/\1 no/g' \ |
| 69 | + -e 's/#(PermitEmptyPasswords no)/\1/g' \ |
| 70 | + -e 's/(X11Forwarding) yes/\1 no/g' \ |
| 71 | + -e 's/#(ClientAliveInterval) 0/\1 300/g' \ |
| 72 | + -e 's/#(ClientAliveCountMax) 3/\1 2/g' \ |
| 73 | + /etc/ssh/sshd_config |
| 74 | +echo 'Protocol 2' >> /etc/ssh/sshd_config |
| 75 | + |
| 76 | +#enable automatic security and recommended updates |
| 77 | +sed -i /etc/apt/apt.conf.d/50unattended-upgrades -Ee 's/\/\/([[:space:]]+"\$\{distro_id\}:\$\{distro_codename\}-updates";)/\1/g' |
| 78 | +cat <<EOF >>/etc/apt/apt.conf.d/20auto-upgrades |
| 79 | +APT::Periodic::Update-Package-Lists "1"; |
| 80 | +APT::Periodic::Unattended-Upgrade "1"; |
| 81 | +APT::Periodic::AutocleanInterval "7"; |
| 82 | +APT::Periodic::Download-Upgradeable-Packages "1"; |
| 83 | +EOF |
| 84 | + |
| 85 | +#install jwilder nginx with ssl on docker(remember to change default email in let's encrypt config after finishing deployment. |
| 86 | +#also update your DNS record with this server's IP |
| 87 | +#redirections- rename the file www.domain.com to your own and edit it as well accordingly(required if using a root domain and not necessary for subdomains) |
| 88 | +#after doing the above 2 changes you would require running `sudo docker-compose up -d` from the jwilder nginx directory as tux after finishing this deployment |
| 89 | +sudo -u tux bash << EOF |
| 90 | +mkdir /home/tux/jwilder-nginx-with-ssl |
| 91 | +wget https://raw.githubusercontent.com/avimanyu786/Jwilder-Nginx-With-LetsEncrypt/main/docker-compose.yml -O /home/tux/jwilder-nginx-with-ssl/docker-compose.yml |
| 92 | +echo 'client_max_body_size 1G;' >> /home/tux/jwilder-nginx-with-ssl/client_max_upload_size.conf |
| 93 | +echo '[email protected]' >> /home/tux/jwilder-nginx-with-ssl/letsencrypt.env |
| 94 | +EOF |
| 95 | +docker network create net |
| 96 | +docker-compose -f /home/tux/jwilder-nginx-with-ssl/docker-compose.yml up -d |
| 97 | + |
| 98 | +#Reboot to finish updates |
| 99 | +sleep 6 |
| 100 | +reboot |
0 commit comments