First commit. Added Debian 12 OpenVZ
88
scripts/bootstrap-vps-debian12.sh
Normal file
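--- /dev/null
+++ b/scripts/bootstrap-vps-debian12.sh
@@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+#
+# https://gitea.wolfeden.online/Doc/bootstraps4ansible/scripts/bootstrap-vps-debian12.sh
+#
+# Bootstrap a clean system for use with Ansible
+
+if [[ "${UID}" -ne 0 ]]; then
+echo " You need to run this script as root"
+exit 1
+fi
+
+ANSIUSER=ansiuser
+ANSIUSERDIR=/home/$ANSIUSER
+TMP_PORT=46347
+
+# Update to current
+apt update && apt upgrade -y --no-recommends
+
+# Install requirements
+apt install -y --no-recommends openssh-client openssh-server sudo
+
+# Create a user for Ansible
+useradd -m -s /bin/bash -c "Ansible User" $ANSIUSER
+
+echo "Configuring sudo for user $ANSIUSER"
+usermod -aG sudo $ANSIUSER
+mkdir -p /etc/sudoers.d
+cat << EOF > /etc/sudoers.d/99-ansible-user
+$ANSIUSER ALL=(ALL) NOPASSWD:ALL
+EOF
+echo ""
+
+mkdir -p $ANSIUSERDIR/.ssh
+# Prompt to paste public key
+echo "Paste public key for $ANSIUSER. Ctl+d when done." ; cat >> $ANSIUSERDIR/.ssh/authorized_keys
+echo ""
+
+echo "Configuring ssh..."
+chown -Rc ${ANSIUSER}:${ANSIUSER} $ANSIUSERDIR/.ssh
+chmod 700 $ANSIUSERDIR/.ssh && chmod 600 $ANSIUSERDIR/.ssh/authorized_keys
+
+rm -rf /etc/ssh/sshd_config.d/*.*
+
+cat << EOF > /etc/ssh/sshd_config
+Include /etc/ssh/sshd_config.d/*.conf
+PermitEmptyPasswords no
+PermitRootLogin no
+PasswordAuthentication no
+PubkeyAuthentication yes
+AuthenticationMethods publickey
+UsePAM yes
+# Change port to temp reduce attacks before Ansible connects
+Port $TMP_PORT
+MaxAuthTries 3
+KbdInteractiveAuthentication no
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+EOF
+
+cat << EOF > /etc/ssh/sshd_config.d/enable_$ANSIUSER.conf
+AllowUsers $ANSIUSER
+EOF
+
+if command -v ufw &> /dev/null; then
+echo "Opening port $TMP_PORT with ufw..."
+ufw allow $TMP_PORT/tcp comment 'Allow temporary SSH port'
+elif command -v firewall-cmd &> /dev/null; then
+echo "Opening port $TMP_PORT with firewalld..."
+firewall-cmd --permanent --add-port=$TMP_PORT/tcp
+firewall-cmd --reload
+elif command -v iptables &> /dev/null; then
+echo "Temporarily opening port $TMP_PORT with iptables (this session only)..."
+iptables -I INPUT -p tcp --dport $TMP_PORT -j ACCEPT
+fi
+
+echo "User: $ANSIUSER"
+echo "Port: $TMP_PORT"
+echo ""
+
+# Partially redact authorized_keys
+echo "--- Authorized Keys ---"
+grep -Poi 'ssh\-.*' $ANSIUSERDIR/.ssh/authorized_keys | awk '{ print $1, substr($2, 1, 4)".."substr($2, length($2) - 3, 4), $3 }'
+echo "-----------------------"
+
+echo ""
+echo "Restarting SSH server and ending script"
+
+systemctl restart sshd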
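Review bot: The final `systemctl restart sshd` runs with no check that a key was actually pasted into authorized_keys or that the rewritten sshd_config parses, yet by that point root login, password and keyboard-interactive auth are off and `AllowUsers` is limited to ansiuser, so an empty or mistyped paste (or a config typo) leaves the host with no working login. Gate the restart on `ssh-keygen -lf` succeeding against the authorized_keys file and on `sshd -t`, and exit non-zero otherwise so the operator can fix it while the current session is still open. Separately, `--no-recommends` on the `apt upgrade` and `apt install` lines is not an apt option I recognise (`--no-install-recommends` is); since the script has no `set -e`, a failing install is ignored and the sshd_config rewrite still proceeds, so those two lines are worth confirming on a fresh Debian 12 image.
```bash
# … unchanged: sudo, key paste, sshd_config and firewall setup …
echo "Restarting SSH server and ending script"

# Only restart once at least one parseable key is present and the new config
# is valid; with PermitRootLogin no and AllowUsers ansiuser there is no fallback.
if ! ssh-keygen -lf "$ANSIUSERDIR/.ssh/authorized_keys" > /dev/null; then
  echo "No valid public key in $ANSIUSERDIR/.ssh/authorized_keys; not restarting sshd" >&2
  exit 1
fi
if ! sshd -t; then
  echo "sshd configuration test failed; not restarting sshd" >&2
  exit 1
fi

systemctl restart sshd
```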