Doc/bootstraps4ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
53327301d109b7d056548029515fe21b9627a0bd
bootstraps4ansible/scripts/bootstrap-vps-debian12.sh
Doc 53327301d1 Removed --no-install-recommends option 
Maybe its better if we allow recommends for basic utilities. wget has problems with https if we do not allow recommends.
2025-12-14 21:54:27 -05:00

235 lines
5.5 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
#
# https://gitea.wolfeden.online/Doc/bootstraps4ansible/scripts/bootstrap-vps-debian12.sh
#
# Bootstrap a clean system for use with Ansible
if [[ "${UID}" -ne 0 ]]; then
echo " You need to run this script as root"
exit 1
fi
ANSIUSER=${1:-ansiuser}
ANSIUSERDIR=/home/$ANSIUSER
TMP_PORT=${2:-46347}
cat << EOF
#####################
# Updating System #
#####################
EOF
# Update to current
apt update && apt upgrade -y
err=$?
# Was there an error
if [ $err -ne 0 ]; then
cat << EOF
###########################################
# # # # # # # # # # # # # # # # # # # # # #
### ERROR while updating the system! ###
# # # # # # # # # # # # # # # # # # # # # #
###########################################
Correct the issues and try again. Exiting.
EOF
exit $err
fi
cat << EOF
#############################
# Installing ssh and sudo #
#############################
EOF
# avoid --no-install-recommends for basic programs
# like wget, sudo, and openssh
apt install -y openssh-client openssh-server sudo
err=$?
if [ $err -ne 0 ]; then
cat << EOF
###############################################
# # # # # # # # # # # # # # # # # # # # # # # #
### ERROR while installing ssh and sudo! ###
# # # # # # # # # # # # # # # # # # # # # # # #
###############################################
Correct the issues and try again. Exiting.
EOF
exit $err
fi
cat << EOF
###################################
# Creating and configuring user #
###################################
EOF
echo -e "- Creating user '$ANSIUSER'..."
useradd -m -s /bin/bash -c "Ansible User" $ANSIUSER
echo "- Configuring sudo for user '$ANSIUSER'..."
usermod -aG sudo $ANSIUSER
mkdir -p /etc/sudoers.d
cat << EOF > /etc/sudoers.d/99-ansible-user
$ANSIUSER ALL=(ALL) NOPASSWD:ALL
EOF
echo ""
mkdir -p $ANSIUSERDIR/.ssh
# Prompt to paste public key
cat << EOF
########################################################
# IMPORTANT! | #
#-------------+ #
# #
# Past public key for '$ANSIUSER'. #
# Ctrl+d when done. #
# #
########################################################
EOF
if [ -f "$ANSIUSERDIR/.ssh/authorized_keys" ]; then
BEFORESZ=$(wc -c "$ANSIUSERDIR/.ssh/authorized_keys" | awk '//{ print $1 }')
else
BEFORESZ=0
fi
cat >> $ANSIUSERDIR/.ssh/authorized_keys
err=$?
if [ -f "$ANSIUSERDIR/.ssh/authorized_keys" ]; then
AFTERSZ=$(wc -c "$ANSIUSERDIR/.ssh/authorized_keys" | awk '//{ print $1 }')
if [ ! $AFTERSZ -gt $BEFORESZ ]; then
cat << EOF
###############################################
# # # # # # # # # # # # # # # # # # # # # # # #
### ERROR authorized_keys did not change ###
# # # # # # # # # # # # # # # # # # # # # # # #
###############################################
Exiting!
EOF
exit $?
fi
else
cat << EOF
#####################################################
# # # # # # # # # # # # # # # # # # # # # # # # # # #
### ERROR could not append to authorized_keys! ###
# # # # # # # # # # # # # # # # # # # # # # # # # # #
#####################################################
Exiting!
EOF
exit $err
fi
cat << EOF
###################################
# (Re)setting SSH configuration #
###################################
EOF
chown -Rc ${ANSIUSER}:${ANSIUSER} $ANSIUSERDIR/.ssh
chmod 700 $ANSIUSERDIR/.ssh && chmod 600 $ANSIUSERDIR/.ssh/authorized_keys
rm -rf /etc/ssh/sshd_config.d/*.*
cat << EOF > /etc/ssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
PermitEmptyPasswords no
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
UsePAM yes
# Change port to temp reduce attacks before Ansible connects
Port $TMP_PORT
MaxAuthTries 3
KbdInteractiveAuthentication no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
cat << EOF > /etc/ssh/sshd_config.d/enable_$ANSIUSER.conf
AllowUsers $ANSIUSER
EOF
cat << EOF
################################
# Opening a port (if needed) #
################################
EOF
if command -v ufw &> /dev/null; then
echo "Opening port $TMP_PORT with ufw..."
ufw allow $TMP_PORT/tcp comment 'Allow temporary SSH port' || echo "## WARNING error occurred while openning a port ##"
elif command -v firewall-cmd &> /dev/null; then
echo "Opening port $TMP_PORT with firewalld..."
firewall-cmd --permanent --add-port=$TMP_PORT/tcp || echo "## WARNING error occurred while openning a port ##"
firewall-cmd --reload
elif command -v iptables &> /dev/null; then
echo "Temporarily opening port $TMP_PORT with iptables (this session only)..."
iptables -I INPUT -p tcp --dport $TMP_PORT -j ACCEPT || echo "## WARNING error occurred while openning a port ##"
fi
cat << EOF
###################################
# Complete | #
#-----------+ #
# #
# Process completed. #
# After action summary below: #
# #
###################################
EOF
echo " - User: $ANSIUSER"
echo " - Port: $TMP_PORT"
echo ""
# Partially redact authorized_keys
echo "--- Authorized Keys ---"
grep -Poi 'ssh\-.*' $ANSIUSERDIR/.ssh/authorized_keys | awk '{ print $1, substr($2, 1, 4)".."substr($2, length($2) - 3, 4), $3 }'
echo "-----------------------"
echo ""
echo "Restarting SSH server in 10 seconds and ending script"
sleep 10
systemctl enable ssh
systemctl restart ssh
Reference in New Issue View Git Blame Copy Permalink