Doc ff6e1ddeb3 Fixed option to apt. Installed a few extra files.
- Fixed --no-recommends to the correct --no-install-recommends
- Added wget, curl, and git to utilities to install.

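#!/usr/bin/env bash
#
# https://gitea.wolfeden.online/Doc/bootstraps4ansible/scripts/bootstrap-vps-debian12.sh
#
# Bootstrap a clean Debian 12 system for use with Ansible:
#   - create a dedicated user with passwordless sudo for Ansible
#   - install the pasted public key as that user's only credential
#   - rewrite sshd_config to key-only auth for that user on a temporary port
#   - open the temporary port in whichever firewall is present
#
# Must run as root. Reads the public key from stdin (paste, then Ctrl+D).
# Every step that could lock an admin out (sudoers drop-in, authorized_keys,
# sshd_config) is validated before sshd is restarted.
set -euo pipefail

# Print a diagnostic to stderr and abort.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

if [[ "${UID}" -ne 0 ]]; then
  die "You need to run this script as root"
fi

readonly ANSIUSER=ansiuser
readonly ANSIUSERDIR=/home/$ANSIUSER
readonly TMP_PORT=46347
readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly SSHD_CONFIG_DIR=/etc/ssh/sshd_config.d
readonly AUTH_KEYS="$ANSIUSERDIR/.ssh/authorized_keys"
readonly SUDOERS_FILE=/etc/sudoers.d/99-ansible-user

# Update to current. apt-get is the stable scripting interface (apt itself
# warns that its CLI is not script-safe); noninteractive keeps debconf from
# blocking an unattended run on prompts.
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get upgrade -y
# Install requirements
apt-get install -y --no-install-recommends \
  openssh-client openssh-server sudo git curl wget

# Create a user for Ansible; re-runs reuse the existing account instead of
# failing on useradd.
if id -u "$ANSIUSER" &>/dev/null; then
  printf 'User %s already exists, reusing it\n' "$ANSIUSER"
else
  useradd -m -s /bin/bash -c "Ansible User" "$ANSIUSER"
fi

printf 'Configuring sudo for user %s\n' "$ANSIUSER"
usermod -aG sudo "$ANSIUSER"
mkdir -p /etc/sudoers.d
printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$ANSIUSER" > "$SUDOERS_FILE"
# 0440 is the mode sudo expects for sudoers.d drop-ins.
chmod 0440 "$SUDOERS_FILE"
# Refuse to continue with a drop-in that sudo cannot parse.
visudo -cf "$SUDOERS_FILE" >/dev/null || die "invalid sudoers drop-in $SUDOERS_FILE"
printf '\n'

install -d -m 0700 -o "$ANSIUSER" -g "$ANSIUSER" "$ANSIUSERDIR/.ssh"
# Prompt to paste public key
printf 'Paste public key for %s. Ctrl+D when done.\n' "$ANSIUSER"
cat >> "$AUTH_KEYS"
printf '\n'
# Do not lock sshd down to key-only auth unless a parseable key was actually
# supplied; otherwise the restart at the end would lock every admin out.
ssh-keygen -lf "$AUTH_KEYS" >/dev/null \
  || die "no valid public key found in $AUTH_KEYS; leaving sshd untouched"

printf 'Configuring ssh...\n'
chown -R "${ANSIUSER}:${ANSIUSER}" "$ANSIUSERDIR/.ssh"
chmod 700 "$ANSIUSERDIR/.ssh"
chmod 600 "$AUTH_KEYS"
# Keep a recoverable copy of whatever config was in place before the rewrite.
if [[ -f "$SSHD_CONFIG" ]]; then
  cp -a -- "$SSHD_CONFIG" "$SSHD_CONFIG.bak.$(date +%Y%m%d%H%M%S)"
fi
# Drop pre-existing drop-ins so nothing they set overrides the policy below.
rm -rf -- "$SSHD_CONFIG_DIR"/*.*
mkdir -p "$SSHD_CONFIG_DIR"
cat << EOF > "$SSHD_CONFIG"
Include /etc/ssh/sshd_config.d/*.conf
PermitEmptyPasswords no
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
UsePAM yes
# Change port to temp reduce attacks before Ansible connects
Port $TMP_PORT
MaxAuthTries 3
KbdInteractiveAuthentication no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
cat << EOF > "$SSHD_CONFIG_DIR/enable_$ANSIUSER.conf"
AllowUsers $ANSIUSER
EOF
# A config sshd cannot parse would leave the daemon down after the restart.
/usr/sbin/sshd -t || die "sshd configuration failed validation; sshd not restarted"

if command -v ufw &> /dev/null; then
  printf 'Opening port %s with ufw...\n' "$TMP_PORT"
  ufw allow "$TMP_PORT/tcp" comment 'Allow temporary SSH port'
elif command -v firewall-cmd &> /dev/null; then
  printf 'Opening port %s with firewalld...\n' "$TMP_PORT"
  firewall-cmd --permanent --add-port="$TMP_PORT/tcp"
  firewall-cmd --reload
elif command -v iptables &> /dev/null; then
  # Not persisted: the rule is gone after a reboot unless saved separately.
  printf 'Temporarily opening port %s with iptables (this session only)...\n' "$TMP_PORT"
  iptables -I INPUT -p tcp --dport "$TMP_PORT" -j ACCEPT
fi

printf 'User: %s\n' "$ANSIUSER"
printf 'Port: %s\n' "$TMP_PORT"
printf '\n'
# Partially redact authorized_keys: show key type, first/last 4 chars of the
# blob and the comment. Also matches ecdsa-* and sk-* key types, not only ssh-*.
printf '%s\n' '--- Authorized Keys ---'
# grep exits 1 when nothing matches; the summary must not abort the run.
grep -Poi '(sk-)?(ssh|ecdsa)-.*' -- "$AUTH_KEYS" \
  | awk '{ print $1, substr($2, 1, 4)".."substr($2, length($2) - 3, 4), $3 }' \
  || true
printf '%s\n' '-----------------------'
printf '\n'
printf 'Restarting SSH server and ending script\n'
systemctl restart sshd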