
commit c6cbab35e715c10ac07faf4efd048fd0e867dc84
parent 0c5245b7351cce9e0c4b56c73ccbde0b0e7be5ad
Author: pyratebeard <root@pyratebeard.net>
Date:   Thu, 21 Dec 2023 21:40:39 +0000

forge

Diffstat:
Aforge | 144+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 144 insertions(+), 0 deletions(-)

diff --git a/forge b/forge 
@@ -0,0 +1,144 @@
+#!/usr/bin/env bash
+#
+# ████
+# ░██░ █████
+# ██████ ██████ ██████ ██░░░██ █████
+# ░░░██░ ██░░░░██░░██░░█░██ ░██ ██░░░██
+# ░██ ░██ ░██ ░██ ░ ░░██████░███████
+# ░██ ░██ ░██ ░██ ░░░░░██░██░░░░
+# ░██ ░░██████ ░███ █████ ░░██████
+# ░░ ░░░░░░ ░░░ ░░░░░ ░░░░░░
+#
+# author ▓▒ pyratebeard <root@pyratebeard.net>
+# code ▓▒ https://git.pyratebeard.net/setup
+# code ▓▒ curl -L https://s.rum.sh/forge > forge && chmod +x forge && ./forge
+
+# ▓▓▒░ user vars
+export USR="dwarf"
+export U_UID=0
+export ARCH="x86"
+
+U_HOME="/usr/${USR}"
+DWARF="sudo -u dwarf"
+EMAIL="root@pyratebeard.net"
+USERCA_KEY="userca-key-01.pub"
+
+# ▓▓▒░ functions
+function _echo() { printf "\n╓───── %s \n╙────────────────────────────────────── ─ ─ \n" "$1"; }
+
+[ "$(id -u)" -ne 0 ] && {
+ _echo "got root?" >&2
+ exit 1
+}
+
+# ▓▓▒░ locale
+_echo "setting up locales and console"
+locale-gen "en_US.UTF-8"
+localectl set-locale en_US.UTF-8
+dpkg-reconfigure locales
+dpkg-reconfigure console-setup
+systemctl daemon-reload
+systemctl restart console-setup.service
+
+# ▓▓▒░ packages
+_echo "installing runtime deps"
+apt update && apt install -y git gpg bash curl locales gnupg software-properties-common unzip
+
+# bitwarden
+curl -sL -o bw.zip "https://vault.bitwarden.com/download/?app=cli&platform=linux" && \
+ unzip -d /usr/local/bin bw.zip
+
+_echo "install pkgs"
+apt-get update && \
+ apt-get install -y \
+ bash \
+ coreutils \
+ fail2ban \
+ stow \
+ tmux \
+ tree \
+ unzip \
+ vim \
+ zsh
+
+_echo "remove pkgs"
+apt-get remove -y \
+ nano \
+ telnet
+apt-get autoremove -y
+
+_echo "adding dwarf user"
+id "${USR}" >/dev/null 2>&1 || \
+ useradd -omd ${U_HOME} -u ${U_UID} -g ${U_UID} -s $(which zsh) ${USR}
+
+_echo "bitwarden login"
+export BW_SESSION=$(bw login "${EMAIL}" --raw --method 0)
+
+_echo "creating home skel"
+## skeleton directories
+mkdir -p \
+ ${U_HOME}/.{config,local} \
+ ${U_HOME}/.local/{bin,cache,lib,share,src,state} \
+ ${U_HOME}/.local/state/zsh \
+ ${U_HOME}/.local/share/gpg
+
+_echo "dot dot dot"
+if [ ! -d ${U_HOME}/.local/src/dotfiles ] ; then
+ ${DWARF} git clone git://git.pyratebeard.net/dotfiles.git ${U_HOME}/.local/src/dotfiles && \
+ cd ${U_HOME}/.local/src/dotfiles && \
+ ${DWARF} stow git gpg tmux vim zsh -t ${U_HOME}
+fi
+
+# ▓▓▒░ bin
+_echo "bins"
+if [ ! -d ${U_HOME}/.local/src/scripts ] ; then
+ ${DWARF} git clone git://git.pyratebeard.net/scripts.git ${U_HOME}/.local/src/scripts && \
+ cd ${U_HOME}/.local/src/scripts && \
+ ${DWARF} stow bin fun -t ${U_HOME}
+fi
+
+# ▓▓▒░ shortcuts
+_echo "creating ~src and ~dot aliases"
+id dot >/dev/null 2>&1 || \
+useradd -d ${U_HOME}/.local/src/dotfiles -s $(which nologin) dot
+id src >/dev/null 2>&1 || \
+ useradd -d ${U_HOME}/.local/src -g src -s $(which nologin) src
+
+# ▓▓▒░ ssh
+_echo "ssh config"
+bw get notes "${USERCA_KEY}" | tee /etc/ssh/${USERCA_KEY}
+
+## add trustedusercakeys line before ciphers section
+sed -i "/^#\ Ciphers\ and\ keying/i TrustedUserCAKeys\ \/etc\/ssh\/${USERCA_KEY}\n" \
+ /etc/ssh/sshd_config
+
+## ensure root login is allowed with keys only
+sed -i 's/.*\(PermitRootLogin\).*/\1 prohibit-password/' /etc/ssh/sshd_config
+## disable password authentication
+sed -i 's/.*\(PasswordAuthentication\).*/\1 no/' /etc/ssh/sshd_config
+## {update,set} allow users
+echo "AllowUsers ${USR}" | tee -a /etc/ssh/sshd_config
+## print motd
+sed -i 's/.*\(PrintMotd\).*/\1 yes/' /etc/ssh/sshd_config
+## don't print lastlog
+sed -i 's/.*\(PrintLastLog\).*/\1 no/' /etc/ssh/sshd_config
+
+systemctl reload sshd
+
+# ▓▓▒░ security
+_echo "setting up fail2ban"
+cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
+fail2ban-client reload
+
+# ▓▓▒░ forged
+_echo "forge complete"
+IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
+echo "${HOSTNAME}: ${USR}@${IP}"
+
+_echo "cleanup"
+bw logout
+srm -dvrl /root/.config/Bitwarden\ CLI/ &>/dev/null
+
+_echo "selfdestruct"
+srm -dvrl "$0" &> /dev/null
+systemctl reboot
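Review bot: The ssh section around `bw get notes "${USERCA_KEY}" | tee /etc/ssh/${USERCA_KEY}` trusts the Bitwarden output blindly — if the session from `bw login` is missing or expired, `tee` still creates an empty `/etc/ssh/userca-key-01.pub`, `TrustedUserCAKeys` is then pointed at it, and because the script also sets `PasswordAuthentication no`, restricts `AllowUsers` to dwarf, then self-destructs and reboots, the host ends up locked out with no way back in. I would write the key only on success and verify it parses before touching sshd_config, e.g. `bw get notes "${USERCA_KEY}" > "/etc/ssh/${USERCA_KEY}" && ssh-keygen -l -f "/etc/ssh/${USERCA_KEY}" >/dev/null || { _echo "CA key fetch failed" >&2; exit 1; }`, and run `sshd -t || exit 1` before `systemctl reload sshd` so a bad edit never reaches the daemon. The `sed -i` edits also assume the directives live in `/etc/ssh/sshd_config` itself; on Debian/Ubuntu images that carry `Include /etc/ssh/sshd_config.d/*.conf` at the top of the file, a drop-in such as cloud-init's `PasswordAuthentication yes` wins (sshd keeps the first value it reads), so the hardening would silently not apply — a `sshd -T | grep -i passwordauthentication` check after the reload would catch that. Separately, the Bitwarden CLI zip is downloaded and unzipped straight into `/usr/local/bin` as root with no checksum or signature check, and the dotfiles/scripts repos are fetched over unauthenticated `git://` and stowed into a UID 0 account's shell config; either is a supply-chain path to root since this whole file runs as root.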