commit c6cbab35e715c10ac07faf4efd048fd0e867dc84
parent 0c5245b7351cce9e0c4b56c73ccbde0b0e7be5ad
Author: pyratebeard <root@pyratebeard.net>
Date: Thu, 21 Dec 2023 21:40:39 +0000
forge
Diffstat:
A | forge | | | 144 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
1 file changed, 144 insertions(+), 0 deletions(-)
diff --git a/forge b/forge
@@ -0,0 +1,144 @@
+#!/usr/bin/env bash
+#
+# ████
+# ░██░ █████
+# ██████ ██████ ██████ ██░░░██ █████
+# ░░░██░ ██░░░░██░░██░░█░██ ░██ ██░░░██
+# ░██ ░██ ░██ ░██ ░ ░░██████░███████
+# ░██ ░██ ░██ ░██ ░░░░░██░██░░░░
+# ░██ ░░██████ ░███ █████ ░░██████
+# ░░ ░░░░░░ ░░░ ░░░░░ ░░░░░░
+#
+# author ▓▒ pyratebeard <root@pyratebeard.net>
+# code ▓▒ https://git.pyratebeard.net/setup
+# code ▓▒ curl -L https://s.rum.sh/forge > forge && chmod +x forge && ./forge
+
+# ▓▓▒░ user vars
+export USR="dwarf"
+export U_UID=0
+export ARCH="x86"
+
+U_HOME="/usr/${USR}"
+DWARF="sudo -u dwarf"
+EMAIL="root@pyratebeard.net"
+USERCA_KEY="userca-key-01.pub"
+
+# ▓▓▒░ functions
+function _echo() { printf "\n╓───── %s \n╙────────────────────────────────────── ─ ─ \n" "$1"; }
+
+[ "$(id -u)" -ne 0 ] && {
+ _echo "got root?" >&2
+ exit 1
+}
+
+# ▓▓▒░ locale
+_echo "setting up locales and console"
+locale-gen "en_US.UTF-8"
+localectl set-locale en_US.UTF-8
+dpkg-reconfigure locales
+dpkg-reconfigure console-setup
+systemctl daemon-reload
+systemctl restart console-setup.service
+
+# ▓▓▒░ packages
+_echo "installing runtime deps"
+apt update && apt install -y git gpg bash curl locales gnupg software-properties-common unzip
+
+# bitwarden
+curl -sL -o bw.zip "https://vault.bitwarden.com/download/?app=cli&platform=linux" && \
+ unzip -d /usr/local/bin bw.zip
+
+_echo "install pkgs"
+apt-get update && \
+ apt-get install -y \
+ bash \
+ coreutils \
+ fail2ban \
+ stow \
+ tmux \
+ tree \
+ unzip \
+ vim \
+ zsh
+
+_echo "remove pkgs"
+apt-get remove -y \
+ nano \
+ telnet
+apt-get autoremove -y
+
+_echo "adding dwarf user"
+id "${USR}" >/dev/null 2>&1 || \
+ useradd -omd ${U_HOME} -u ${U_UID} -g ${U_UID} -s $(which zsh) ${USR}
+
+_echo "bitwarden login"
+export BW_SESSION=$(bw login "${EMAIL}" --raw --method 0)
+
+_echo "creating home skel"
+## skeleton directories
+mkdir -p \
+ ${U_HOME}/.{config,local} \
+ ${U_HOME}/.local/{bin,cache,lib,share,src,state} \
+ ${U_HOME}/.local/state/zsh \
+ ${U_HOME}/.local/share/gpg
+
+_echo "dot dot dot"
+if [ ! -d ${U_HOME}/.local/src/dotfiles ] ; then
+ ${DWARF} git clone git://git.pyratebeard.net/dotfiles.git ${U_HOME}/.local/src/dotfiles && \
+ cd ${U_HOME}/.local/src/dotfiles && \
+ ${DWARF} stow git gpg tmux vim zsh -t ${U_HOME}
+fi
+
+# ▓▓▒░ bin
+_echo "bins"
+if [ ! -d ${U_HOME}/.local/src/scripts ] ; then
+ ${DWARF} git clone git://git.pyratebeard.net/scripts.git ${U_HOME}/.local/src/scripts && \
+ cd ${U_HOME}/.local/src/scripts && \
+ ${DWARF} stow bin fun -t ${U_HOME}
+fi
+
+# ▓▓▒░ shortcuts
+_echo "creating ~src and ~dot aliases"
+id dot >/dev/null 2>&1 || \
+useradd -d ${U_HOME}/.local/src/dotfiles -s $(which nologin) dot
+id src >/dev/null 2>&1 || \
+ useradd -d ${U_HOME}/.local/src -g src -s $(which nologin) src
+
+# ▓▓▒░ ssh
+_echo "ssh config"
+bw get notes "${USERCA_KEY}" | tee /etc/ssh/${USERCA_KEY}
+
+## add trustedusercakeys line before ciphers section
+sed -i "/^#\ Ciphers\ and\ keying/i TrustedUserCAKeys\ \/etc\/ssh\/${USERCA_KEY}\n" \
+ /etc/ssh/sshd_config
+
+## ensure root login is allowed with keys only
+sed -i 's/.*\(PermitRootLogin\).*/\1 prohibit-password/' /etc/ssh/sshd_config
+## disable password authentication
+sed -i 's/.*\(PasswordAuthentication\).*/\1 no/' /etc/ssh/sshd_config
+## {update,set} allow users
+echo "AllowUsers ${USR}" | tee -a /etc/ssh/sshd_config
+## print motd
+sed -i 's/.*\(PrintMotd\).*/\1 yes/' /etc/ssh/sshd_config
+## don't print lastlog
+sed -i 's/.*\(PrintLastLog\).*/\1 no/' /etc/ssh/sshd_config
+
+systemctl reload sshd
+
+# ▓▓▒░ security
+_echo "setting up fail2ban"
+cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
+fail2ban-client reload
+
+# ▓▓▒░ forged
+_echo "forge complete"
+IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
+echo "${HOSTNAME}: ${USR}@${IP}"
+
+_echo "cleanup"
+bw logout
+srm -dvrl /root/.config/Bitwarden\ CLI/ &>/dev/null
+
+_echo "selfdestruct"
+srm -dvrl "$0" &> /dev/null
+systemctl reboot
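Review bot: The sshd changes on lines 119–136 are applied with no validation before `systemctl reload sshd`: `bw get notes` on line 119 can fail and leave `/etc/ssh/${USERCA_KEY}` empty, the `sed ... /i` on line 122 silently inserts nothing if the `# Ciphers and keying` comment is absent, and `PasswordAuthentication no` on line 128 is applied regardless, so one failed step locks certificate holders out of the host. Guard the key write with `[ -s "/etc/ssh/${USERCA_KEY}" ] || { _echo "CA key missing" >&2; exit 1; }` and precede the reload with `sshd -t || { _echo "sshd config invalid" >&2; exit 1; }`, so an incomplete or malformed config is caught while the running daemon is still usable; on a Debian-style layout the drop-ins under `sshd_config.d` may also take precedence over these edits, worth confirming. Separately, the `git clone git://` calls on lines 97 and 105 fetch over an unauthenticated transport and the result is stowed into the home of a UID 0 account (`U_UID=0`, line 28), so tampered zsh/vim/git config would run as root; cloning over `https://` (the host appears to serve it, per line 23) or checking out a pinned commit would close that. The Bitwarden download on line 58 has no `-f` and no checksum, so an HTTP error page would be unzipped into `/usr/local/bin`, and `dig` (line 145) and `srm` (lines 150, 153) are not in either installed package list, with the `&>/dev/null` hiding the resulting failure.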