71 lines
2.5 KiB
Bash
71 lines
2.5 KiB
Bash
#!/bin/bash
|
|
set -eu
|
|
|
|
# ==================================================================================== #
|
|
# VARIABLES
|
|
# ==================================================================================== #
|
|
|
|
# Set the timezone for the server. A full list of available timezones can be found by
|
|
# running timedatectl list-timezones.
|
|
TIMEZONE=Europe/Vienna
|
|
|
|
# Set the name of the new user to create.
|
|
USERNAME=alfheim
|
|
|
|
# Prompt to enter a password for the PostgreSQL greenlight user (rather than hard-coding
|
|
# a password in this script).
|
|
read -p "Enter password for alfheim DB user: " DB_PASSWORD
|
|
|
|
# Force all output to be presented in en_US for the duration of this script. This avoids
|
|
# any "setting locale failed" errors while this script is running, before we have
|
|
# installed support for all locales. Do not change this setting!
|
|
export LC_ALL=en_US.UTF-8
|
|
|
|
# ==================================================================================== #
|
|
# SCRIPT LOGIC
|
|
# ==================================================================================== #
|
|
|
|
# Update all software packages. Using the --force-confnew flag means that configuration
|
|
# files will be replaced if newer ones are available.
|
|
apt update
|
|
apt --yes -o Dpkg::Options::="--force-confnew" upgrade
|
|
|
|
# Set the system timezone and install all locales.
|
|
timedatectl set-timezone ${TIMEZONE}
|
|
apt --yes install locales-all
|
|
|
|
# Add the new user (and give them sudo privileges).
|
|
useradd --create-home --shell "/bin/bash" --groups sudo "${USERNAME}"
|
|
|
|
# Force a password to be set for the new user the first time they log in.
|
|
passwd --delete "${USERNAME}"
|
|
chage --lastday 0 "${USERNAME}"
|
|
|
|
# Copy the SSH keys from the root user to the new user.
|
|
rsync --archive --chown=${USERNAME}:${USERNAME} /root/.ssh /home/${USERNAME}
|
|
|
|
# Configure the firewall to allow SSH, HTTP and HTTPS traffic.
|
|
ufw allow 22
|
|
ufw allow 80/tcp
|
|
ufw allow 443/tcp
|
|
ufw --force enable
|
|
|
|
#
|
|
# Install fail2ban.
|
|
apt --yes install fail2ban
|
|
apt --yes install certbot
|
|
|
|
su - alfheim -c "mkdir cert"
|
|
su - alfheim -c "mkdir cert/lib"
|
|
su - alfheim -c "mkdir cert/config"
|
|
su - alfheim -c "mkdir cert/log"
|
|
su - alfheim -c "sudo certbot certonly --cert-path cert/ --work-dir cert/lib --config-dir cert/config/ --logs-dir cert/log/ --standalone"
|
|
su - alfheim -c "sudo chown -R alfheim:alfheim cert"
|
|
|
|
# Add a DSN for connecting to the greenlight database to the system-wide environment
|
|
# variables in the /etc/environment file.
|
|
echo "ALFHEIM_DB_DSN='postgres://elves_database:${DB_PASSWORD}@vicenteferrari.com/elves_database'" >> /etc/environment
|
|
|
|
echo "Script complete! Rebooting..."
|
|
reboot
|