Son aktivite 1701363500

ryansch's Avatar ryansch bu gisti düzenledi 1701363500. Düzenlemeye git

1 file changed, 209 insertions

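--- /dev/null
+++ b/digitalocean.sh
@@ -0,0 +1,209 @@
+#!/bin/bash
+
+set -euo pipefail
+
+DIR="$(cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd)"
+. "$DIR/shared.sh"
+
+echo "Updating packages"
+apt-update
+apt-upgrade
+
+echo "Adding user ubuntu"
+user_add_sudo ubuntu
+usermod -s /usr/bin/zsh ubuntu
+cp /root/.zshrc /home/ubuntu/.zshrc
+chown ubuntu:ubuntu /home/ubuntu/.zshrc
+
+echo "Hardening ssh"
+apt-install openssh-server
+cat > /etc/ssh/sshd_config <<EOM
+AuthorizedKeysFile .ssh/authorized_keys
+ClientAliveInterval 180
+Subsystem sftp /usr/lib/openssh/sftp-server
+UseDNS no
+PermitRootLogin no
+UsePAM yes
+
+KexAlgorithms curve25519-sha256@libssh.org
+Protocol 2
+HostKey /etc/ssh/ssh_host_ed25519_key
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+PubkeyAuthentication yes
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+EOM
+
+cat > /etc/ssh/ssh_config <<EOM
+Host *
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+PubkeyAuthentication yes
+HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+UseRoaming no
+EOM
+systemctl restart ssh
+
+echo "Setting up firewall"
+mkdir -p /etc/iptables
+cat > /etc/iptables/rules.v4 <<EOM
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:DOCKER-USER - [0:0]
+:icmp-routing -
+:logdrop-0 -
+
+-A DOCKER-USER -i eth0 -m conntrack --ctstate NEW -j logdrop-0
+-A DOCKER-USER -j RETURN
+
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -m comment --comment "Allow loopback connections" -j ACCEPT
+-A INPUT -p icmp -m comment --comment "Allow Ping to work as expected" -j ACCEPT
+-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
+-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
+-A INPUT -p udp -m multiport --dports 60000:61000 -j ACCEPT
+-A INPUT -i eth0 -j logdrop-0
+
+-A FORWARD -i eth0 -j logdrop-0
+
+-A logdrop-0 -m limit --limit 1/second -j LOG
+-A logdrop-0 -j DROP
+COMMIT
+EOM
+
+cat > /etc/iptables/rules.v6 <<EOM
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# Allow all loopback (lo0) traffic and reject traffic
+# to localhost that does not originate from lo0.
+-A INPUT -i lo -j ACCEPT
+-A INPUT ! -i lo -s ::1/128 -j REJECT
+
+# Below are the rules which are required for your IPv6 address to be properly allocated
+-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT
+
+# Allow ICMP
+-A INPUT -p icmpv6 -j ACCEPT
+
+# Allow inbound traffic from established connections.
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Log what was incoming but denied (optional but useful).
+-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables_INPUT_denied: " --log-level 7
+
+# Reject all other inbound.
+-A INPUT -j REJECT
+
+# Log any traffic that was sent to you
+# for forwarding (optional but useful).
+-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6tables_FORWARD_denied: " --log-level 7
+
+# Reject all traffic forwarding.
+-A FORWARD -j REJECT
+
+COMMIT
+EOM
+save_firewall
+
+echo "Installing docker"
+apt-install \
+apt-transport-https \
+ca-certificates \
+curl \
+gnupg-agent \
+software-properties-common
+
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
+echo \
+"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
+$(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+
+apt-update
+apt-install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+
+groupadd docker || true
+usermod -aG docker ubuntu
+
+systemctl enable docker
+
+echo "Installing packages"
+apt-install unzip amazon-ecr-credential-helper gosu build-essential zsh fontconfig python3-pip libnss3-tools
+
+echo "Installing Homebrew"
+user-mkdir /home/linuxbrew/.linuxbrew
+gosu ubuntu /bin/bash -c "NONINTERACTIVE=1 USER=ubuntu $(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+echo 'eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"' >> /home/ubuntu/.bashrc
+echo 'eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"' >> /home/ubuntu/.zshrc
+chown ubuntu:ubuntu /home/ubuntu/.bashrc
+chown ubuntu:ubuntu /home/ubuntu/.zshrc
+
+echo "Installing github cli"
+user-brew install gh
+
+echo "Installing mkcert"
+user-brew install mkcert
+
+pushd /home/ubuntu
+
+echo "Installing lastversion"
+gosu ubuntu /bin/bash -c "USER=ubuntu pip3 install lastversion"
+
+popd
+
+echo "Installing ansible"
+pip3 install ansible
+
+echo "Enable user-ssh-key firstboot script"
+systemctl enable user-ssh-key
+
+echo "Enable multiarch service"
+systemctl enable multiarch
+
+echo "Installing aws cli"
+curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+unzip awscliv2.zip
+./aws/install
+rm awscliv2.zip
+rm -rf ./aws
+
+echo "Installing brew packages"
+user-brew install bat starship hub git-delta fzf ripgrep jq neovim git-lfs fd exa
+
+echo "Installing et"
+add-apt-repository -y ppa:jgmath2000/et
+apt-update
+apt-install et
+systemctl enable et
+
+user-mkdir /home/ubuntu/.docker
+cat << EOF > /home/ubuntu/.docker/config.json
+{
+"credHelpers": {
+"786715713882.dkr.ecr.us-east-1.amazonaws.com" : "ecr-login",
+"public.ecr.aws": "ecr-login"
+}
+}
+EOF
+
+echo "Making zsh the default shell"
+sudo sed -i 's/DSHELL=\/bin\/bash/DSHELL=\/usr\/bin\/zsh/' /etc/adduser.conf
+
+echo "Provisioning complete!"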
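Review bot: The client-side `HostKeyAlgorithms` line in the ssh_config heredoc explicitly allows `ssh-rsa` and `ssh-rsa-cert-v01@openssh.com`, which are the SHA-1-signed RSA host-key algorithms that OpenSSH disables by default since 8.8, so writing them into a system-wide allow-list re-enables a weakened signature scheme for every user on the host and undercuts the rest of the hardening in that block. Prefer the SHA-2 forms, `HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256`, or drop RSA entirely if only ed25519 hosts are expected; `UseRoaming no` is a long-deprecated keyword and can go at the same time. The sshd_config heredoc is followed directly by `systemctl restart ssh` with no validation, which on a remote droplet can lock you out if the daemon rejects the file, so gate the restart: `sshd -t || { echo "sshd_config invalid, not restarting" >&2; exit 1; }`. Separately, `et` is installed and enabled but the IPv4 rules only admit TCP 22 and UDP 60000:61000 on eth0, so et's listener (default port 2022, if unchanged) would fall through to `logdrop-0` unless it is only reached over another interface.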