From 428f694eaa230fa6aac1c0be966408c76aff708f Mon Sep 17 00:00:00 2001
From: "v.karaychentsev" <105486287+vk-aterise@users.noreply.github.com>
Date: Fri, 13 Feb 2026 18:24:00 +0300
Subject: [PATCH] add initial setup scripts used for by-02 host (vpnwg.ulakar.com)
---
hosts/lab-by-02/initial_setup.sh | 79 +++++++++++++++++++++++
hosts/lab-by-02/install_base_utilities.sh | 13 ++++
hosts/lab-by-02/setup_docker.sh | 8 +++
hosts/lab-by-02/setup_fail2ban.sh | 4 ++
hosts/lab-by-02/setup_ufw.sh | 12 ++++
5 files changed, 116 insertions(+)
create mode 100644 hosts/lab-by-02/initial_setup.sh
create mode 100644 hosts/lab-by-02/install_base_utilities.sh
create mode 100644 hosts/lab-by-02/setup_docker.sh
create mode 100644 hosts/lab-by-02/setup_fail2ban.sh
create mode 100644 hosts/lab-by-02/setup_ufw.sh
diff --git a/hosts/lab-by-02/initial_setup.sh b/hosts/lab-by-02/initial_setup.sh
new file mode 100644
index 0000000..57d8c93
--- /dev/null
+++ b/hosts/lab-by-02/initial_setup.sh
@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+
+### ==== CONFIG ====
+NEW_USER="vk"
+NEW_USER_SSH_KEY='ssh-rsa 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 vk@jalezze'
+HOSTNAME_FQDN="lab-by-02.ulakar.com"
+### ===================================
+
+if [[ "$(id -u)" -ne 0 ]]; then
+ echo "Run this script under root user" >&2
+ exit 1
+fi
+
+echo "== Update System =="
+apt-get update -y
+apt-get upgrade -y
+
+if [[ -n "$HOSTNAME_FQDN" ]]; then
+ echo "== Set hostname: $HOSTNAME_FQDN =="
+ hostnamectl set-hostname "$HOSTNAME_FQDN"
+fi
+
+echo "== Create user $NEW_USER =="
+if id "$NEW_USER" >/dev/null 2>&1; then
+ echo "User $NEW_USER already exists. Skip."
+else
+ adduser --disabled-password --gecos "" "$NEW_USER"
+fi
+
+echo "== Add $NEW_USER into sudo =="
+usermod -aG sudo "$NEW_USER"
+
+# allow sudo commands without password
+echo "$NEW_USER ALL=(ALL) NOPASSWD:ALL" | sudo tee "/etc/sudoers.d/$NEW_USER"
+sudo chmod 440 "/etc/sudoers.d/$NEW_USER"
+
+echo "== Setup SSH-key for $NEW_USER =="
+USER_HOME=$(getent passwd "$NEW_USER" | cut -d: -f6)
+mkdir -p "$USER_HOME/.ssh"
+chmod 700 "$USER_HOME/.ssh"
+
+AUTH_KEYS="$USER_HOME/.ssh/authorized_keys"
+touch "$AUTH_KEYS"
+grep -qxF "$NEW_USER_SSH_KEY" "$AUTH_KEYS" || echo "$NEW_USER_SSH_KEY" >> "$AUTH_KEYS"
+chmod 600 "$AUTH_KEYS"
+chown -R "$NEW_USER:$NEW_USER" "$USER_HOME/.ssh"
+
+echo "== Setup SSH =="
+
+cat >/etc/ssh/sshd_config.d/100-security.conf </dev/null; then
+ echo "SSH reloaded via ssh.service"
+elif systemctl reload sshd 2>/dev/null; then
+ echo "SSH reloaded via sshd.service"
+else
+ echo "Warning: could not reload SSH daemon"
+fi
+
+echo "== Install base utilities =="
+apt-get install -y \
+ net-tools \
+ htop \
+ curl \
+ wget \
+ git \
+ vim \
+ gnupg \
+ ca-certificates \
+ lsb-release
+
+echo "== Finished. Check SSH for $NEW_USER =="
diff --git a/hosts/lab-by-02/install_base_utilities.sh b/hosts/lab-by-02/install_base_utilities.sh
new file mode 100644
index 0000000..642f3bc
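Review bot: The sudoers drop-in is written with `tee` and the sshd drop-in `/etc/ssh/sshd_config.d/100-security.conf` is reloaded with no syntax check on either, so a malformed line can break sudo for every user or leave a config that fails at the next sshd restart, and the failed reload is only reported as a warning. Checking both with `visudo -cf` and `sshd -t` before they take effect lets `set -e` stop the run while the current root session still works; the `sudo` prefix on these lines is redundant after the root check. The body of the sshd heredoc is not visible in this view, so its settings are not reviewed here. `NOPASSWD:ALL` combined with key-only login makes the single SSH key equivalent to root on this host, which deserves a comment stating that it is intentional.

```shell
# … unchanged: usermod -aG sudo "$NEW_USER" …
sudoers_tmp=$(mktemp)
printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$NEW_USER" >"$sudoers_tmp"
visudo -cf "$sudoers_tmp"
install -o root -g root -m 0440 "$sudoers_tmp" "/etc/sudoers.d/$NEW_USER"
rm -f -- "$sudoers_tmp"
# … unchanged: authorized_keys setup, sshd drop-in heredoc …
sshd -t
# … unchanged: reload via ssh.service / sshd.service …
```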
--- /dev/null
+++ b/hosts/lab-by-02/install_base_utilities.sh
@@ -0,0 +1,13 @@
+echo "== Install base utilities =="
+apt-get install -y \
+ net-tools \
+ htop \
+ curl \
+ wget \
+ git \
+ vim \
+ gnupg \
+ ca-certificates \
+ lsb-release
+
+echo "== Finished install base utilities =="
\ No newline at end of file
diff --git a/hosts/lab-by-02/setup_docker.sh b/hosts/lab-by-02/setup_docker.sh
new file mode 100644
index 0000000..a1a1a36
--- /dev/null
+++ b/hosts/lab-by-02/setup_docker.sh
@@ -0,0 +1,8 @@
+echo "== Docker: install from get.docker.com =="
+curl -fsSL https://get.docker.com | sh
+
+echo "== Docker: add $NEW_USER into docker group =="
+usermod -aG docker "$NEW_USER"
+systemctl enable --now docker
+
+echo "== Finished docker installation =="
diff --git a/hosts/lab-by-02/setup_fail2ban.sh b/hosts/lab-by-02/setup_fail2ban.sh
new file mode 100644
index 0000000..cfa8175
--- /dev/null
+++ b/hosts/lab-by-02/setup_fail2ban.sh
@@ -0,0 +1,4 @@
+echo "== Fail2ban =="
+apt-get install -y fail2ban
+systemctl enable --now fail2ban
+echo "== Fail2ban enabled =="
\ No newline at end of file
diff --git a/hosts/lab-by-02/setup_ufw.sh b/hosts/lab-by-02/setup_ufw.sh
new file mode 100644
index 0000000..bd88336
--- /dev/null
+++ b/hosts/lab-by-02/setup_ufw.sh
@@ -0,0 +1,12 @@
+echo "== UFW =="
+apt-get install -y ufw
+
+ufw default deny incoming
+ufw default allow outgoing
+ufw allow 22/tcp
+ufw allow 80/tcp
+ufw allow 443/tcp
+# enable with interactive = off
+echo "y" | ufw enable
+
+echo "== UFW enabled =="
\ No newline at end of file
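Review bot: install_base_utilities.sh has no shebang, no `set -euo pipefail` and no root check, unlike initial_setup.sh, so a failed `apt-get install` is not noticed and the run continues to the "Finished" message; setup_docker.sh, setup_fail2ban.sh and setup_ufw.sh have the same gap. Unless these files are meant to be sourced from a parent script, which the patch does not show, each should start with `#!/usr/bin/env bash` and `set -euo pipefail`. The package list also duplicates the one at the end of initial_setup.sh, so the two copies can drift apart; keeping it in one place avoids that.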
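Review bot: `curl -fsSL https://get.docker.com | sh` in setup_docker.sh runs whatever the server returns as root with no integrity check, and without `pipefail` in this file a failed download does not stop the script. Saving the installer to a file and comparing it with a pinned checksum before running it, or installing from Docker's signed apt repository, removes that trust-on-every-run. `NEW_USER` is not assigned in this file, so unless the caller exports it the `usermod -aG docker "$NEW_USER"` line runs with an empty name; a guard such as `: "${NEW_USER:?NEW_USER must be set}"` makes the dependency explicit. Membership of the `docker` group is effectively root-equivalent, which is worth a comment next to the `usermod` line.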
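Review bot: `echo "y" | ufw enable` in setup_ufw.sh depends on the confirmation prompt; `ufw --force enable` is the supported non-interactive form. Port 22 is opened to every source with `ufw allow 22/tcp`; `ufw limit 22/tcp` adds connection rate limiting, and restricting the source address is tighter when the admin networks are known. Because setup_docker.sh installs Docker on the same host, a comment should record that ports published by containers are handled by Docker's own iptables rules and are generally not filtered by these UFW rules, so the default-deny policy here does not cover them.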