add initial setup scripts used for by-02 host (vpnwg.ulakar.com)

hosts/lab-by-02/initial_setup.sh

@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+
+### ==== CONFIG ====
+NEW_USER="vk"
+NEW_USER_SSH_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCrWDR47Kc44jCeM+DK+2J1MZgPm6FlHc7LTkN0loeWea0EMCu3rtzSRV6OUIMsbh6038m77kNmsoP7XjfYOdHLTEdYZ87Y4kd6O0VUSW0ldDCtrmFZBy7rI7YAnAh1Hup0Q4DaimDHx2UWrrXxUxKcuPw2eJtbN7/yhq9nrdTkr1kP213geHIcs91d+g9UrGSU2eMS8wGm67VSEgIQSiOoGiY422JzDR57x3EmH3M4bDw0kQFAwguBM7LtBG0oX/Znd4EjAZNnkqaGGqdaxxld3sqzs8EjXIgkEfvwp7qX9tW5qyyA2j3syg/qj89FaLW/CRmIKqxIZnYaweL4e2MhvHWE8CaMws5N801YuTdyvyQZSUHgNCe5MR9f6FihgPBX9M0qDAHlZ0oUKq6ScIUqz+JpWL/NTcOLYMCnBoL+JDIyzkwBzlJpreq4MmC7bjL6hjw5K0ykA9S8Kk4Cuarfw9OwSk5LiL/bVy2CDBtBBIzFg9Hd0TanSERjRQrhh7s= vk@jalezze'
+HOSTNAME_FQDN="lab-by-02.ulakar.com"
+### ===================================
+
+if [[ "$(id -u)" -ne 0 ]]; then
+  echo "Run this script under root user" >&2
+  exit 1
+fi
+
+echo "== Update System =="
+apt-get update -y
+apt-get upgrade -y
+
+if [[ -n "$HOSTNAME_FQDN" ]]; then
+  echo "== Set hostname: $HOSTNAME_FQDN =="
+  hostnamectl set-hostname "$HOSTNAME_FQDN"
+fi
+
+echo "== Create user $NEW_USER =="
+if id "$NEW_USER" >/dev/null 2>&1; then
+  echo "User $NEW_USER already exists. Skip."
+else
+  adduser --disabled-password --gecos "" "$NEW_USER"
+fi
+
+echo "== Add $NEW_USER into sudo =="
+usermod -aG sudo "$NEW_USER"
+
+# allow sudo commands without password
+echo "$NEW_USER ALL=(ALL) NOPASSWD:ALL" | sudo tee "/etc/sudoers.d/$NEW_USER"
+sudo chmod 440 "/etc/sudoers.d/$NEW_USER"
+
+echo "== Setup SSH-key for $NEW_USER =="
+USER_HOME=$(getent passwd "$NEW_USER" | cut -d: -f6)
+mkdir -p "$USER_HOME/.ssh"
+chmod 700 "$USER_HOME/.ssh"
+
+AUTH_KEYS="$USER_HOME/.ssh/authorized_keys"
+touch "$AUTH_KEYS"
+grep -qxF "$NEW_USER_SSH_KEY" "$AUTH_KEYS" || echo "$NEW_USER_SSH_KEY" >> "$AUTH_KEYS"
+chmod 600 "$AUTH_KEYS"
+chown -R "$NEW_USER:$NEW_USER" "$USER_HOME/.ssh"
+
+echo "== Setup SSH =="
+
+cat >/etc/ssh/sshd_config.d/100-security.conf <<EOF
+PermitRootLogin no
+PasswordAuthentication no
+EOF
+
+echo "== Reload SSH daemon =="
+
+if systemctl reload ssh 2>/dev/null; then
+    echo "SSH reloaded via ssh.service"
+elif systemctl reload sshd 2>/dev/null; then
+    echo "SSH reloaded via sshd.service"
+else
+    echo "Warning: could not reload SSH daemon"
+fi
+
+echo "== Install base utilities =="
+apt-get install -y \
+  net-tools \
+  htop \
+  curl \
+  wget \
+  git \
+  vim \
+  gnupg \
+  ca-certificates \
+  lsb-release
+
+echo "== Finished. Check SSH for $NEW_USER =="

hosts/lab-by-02/install_base_utilities.sh

@@ -0,0 +1,13 @@
+echo "== Install base utilities =="
+apt-get install -y \
+  net-tools \
+  htop \
+  curl \
+  wget \
+  git \
+  vim \
+  gnupg \
+  ca-certificates \
+  lsb-release
+
+echo "== Finished install base utilities =="

hosts/lab-by-02/setup_docker.sh

@@ -0,0 +1,8 @@
+echo "== Docker: install from get.docker.com =="
+curl -fsSL https://get.docker.com | sh
+
+echo "== Docker: add $NEW_USER into docker group =="
+usermod -aG docker "$NEW_USER"
+systemctl enable --now docker
+
+echo "== Finished docker installation =="

hosts/lab-by-02/setup_fail2ban.sh

@@ -0,0 +1,4 @@
+echo "== Fail2ban =="
+apt-get install -y fail2ban
+systemctl enable --now fail2ban
+echo "== Fail2ban enabled =="

hosts/lab-by-02/setup_ufw.sh

@@ -0,0 +1,12 @@
+echo "== UFW =="
+apt-get install -y ufw
+
+ufw default deny incoming
+ufw default allow outgoing
+ufw allow 22/tcp
+ufw allow 80/tcp
+ufw allow 443/tcp
+# enable with interactive = off
+echo "y" | ufw enable
+
+echo "== UFW enabled =="