diff --git a/bootstrap.sh b/bootstrap.sh
index b99c0c1..0949008 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -2,16 +2,43 @@ source /opt/scarif/.env
+echo "------- Generating system users -------"
 # Add me as a user and git for SSH passthrough to gitea (change passwords after finishing)
 useradd -m -p $(echo $USER_PASSWORD | openssl passwd -1 -stdin) chris
 useradd -m -p $(echo $GIT_PASSWORD | openssl passwd -1 -stdin) -u1200 git
-
-# Install necessary packages
-pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw
-
 # Set up privileges
 echo "chris ALL=(ALL) ALL" >> /etc/sudoers
+# Disable root login
+passwd -l root
+# Install necessary packages
+echo "------- Installing packages -------"
+pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw
+
+echo "------- Setting up SSH -------"
+# Remove old SSH keys in case running again
+rm -f /home/git/.ssh/*
+# Generate SSH keys for git to enable SSH proxy
+sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key" -f/home/git/.ssh/id_rsa -q -N ""
+# Add SSH key to authorized keys which is shared with docker container
+echo "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $(cat /home/git/.ssh/id_rsa.pub)" >> /home/git/.ssh/authorized_keys
+# Add current SSH key to main user's authorized keys
+mkdir /home/chris/.ssh
+echo $SSH_KEY >> /home/chris/.ssh/authorized_keys
+# Disable root login
+sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin no/" /etc/ssh/sshd_config
+# Logout after 5 minutes of inactivity
+sed -i "s/#LoginGraceTime 2m/LoginGraceTime 5m/" /etc/ssh/sshd_config
+# Add banner art
+sed -i "s/#Banner none/Banner \/opt\/scarif\/ssh-banner-art/" >> /etc/ssh/sshd_config
+# Modify login messages
+echo "Clearance codes accepted! 
proceed:" > /etc/motd
+# Enforce a delay after a failed login attempt to prevent brute force attacks
+echo "auth optional pam-faildelay.so delay 2000000" >> /etc/pam.d/system-login
+
+systemctl restart sshd
+
+echo "------- Enabling SSH passthrough -------"
 # Make files necessary for SSH passthrough (https://docs.gitea.io/en-us/install-with-docker/#ssh-container-passthrough)
 mkdir -p /var/lib/gitea
 mkdir -p /app/gitea
@@ -24,19 +51,8 @@ chmod +x /app/gitea/gitea
 chown -R git /app/gitea/gitea
 chown -R git /var/lib/gitea
-rm -f /home/git/.ssh/*
-sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key" -f/home/git/.ssh/id_rsa -q -N ""
-
-sudo -u git touch /home/git/.ssh/authorized_keys
-echo "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $(cat /home/git/.ssh/id_rsa.pub)" >> /home/git/.ssh/authorized_keys
-echo $SSH_KEY >> /home/git/.ssh/authorized_keys
-
-sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/' /etc/ssh/sshd_config
-
-systemctl restart sshd
-
-# Set up firewall
+echo "------- Setting up firewall -------"
 ufw default deny incoming
 ufw default allow outgoing
 ufw allow 22
@@ -44,9 +60,9 @@ ufw allow 80
 ufw allow 443
 ufw --force enable
-# Start the docker service and build docker compose
+echo "------- Starting docker -------"
 systemctl enable docker --now
 docker-compose -f "/opt/scarif/docker-compose.yml" --env-file "/opt/scarif/.env" up -d
-
+# Create a super user for pinry
 docker exec -it scarif_pinry_1 python manage.py createsuperuser --settings=pinry.settings.docker
diff --git a/docker-compose.yml b/docker-compose.yml
index cca892d..eda9cec 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,9 +1,9 @@
 # Options for building certificates
-x-certs: &certs
- image: paulczar/omgwtfssl
- restart: "no"
- volumes:
- - certs:/certs
+#x-certs: &certs
+# image: paulczar/omgwtfssl
+# restart: "no"
+# volumes:
+# - certs:/certs
 version: "3.4"
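Review bot: The banner line `sed -i "s/#Banner none/Banner \/opt\/scarif\/ssh-banner-art/" >> /etc/ssh/sshd_config` hands the config file to the shell as a redirection target instead of to sed as its input, so sed has no file operand (GNU sed refuses `-i` without one) and the Banner directive is never written; it should read `sed -i "s/#Banner none/Banner \/opt\/scarif\/ssh-banner-art/" /etc/ssh/sshd_config`. The PAM line fails in the same silent way: the module is `pam_faildelay.so` and its option is spelled `delay=2000000`, and because the entry is `optional` a module that cannot be loaded is skipped, so the intended delay after failed logins never takes effect — and the line is appended again on every run of the script. The `LoginGraceTime` edit does not do what its comment says: that option bounds how long an unauthenticated connection may stay open before sshd drops it, so raising it from 2m to 5m lets unauthenticated clients hold connections longer, whereas an idle-session logout would be `ClientAliveInterval`/`ClientAliveCountMax`; the comment should name whichever is meant. Running `sshd -t` before `systemctl restart sshd` would catch a bad edit before the daemon is bounced.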
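Review bot: Dropping `sudo -u git touch /home/git/.ssh/authorized_keys` here leaves nothing in the relocated SSH block (first hunk) that creates the file as `git`; the `echo ... >> /home/git/.ssh/authorized_keys` following `ssh-keygen` now runs as root, so after `rm -f /home/git/.ssh/*` the file is recreated root-owned with root's umask. sshd accepts a root-owned authorized_keys, but if the Gitea container is expected to append user keys to this shared file as `git` (the passthrough setup linked in the context comment), a root-owned file blocks that; I would restore the touch, or finish the block with `chown -R git: /home/git/.ssh && chmod 700 /home/git/.ssh && chmod 600 /home/git/.ssh/authorized_keys`. The same applies to `/home/chris/.ssh` on the new side of the first hunk: it is created and written by root and never chowned to chris, `mkdir` without `-p` fails on the re-run the script otherwise tries to support, and `echo "$SSH_KEY"` should be quoted.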
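Review bot: The `x-certs` anchor is commented out rather than removed, and the same is done for the `certs` service and the `certs` volume in the later hunks of this file, leaving three dead blocks that reference each other and will drift from the live config; git history already preserves them, so I would delete them outright. If the intent is to keep a self-signed fallback discoverable, a one-line comment at the top such as `# TLS material is now supplied from the host at /opt/ssl (see nginx service)` tells the next reader where the certificates come from without the dead YAML.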
@@ -171,7 +171,7 @@ services: image: nginx:alpine restart: always volumes: - - certs:/etc/nginx/certs:ro + - /opt/ssl:/etc/nginx/certs:ro - ./nginx.conf:/etc/nginx/nginx.conf - monica-public:/var/www/html/monica/public:ro - monica-data:/var/www/html/monica/storage:ro
@@ -184,21 +184,20 @@ services: - collabora - cadvisor - pinry - - certs ports: - 80:80 - 443:443 networks: - nginx - certs: - <<: *certs - environment: - - SSL_SUBJECT=${DOMAIN} - - CA_SUBJECT=chris@${DOMAIN} - - SSL_KEY=/certs/${DOMAIN}.key - - SSL_CSR=/certs/${DOMAIN}.csr - - SSL_CERT=/certs/${DOMAIN}.crt + #certs: + # <<: *certs + # environment: + # - SSL_SUBJECT=${DOMAIN} + # - CA_SUBJECT=chris@${DOMAIN} + # - SSL_KEY=/certs/${DOMAIN}.key + # - SSL_CSR=/certs/${DOMAIN}.csr + # - SSL_CERT=/certs/${DOMAIN}.crt volumes: db:
@@ -206,7 +205,7 @@ volumes:
 monica-public:
 monica-data:
 nextcloud:
- certs:
+ #certs:
 dashboard:
 pinry:
diff --git a/nginx.conf b/nginx.conf
index f60f6eb..a5c3a36 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -75,10 +75,10 @@ http {
 server {
 listen 443 ssl http2;
- ssl_certificate /etc/nginx/certs/scarif.local.crt;
- ssl_certificate_key /etc/nginx/certs/scarif.local.key;
+ ssl_certificate /etc/nginx/certs/scarif.space.crt;
+ ssl_certificate_key /etc/nginx/certs/scarif.space.key;
- server_name personel.scarif.local;
+ server_name personel.scarif.space;
 ## HSTS ##
 # Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
@@ -211,10 +211,10 @@ http {
 server {
 listen 443 ssl http2;
- ssl_certificate /etc/nginx/certs/scarif.local.crt;
- ssl_certificate_key /etc/nginx/certs/scarif.local.key;
+ ssl_certificate /etc/nginx/certs/scarif.space.crt;
+ ssl_certificate_key /etc/nginx/certs/scarif.space.key;
- server_name tower.scarif.local;
+ server_name tower.scarif.space;
 ## HSTS ##
 # Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
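Review bot: `/opt/ssl:/etc/nginx/certs:ro` replaces a container-generated certificate with files the host must already hold, but nothing in this commit creates `/opt/ssl` or checks that `scarif.space.crt`/`scarif.space.key` (the names nginx.conf now expects) exist before bootstrap.sh runs `docker-compose ... up -d`; if they are absent, Docker will typically create an empty root-owned `/opt/ssl` for the bind mount and the nginx container fails to start. I would add a guard in bootstrap.sh ahead of the compose call, e.g. `[ -r /opt/ssl/scarif.space.key ] || { echo "missing /opt/ssl/scarif.space.key" >&2; exit 1; }`, and note next to this mount that the key should be root-owned 0600 on the host — the read-only mount stops the container from altering it, not from reading it. Renewal is now a host concern as well, since the stack no longer regenerates the certificate; a line in the comment above this block or in the README saying how `/opt/ssl` is refreshed would close that gap.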
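Review bot: The single `scarif.space.crt` is now presented for `personel.scarif.space` here and for `tower.`, `office.`, `labs.`, `command.`, `monitoring.`, `research.` and the bare `scarif.space` in the remaining hunks of this file, so the certificate must carry every one of those names as a SAN (or a `*.scarif.space` wildcard plus the apex); the replaced `omgwtfssl` service issued for `SSL_SUBJECT=${DOMAIN}` alone, so a certificate produced the same way would fail validation on each subdomain — worth confirming against whatever now populates `/opt/ssl`. Because every server block uses the identical pair, I would declare `ssl_certificate /etc/nginx/certs/scarif.space.crt;` and `ssl_certificate_key /etc/nginx/certs/scarif.space.key;` once in the enclosing `http {}` block (nginx inherits them into each `server`) and delete the per-server copies, which is exactly the six-place edit this commit had to make. Each server block continues past its hunk.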
@@ -346,10 +346,10 @@ http {
 server {
 listen 443 ssl;
- server_name office.scarif.local;
+ server_name office.scarif.space;
- ssl_certificate /etc/nginx/certs/scarif.local.crt;
- ssl_certificate_key /etc/nginx/certs/scarif.local.key;
+ ssl_certificate /etc/nginx/certs/scarif.space.crt;
+ ssl_certificate_key /etc/nginx/certs/scarif.space.key;
 # static files
 location ^~ /loleaflet {
@@ -405,13 +405,13 @@ http {
 server {
 listen 443 ssl http2;
- ssl_certificate /etc/nginx/certs/scarif.local.crt;
- ssl_certificate_key /etc/nginx/certs/scarif.local.key;
+ ssl_certificate /etc/nginx/certs/scarif.space.crt;
+ ssl_certificate_key /etc/nginx/certs/scarif.space.key;
 gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
- server_name labs.scarif.local;
+ server_name labs.scarif.space;
 location / {
 proxy_pass http://gitea-handler;
@@ -425,13 +425,13 @@ http {
 server {
 listen 443 ssl http2;
- ssl_certificate /etc/nginx/certs/scarif.local.crt;
- ssl_certificate_key /etc/nginx/certs/scarif.local.key;
+ ssl_certificate /etc/nginx/certs/scarif.space.crt;
+ ssl_certificate_key /etc/nginx/certs/scarif.space.key;
 gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
- server_name command.scarif.local scarif.local;
+ server_name command.scarif.space scarif.space;
 location / {
 proxy_pass http://dashboard-handler;
@@ -449,13 +449,13 @@ http {
 server {
 listen 443 ssl http2;
- ssl_certificate /etc/nginx/certs/scarif.local.crt;
- ssl_certificate_key /etc/nginx/certs/scarif.local.key;
+ ssl_certificate /etc/nginx/certs/scarif.space.crt;
+ ssl_certificate_key /etc/nginx/certs/scarif.space.key;
 gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
- server_name monitoring.scarif.local;
+ server_name monitoring.scarif.space;
 location / {
 proxy_pass http://cadvisor-handler;
@@ -469,13 +469,13 @@ http {
 server {
 listen 443 ssl http2;
- ssl_certificate /etc/nginx/certs/scarif.local.crt;
- ssl_certificate_key /etc/nginx/certs/scarif.local.key;
+ ssl_certificate /etc/nginx/certs/scarif.space.crt;
+ ssl_certificate_key /etc/nginx/certs/scarif.space.key;
 gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
- server_name research.scarif.local;
+ server_name research.scarif.space;
 location / {
 proxy_pass http://pinry-handler;
diff --git a/ssh-banner-art b/ssh-banner-art
new file mode 100644
index 0000000..5b21768
--- /dev/null
+++ b/ssh-banner-art
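Review bot: `monitoring.scarif.space` proxies straight to `cadvisor-handler`, and the move from `.local` names to a public TLD suggests these vhosts are meant to be reachable from the Internet; cAdvisor has no authentication of its own, so unless something outside this hunk adds `auth_basic`/`auth_basic_user_file` or an `allow`/`deny` list to this server block, its UI and per-container metrics become world-readable (the same question applies to `research.scarif.space` → pinry in the next hunk and to the dashboard and gitea hosts earlier). I would gate the `location /` with `auth_basic` or restrict it by source address, and state in a comment above `server {` which hosts are intentionally public. The server block continues past the hunk, so such a guard may already be present further down — this is a check, not a confirmed gap.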
@@ -0,0 +1,30 @@ + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + _______. ______ ___ .______ __ _______ + / | / | / \ | _ \ | | | ____| + | (----`| ,----' / ^ \ | |_) | | | | |__ + \ \ | | / /_\ \ | / | | | __| + .----) | | `----./ _____ \ | |\ \----.| | | | + |_______/ \______/__/ \__\ | _| `._____||__| |__| + + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ________ + _,.-Y | | Y-._ + .-~" || | | | "-. + I" ""=="|" !""! "|"[]""| _____ + L__ [] |..------|: _[----I" .-{"-. + I___| ..| l______|l_ [__L]_[I_/r(=}=-P + [L______L_[________]______j~ '-=c_]/=-^ + \_I_j.--.\==I|I==_/.--L_] + [_((==)[`-----"](==)j + I--I"~~"""~~"I--I + |[]| |[]| + l__j l__j _\/_ + |!!| |!!| //o\ _\/_ + |..| |..| | /o\\_ + _____([]),,...__ ([]) __..---'"""|""' | + ___..-----'"""""" ]--[ `"]--[---``` | + [_L] [_L] + /|..|\ /|..|\ + `=}--{=' `=}--{=' + .-^--r-^-. .-^--r-^-. + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~