chris/scarif
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Additional configuration for server and prepare for deployment

Browse Source
This commit is contained in:
Chris
2020-12-13 23:08:24 +00:00
parent 2df38382bb
commit 8629648666
4 changed files with 100 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
bootstrap.sh
View File

@@ -2,16 +2,43 @@
source /opt/scarif/.env
echo "------- Generating system users -------"
# Add me as a user and git for SSH passthrough to gitea (change passwords after finishing)
useradd -m -p $(echo $USER_PASSWORD | openssl passwd -1 -stdin) chris
useradd -m -p $(echo $GIT_PASSWORD | openssl passwd -1 -stdin) -u1200 git
# Install necessary packages
pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw
# Set up privileges
echo "chris ALL=(ALL) ALL" >> /etc/sudoers
# Disable root login
passwd -l root
# Install necessary packages
echo "------- Installing packages -------"
pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw
echo "------- Setting up SSH -------"
# Remove old SSH keys in case running again
rm -f /home/git/.ssh/*
# Generate SSH keys for git to enable SSH proxy
sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key" -f/home/git/.ssh/id_rsa -q -N ""
# Add SSH key to authorized keys which is shared with docker container
echo "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $(cat /home/git/.ssh/id_rsa.pub)" >> /home/git/.ssh/authorized_keys
# Add current SSH key to main user's authorized keys
mkdir /home/chris/.ssh
echo $SSH_KEY >> /home/chris/.ssh/authorized_keys
# Disable root login
sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin no/" /etc/ssh/sshd_config
# Logout after 5 minutes of inactivity
sed -i "s/#LoginGraceTime 2m/LoginGraceTime 5m/" /etc/ssh/sshd_config
# Add banner art
sed -i "s/#Banner none/Banner \/opt\/scarif\/ssh-banner-art/" >> /etc/ssh/sshd_config
# Modify login messages
echo "Clearance codes accepted! proceed:" > /etc/motd
# Enforce a delay after a failed login attempt to prevent brute force attacks
echo "auth optional pam-faildelay.so delay 2000000" >> /etc/pam.d/system-login
systemctl restart sshd
echo "------- Enabling SSH passthrough -------"
# Make files necessary for SSH passthrough (https://docs.gitea.io/en-us/install-with-docker/#ssh-container-passthrough)
mkdir -p /var/lib/gitea
mkdir -p /app/gitea
@@ -24,19 +51,8 @@ chmod +x /app/gitea/gitea
chown -R git /app/gitea/gitea
chown -R git /var/lib/gitea
rm -f /home/git/.ssh/*
sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key" -f/home/git/.ssh/id_rsa -q -N ""
sudo -u git touch /home/git/.ssh/authorized_keys
echo "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $(cat /home/git/.ssh/id_rsa.pub)" >> /home/git/.ssh/authorized_keys
echo $SSH_KEY >> /home/git/.ssh/authorized_keys
sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/' /etc/ssh/sshd_config
systemctl restart sshd
# Set up firewall
echo "------- Setting up firewall -------"
ufw default deny incoming
ufw default allow outgoing
ufw allow 22
@@ -44,9 +60,9 @@ ufw allow 80
ufw allow 443
ufw --force enable
# Start the docker service and build docker compose
echo "------- Starting docker -------"
systemctl enable docker --now
docker-compose -f "/opt/scarif/docker-compose.yml" --env-file "/opt/scarif/.env" up -d
# Create a super user for pinry
docker exec -it scarif_pinry_1 python manage.py createsuperuser --settings=pinry.settings.docker