
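#!/bin/bash
# Bootstrap an Arch host for the scarif stack: system users, sudo, SSH
# hardening, Gitea SSH passthrough, certbot (production only), ufw and the
# docker-compose services.
#
# Must run as root. Reads USER_PASSWORD, GIT_PASSWORD, SSH_KEY, APP_ENV and,
# in production, DOMAIN and DIGITALOCEAN_TOKEN from /opt/scarif/.env.
# Written to be safe to re-run: users are created only if absent, key files
# are appended only once, sshd directives are replaced in place.
set -o pipefail

readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly ENV_FILE=/opt/scarif/.env

die() { printf 'bootstrap: %s\n' "$*" >&2; exit 1; }

#######################################
# Create a local user with a hashed password unless it already exists.
# The password goes to openssl on stdin (not argv) so it does not show up
# in `ps`, and is hashed with SHA-512 crypt (-6); the old -1 was MD5-crypt.
# If hashing fails we abort instead of running useradd with an empty -p,
# which would install an empty (passwordless) login.
# Arguments: $1 - user name, $2 - plaintext password, $3.. - extra useradd args
#######################################
create_user() {
  local user=$1 password=$2
  shift 2
  local hash
  id -u "$user" >/dev/null 2>&1 && return 0
  hash=$(printf '%s\n' "$password" | openssl passwd -6 -stdin) \
    || die "could not hash password for $user"
  useradd -m -p "$hash" "$@" "$user"
}

#######################################
# Set one sshd_config directive: replace the (possibly commented-out) stock
# line in place, or append it if the keyword is not present at all.
# Replacing the whole line avoids results like "MaxSessions 4 10".
# NOTE(review): sshd keeps the first value it reads for a keyword, so a
# drop-in pulled in by an earlier Include line would still win — confirm
# none sets these keywords on the target host.
# Arguments: $1 - keyword, $2 - value
#######################################
set_sshd_option() {
  local key=$1 value=$2
  if grep -Eq "^#?${key}( |$)" "$SSHD_CONFIG"; then
    sed -i -E "s|^#?${key}( .*)?$|${key} ${value}|" "$SSHD_CONFIG"
  else
    printf '%s %s\n' "$key" "$value" >> "$SSHD_CONFIG"
  fi
}

[[ $EUID -eq 0 ]] || die "must be run as root"
source "$ENV_FILE"
# Fail fast on a missing .env value rather than silently hashing "" or
# appending an empty authorized_keys entry.
: "${USER_PASSWORD:?USER_PASSWORD is not set in $ENV_FILE}"
: "${GIT_PASSWORD:?GIT_PASSWORD is not set in $ENV_FILE}"
: "${SSH_KEY:?SSH_KEY is not set in $ENV_FILE}"
: "${APP_ENV:?APP_ENV is not set in $ENV_FILE}"

echo "------- Generating system users -------"
# Add me as a user and git for SSH passthrough to gitea (change passwords after finishing)
create_user chris "$USER_PASSWORD"
create_user git "$GIT_PASSWORD" -u 1200
# Set up privileges as a validated drop-in rather than appending to
# /etc/sudoers unchecked (a bad line there breaks sudo for everyone).
sudoers_tmp=$(mktemp) || die "mktemp failed"
printf '%s\n' "chris ALL=(ALL) ALL" > "$sudoers_tmp"
visudo -cf "$sudoers_tmp" >/dev/null || die "generated sudoers rule does not parse"
install -m 440 -o root -g root "$sudoers_tmp" /etc/sudoers.d/chris
rm -f -- "$sudoers_tmp"
# Disable root login
passwd -l root

# Install necessary packages
echo "------- Installing packages -------"
pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw certbot certbot-dns-digitalocean

echo "------- Setting up SSH -------"
# ssh-keygen does not create the parent directory, so make sure it exists
install -d -m 700 /home/git/.ssh
chown git: /home/git/.ssh
# Remove old SSH keys in case running again
rm -f /home/git/.ssh/*
# Generate SSH keys for git to enable SSH proxy
sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key" -f /home/git/.ssh/id_rsa -q -N ""
# Add SSH key to authorized keys which is shared with docker container
printf 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
  "$(cat /home/git/.ssh/id_rsa.pub)" >> /home/git/.ssh/authorized_keys
chown git: /home/git/.ssh/authorized_keys
chmod 600 /home/git/.ssh/authorized_keys
# Add current SSH key to main user's authorized keys (only once)
install -d -m 700 /home/chris/.ssh
touch /home/chris/.ssh/authorized_keys
grep -qxF -- "$SSH_KEY" /home/chris/.ssh/authorized_keys \
  || printf '%s\n' "$SSH_KEY" >> /home/chris/.ssh/authorized_keys
chown -R chris: /home/chris/.ssh
chmod 600 /home/chris/.ssh/authorized_keys
# Disable root login
set_sshd_option PermitRootLogin no
# Give an unauthenticated connection 1 minute to log in before it is dropped
set_sshd_option LoginGraceTime 1m
# Add banner art
set_sshd_option Banner /opt/scarif/ssh-banner-art
# Limit number of sessions
set_sshd_option MaxSessions 4
# Limit users
set_sshd_option AllowUsers "chris git"
# Modify login messages
echo "Clearance codes accepted! proceed:" > /etc/motd
# Enforce a delay after a failed login attempt to prevent brute force attacks
# (the module is pam_faildelay.so; the option syntax is delay=<microseconds>)
grep -q 'pam_faildelay\.so' /etc/pam.d/system-login \
  || echo "auth optional pam_faildelay.so delay=2000000" >> /etc/pam.d/system-login
# Never restart sshd with a config it will not load: that would cut off the
# session running this script along with every future login.
sshd -t || die "sshd_config failed validation; not restarting sshd"
systemctl restart sshd

echo "------- Enabling SSH passthrough -------"
# Make files necessary for SSH passthrough (https://docs.gitea.io/en-us/install-with-docker/#ssh-container-passthrough)
mkdir -p /var/lib/gitea
mkdir -p /app/gitea
# Quoted delimiter: the body is written literally; $0, $@ and
# $SSH_ORIGINAL_COMMAND are expanded by the forwarding shell at connect time.
cat > /app/gitea/gitea <<'END'
#!/bin/sh
ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
END
chmod +x /app/gitea/gitea
chown -R git /app/gitea/gitea
chown -R git /var/lib/gitea

if [[ "$APP_ENV" == "production" ]]; then
  echo "------- Enabling certbot service -------"
  : "${DIGITALOCEAN_TOKEN:?DIGITALOCEAN_TOKEN is not set in $ENV_FILE}"
  : "${DOMAIN:?DOMAIN is not set in $ENV_FILE}"
  # Create the credentials file 0600 before writing the token into it, and
  # write it with cat (not tee) so the token is not echoed to the terminal.
  install -d -m 700 /root/.secret/certbot
  install -m 600 /dev/null /root/.secret/certbot/digitalocean.ini
  cat > /root/.secret/certbot/digitalocean.ini <<END
# DigitalOcean API credentials used by Certbot
dns_digitalocean_token = $DIGITALOCEAN_TOKEN
END
  # -d values quoted so "*.$DOMAIN" is never glob-expanded against the cwd
  certbot certonly \
    --dns-digitalocean \
    --dns-digitalocean-credentials /root/.secret/certbot/digitalocean.ini \
    -d "*.$DOMAIN" -d "$DOMAIN" \
    -m stofflees@gmail.com \
    --agree-tos \
    --no-eff-email
  cp /opt/scarif/certbot/* /etc/systemd/system/
  systemctl daemon-reload
  systemctl enable --now certbot.timer
fi

echo "------- Adding config folders for jitsi -------"
mkdir -p /opt/jitsi/{web/letsencrypt,transcripts,prosody/config,prosody/prosody-plugins-custom,jicofo,jvb,jigasi,jibri}

echo "------- Setting up firewall -------"
ufw default deny incoming
ufw default allow outgoing
# 22 must stay open: this script is normally driven over SSH
ufw allow 22
ufw allow 80
ufw allow 443
ufw --force enable

echo "------- Starting docker -------"
systemctl enable docker --now
# Same compose file and env for every invocation, so the later exec does not
# depend on the current working directory.
compose=(docker-compose -f "/opt/scarif/docker-compose.yml" --env-file "/opt/scarif/.env")
"${compose[@]}" up -d
# Create a super user for pinry
docker exec -it scarif_pinry_1 python manage.py createsuperuser --settings=pinry.settings.docker
# Create user for jitsi. prosodyctl takes the password as an argument, so it
# is briefly visible in `ps` on this host; rotate it afterwards if that matters.
"${compose[@]}" exec prosody prosodyctl --config /config/prosody.cfg.lua register chris meet.jitsi "${USER_PASSWORD}"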