chris/scarif
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
678894d7dbc3720c9b51cf2c50b71b514266df93
scarif/bootstrap.sh
Chris 678894d7db Working for homelab
2023-03-23 20:29:29 +00:00

109 lines
3.6 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
source /opt/scarif/.env
echo "------- Generating system users -------"
## Add me as a user and git for SSH passthrough to gitea (change passwords after finishing)
useradd -m -p $(echo $USER_PASSWORD | openssl passwd -1 -stdin) chris
useradd -m -p $(echo $GIT_PASSWORD | openssl passwd -1 -stdin) -u1200 git
## Set up privileges
echo "chris ALL=(ALL) ALL" >> /etc/sudoers
echo "root ALL=(ALL) ALL" >> /etc/sudoers
## Disable root login
passwd -l root
# Install necessary packages
echo "------- Installing packages -------"
pacman -Syyu --noconfirm
pacman -S --noconfirm archlinux-keyring
pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw certbot samba nfs-utils
echo "------- Setting up SSH -------"
# Remove old SSH keys in case running again
sudo -u git mkdir -p /home/git/.ssh
rm -f /home/git/.ssh/*
# Generate SSH keys for git to enable SSH proxy
sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key" -f/home/git/.ssh/id_rsa -q -N ""
# Add SSH key to authorized keys which is shared with docker container
echo "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $(cat /home/git/.ssh/id_rsa.pub)" >> /home/git/.ssh/authorized_keys
# Add current SSH key to main user's authorized keys
mkdir -p /home/chris/.ssh
echo $SSH_KEY >> /home/chris/.ssh/authorized_keys
rm /etc/ssh/sshd_config
ln -s /opt/scarif/sshd_config /etc/ssh/sshd_config
# Modify login messages
echo "Clearance codes accepted! proceed:" > /etc/motd
# Enforce a delay after a failed login attempt to prevent brute force attacks
echo "auth optional pam-faildelay.so delay 2000000" >> /etc/pam.d/system-login
systemctl restart sshd
echo "------- Enabling SSH passthrough -------"
## Make files necessary for SSH passthrough (https://docs.gitea.io/en-us/install-with-docker/#ssh-container-passthrough)
mkdir -p /var/lib/gitea
cat <<"EOF" | sudo tee /usr/local/bin/gitea
#!/bin/sh
ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
EOF
sudo chmod +x /usr/local/bin/gitea
chmod +x /app/gitea/gitea
chown -R git /app/gitea/gitea
chown -R git /var/lib/gitea
#if [ $APP_ENV = "production" ]
#then
# echo "------- Enabling certbot service -------"
# mkdir -p /root/.secret/certbot
# tee /root/.secret/certbot/digitalocean.ini <<END
## DigitalOcean API credentials used by Certbot
#dns_digitalocean_token = $DIGITALOCEAN_TOKEN
#END
# certbot certonly \
# --dns-digitalocean \
# --dns-digitalocean-credentials /root/.secret/certbot/digitalocean.ini \
# -d *.$DOMAIN -d $DOMAIN \
# -m stofflees@gmail.com \
# --agree-tos \
# --no-eff-email
#
# cp /opt/scarif/certbot/* /etc/systemd/system/
# systemctl enable --now certbot.timer
#fi
echo "------- Adding config folders for jitsi -------"
mkdir -p /opt/jitsi/{web/letsencrypt,transcripts,prosody/config,prosody/prosody-plugins-custom,jicofo,jvb,jigasi,jibri}
echo "------- Setting up firewall -------"
ufw default deny incoming
ufw default allow outgoing
ufw allow 629
ufw allow 80
ufw allow 443
ufw allow 2049
ufw allow CIFS
ufw --force enable
echo "------- Starting docker -------"
systemctl enable docker --now
docker-compose -f "/opt/scarif/docker-compose.yml" --env-file "/opt/scarif/.env" up -d
## Create user for jitsi
docker-compose exec prosody prosodyctl --config /config/prosody.cfg.lua register chris meet.jitsi ${USER_PASSWORD}
echo "------- Start Samba share -------"
ln -s /opt/scarif/smb.conf /etc/samba/smb.conf
smbpasswd -a chris
systemctl enable --now smb
echo "------- Start NFS share -------"
ln -s /opt/scarif/nfs.conf /etc/nfs.conf
ln -s /opt/scarif/exports /etc/exports
exportfs -arv
systemctl enable --now nfs4-server
systemctl enable --now zfs-share
Reference in New Issue View Git Blame Copy Permalink