betogrun · May 14, 2024 20:26
diff --git a/setup.sh b/setup.sh
 #!/bin/bash

 # Exit immediately if a command exits with a non-zero status
 set -e

 # Logging function
 log() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a /var/log/setup_script.log
 }

 # Check if the script is being run as root
 if [[ $EUID -ne 0 ]]; then
    log "This script must be run as root. Please run it with sudo or as root."
    exit 1
 fi

 # Define server type: "database" for PostgreSQL, "webserver" for web server
 SERVER_TYPE=$1  # First argument to script

 if [ -z "$SERVER_TYPE" ]; then
    log "No server type specified, defaulting to 'webserver'"
    SERVER_TYPE="webserver"
 elif [ "$SERVER_TYPE" != "database" ] && [ "$SERVER_TYPE" != "webserver" ]; then
    log "Invalid server type specified. Use 'database' or 'webserver'."
    exit 1
 fi

 # Update packages
 log "Updating packages..."
 sudo apt update && sudo apt upgrade -y | tee -a /var/log/setup_script.log

 # Install necessary packages
 log "Installing necessary packages..."
 NEEDED_PACKAGES="apt-transport-https build-essential ca-certificates curl docker.io fail2ban git gnupg htop ntp ufw unattended-upgrades vim"
 for PACKAGE in $NEEDED_PACKAGES; do
    if ! dpkg -l | grep -q $PACKAGE; then
        sudo apt install -y $PACKAGE | tee -a /var/log/setup_script.log
    else
        log "$PACKAGE is already installed."
    fi
 done
 sudo apt autoremove -y | tee -a /var/log/setup_script.log
 sudo apt autoclean -y | tee -a /var/log/setup_script.log

 # Start NTP and Fail2ban services
 log "Starting ntp and fail2ban services..."
 if ! systemctl is-enabled ntp > /dev/null 2>&1; then
    sudo systemctl enable ntp | tee -a /var/log/setup_script.log
    sudo systemctl start ntp | tee -a /var/log/setup_script.log
 else
    log "ntp service is already enabled and started."
 fi
 if ! systemctl is-enabled fail2ban > /dev/null 2>&1; then
    sudo systemctl enable fail2ban | tee -a /var/log/setup_script.log
    sudo systemctl start fail2ban | tee -a /var/log/setup_script.log
 else
    log "fail2ban service is already enabled and started."
 fi

 # Create a non-root user called 'app'
 log "Creating a non-root user 'app'..."
 if ! id -u app > /dev/null 2>&1; then
    sudo useradd -m -s /bin/bash app | tee -a /var/log/setup_script.log
    log "User 'app' created successfully."
 else
    log "User 'app' already exists."
 fi

 # Add SSH key for 'app' user
 log "Adding SSH key for 'app' user..."
 APP_SSH_DIR="/home/app/.ssh"
 APP_AUTH_KEYS="$APP_SSH_DIR/authorized_keys"
 if [ ! -d "$APP_SSH_DIR" ]; then
    sudo mkdir -p "$APP_SSH_DIR"
    sudo chown app:app "$APP_SSH_DIR"
    sudo chmod 700 "$APP_SSH_DIR"
 fi

 # Add the provided SSH public key
 echo "YOUR PUBLIC KEY" | sudo tee -a "$APP_AUTH_KEYS" > /dev/null
 sudo chown app:app "$APP_AUTH_KEYS"
 sudo chmod 600 "$APP_AUTH_KEYS"
 log "SSH key added for 'app' user."

 # Check if Docker is installed and add 'app' user to 'docker' group
 log "Checking if Docker is installed..."
 if dpkg -l | grep -q docker.io; then
    log "Docker is installed."
    log "Adding 'app' user to 'docker' group..."
    if groups app | grep -q docker; then
        log "User 'app' is already in 'docker' group."
    else
        sudo usermod -a -G docker app | tee -a /var/log/setup_script.log
        log "User 'app' added to 'docker' group."
    fi
 else
    log "Docker is not installed. Skipping adding 'app' user to 'docker' group."
 fi

 # Configure UFW based on server type
 log "Configuring UFW..."
 if ! sudo ufw status | grep -q "Status: active"; then
    sudo ufw default deny incoming | tee -a /var/log/setup_script.log
    sudo ufw default allow outgoing | tee -a /var/log/setup_script.log
    sudo ufw allow 22/tcp | tee -a /var/log/setup_script.log  # Allow SSH
    if [ "$SERVER_TYPE" = "database" ]; then
        sudo ufw allow 5432/tcp | tee -a /var/log/setup_script.log # PostgreSQL default port
    else
        sudo ufw allow 80/tcp | tee -a /var/log/setup_script.log  # HTTP
        sudo ufw allow 443/tcp | tee -a /var/log/setup_script.log # HTTPS
    fi
    sudo ufw --force enable | tee -a /var/log/setup_script.log
 else
    log "UFW is already configured and enabled."
 fi

 # SSH security updates
 log "Updating SSH security settings..."
 SSH_CONFIG="/etc/ssh/sshd_config"
 update_sshd_config() {
    local setting="$1"
    local value="$2"
    if grep -q "^${setting}" $SSH_CONFIG; then
        sudo sed -i "s/^${setting}.*/${setting} ${value}/" $SSH_CONFIG | tee -a /var/log/setup_script.log
    else
        echo "${setting} ${value}" | sudo tee -a $SSH_CONFIG | tee -a /var/log/setup_script.log
    fi
 }

 update_sshd_config "PasswordAuthentication" "no"
 update_sshd_config "PermitRootLogin" "no"
 update_sshd_config "Port" "22"
 update_sshd_config "UseDNS" "no"
 update_sshd_config "PermitEmptyPasswords" "no"
 update_sshd_config "ChallengeResponseAuthentication" "no"
 update_sshd_config "GSSAPIAuthentication" "no"
 update_sshd_config "X11Forwarding" "no"
 sudo systemctl restart sshd | tee -a /var/log/setup_script.log

 # Remove Snap
 log "Removing Snap and associated packages..."
 if dpkg -l | grep -q snapd; then
    sudo apt purge -y snapd snap | tee -a /var/log/setup_script.log
 else
    log "Snap is already removed."
 fi

 log "Configuration successfully completed!"
	#!/bin/bash

	# Exit immediately if a command exits with a non-zero status
	set -e

	# Logging function
	log() {
	echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" \| tee -a /var/log/setup_script.log
	}

	# Check if the script is being run as root
	if [[ $EUID -ne 0 ]]; then
	log "This script must be run as root. Please run it with sudo or as root."
	exit 1
	fi

	# Define server type: "database" for PostgreSQL, "webserver" for web server
	SERVER_TYPE=$1 # First argument to script

	if [ -z "$SERVER_TYPE" ]; then
	log "No server type specified, defaulting to 'webserver'"
	SERVER_TYPE="webserver"
	elif [ "$SERVER_TYPE" != "database" ] && [ "$SERVER_TYPE" != "webserver" ]; then
	log "Invalid server type specified. Use 'database' or 'webserver'."
	exit 1
	fi

	# Update packages
	log "Updating packages..."
	sudo apt update && sudo apt upgrade -y \| tee -a /var/log/setup_script.log

	# Install necessary packages
	log "Installing necessary packages..."
	NEEDED_PACKAGES="apt-transport-https build-essential ca-certificates curl docker.io fail2ban git gnupg htop ntp ufw unattended-upgrades vim"
	for PACKAGE in $NEEDED_PACKAGES; do
	if ! dpkg -l \| grep -q $PACKAGE; then
	sudo apt install -y $PACKAGE \| tee -a /var/log/setup_script.log
	else
	log "$PACKAGE is already installed."
	fi
	done
	sudo apt autoremove -y \| tee -a /var/log/setup_script.log
	sudo apt autoclean -y \| tee -a /var/log/setup_script.log

	# Start NTP and Fail2ban services
	log "Starting ntp and fail2ban services..."
	if ! systemctl is-enabled ntp > /dev/null 2>&1; then
	sudo systemctl enable ntp \| tee -a /var/log/setup_script.log
	sudo systemctl start ntp \| tee -a /var/log/setup_script.log
	else
	log "ntp service is already enabled and started."
	fi
	if ! systemctl is-enabled fail2ban > /dev/null 2>&1; then
	sudo systemctl enable fail2ban \| tee -a /var/log/setup_script.log
	sudo systemctl start fail2ban \| tee -a /var/log/setup_script.log
	else
	log "fail2ban service is already enabled and started."
	fi

	# Create a non-root user called 'app'
	log "Creating a non-root user 'app'..."
	if ! id -u app > /dev/null 2>&1; then
	sudo useradd -m -s /bin/bash app \| tee -a /var/log/setup_script.log
	log "User 'app' created successfully."
	else
	log "User 'app' already exists."
	fi

	# Add SSH key for 'app' user
	log "Adding SSH key for 'app' user..."
	APP_SSH_DIR="/home/app/.ssh"
	APP_AUTH_KEYS="$APP_SSH_DIR/authorized_keys"
	if [ ! -d "$APP_SSH_DIR" ]; then
	sudo mkdir -p "$APP_SSH_DIR"
	sudo chown app:app "$APP_SSH_DIR"
	sudo chmod 700 "$APP_SSH_DIR"
	fi

	# Add the provided SSH public key
	echo "YOUR PUBLIC KEY" \| sudo tee -a "$APP_AUTH_KEYS" > /dev/null
	sudo chown app:app "$APP_AUTH_KEYS"
	sudo chmod 600 "$APP_AUTH_KEYS"
	log "SSH key added for 'app' user."

	# Check if Docker is installed and add 'app' user to 'docker' group
	log "Checking if Docker is installed..."
	if dpkg -l \| grep -q docker.io; then
	log "Docker is installed."
	log "Adding 'app' user to 'docker' group..."
	if groups app \| grep -q docker; then
	log "User 'app' is already in 'docker' group."
	else
	sudo usermod -a -G docker app \| tee -a /var/log/setup_script.log
	log "User 'app' added to 'docker' group."
	fi
	else
	log "Docker is not installed. Skipping adding 'app' user to 'docker' group."
	fi

	# Configure UFW based on server type
	log "Configuring UFW..."
	if ! sudo ufw status \| grep -q "Status: active"; then
	sudo ufw default deny incoming \| tee -a /var/log/setup_script.log
	sudo ufw default allow outgoing \| tee -a /var/log/setup_script.log
	sudo ufw allow 22/tcp \| tee -a /var/log/setup_script.log # Allow SSH
	if [ "$SERVER_TYPE" = "database" ]; then
	sudo ufw allow 5432/tcp \| tee -a /var/log/setup_script.log # PostgreSQL default port
	else
	sudo ufw allow 80/tcp \| tee -a /var/log/setup_script.log # HTTP
	sudo ufw allow 443/tcp \| tee -a /var/log/setup_script.log # HTTPS
	fi
	sudo ufw --force enable \| tee -a /var/log/setup_script.log
	else
	log "UFW is already configured and enabled."
	fi

	# SSH security updates
	log "Updating SSH security settings..."
	SSH_CONFIG="/etc/ssh/sshd_config"
	update_sshd_config() {
	local setting="$1"
	local value="$2"
	if grep -q "^${setting}" $SSH_CONFIG; then
	sudo sed -i "s/^${setting}.*/${setting} ${value}/" $SSH_CONFIG \| tee -a /var/log/setup_script.log
	else
	echo "${setting} ${value}" \| sudo tee -a $SSH_CONFIG \| tee -a /var/log/setup_script.log
	fi
	}

	update_sshd_config "PasswordAuthentication" "no"
	update_sshd_config "PermitRootLogin" "no"
	update_sshd_config "Port" "22"
	update_sshd_config "UseDNS" "no"
	update_sshd_config "PermitEmptyPasswords" "no"
	update_sshd_config "ChallengeResponseAuthentication" "no"
	update_sshd_config "GSSAPIAuthentication" "no"
	update_sshd_config "X11Forwarding" "no"
	sudo systemctl restart sshd \| tee -a /var/log/setup_script.log

	# Remove Snap
	log "Removing Snap and associated packages..."
	if dpkg -l \| grep -q snapd; then
	sudo apt purge -y snapd snap \| tee -a /var/log/setup_script.log
	else
	log "Snap is already removed."
	fi

	log "Configuration successfully completed!"