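#!/bin/sh
# WIP — Debian (stretch) server bootstrap: admin user with root's SSH keys,
# sshd hardening, nginx built from source, telegraf, iptables/ip6tables with
# persisted rules, fail2ban.
#
# Usage: sh <this script> [admin_user]      (as root; admin_user defaults to
#        "dryusdan")
#
# Install screen first and run inside screen (or tmux): the 4096-bit dhparam
# step below takes a long time and losing the session mid-run leaves the host
# half-configured.

# Abort on the first failing command or unset variable. The original ran on
# regardless, so e.g. a failed git clone quietly skipped the whole nginx setup.
set -eu

admin_user=${1:-dryusdan}
home_dir=/home/$admin_user
install_dir=/tmp/install
repo_url=https://git.drycat.fr/Dryusdan/scripts-vrac.git
sshd_config=/etc/ssh/sshd_config
ssl_dir=/etc/nginx/ssl/private

# debconf would otherwise block on questions (iptables-persistent asks whether
# to save the current rules).
export DEBIAN_FRONTEND=noninteractive

die() { printf '%s\n' "$*" >&2; exit 1; }

[ "$(id -u)" -eq 0 ] || die "this script must run as root"

tmp_dir=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "$tmp_dir"' EXIT

#######################################
# Set one sshd_config directive, replacing the existing (possibly
# commented-out) line or appending it when absent.
# Arguments: $1 - directive name, $2 - value
#######################################
set_sshd_option() {
  opt_key=$1
  opt_value=$2
  # Also matches the commented default shipped by the package
  # ("#PermitRootLogin prohibit-password", "#PasswordAuthentication yes"),
  # which the original "s/PermitRootLogin yes/…/" never touched.
  if grep -q "^#\{0,1\}$opt_key " "$sshd_config"; then
    sed -i "s/^#\{0,1\}$opt_key .*/$opt_key $opt_value/" "$sshd_config"
  else
    printf '%s %s\n' "$opt_key" "$opt_value" >> "$sshd_config"
  fi
}

#######################################
# Apply the same default-deny INPUT / default-allow OUTPUT policy for one
# address family. Existing INPUT/OUTPUT rules are flushed first so a re-run
# yields the same rule set instead of appending duplicates.
# Arguments: $1 - iptables or ip6tables
#            $2 - ICMP protocol name for that family (icmp / ipv6-icmp)
#######################################
apply_firewall() {
  fw=$1
  icmp=$2
  fw_chain=
  lo_opt=
  "$fw" -F INPUT
  "$fw" -F OUTPUT
  for fw_chain in INPUT OUTPUT; do
    if [ "$fw_chain" = INPUT ]; then lo_opt=-i; else lo_opt=-o; fi
    "$fw" -A "$fw_chain" -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$fw" -A "$fw_chain" "$lo_opt" lo -j ACCEPT
    # The original ip6tables OUTPUT rule used "-p icmp" (IPv4 ICMP, protocol
    # 1), which never matches ICMPv6; the caller passes the right name.
    "$fw" -A "$fw_chain" -p "$icmp" -j ACCEPT
    "$fw" -A "$fw_chain" -p tcp -m tcp --dport 22 -j ACCEPT
    "$fw" -A "$fw_chain" -p tcp -m tcp --dport 53 -j ACCEPT
    "$fw" -A "$fw_chain" -p udp -m udp --dport 53 -j ACCEPT
    "$fw" -A "$fw_chain" -p tcp -m tcp --dport 80 -j ACCEPT
    "$fw" -A "$fw_chain" -p tcp -m tcp --dport 443 -j ACCEPT
  done
  # Policies last, after the RELATED,ESTABLISHED rule is back in place, so the
  # session running this script is never cut off.
  "$fw" -P INPUT DROP
  "$fw" -P FORWARD DROP
  "$fw" -P OUTPUT ACCEPT
}

# ---- build/runtime packages -------------------------------------------------
apt update
apt install -y zlib1g-dev zlib1g libpcre3 libpcre3-dev build-essential git \
  autoconf curl wget apt-transport-https rsync lego iptables-persistent \
  etckeeper openvpn

# ---- admin user --------------------------------------------------------------
# Root login is disabled below, so the admin user must already hold root's
# authorized keys; refuse to continue if there is nothing to copy.
[ -d /root/.ssh ] || die "/root/.ssh missing: $admin_user would have no SSH key"
if ! id "$admin_user" >/dev/null 2>&1; then
  useradd -m -s /bin/bash "$admin_user"
fi
# Copy the directory contents; "cp -R /root/.ssh $home_dir" nested a second
# .ssh/.ssh when the target already had one.
mkdir -p "$home_dir/.ssh"
cp -R /root/.ssh/. "$home_dir/.ssh/"
chown -R "$admin_user:$admin_user" "$home_dir"
chmod 700 "$home_dir/.ssh"

# ---- sshd hardening ----------------------------------------------------------
# The original "sed -ie" was parsed by GNU sed as -i with backup suffix "e",
# leaving a stray /etc/ssh/sshd_confige behind.
set_sshd_option PermitRootLogin no
set_sshd_option PasswordAuthentication no
# Validate before reloading: a broken sshd_config plus a disabled root login
# is a lock-out. Reload keeps the current session alive.
sshd -t || die "sshd_config failed validation; not reloading sshd"
systemctl reload ssh

# ---- nginx from source -------------------------------------------------------
# Code fetched from this repository is executed as root below; pin a tag or
# commit once the repository has one worth pinning.
rm -rf -- "${install_dir:?}"
git clone --depth 1 "$repo_url" "$install_dir"
sh "$install_dir/compilation/nginx_compile_deb.sh"
# Copy instead of mv: the original moved /tmp/install/nginx to /etc and then
# tried "cp -R /tmp/install/nginx/* /etc/nginx", which could no longer exist.
mkdir -p /etc/nginx
cp -R "$install_dir/nginx/." /etc/nginx/
cp "$install_dir/systemd/nginx.service" /etc/systemd/system/
mkdir -p "$ssl_dir"
# "wget -O FILE url1 url2" concatenates both downloads into FILE; the original
# "tee -a" appended another copy of the chain on every run. These are the
# intermediates pinned by the author — check they are still the issuing ones.
wget -O "$ssl_dir/letsencrypt-certs.pem" \
  https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem \
  https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.pem
# Slow; generate once and keep it across re-runs.
[ -s "$ssl_dir/dhparam.pem" ] || openssl dhparam -out "$ssl_dir/dhparam.pem" 4096
systemctl daemon-reload
systemctl enable nginx
systemctl start nginx

# ---- telegraf ----------------------------------------------------------------
# Download to a file first: with "curl | apt-key add -" a failed download is
# invisible, and -f turns HTTP errors into a non-zero exit that set -e sees.
curl -fsSL https://repos.influxdata.com/influxdb.key -o "$tmp_dir/influxdb.key"
apt-key add "$tmp_dir/influxdb.key"
printf 'deb https://repos.influxdata.com/debian stretch stable\n' \
  > /etc/apt/sources.list.d/influxdb.list
apt update
apt -y install telegraf

# ---- firewall ----------------------------------------------------------------
apply_firewall iptables icmp
apply_firewall ip6tables ipv6-icmp
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

# ---- fail2ban ----------------------------------------------------------------
apt install -y fail2ban
cp "$install_dir/fail2ban/jail.d/defaults-debian.conf" \
  /etc/fail2ban/jail.d/defaults-debian.conf
# The package starts fail2ban before the jail file is in place; restart so the
# copied jails are actually loaded.
systemctl restart fail2ban

# ---- optional, not yet enabled -----------------------------------------------
# install php ext ?
#apt install php-apcu php-bcmath php-cli-prompt php-common php-composer-ca-bundle php-composer-semver php-composer-spdx-licenses php-gmp php-json-schema php-pear php-psr-log php-symfony-console php-symfony-filesystem php-symfony-finder php-symfony-polyfill-mbstring php-symfony-process php-zip php7.0-bcmath php7.0-cli php7.0-common php7.0-curl php7.0-dev php7.0-fpm php7.0-gmp php7.0-gd php7.0-imap php7.0-intl php7.0-json php7.0-mcrypt php7.0-mbstring php7.0-mysql php7.0-opcache php7.0-pspell php7.0-readline php7.0-recode php7.0-tidy php7.0-xml php7.0-zip

# Install composer ?
#apt install composer

# Install yarn
#curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -
#apt update
#apt-get install -y nodejs

#curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
#echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
#apt-get update
#apt-get install -y yarn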