From 6820191dda3b0d599f76cc8b1617c1b018495582 Mon Sep 17 00:00:00 2001
From: petep
Date: Wed, 11 Mar 2026 11:20:17 +0000
Subject: [PATCH] Update 'prep-grid-vm.sh'
---
 prep-grid-vm.sh | 142 ++++++++++++++++++++++++++++--------------------
 1 file changed, 84 insertions(+), 58 deletions(-)
diff --git a/prep-grid-vm.sh b/prep-grid-vm.sh
index 8c5adf5..945a84b 100644
--- a/prep-grid-vm.sh
+++ b/prep-grid-vm.sh
@@ -1,78 +1,98 @@ #!/bin/bash +set -euo pipefail -update_system() { - echo "Updating system and installing mandatory tools" - apt-get update - apt-get install sudo nmon tmux restic tcpdump nano iputils-ping net-tools -y -} +REPO_BASE="https://docs.grid.tf/threefold_public/public/raw/branch/master" -install_docker() { - echo "Installing Docker" - apt-get install ca-certificates curl gnupg lsb-release -y - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg - echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null - apt-get update - apt-get install docker-ce docker-ce-cli containerd.io -y - systemctl start docker - echo "Docker installation completed" -} +echo "=== Grid VM Preparation ===" -install_caddy() { - echo "Installing Caddy" - apt install -y debian-keyring debian-archive-keyring apt-transport-https - curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg - curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list - apt-get update - apt-get install caddy -y - echo "Caddy installation completed." 
-} +if [ "$EUID" -ne 0 ]; then + echo "Please run as root" + exit 1 +fi -setup_tf_users() { - echo "Setting up TFUsers" - wget https://docs.grid.tf/threefold_public/public/raw/branch/master/add-tf-users.sh - sh add-tf-users.sh - rm add-tf-users.sh -} +# --- System update and base tools --- +echo "" +echo "=== Updating system and installing base tools ===" +apt-get update -y +DEBIAN_FRONTEND=noninteractive apt-get install -y \ + sudo nmon tmux restic tcpdump nano iputils-ping net-tools curl wget -configure_ssh() { - echo "Configuring SSH" - ubuntu_version=$(lsb_release -rs 2>/dev/null || . /etc/os-release && echo "$VERSION_ID") +# --- TF Users --- +echo "" +echo "=== Setting up TF Users ===" +wget -q "${REPO_BASE}/add-tf-users.sh" -O /tmp/add-tf-users.sh +bash /tmp/add-tf-users.sh +rm -f /tmp/add-tf-users.sh - if [ "$ubuntu_version" = "22.04" ]; then - echo "Detected Ubuntu 22.04 — replacing sshd_config and restarting ssh service" - wget -q https://docs.grid.tf/threefold_public/public/raw/branch/master/sshd_config -O /etc/ssh/sshd_config - systemctl restart ssh +# --- SSH hardening --- +echo "" +echo "=== Configuring SSH ===" - elif [ "$ubuntu_version" = "24.04" ]; then - echo "Detected Ubuntu 24.04 — updating ssh.socket for port 34022" - wget -q https://docs.grid.tf/threefold_public/public/raw/branch/master/sshd_config -O /etc/ssh/sshd_config - mkdir -p /etc/systemd/system/ssh.socket.d - cat > /etc/systemd/system/ssh.socket.d/port.conf </dev/null || (. /etc/os-release && echo "$VERSION_ID")) +major_version=$(echo "$ubuntu_version" | cut -d. -f1) + +echo "Detected Ubuntu $ubuntu_version (major: $major_version)" + +# Backup original if not already backed up +if [ ! 
-f "/etc/ssh/sshd_config.original" ]; then + cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original + echo "[OK] Backed up original sshd_config" +fi + +wget -q "${REPO_BASE}/sshd_config" -O /etc/ssh/sshd_config +echo "[OK] Installed hardened sshd_config (port 34022, no root, no password)" + +if [ "$major_version" -ge 24 ]; then + # Ubuntu 24.04+ uses ssh.socket — override listen port + echo "Configuring ssh.socket for port 34022..." + mkdir -p /etc/systemd/system/ssh.socket.d + cat > /etc/systemd/system/ssh.socket.d/port.conf </dev/null; then + echo "[OK] Docker already installed" + else + DEBIAN_FRONTEND=noninteractive apt-get install -y \ + ca-certificates curl gnupg lsb-release + curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg + echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null + apt-get update + DEBIAN_FRONTEND=noninteractive apt-get install -y docker-ce docker-ce-cli containerd.io + systemctl enable --now docker + echo "[OK] Docker installed" + fi ;; c ) - install_caddy + echo "" + echo "=== Installing Caddy ===" + if command -v caddy &>/dev/null; then + echo "[OK] Caddy already installed" + else + apt-get install -y debian-keyring debian-archive-keyring apt-transport-https + curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg + curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list + apt-get update + DEBIAN_FRONTEND=noninteractive apt-get install -y caddy + echo "[OK] Caddy installed" + fi ;; \? ) echo "Invalid option: $OPTARG" 1>&2 
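Review bot: `wget -q "${REPO_BASE}/sshd_config" -O /etc/ssh/sshd_config` writes straight into the live config, so a failed or partial download leaves /etc/ssh/sshd_config empty or truncated (wget opens the `-O` target before the transfer) and under the new `set -e` the script aborts with the backup taken but never restored; nothing in the visible lines runs `sshd -t` before the service is restarted, so a bad file locks the operator out of a VM whose only access is SSH. Fetch into a temporary file, validate it with `sshd -t -f`, and only then install it over the original. The same fixed-path pattern applies to `/tmp/add-tf-users.sh`, which is downloaded to a predictable name in a world-writable directory and executed as root; `mktemp` plus a pinned checksum (`echo "<EXPECTED_SHA256>  $tf_script" | sha256sum -c -`) would close that. The port.conf heredoc and the restart logic are not legible in this rendering, so I could not confirm what runs between the config install and the restart.
```shell
# … unchanged: backup of /etc/ssh/sshd_config.original …
tmp_cfg=$(mktemp)
wget -q "${REPO_BASE}/sshd_config" -O "$tmp_cfg"
sshd -t -f "$tmp_cfg"   # set -e aborts here, before the live config is touched
install -m 0600 -o root -g root "$tmp_cfg" /etc/ssh/sshd_config
rm -f -- "$tmp_cfg"
echo "[OK] Installed hardened sshd_config (port 34022, no root, no password)"
# … unchanged: ssh.socket override and service restart …
```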
@@ -81,4 +101,10 @@ while getopts ":dc" opt; do done shift $((OPTIND -1)) -echo "Preping VM Completed." \ No newline at end of file +echo "" +echo "=== VM Preparation Complete ===" +echo "" +echo "SSH is now on port 34022. Connect with:" +echo " ssh -p 34022 @" +echo "" +echo "Root login is disabled. Use sudo from a TF user account." \ No newline at end of file