Se han modificado 1 ficheros con 84 adiciones y 58 borrados
Dividir vista
Opciones de diferencias
-
+84 -58prep-grid-vm.sh
+ 84
- 58
prep-grid-vm.sh
Ver fichero
| @@ -1,78 +1,98 @@ | |||
| #!/bin/bash | |||
| set -euo pipefail | |||
| update_system() { | |||
| echo "Updating system and installing mandatory tools" | |||
| apt-get update | |||
| apt-get install sudo nmon tmux restic tcpdump nano iputils-ping net-tools -y | |||
| } | |||
| REPO_BASE="https://docs.grid.tf/threefold_public/public/raw/branch/master" | |||
| install_docker() { | |||
| echo "Installing Docker" | |||
| apt-get install ca-certificates curl gnupg lsb-release -y | |||
| curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg | |||
| echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null | |||
| apt-get update | |||
| apt-get install docker-ce docker-ce-cli containerd.io -y | |||
| systemctl start docker | |||
| echo "Docker installation completed" | |||
| } | |||
| echo "=== Grid VM Preparation ===" | |||
| install_caddy() { | |||
| echo "Installing Caddy" | |||
| apt install -y debian-keyring debian-archive-keyring apt-transport-https | |||
| curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg | |||
| curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list | |||
| apt-get update | |||
| apt-get install caddy -y | |||
| echo "Caddy installation completed." | |||
| } | |||
| if [ "$EUID" -ne 0 ]; then | |||
| echo "Please run as root" | |||
| exit 1 | |||
| fi | |||
| setup_tf_users() { | |||
| echo "Setting up TFUsers" | |||
| wget https://docs.grid.tf/threefold_public/public/raw/branch/master/add-tf-users.sh | |||
| sh add-tf-users.sh | |||
| rm add-tf-users.sh | |||
| } | |||
| # --- System update and base tools --- | |||
| echo "" | |||
| echo "=== Updating system and installing base tools ===" | |||
| apt-get update -y | |||
| DEBIAN_FRONTEND=noninteractive apt-get install -y \ | |||
| sudo nmon tmux restic tcpdump nano iputils-ping net-tools curl wget | |||
| configure_ssh() { | |||
| echo "Configuring SSH" | |||
| ubuntu_version=$(lsb_release -rs 2>/dev/null || . /etc/os-release && echo "$VERSION_ID") | |||
| # --- TF Users --- | |||
| echo "" | |||
| echo "=== Setting up TF Users ===" | |||
| wget -q "${REPO_BASE}/add-tf-users.sh" -O /tmp/add-tf-users.sh | |||
| bash /tmp/add-tf-users.sh | |||
| rm -f /tmp/add-tf-users.sh | |||
| if [ "$ubuntu_version" = "22.04" ]; then | |||
| echo "Detected Ubuntu 22.04 — replacing sshd_config and restarting ssh service" | |||
| wget -q https://docs.grid.tf/threefold_public/public/raw/branch/master/sshd_config -O /etc/ssh/sshd_config | |||
| systemctl restart ssh | |||
| # --- SSH hardening --- | |||
| echo "" | |||
| echo "=== Configuring SSH ===" | |||
| elif [ "$ubuntu_version" = "24.04" ]; then | |||
| echo "Detected Ubuntu 24.04 — updating ssh.socket for port 34022" | |||
| wget -q https://docs.grid.tf/threefold_public/public/raw/branch/master/sshd_config -O /etc/ssh/sshd_config | |||
| mkdir -p /etc/systemd/system/ssh.socket.d | |||
| cat > /etc/systemd/system/ssh.socket.d/port.conf <<EOF | |||
| ubuntu_version=$(lsb_release -rs 2>/dev/null || (. /etc/os-release && echo "$VERSION_ID")) | |||
| major_version=$(echo "$ubuntu_version" | cut -d. -f1) | |||
| echo "Detected Ubuntu $ubuntu_version (major: $major_version)" | |||
| # Backup original if not already backed up | |||
| if [ ! -f "/etc/ssh/sshd_config.original" ]; then | |||
| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original | |||
| echo "[OK] Backed up original sshd_config" | |||
| fi | |||
| wget -q "${REPO_BASE}/sshd_config" -O /etc/ssh/sshd_config | |||
| echo "[OK] Installed hardened sshd_config (port 34022, no root, no password)" | |||
| if [ "$major_version" -ge 24 ]; then | |||
| # Ubuntu 24.04+ uses ssh.socket — override listen port | |||
| echo "Configuring ssh.socket for port 34022..." | |||
| mkdir -p /etc/systemd/system/ssh.socket.d | |||
| cat > /etc/systemd/system/ssh.socket.d/port.conf <<EOF | |||
| [Socket] | |||
| ListenStream= | |||
| ListenStream=34022 | |||
| EOF | |||
| systemctl daemon-reload | |||
| systemctl restart ssh.socket | |||
| systemctl enable ssh.socket | |||
| else | |||
| echo "Unsupported Ubuntu version: $ubuntu_version" | |||
| exit 1 | |||
| fi | |||
| } | |||
| update_system | |||
| setup_tf_users | |||
| configure_ssh | |||
| systemctl daemon-reload | |||
| systemctl restart ssh.socket | |||
| systemctl enable ssh.socket | |||
| echo "[OK] ssh.socket configured for port 34022" | |||
| else | |||
| # Ubuntu 22.04 and older — restart ssh service | |||
| systemctl restart ssh | |||
| echo "[OK] ssh service restarted" | |||
| fi | |||
| # --- Optional flags --- | |||
| while getopts ":dc" opt; do | |||
| case ${opt} in | |||
| d ) | |||
| install_docker | |||
| echo "" | |||
| echo "=== Installing Docker ===" | |||
| if command -v docker &>/dev/null; then | |||
| echo "[OK] Docker already installed" | |||
| else | |||
| DEBIAN_FRONTEND=noninteractive apt-get install -y \ | |||
| ca-certificates curl gnupg lsb-release | |||
| curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg | |||
| echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null | |||
| apt-get update | |||
| DEBIAN_FRONTEND=noninteractive apt-get install -y docker-ce docker-ce-cli containerd.io | |||
| systemctl enable --now docker | |||
| echo "[OK] Docker installed" | |||
| fi | |||
| ;; | |||
| c ) | |||
| install_caddy | |||
| echo "" | |||
| echo "=== Installing Caddy ===" | |||
| if command -v caddy &>/dev/null; then | |||
| echo "[OK] Caddy already installed" | |||
| else | |||
| apt-get install -y debian-keyring debian-archive-keyring apt-transport-https | |||
| curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg | |||
| curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list | |||
| apt-get update | |||
| DEBIAN_FRONTEND=noninteractive apt-get install -y caddy | |||
| echo "[OK] Caddy installed" | |||
| fi | |||
| ;; | |||
| \? ) | |||
| echo "Invalid option: $OPTARG" 1>&2 | |||
| @@ -81,4 +101,10 @@ while getopts ":dc" opt; do | |||
| done | |||
| shift $((OPTIND -1)) | |||
| echo "Preping VM Completed." | |||
| echo "" | |||
| echo "=== VM Preparation Complete ===" | |||
| echo "" | |||
| echo "SSH is now on port 34022. Connect with:" | |||
| echo " ssh -p 34022 <username>@<server-ip>" | |||
| echo "" | |||
| echo "Root login is disabled. Use sudo from a TF user account." | |||