From c0c155b32255c0232733fa9b435c0fa8dcc726fe Mon Sep 17 00:00:00 2001
From: admin
Date: Thu, 11 Jun 2026 15:23:59 +0200
Subject: [PATCH] Add bootstrap script
---
 bootstrap.sh | 176 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 176 insertions(+)
 create mode 100644 bootstrap.sh
diff --git a/bootstrap.sh b/bootstrap.sh
new file mode 100644
index 0000000..aedac04
--- /dev/null
+++ b/bootstrap.sh
@@ -0,0 +1,176 @@
+#!/bin/bash
+
+### 1. VARIABLES
+MOTD="/etc/update-motd.d/01-custom"
+REBOOTBIN="/usr/sbin/reboot"
+REBOOTBINOLD="/usr/sbin/reboot.old"
+SHUTBIN="/usr/sbin/shut"
+SCRIPTSDIR="/root/scripts"
+REBOOTHANDLER="/root/scripts/reboot_handler.sh"
+CRONTABTMP="/tmp/crontab.root.tmp"
+HOSTNAME=$(hostname)
+KEYFILE="/root/.ssh/id_ed25519"
+
+
+## 2. ALIASES
+echo "alias ll='ls -l --color=auto'" >> ~/.bashrc
+echo "alias l='ls -lAh --color=auto'" >> ~/.bashrc
+source ~/.bashrc
+
+
+## 3. UPDATE & ESSENTIALS
+apt update && apt -o Dpkg::Options::="--force-confold" upgrade -y
+apt install -y vim inxi fastfetch htop ncdu net-tools
+
+timedatectl set-timezone Europe/Paris
+
+# VIM CONFIG
+VIMDEF=$(find /usr/share/vim -type f -name defaults.vim | head -n1)
+[ -f "$VIMDEF" ] && sed -i 's/set mouse=a/set mouse=/g' "$VIMDEF"
+
+# MOTD CUSTOMIZATION
+rm -rf /etc/motd /etc/update-motd.d/*
+cat << 'EOF' > $MOTD
+#!/bin/bash
+RED='\033[0;31m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+echo -e "${RED} GENERAL SYSTEM INFORMATION ${NC}"
+echo
+script -q -c '/usr/bin/fastfetch' /dev/null
+echo
+echo -e "${RED} SYSTEM DISK USAGE ${NC}"
+export TERM=xterm; inxi -D
+echo
+echo -e "${RED} LAST REBOOT STATUS ${NC}"
+tail -n 4 /var/log/reboot.log
+echo
+apt update -qq > /dev/null 2>&1
+updates=$(apt list --upgradable 2>/dev/null | grep -v "^Listing" | wc -l)
+if [ "$updates" -gt 0 ]; then
+ echo -e "${RED} APT UPDATE RESULT ${NC}"
+ echo "$updates package updates available"
+fi
+EOF
+chmod +x $MOTD
+
+
+### 4. Hardening binaries
+# REBOOT WRAPPER
+mv $REBOOTBIN $REBOOTBINOLD
+cat << 'EOF' > $REBOOTBIN
+#!/bin/bash
+touch /var/log/restart-flag
+sleep 1
+/usr/sbin/reboot.old
+EOF
+chmod +x $REBOOTBIN
+
+# SHUTDOWN WRAPPER
+cat << 'EOF' > $SHUTBIN
+#!/bin/bash
+touch /var/log/restart-flag
+sleep 1
+shutdown -h now
+EOF
+chmod +x $SHUTBIN
+
+
+### 5. REBOOT HANDLER
+mkdir -p $SCRIPTSDIR
+cat << 'EOF' > $REBOOTHANDLER
+#!/bin/bash
+FLAG='/var/log/restart-flag'
+FLAG2='/var/log/scheduled-flag'
+LOG='/var/log/reboot.log'
+
+if [ -f "$FLAG" ]; then
+ echo '--------------------------------' >> "$LOG"
+ date >> "$LOG"
+ echo '* REBOOT OK : command exec *' >> "$LOG"
+ echo '--------------------------------' >> "$LOG"
+ rm -f "$FLAG"
+elif [ -f "$FLAG2" ]; then
+ echo '---------------------------------' >> "$LOG"
+ date >> "$LOG"
+ echo '* REBOOT PLANNED : crontab *' >> "$LOG"
+ echo '---------------------------------' >> "$LOG"
+ rm -f "$FLAG2"
+else
+ date >> "$LOG"
+ echo '* REBOOT ERROR : not planned *' >> "$LOG"
+ echo '---------------------------------' >> "$LOG"
+fi
+EOF
+chmod +x $REBOOTHANDLER
+
+# CRONTAB SETUP
+crontab -l 2>/dev/null > $CRONTABTMP || true
+echo "@reboot /root/scripts/reboot_handler.sh" >> $CRONTABTMP
+crontab $CRONTABTMP
+rm -f $CRONTABTMP
+
+# INIT LOG FILE
+touch /var/log/reboot.log
+
+
+### 6. Ajout route VPN
+echo "up ip route add 10.8.0.0/24 via 192.168.1.200" >> /etc/network/interfaces
+systemctl restart networking
+
+
+### 7. Hardening SSH
+echo "AllowUsers root@192.168.1.250 #(PC_Aurel)" >> /etc/ssh/sshd_config
+echo "AllowUsers root@10.8.0.3 #(asus_r409l via VPN)" >> /etc/ssh/sshd_config
+systemctl restart sshd
+
+# Préparation clé SSH root
+mkdir -p /root/.ssh
+chmod 700 /root/.ssh
+ssh-keygen -t ed25519 -C "$HOSTNAME" -f "$KEYFILE" -N ""
+
+# Ajouter la clé publique dans authorized_keys
+cat "${KEYFILE}.pub" >> /root/.ssh/authorized_keys
+chmod 600 /root/.ssh/authorized_keys
+
+
+### 8. Création du script first-login
+cat << 'EOF' > /root/first-login.sh
+#!/bin/bash
+
+KEYFILE="/root/.ssh/id_ed25519"
+
+echo
+echo "==============================="
+echo " Clé privée SSH à conserver !"
+echo "==============================="
+echo
+cat "${KEYFILE}"
+echo
+echo "==============================="
+
+# Suppression de la clé privée
+rm -f "${KEYFILE}"
+
+# Durcissement SSH
+sed -i 's/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
+sed -i 's/^#\?AuthorizedKeysFile.*/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
+sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
+sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+
+systemctl restart sshd
+
+# Désactivation du hook
+rm -f /root/.bash_firstlogin
+EOF
+
+chmod +x /root/first-login.sh
+
+# Hook pour exécuter first-login au premier login root
+echo "/root/first-login.sh" > /root/.bash_firstlogin
+
+# Ajout dans .bashrc
+if ! grep -q bash_firstlogin /root/.bashrc; then
+ echo '[ -f /root/.bash_firstlogin ] && bash /root/.bash_firstlogin' >> /root/.bashrc
+fi
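Review bot: The four `sed -i` edits in the first-login.sh here-doc (section 8) only rewrite `/etc/ssh/sshd_config`, so on a distribution whose sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf` a drop-in that sets `PasswordAuthentication yes` (some cloud images ship one) may keep precedence and the hardening would silently not apply; worth stating that assumption in a comment or verifying the effective value with `sshd -T` after the restart. Both `systemctl restart sshd` calls (section 7 and the first-login script) run without validating the edited configuration, so a malformed line locks root out of remote access on a host that is about to delete its only private key; `sshd -t && systemctl restart sshd` keeps the old daemon running if the config is rejected. The `AllowUsers root@192.168.1.250 #(PC_Aurel)` lines depend on sshd honouring an inline `#` comment, which older OpenSSH releases may instead parse as extra patterns (harmless here, but a comment would save the next reader a check). In the crontab setup, root writes and then installs a fixed path `/tmp/crontab.root.tmp` in a world-writable directory, and re-running the script appends a second `@reboot` entry; `{ crontab -l 2>/dev/null; echo "@reboot /root/scripts/reboot_handler.sh"; } | crontab -` avoids the temp file, and a `grep -q` guard like the one used for `.bashrc` makes it idempotent.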