bootstrap.sh

@@ -0,0 +1,176 @@
+#!/bin/bash
+
+### 1. VARIABLES
+MOTD="/etc/update-motd.d/01-custom"
+REBOOTBIN="/usr/sbin/reboot"
+REBOOTBINOLD="/usr/sbin/reboot.old"
+SHUTBIN="/usr/sbin/shut"
+SCRIPTSDIR="/root/scripts"
+REBOOTHANDLER="/root/scripts/reboot_handler.sh"
+CRONTABTMP="/tmp/crontab.root.tmp"
+HOSTNAME=$(hostname)
+KEYFILE="/root/.ssh/id_ed25519"
+
+
+## 2. ALIASES
+echo "alias ll='ls -l --color=auto'" >> ~/.bashrc
+echo "alias l='ls -lAh --color=auto'" >> ~/.bashrc
+source ~/.bashrc
+
+
+## 3. UPDATE & ESSENTIALS
+apt update && apt -o Dpkg::Options::="--force-confold" upgrade -y
+apt install -y vim inxi fastfetch htop ncdu net-tools
+
+timedatectl set-timezone Europe/Paris
+
+# VIM CONFIG
+VIMDEF=$(find /usr/share/vim -type f -name defaults.vim | head -n1)
+[ -f "$VIMDEF" ] && sed -i 's/set mouse=a/set mouse=/g' "$VIMDEF"
+
+# MOTD CUSTOMIZATION
+rm -rf /etc/motd /etc/update-motd.d/*
+cat << 'EOF' > $MOTD
+#!/bin/bash
+RED='\033[0;31m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+echo -e "${RED}          GENERAL SYSTEM INFORMATION ${NC}"
+echo
+script -q -c '/usr/bin/fastfetch' /dev/null
+echo
+echo -e "${RED}  SYSTEM DISK USAGE ${NC}"
+export TERM=xterm; inxi -D
+echo
+echo -e "${RED} LAST REBOOT STATUS ${NC}"
+tail -n 4 /var/log/reboot.log
+echo
+apt update -qq > /dev/null 2>&1
+updates=$(apt list --upgradable 2>/dev/null | grep -v "^Listing" | wc -l)
+if [ "$updates" -gt 0 ]; then
+    echo -e "${RED} APT UPDATE RESULT ${NC}"
+    echo "$updates package updates available"
+fi
+EOF
+chmod +x $MOTD
+
+
+### 4. Hardening binaries
+# REBOOT WRAPPER
+mv $REBOOTBIN $REBOOTBINOLD
+cat << 'EOF' > $REBOOTBIN
+#!/bin/bash
+touch /var/log/restart-flag
+sleep 1
+/usr/sbin/reboot.old
+EOF
+chmod +x $REBOOTBIN
+
+# SHUTDOWN WRAPPER
+cat << 'EOF' > $SHUTBIN
+#!/bin/bash
+touch /var/log/restart-flag
+sleep 1
+shutdown -h now
+EOF
+chmod +x $SHUTBIN
+
+
+### 5. REBOOT HANDLER
+mkdir -p $SCRIPTSDIR
+cat << 'EOF' > $REBOOTHANDLER
+#!/bin/bash
+FLAG='/var/log/restart-flag'
+FLAG2='/var/log/scheduled-flag'
+LOG='/var/log/reboot.log'
+
+if [ -f "$FLAG" ]; then
+    echo '--------------------------------' >> "$LOG"
+    date >> "$LOG"
+    echo '*  REBOOT OK :  command exec   *' >> "$LOG"
+    echo '--------------------------------' >> "$LOG"
+    rm -f "$FLAG"
+elif [ -f "$FLAG2" ]; then
+    echo '---------------------------------' >> "$LOG"
+    date >> "$LOG"
+    echo '*  REBOOT PLANNED :   crontab   *' >> "$LOG"
+    echo '---------------------------------' >> "$LOG"
+    rm -f "$FLAG2"
+else
+    date >> "$LOG"
+    echo '*  REBOOT ERROR :  not planned  *' >> "$LOG"
+    echo '---------------------------------' >> "$LOG"
+fi
+EOF
+chmod +x $REBOOTHANDLER
+
+# CRONTAB SETUP
+crontab -l 2>/dev/null > $CRONTABTMP || true
+echo "@reboot /root/scripts/reboot_handler.sh" >> $CRONTABTMP
+crontab $CRONTABTMP
+rm -f $CRONTABTMP
+
+# INIT LOG FILE
+touch /var/log/reboot.log
+
+
+### 6. Ajout route VPN
+echo "up ip route add 10.8.0.0/24 via 192.168.1.200" >> /etc/network/interfaces
+systemctl restart networking
+
+
+### 7. Hardening SSH
+echo "AllowUsers root@192.168.1.250 #(PC_Aurel)" >> /etc/ssh/sshd_config
+echo "AllowUsers root@10.8.0.3 #(asus_r409l via VPN)" >> /etc/ssh/sshd_config
+systemctl restart sshd
+
+# Préparation clé SSH root
+mkdir -p /root/.ssh
+chmod 700 /root/.ssh
+ssh-keygen -t ed25519 -C "$HOSTNAME" -f "$KEYFILE" -N ""
+
+# Ajouter la clé publique dans authorized_keys
+cat "${KEYFILE}.pub" >> /root/.ssh/authorized_keys
+chmod 600 /root/.ssh/authorized_keys
+
+
+### 8. Création du script first-login
+cat << 'EOF' > /root/first-login.sh
+#!/bin/bash
+
+KEYFILE="/root/.ssh/id_ed25519"
+
+echo
+echo "==============================="
+echo " Clé privée SSH à conserver !"
+echo "==============================="
+echo
+cat "${KEYFILE}"
+echo
+echo "==============================="
+
+# Suppression de la clé privée
+rm -f "${KEYFILE}"
+
+# Durcissement SSH
+sed -i 's/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
+sed -i 's/^#\?AuthorizedKeysFile.*/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
+sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
+sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+
+systemctl restart sshd
+
+# Désactivation du hook
+rm -f /root/.bash_firstlogin
+EOF
+
+chmod +x /root/first-login.sh
+
+# Hook pour exécuter first-login au premier login root
+echo "/root/first-login.sh" > /root/.bash_firstlogin
+
+# Ajout dans .bashrc
+if ! grep -q bash_firstlogin /root/.bashrc; then
+    echo '[ -f /root/.bash_firstlogin ] && bash /root/.bash_firstlogin' >> /root/.bashrc
+fi