admin/bootstrap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
prod
bootstrap/bootstrap.sh
admin c0c155b322 Add bootstrap script
2026-06-11 15:23:59 +02:00

177 lines
4.4 KiB
Bash
Raw Permalink Blame History

#!/bin/bash
### 1. VARIABLES
MOTD="/etc/update-motd.d/01-custom"
REBOOTBIN="/usr/sbin/reboot"
REBOOTBINOLD="/usr/sbin/reboot.old"
SHUTBIN="/usr/sbin/shut"
SCRIPTSDIR="/root/scripts"
REBOOTHANDLER="/root/scripts/reboot_handler.sh"
CRONTABTMP="/tmp/crontab.root.tmp"
HOSTNAME=$(hostname)
KEYFILE="/root/.ssh/id_ed25519"
## 2. ALIASES
echo "alias ll='ls -l --color=auto'" >> ~/.bashrc
echo "alias l='ls -lAh --color=auto'" >> ~/.bashrc
source ~/.bashrc
## 3. UPDATE & ESSENTIALS
apt update && apt -o Dpkg::Options::="--force-confold" upgrade -y
apt install -y vim inxi fastfetch htop ncdu net-tools
timedatectl set-timezone Europe/Paris
# VIM CONFIG
VIMDEF=$(find /usr/share/vim -type f -name defaults.vim | head -n1)
[ -f "$VIMDEF" ] && sed -i 's/set mouse=a/set mouse=/g' "$VIMDEF"
# MOTD CUSTOMIZATION
rm -rf /etc/motd /etc/update-motd.d/*
cat << 'EOF' > $MOTD
#!/bin/bash
RED='\033[0;31m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
echo -e "${RED} GENERAL SYSTEM INFORMATION ${NC}"
echo
script -q -c '/usr/bin/fastfetch' /dev/null
echo
echo -e "${RED} SYSTEM DISK USAGE ${NC}"
export TERM=xterm; inxi -D
echo
echo -e "${RED} LAST REBOOT STATUS ${NC}"
tail -n 4 /var/log/reboot.log
echo
apt update -qq > /dev/null 2>&1
updates=$(apt list --upgradable 2>/dev/null | grep -v "^Listing" | wc -l)
if [ "$updates" -gt 0 ]; then
echo -e "${RED} APT UPDATE RESULT ${NC}"
echo "$updates package updates available"
fi
EOF
chmod +x $MOTD
### 4. Hardening binaries
# REBOOT WRAPPER
mv $REBOOTBIN $REBOOTBINOLD
cat << 'EOF' > $REBOOTBIN
#!/bin/bash
touch /var/log/restart-flag
sleep 1
/usr/sbin/reboot.old
EOF
chmod +x $REBOOTBIN
# SHUTDOWN WRAPPER
cat << 'EOF' > $SHUTBIN
#!/bin/bash
touch /var/log/restart-flag
sleep 1
shutdown -h now
EOF
chmod +x $SHUTBIN
### 5. REBOOT HANDLER
mkdir -p $SCRIPTSDIR
cat << 'EOF' > $REBOOTHANDLER
#!/bin/bash
FLAG='/var/log/restart-flag'
FLAG2='/var/log/scheduled-flag'
LOG='/var/log/reboot.log'
if [ -f "$FLAG" ]; then
echo '--------------------------------' >> "$LOG"
date >> "$LOG"
echo '* REBOOT OK : command exec *' >> "$LOG"
echo '--------------------------------' >> "$LOG"
rm -f "$FLAG"
elif [ -f "$FLAG2" ]; then
echo '---------------------------------' >> "$LOG"
date >> "$LOG"
echo '* REBOOT PLANNED : crontab *' >> "$LOG"
echo '---------------------------------' >> "$LOG"
rm -f "$FLAG2"
else
date >> "$LOG"
echo '* REBOOT ERROR : not planned *' >> "$LOG"
echo '---------------------------------' >> "$LOG"
fi
EOF
chmod +x $REBOOTHANDLER
# CRONTAB SETUP
crontab -l 2>/dev/null > $CRONTABTMP || true
echo "@reboot /root/scripts/reboot_handler.sh" >> $CRONTABTMP
crontab $CRONTABTMP
rm -f $CRONTABTMP
# INIT LOG FILE
touch /var/log/reboot.log
### 6. Ajout route VPN
echo "up ip route add 10.8.0.0/24 via 192.168.1.200" >> /etc/network/interfaces
systemctl restart networking
### 7. Hardening SSH
echo "AllowUsers root@192.168.1.250 #(PC_Aurel)" >> /etc/ssh/sshd_config
echo "AllowUsers root@10.8.0.3 #(asus_r409l via VPN)" >> /etc/ssh/sshd_config
systemctl restart sshd
# Préparation clé SSH root
mkdir -p /root/.ssh
chmod 700 /root/.ssh
ssh-keygen -t ed25519 -C "$HOSTNAME" -f "$KEYFILE" -N ""
# Ajouter la clé publique dans authorized_keys
cat "${KEYFILE}.pub" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
### 8. Création du script first-login
cat << 'EOF' > /root/first-login.sh
#!/bin/bash
KEYFILE="/root/.ssh/id_ed25519"
echo
echo "==============================="
echo " Clé privée SSH à conserver !"
echo "==============================="
echo
cat "${KEYFILE}"
echo
echo "==============================="
# Suppression de la clé privée
rm -f "${KEYFILE}"
# Durcissement SSH
sed -i 's/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
sed -i 's/^#\?AuthorizedKeysFile.*/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
systemctl restart sshd
# Désactivation du hook
rm -f /root/.bash_firstlogin
EOF
chmod +x /root/first-login.sh
# Hook pour exécuter first-login au premier login root
echo "/root/first-login.sh" > /root/.bash_firstlogin
# Ajout dans .bashrc
if ! grep -q bash_firstlogin /root/.bashrc; then
echo '[ -f /root/.bash_firstlogin ] && bash /root/.bash_firstlogin' >> /root/.bashrc
fi
Reference in New Issue View Git Blame Copy Permalink