rework for Debian support only, dropping support for Ubuntu
This commit is contained in:
parent
8a4b0dd0a5
commit
e71a4e75e4
|
@ -1,6 +1,9 @@
|
||||||
# Base Stack
|
# Base Stack
|
||||||
|
|
||||||
Base Stack installs some basic applications and configs that are common to any server build. Specifically firewald & fail2ban to lock a server down.
|
Base Stack installs some basic applications and configs that are common to any server build. Specifically automatic updates and firewald with fail2ban for a secure server setup.
|
||||||
|
|
||||||
|
## Requirements
|
||||||
|
A minimal Debian 12 server install with no extra services or packages installed.
|
||||||
|
|
||||||
## Install
|
## Install
|
||||||
|
|
||||||
|
@ -25,5 +28,5 @@ echo "user@example.com" > /root/.forward
|
||||||
```
|
```
|
||||||
|
|
||||||
## License
|
## License
|
||||||
Copyright (c) 2022 Matthew Saunders Brown <matthewsaundersbrown@gmail.com>\
|
Copyright (c) 2024 Matthew Saunders Brown <matthewsaundersbrown@gmail.com>\
|
||||||
GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||||
|
|
68
install.sh
68
install.sh
|
@ -14,10 +14,10 @@ if [ "${EUID}" -ne 0 ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# do some basic pre-install checks - these are *not* exhaustive
|
# do some basic pre-install checks - these are *not* exhaustive
|
||||||
# check for Ubuntu 22.04 (jammy) or Debian 12 (bookworm)
|
os_id=`lsb_release -is`
|
||||||
os_codename=`lsb_release -cs`
|
os_release=`lsb_release -rs`
|
||||||
if [ $os_codename != jammy ] && [ $os_codename != bookworm ]; then
|
if [ $os_id != Debian ] || [ $os_release != 12 ]; then
|
||||||
echo "This installer only runs on Ubuntu 22.04 (jammy) or Debian 12 (Bookworm), bailing out."
|
echo "This installer only runs on Debian 12 (Bookworm), bailing out."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -31,18 +31,6 @@ fi
|
||||||
# set webmaster email address, used below
|
# set webmaster email address, used below
|
||||||
WEBMASTER=webmaster@`hostname -f`
|
WEBMASTER=webmaster@`hostname -f`
|
||||||
|
|
||||||
# if policy-rc.d is installed configure it to allow all packages to automatically start/restart/stop after install/upgrade/uninstall
|
|
||||||
if [[ -f /usr/sbin/policy-rc.d ]]; then
|
|
||||||
echo -e '#!/bin/sh\nexit 0' > /usr/sbin/policy-rc.d
|
|
||||||
fi
|
|
||||||
# set needrestart to list only, which is also default for unattended upgrades
|
|
||||||
if [[ -f /etc/needrestart/needrestart.conf ]]; then
|
|
||||||
sed -i "s|^#\$nrconf{restart} = 'i';|\$nrconf{restart} = 'l';|g" /etc/needrestart/needrestart.conf
|
|
||||||
# 'l' = list only, change to 'a' for automatic restart or 'i' for interactive
|
|
||||||
# disable kernelhints (no warnings about currently running kernel version)
|
|
||||||
echo '$nrconf{kernelhints} = 0;' > /etc/needrestart/conf.d/kernelhints.conf
|
|
||||||
fi
|
|
||||||
|
|
||||||
# set system variables
|
# set system variables
|
||||||
if [[ ! -f /etc/sysctl.d/60-swappiness.conf ]]; then
|
if [[ ! -f /etc/sysctl.d/60-swappiness.conf ]]; then
|
||||||
echo "vm.swappiness = 1" >> /etc/sysctl.d/60-swappiness.conf
|
echo "vm.swappiness = 1" >> /etc/sysctl.d/60-swappiness.conf
|
||||||
|
@ -52,37 +40,18 @@ fi
|
||||||
# update system
|
# update system
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get -y update
|
DEBIAN_FRONTEND=noninteractive apt-get -y update
|
||||||
# update grub first, by itself, as it requires special overrides to run unattended
|
# update grub first, by itself, as it requires special overrides to run unattended
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install grub-common grub2-common grub-pc grub-pc-bin
|
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install grub-common grub2-common
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
|
DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
|
||||||
|
|
||||||
# remove unwanted packages
|
# remove unwanted packages
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get -y purge snapd ufw iptables landscape-common popularity-contest
|
DEBIAN_FRONTEND=noninteractive apt-get -y purge snapd cryptsetup ufw iptables popularity-contest
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get -y autoremove
|
DEBIAN_FRONTEND=noninteractive apt-get -y autoremove
|
||||||
systemctl daemon-reload
|
systemctl daemon-reload
|
||||||
|
|
||||||
# disable motd
|
|
||||||
if [[ -f /etc/default/motd-news ]]; then
|
|
||||||
sed -i 's|ENABLED=1|ENABLED=0|g' /etc/default/motd-news
|
|
||||||
fi
|
|
||||||
if [[ -f /etc/update-motd.d/10-help-text ]]; then
|
|
||||||
chmod 644 /etc/update-motd.d/10-help-text
|
|
||||||
fi
|
|
||||||
# disable apt news
|
|
||||||
if [[ -x /usr/bin/pro ]]; then
|
|
||||||
/usr/bin/pro config set apt_news=false
|
|
||||||
fi
|
|
||||||
|
|
||||||
# configure unattended upgrades with automatic reboots
|
# configure unattended upgrades with automatic reboots
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get -y install unattended-upgrades apt-listchanges
|
DEBIAN_FRONTEND=noninteractive apt-get -y install unattended-upgrades apt-listchanges
|
||||||
# /etc/apt/apt.conf.d/10periodic is part of update-notifier-common, on Ubuntu only
|
sed -i 's|// "origin=Debian,codename=${distro_codename}-updates";| "origin=Debian,codename=${distro_codename}-updates";|g' /etc/apt/apt.conf.d/50unattended-upgrades
|
||||||
if [[ -f /etc/apt/apt.conf.d/10periodic ]]; then
|
# sed -i 's|// "origin=Debian,codename=${distro_codename}-proposed-updates";| "origin=Debian,codename=${distro_codename}-proposed-updates";|g' /etc/apt/apt.conf.d/50unattended-upgrades
|
||||||
sed -i 's|^APT::Periodic::Update-Package-Lists.*|APT::Periodic::Update-Package-Lists "1";|g' /etc/apt/apt.conf.d/10periodic
|
|
||||||
sed -i 's|^APT::Periodic::Download-Upgradeable-Packages.*|APT::Periodic::Download-Upgradeable-Packages "1";|g' /etc/apt/apt.conf.d/10periodic
|
|
||||||
sed -i 's|^APT::Periodic::AutocleanInterval.*|APT::Periodic::AutocleanInterval "7";|g' /etc/apt/apt.conf.d/10periodic
|
|
||||||
fi
|
|
||||||
sed -i 's|^APT::Periodic::Update-Package-Lists.*|APT::Periodic::Update-Package-Lists "1";|g' /etc/apt/apt.conf.d/20auto-upgrades
|
|
||||||
sed -i 's|^APT::Periodic::Unattended-Upgrade.*|APT::Periodic::Unattended-Upgrade "1";|g' /etc/apt/apt.conf.d/20auto-upgrades
|
|
||||||
sed -i 's|// "${distro_id}:${distro_codename}-updates";| "${distro_id}:${distro_codename}-updates";|g' /etc/apt/apt.conf.d/50unattended-upgrades
|
|
||||||
sed -i 's|//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";|Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";|g' /etc/apt/apt.conf.d/50unattended-upgrades
|
sed -i 's|//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";|Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";|g' /etc/apt/apt.conf.d/50unattended-upgrades
|
||||||
sed -i 's|//Unattended-Upgrade::Remove-Unused-Dependencies "false";|Unattended-Upgrade::Remove-Unused-Dependencies "true";|g' /etc/apt/apt.conf.d/50unattended-upgrades
|
sed -i 's|//Unattended-Upgrade::Remove-Unused-Dependencies "false";|Unattended-Upgrade::Remove-Unused-Dependencies "true";|g' /etc/apt/apt.conf.d/50unattended-upgrades
|
||||||
sed -i 's|//Unattended-Upgrade::Automatic-Reboot "false";|Unattended-Upgrade::Automatic-Reboot "true";|g' /etc/apt/apt.conf.d/50unattended-upgrades
|
sed -i 's|//Unattended-Upgrade::Automatic-Reboot "false";|Unattended-Upgrade::Automatic-Reboot "true";|g' /etc/apt/apt.conf.d/50unattended-upgrades
|
||||||
|
@ -90,6 +59,8 @@ sed -i 's|//Unattended-Upgrade::Automatic-Reboot "false";|Unattended-Upgrade::Au
|
||||||
REBOOT_TIME=01:$(printf "%02d" $((0 + RANDOM % 55)))
|
REBOOT_TIME=01:$(printf "%02d" $((0 + RANDOM % 55)))
|
||||||
sed -i "s|//Unattended-Upgrade::Automatic-Reboot-Time \"02:00\";|Unattended-Upgrade::Automatic-Reboot-Time \"$REBOOT_TIME\";|g" /etc/apt/apt.conf.d/50unattended-upgrades
|
sed -i "s|//Unattended-Upgrade::Automatic-Reboot-Time \"02:00\";|Unattended-Upgrade::Automatic-Reboot-Time \"$REBOOT_TIME\";|g" /etc/apt/apt.conf.d/50unattended-upgrades
|
||||||
sed -i "s|//Unattended-Upgrade::Mail \"\";|Unattended-Upgrade::Mail \"$WEBMASTER\";|g" /etc/apt/apt.conf.d/50unattended-upgrades
|
sed -i "s|//Unattended-Upgrade::Mail \"\";|Unattended-Upgrade::Mail \"$WEBMASTER\";|g" /etc/apt/apt.conf.d/50unattended-upgrades
|
||||||
|
echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | debconf-set-selections
|
||||||
|
dpkg-reconfigure -f noninteractive unattended-upgrades
|
||||||
|
|
||||||
# firewalld
|
# firewalld
|
||||||
# without "--no-install-recommends" ipset and ipables are pulled in, and we don't need or want those
|
# without "--no-install-recommends" ipset and ipables are pulled in, and we don't need or want those
|
||||||
|
@ -123,12 +94,7 @@ cp -a fail2ban/* /etc/fail2ban/
|
||||||
echo "destemail = $WEBMASTER" >> /etc/fail2ban/jail.local
|
echo "destemail = $WEBMASTER" >> /etc/fail2ban/jail.local
|
||||||
echo "bantime = 24h" >> /etc/fail2ban/jail.d/defaults-debian.conf
|
echo "bantime = 24h" >> /etc/fail2ban/jail.d/defaults-debian.conf
|
||||||
echo "maxretry = 3" >> /etc/fail2ban/jail.d/defaults-debian.conf
|
echo "maxretry = 3" >> /etc/fail2ban/jail.d/defaults-debian.conf
|
||||||
if [ $os_codename = jammy ]; then
|
|
||||||
echo "backend = auto" >> /etc/fail2ban/jail.d/defaults-debian.conf
|
|
||||||
echo "logpath = /var/log/auth.log tail" >> /etc/fail2ban/jail.d/defaults-debian.conf
|
|
||||||
elif [ $os_codename = bookworm ]; then
|
|
||||||
echo "backend = systemd" >> /etc/fail2ban/jail.d/defaults-debian.conf
|
echo "backend = systemd" >> /etc/fail2ban/jail.d/defaults-debian.conf
|
||||||
fi
|
|
||||||
systemctl enable fail2ban
|
systemctl enable fail2ban
|
||||||
systemctl start fail2ban
|
systemctl start fail2ban
|
||||||
|
|
||||||
|
@ -140,16 +106,14 @@ sed -i 's|.*RuntimeMaxFiles=.*|RuntimeMaxFiles=10|g' /etc/systemd/journald.conf
|
||||||
sed -i 's|.*MaxRetentionSec=.*|MaxRetentionSec=1week|g' /etc/systemd/journald.conf
|
sed -i 's|.*MaxRetentionSec=.*|MaxRetentionSec=1week|g' /etc/systemd/journald.conf
|
||||||
systemctl restart systemd-journald.service
|
systemctl restart systemd-journald.service
|
||||||
|
|
||||||
# adjust rsyslogd to log cron to it's own file, and to not include cron or mail in main syslog file (Ubuntu only, not on Debian 12+)
|
# adjust rsyslogd to log cron to it's own file, and to not include cron or mail in main syslog file
|
||||||
if [[ -f /etc/rsyslog.d/50-default.conf ]]; then
|
# sed -i 's|^#cron\.\*|cron\.\*|' /etc/rsyslog.d/50-default.conf
|
||||||
sed -i 's|^#cron\.\*|cron\.\*|' /etc/rsyslog.d/50-default.conf
|
# sed -i 's|^\*\.\*;auth,authpriv\.none|\*\.\*;auth,authpriv\.none;mail\.none;cron\.none|' /etc/rsyslog.d/50-default.conf
|
||||||
sed -i 's|^\*\.\*;auth,authpriv\.none|\*\.\*;auth,authpriv\.none;mail\.none;cron\.none|' /etc/rsyslog.d/50-default.conf
|
# systemctl restart rsyslog
|
||||||
systemctl restart rsyslog
|
|
||||||
fi
|
|
||||||
|
|
||||||
# install some handy extra packages
|
# install some handy extra packages
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get -y install gdu exa pwgen net-tools curl sudo
|
DEBIAN_FRONTEND=noninteractive apt-get -y install curl exa gdu git isoquery net-tools pwgen sudo
|
||||||
# exa will be changed to eza in future releases
|
# exa is no longer maintained, eza is a fork that I expect/hope Debian will add to the next release
|
||||||
|
|
||||||
# install
|
# install
|
||||||
chmod 750 sbin/*
|
chmod 750 sbin/*
|
||||||
|
|
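Review bot: The new OS gate in the first install.sh hunk still depends on `lsb_release`, which ships in the separate `lsb-release` package and, as far as I can tell, is not present on the minimal Debian 12 install the README now requires; when the command is missing both variables are empty, `[ != Debian ]` fails with a test syntax error, and the script bails with a message that blames the OS rather than the missing tool. `/etc/os-release` is always present on Debian, so `. /etc/os-release` followed by `if [ "$ID" != debian ] || [ "$VERSION_ID" != 12 ]; then` performs the same check without the extra dependency and with the expansions quoted, so an empty value can no longer turn into a syntax error. The two backtick `lsb_release` assignments can then be dropped; nothing else in the visible hunks reads `os_id` or `os_release`.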