#!/bin/bash
#
# Debian bullseye setup on a virtual server.
#
# VERSION :3.0.0
# URL :https://github.com/szepeviktor/debian-server-tools
# AUTHOR :Viktor Szépe <[email protected]>
# LICENSE :The MIT License (MIT)
# BASH-VERSION :4.2+
# CI :shellcheck debian-setup.sh
# CONFIG :/root/server.yml
# Choose providers
#
# - Domain registrar
# - DNS provider
# - Server provider (UpCloud)
# - SSL certificate vendor (HTTPS)
# - CDN provider (static files)
# - Transactional email provider
# - Storage provider (server backup)
#
# Features
#
# - YAML configuration file with provider profiles
# - OS image normalization
# - Optionally switch to SysVinit
# - Boot and Halt alert
# - UTC timezone
# - Micro Name Service Caching
# - IRQ balance
# - Time synchronization
# - Hardware TRNG or HAVEGE generator
# - Fail2ban and blocking hostile networks
# - Monit monitoring
# - Courier MTA
# - System backup with S3QL
# - Nice motd welcome screen
# - Package managers: composer, phive, pip, npm
# - CLI tools: WP-CLI, Drush, CacheTool
#
# Webserver
#
# - Apache 2.4 with HTTP/2 and event MPM
# - PHP-FPM 7.4
# - Redis in-memory cache
# - MariaDB 10 or Percona Server 5.7
# - 155 MB idle memory usage, 2 GB disk usage
#
# Execution Steps
#
# 1. wget -O- https://github.com/szepeviktor/debian-server-tools/archive/master.tar.gz|tar xz
# export LC_ALL=C.UTF-8; cd debian-server-tools-master/debian-setup/
# 2. Acquire settings: webmaster@, hostname, networking, DNS resolvers, NTP servers, custom kernel, user names, SSH keys
# 3. cat server.yml providers/upcloud-defra1.yml >/root/server.yml
# editor /root/server.yml
# 4. Set up DNS resource records: PTR/IPv4 PTR/IPv6, A, AAAA, MX
# 5. Check fs type, set volume label: lsblk -f; tune2fs -L "instanceID-root" /dev/vda1
# 6. Start!
# script --timing=../debian-setup.time ../debian-setup.script
# ./debian-setup.sh
# 7. PuTTY session: Connection/Data: viktor, xterm-256color; Connection/SSH/Auth: [ ] keyboard-interactive
# 8. Continue after reboot!
# export LC_ALL=C.UTF-8; cd debian-server-tools-master/debian-setup/
# @FIXME export MONIT_EXCLUDED_PACKAGES=apache2:php5-fpm:php7.0-fpm:php7.1-fpm:php7.2-fpm:php7.3-fpm:php7.4-fpm:php8.0-fpm
# script --timing=../debian-setup2.time ../debian-setup2.script
# ./debian-setup2.sh
# 9. Set up inbound ESP and bounce notification
#
# Tests
#
# - DNS test /monitoring/DNS.md
# - Webpage test https://www.webpagetest.org/
# - HTTP headers https://redbot.org/
# - Security headers https://securityheaders.io/
# - HTTPS https://www.ssllabs.com/ssltest/
# - HTTPS + Security headers https://observatory.mozilla.org/
# - CRL and OCSP test https://certificate.revocationcheck.com/
# - PHP configuration /webserver/php-env-check.php
# Target OS image: architecture, machine type, distribution and release name.
IMAGE_ARCH="amd64"
IMAGE_MACHINE="x86_64"
IMAGE_ID="Debian"
IMAGE_CODENAME="bullseye"
#IMAGE_CODENAME="bookworm"
export IMAGE_ARCH IMAGE_MACHINE IMAGE_ID IMAGE_CODENAME
# "A real danger for the future of GNU/Linux"
# https://skarnet.org/software/s6/systemd.html
WITHOUT_SYSTEMD="yes"
export WITHOUT_SYSTEMD
# Packages that must be present before anything else is attempted.
# Space-separated on purpose: the list is word-split by the installer loop below.
SETUP_PACKAGES="debian-archive-keyring lsb-release ca-certificates wget apt apt-utils aptitude net-tools"
#:ubuntu test "$(dpkg-vendor --query vendor)" == Ubuntu
#SETUP_PACKAGES="ubuntu-keyring lsb-release ca-certificates wget apt apt-utils aptitude net-tools"
export SETUP_PACKAGES
# APT sources must be hardcoded as shyaml is unavailable before OS image normalization
SETUP_APTSOURCES_URL_PREFIX="https://github.com/szepeviktor/debian-server-tools/raw/master/package/apt-sources"
# @TODO Update to https://deb.debian.org/
# Microsoft Azure Traffic Manager
SETUP_APTSOURCESLIST_URL="${SETUP_APTSOURCES_URL_PREFIX}/${IMAGE_CODENAME}-azure.list"
# Amazon CloudFront
#SETUP_APTSOURCESLIST_URL="${SETUP_APTSOURCES_URL_PREFIX}/${IMAGE_CODENAME}-cloudfront.list"
# Fastly and Amazon CloudFront
#SETUP_APTSOURCESLIST_URL="${SETUP_APTSOURCES_URL_PREFIX}/${IMAGE_CODENAME}-deb.list"
# Config reader, fetched from the unpinned master branch of its repository
# (the install step below downloads and executes it).
SETUP_SHYAML_URL="https://github.com/0k/shyaml/raw/master/shyaml.py"
export SETUP_APTSOURCES_URL_PREFIX SETUP_APTSOURCESLIST_URL SETUP_SHYAML_URL
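# Abort on the first failing command and trace every command
# (the trace is what "script --timing" in the header captures).
set -e -x
# Am I root? Everything below writes under /etc and /usr/local and runs apt-get.
# An explicit message replaces the silent exit of a bare failing test.
if [[ "$EUID" -ne 0 ]]; then
    echo "This script must be run as root." 1>&2
    exit 1
fi
# Later steps still need an interactive terminal on stdin.
if [ ! -t 0 ]; then
    echo "Some commands still need a terminal." 1>&2
    exit 10
fi
# Common functions; presumably provides Is_installed, Pkg_install_quiet and Data
# used below. Sourced by relative path, so run the script from its own directory.
# shellcheck disable=SC1091
source debian-setup-functions.inc.sh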
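# Necessary packages: ensure every entry of SETUP_PACKAGES is installed
# before the rest of the setup relies on them.
IS_FUNCTIONAL="yes"
hash dpkg-query
# SETUP_PACKAGES is a space-separated list; word-splitting is intended here.
for PKG in ${SETUP_PACKAGES}; do
    if ! Is_installed "$PKG"; then
        IS_FUNCTIONAL="no"
        break
    fi
done
if [ "$IS_FUNCTIONAL" != "yes" ]; then
    # Best effort on purpose: the image's APT sources may be unusable at this
    # point (presumably repaired later by packages/apt), so failures are tolerated
    # and any still-missing package surfaces when it is first needed.
    apt-get update -qq || true
    # shellcheck disable=SC2086
    apt-get install -y ${SETUP_PACKAGES} || true
fi
# First address reported by hostname; exported for the child scripts.
IP="$(hostname --all-ip-addresses | cut -d " " -f 1)"
# Without pipefail an empty result would otherwise propagate silently.
if [[ -z "$IP" ]]; then
    echo "Could not determine the primary IP address." 1>&2
    exit 11
fi
export IP
# These packages from SETUP_PACKAGES should be auto-installed
apt-mark auto lsb-release ca-certificates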
# Package sources
packages/apt
# OS check
packages/base-files
# OS image normalization (does dist-upgrade)
./debian-image-normalize.sh
# Left-overs from older releases; each set is detected by one marker package.
WHEEZY_LEFTOVERS=(
    libboost-iostreams1.49.0 libdb5.1 libgcrypt11 libgnutls26
    libprocps0 libtasn1-3 libudev0 python2.6 python2.6-minimal
)
JESSIE_LEFTOVERS=(
    libapt-inst1.5 libapt-pkg4.12 libept1.4.12 libreadline6 libssl1.0.0 libxapian22
    gcc-4.9-base python-reportbug sysvinit
)
# Remove wheezy packages
if Is_installed "libgnutls26"; then
    apt-get purge -qq "${WHEEZY_LEFTOVERS[@]}"
fi
# Remove jessie packages
if Is_installed "gcc-4.9-base"; then
    apt-get purge -qq "${JESSIE_LEFTOVERS[@]}"
fi
# Remove ClamAV data
rm -rf /var/lib/clamav /var/log/clamav
# Remove left-over fonts
rm -rf /etc/console-setup
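# Packages used on top of SETUP_PACKAGES
Pkg_install_quiet ssh sudo dirmngr
# Install SHYAML (config reader)
Pkg_install_quiet python3-yaml
# Supply-chain note: shyaml is fetched from the unpinned master branch of its
# repository and no checksum is verified, so whatever that branch holds at run
# time is installed and run as root (presumably by Data when reading the config).
# TODO(review): pin SETUP_SHYAML_URL to a commit and compare the download
# against a known SHA-256 (<expected-shyaml-sha256>) before installing it.
# --https-only refuses a downgrade to plain HTTP on redirect.
wget -nv --https-only -O /usr/local/bin/shyaml "$SETUP_SHYAML_URL"
# @FIXME Upstream ships a "python" shebang; point it at python3.
sed -i -e '1 s#/usr/bin/env python#/usr/bin/env python3#' /usr/local/bin/shyaml
chmod +x /usr/local/bin/shyaml
# Smoke test: aborts the script (set -e) if the download is not a working script.
shyaml --version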
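# Add APT repositories named in the configuration (package.apt.sources).
for REPO in $(Data get-values package.apt.sources); do
    # The name becomes part of a path under /etc/apt and of a download URL;
    # reject anything that could escape the directory (path separator, leading dot).
    if [[ "$REPO" == */* || "$REPO" == .* ]]; then
        echo "Invalid APT source name: ${REPO}" 1>&2
        exit 12
    fi
    wget -nv --https-only -O "/etc/apt/sources.list.d/${REPO}.list" "${SETUP_APTSOURCES_URL_PREFIX}/${REPO}.list"
done
# Import signing keys: every "#K: " line within 5 lines after a "deb " line in
# any .list file under /etc/apt/sources.list.d is executed as a shell command
# (eval) as root. Whoever can write those files, or serve
# SETUP_APTSOURCES_URL_PREFIX, therefore controls this host; the trust boundary
# is TLS to that origin plus the repository's contents.
eval "$(grep -h -A 5 "^deb " /etc/apt/sources.list.d/*.list | grep "^#K: " | cut -d " " -f 2-)"
# Get package lists
apt-get update -qq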
# Virtualization environment, then hostname, login and readline-common.
for STEP in virt-what hostname login readline-common; do
    packages/"$STEP"
done
# Set Bash as default
packages/dash
# Root user and first user
packages/adduser
# After adduser
packages/openssh-server
# Remove apparmor and pin it so it cannot be pulled back in.
apt-get purge -qq apparmor
cat >/etc/apt/preferences.d/apparmor.pref <<'EOF'
Package: apparmor
Pin: release *
Pin-Priority: -1
EOF
# Optionally switch to SysVinit
packages/systemd
# Log in on a new terminal and log out here
exit 0