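#!/bin/bash
## FORSTWOOF UBUNTU PRESEED :: INSTALLATION SCRIPT
#
# Post-install provisioning for a ForstWoof Ubuntu host: apt proxy and
# unattended upgrades, the ForstWoof CA and CRLs, grml zsh, a key-only
# OpenSSH server for root, sysctl tweaks and a few service defaults.
# Runs as root (every step writes system files); failures of individual
# steps are reported on stderr and the script continues (best effort).

# Will do everything in temporary files
cd /var/tmp || exit 1

# Print a diagnostic on stderr without aborting the run.
warn() { printf 'forstwoof-install: %s\n' "$*" >&2; }

# Download $1 to $2. -f makes curl fail on an HTTP error instead of
# saving the error page under the target name; that matters for the CA
# certificate and CRLs, where a stray HTML body would be trusted/parsed.
fetch() {
  local url=$1 dest=$2
  curl -fLs -o "$dest" "$url" || warn "download failed: $url"
}

# Set global locale
printf '%s\n' 'LC_ALL="en_US.UTF-8"' >> /etc/default/locale

# Point apt proxy to local cacher (apt still verifies release signatures)
cat <<'EOF' >/etc/apt/apt.conf.d/01proxy
Acquire::http::Proxy "http://beaver:3142";
EOF

# Enable automatic updates of all packages
rm -f /etc/apt/apt.conf.d/20auto-upgrades
cat <<'EOF' >/etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
	"${distro_id}:${distro_codename}-security";
	"${distro_id}:${distro_codename}-updates";
	"${distro_id}:${distro_codename}-proposed";
	"${distro_id}:${distro_codename}-backports";
};
Unattended-Upgrade::Package-Blacklist {
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
EOF
cat <<'EOF' >/etc/apt/apt.conf.d/10periodic
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF

# Install all updates
apt-get -y update && apt-get -y dist-upgrade
apt-get -y autoremove
apt-get -y autoclean
# Purge packages in "deinstall" state (removed, config left behind).
# Collected into an array so apt-get is not invoked with an empty list.
mapfile -t leftovers < <(dpkg --get-selections | awk '$2 == "deinstall" { print $1 }')
if (( ${#leftovers[@]} > 0 )); then
  apt-get -y purge "${leftovers[@]}"
fi

# Add ForstWoof certificate authority
fetch https://forstwoof.ru/ca/root.crt /usr/local/share/ca-certificates/ForstWoof.crt
update-ca-certificates
mkdir -p /etc/ssl/forstwoof
for name in root server client proxy; do
  for ext in crl crt; do
    if [[ "$name" == root && "$ext" == crt ]]; then
      # The root certificate is already in the system CA store; link it.
      ln -sf /usr/local/share/ca-certificates/ForstWoof.crt /etc/ssl/forstwoof/root.crt
    else
      fetch "https://forstwoof.ru/ca/${name}.${ext}" "/etc/ssl/forstwoof/${name}.${ext}"
    fi
  done
done

# Weekly CRL refresh. The delimiter is quoted so ${name} is written
# literally into the cron script instead of being expanded now, which
# would bake the last value of the loop variable above into every line.
cat <<'EOF' >/etc/cron.weekly/forstwoof-crl
#!/bin/sh
for name in root server client
do
  wget https://forstwoof.ru/ca/${name}.crl -O /etc/ssl/forstwoof/${name}.crl
done
EOF
chmod +x /etc/cron.weekly/forstwoof-crl

# ZSH GRML configuration
# NOTE(review): these files are fetched over plain http and become the
# system-wide and root shell rc; serve them over https or vendor them.
fetch http://git.grml.org/f/grml-etc-core/etc/zsh/zshrc /etc/zsh/zshrc
fetch http://git.grml.org/f/grml-etc-core/etc/skel/.zshrc /etc/skel/.zshrc
cp /etc/skel/.zshrc /root/.zshrc
chsh -s /usr/bin/zsh

# OpenSSH server configuration: fresh host keys, key-only login for root
rm -f /etc/ssh/ssh_host_*
declare -A keytypes=(
  ["ed25519"]="256"
  ["ecdsa"]="521"
  ["rsa"]="4096"
)
for type in "${!keytypes[@]}"; do
  keypath="/etc/ssh/ssh_host_${type}_key"
  ssh-keygen -q -t "$type" -b "${keytypes[$type]}" -C "" -N "" -f "$keypath"
done
cat <<'EOF' >/etc/ssh/sshd_config
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 60
AllowUsers root
PermitRootLogin yes
UsePAM yes
PermitEmptyPasswords no
UsePrivilegeSeparation yes
StrictModes yes
IgnoreRhosts yes
PubkeyAuthentication yes
HostbasedAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication no
X11Forwarding no
PrintMotd no
PrintLastLog yes
TCPKeepAlive no
MaxStartups 4
Compression yes
ClientAliveCountMax 5
ClientAliveInterval 30
IPQoS cs4 8
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
# Authorized keys for root; permissions are pinned explicitly rather than
# left to the umask, as StrictModes rejects a writable file/directory.
mkdir -p /root/.ssh
chmod 700 /root/.ssh
cat <<'EOF' >/root/.ssh/authorized_keys
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAF1LO9QOys7ybGjoo40mZZfLUnztBcSBKk3m1lRGyxK6k5Hnb5HW/QpUT3uCdsaKJ9NrYmLlZjwkykxDSv4YqKReQFjNwfhPNo2DG3ah0AiCrvpmsvzh4FM6exiE1WQCMlQ40wJDhXnihbVYTKx7D2BJE4GopBWZ1X9QzhkUlHfkq3S+w== Shark
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBADTeo8BOL7Th3mdYqpxDwVbMt6OFHPtXocQddkFzG8bKZITSLZfGvmzzQAg9wWi7n8LPRYARgGZnlUMN2M1fmckOwCMwD1NyyIfK2jqzpD21VFsIabSbWXXwhSz+IPIVhemyXKOPNF9Tpkxqhava5xKNBQwEiHesCuiXvROc1F7UMzrtA== Cougar
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAEy7loXboS2HxhP2c8nLsf68qsdpD7aCuD+Wly+CtHw+zBS9uSxZiYWfp5k210lS4bDkV5JO2VDlKcANLWY9M265wEeX4DD39WsjAyBfpEZajqRStselXrRNYlhtH7GDpx9RZJvHFtOzROXvZrpposbaeybjt5ZyMmPq+7Q6n9L6L6IbA== Dingo
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDKc56H2wFTSZxJHNgd66R4Ld6jEYLq4J9D4ZoqJQylYgTPJ4ITkeafp5msdcF1za8DZwThPr964c4LfNwVT/bQQHhzFr/Yxg2c4PDKyUSM0iV7wMixUCArxTaOoyOKA6YiH6Rn1M8mQVM4rqt0GqcAbeVqKdaqsWbDtxbcc8KpxwHNs6r5xxWp/jI1Y/enY5Vtt0La5DVfIfWmGzEfLxGJtZI7izfdToLsNDxBCpZa/xi9bshvBULFToIbrP4WsVrtac05H08n0pHV6eFwBlEJPzJsenx7sHOxhCipAN7sKe6qJrDyJL22PfQgYhOMQ4AlBvKDg6McD54Zep+p0VUB5U0+z7HylTEhswg6IORfslSiwEfrJen7DdDO2xEJlk6XFl0Dby2T6njppXhRu2Ra1HSuYGKbkYk+356oRHi+x9hIG0YNoAgLQjgKNQo+kFnywHNGuw6krUmN3qjctnNBe921a42UY3NenhmzN6UdkqXYJEpMyKSvh1XI2I5RPzQoIHAm4pl3YG70CP7Wg3XB+t3o5TeVvuT1PeLG8eUsVryQSs1C3UH2pPF2raI3URKwLmXr2XZukeLz6kPrXg0ky4yUDpY/emesKFaNtquUC0daMXttBtfED7t9a/rL/Zy/8HkrivajG9yrEgNy16pW2aHaF4P87aoE3aM94GKQOQ== Penguin
EOF
chmod 600 /root/.ssh/authorized_keys
# Catch a broken sshd_config here rather than after the first reboot,
# when password login is already disabled.
sshd -t || warn "sshd_config failed validation (sshd -t)"

# Sysctl configuration
cat <<'EOF' >/etc/sysctl.conf
net.core.default_qdisc = fq_codel
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.force_igmp_version = 2
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_source_route = 0
vm.swappiness = 0
EOF

# Template network configuration (appended, commented out, for the admin
# to fill in after install)
cat <<'EOF' >>/etc/network/interfaces
#iface ens192 inet static
#	address 192.168.1.X
#	netmask 24
#	gateway 192.168.1.1
#	dns-nameservers 192.168.1.5 2002:d58d:9aaa:1::5
#	dns-search lan.forstwoof.ru
#	mtu 9000
#iface ens192 inet6 static
#	address 2002:d58d:9aaa:1::X
#	netmask 64
#	gateway 2002:d58d:9aaa:1::1
EOF

# Enable log compression
sed -i 's/#compress/compress/' /etc/logrotate.conf

# Tweak initramfs generation
sed -i 's/COMPRESS=gzip/COMPRESS=xz/' /etc/initramfs-tools/initramfs.conf
sed -i 's/MODULES=most/MODULES=dep/' /etc/initramfs-tools/initramfs.conf
update-initramfs -u -k all

# Enable kexec reboots
sed -i 's/LOAD_KEXEC=false/LOAD_KEXEC=true/' /etc/default/kexec

# open-vm-tools logging tweak
cat <<'EOF' >/etc/vmware-tools/tools.conf
[logging]
vmsvc.level=error
EOF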
# Remote syslog server cat </etc/rsyslog.d/10-remote.conf *.notice @beaver:514