From f5864eb85436d52fe3e2670387744d5008003813 Mon Sep 17 00:00:00 2001
From: BWSTTVDEV
Date: Tue, 5 Aug 2025 04:21:16 +0000
Subject: [PATCH 1/5] Initial setup script for new machines
---
 setup.sh | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 setup.sh
diff --git a/setup.sh b/setup.sh
new file mode 100644
index 0000000..26f6a34
--- /dev/null
+++ b/setup.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+# Basic VM/LXC Setup Script for root environments
+# Creates 'beer' user if missing, sets up SSH, installs basic tools.
+
+# === CONFIGURE PUBLIC KEY ===
+SSH_PUBLIC_KEY="rsa-key-20250805
+AAAAB3NzaC1yc2EAAAADAQABAAABAQDUDI9pCxrSCAWGvfMvjIYrHragCCJwHj3f
+kMdpCVlf3d6rBu3VRSQHlVrcgb7sX+C4iuktCOBXFerV1XORuzWwpWq3047gPNDC
+fg9u96nmvrINXWgkpuSqTWPUBoU/xL2rnW3a+yKAHBpCpk6O2kY9DA9tAU/LER3n
+4tbu+vVe6CtRlrV3nZIMR6xYfnN7YLaVZWGIHwW+BPfRTxF09iLbrzSNCrenBWaG
+oSTgsdHCFFuYAStr/5vE7ssM4T6loVML+Cljz7DftmEul5YRBQA8uON77+a+MiGS
+dYLgpilGJ8bK77Bp0i+OwwY7icfQvtMw67aWaHXqauy/g3t0ji/L" # Paste your SSH public key here
+USERNAME="beer"
+
+# Ensure script runs as root
+if [ "$EUID" -ne 0 ]; then
+ echo "Please run as root."
+ exit 1
+fi
+
+# === UPDATE SYSTEM ===
+echo "Updating system..."
+apt update && apt upgrade -y
+
+# === CREATE USER IF NOT EXISTS ===
+if id "$USERNAME" &>/dev/null; then
+ echo "User '$USERNAME' already exists."
+else
+ echo "Creating user '$USERNAME'..."
+ adduser --disabled-password --gecos "" "$USERNAME"
+ usermod -aG sudo "$USERNAME"
+fi
+
+# === SET UP SSH FOR USER ===
+echo "Configuring SSH for '$USERNAME'..."
+mkdir -p /home/$USERNAME/.ssh
+echo "$SSH_PUBLIC_KEY" > /home/$USERNAME/.ssh/authorized_keys
+chmod 700 /home/$USERNAME/.ssh
+chmod 600 /home/$USERNAME/.ssh/authorized_keys
+chown -R $USERNAME:$USERNAME /home/$USERNAME/.ssh
+
+# === HARDEN SSH ===
+echo "Updating SSH security settings..."
+sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
+sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+systemctl restart ssh || service ssh restart
+
+# === INSTALL BASIC UTILITIES ===
+echo "Installing base packages..."
+apt install -y curl wget vim git ufw
+
+# === FIREWALL CONFIGURATION ===
+echo "Configuring firewall..."
+ufw allow OpenSSH
+ufw --force enable
+
+echo "Setup complete! You can now SSH into the container/VM as '$USERNAME'."
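Review bot: The `# === HARDEN SSH ===` step edits only `/etc/ssh/sshd_config` with `sed -i` and then restarts sshd without validating the result; on distributions whose sshd_config opens with `Include /etc/ssh/sshd_config.d/*.conf`, a shipped drop-in that sets `PasswordAuthentication yes` is read first and wins (sshd keeps the first value it obtains for a keyword), so password logins stay enabled while the script reports them disabled, and a malformed edit takes sshd down on restart with no fallback. Writing our own drop-in that sorts ahead of the distro snippets and running `sshd -t` before the restart closes both gaps (below; the drop-in file name is a constructed example), and the two `sed` lines can stay for hosts without the `Include`. A `set -euo pipefail` near the top would also stop the script after a failed `adduser` or `apt` instead of carrying on to the hardening and firewall steps.
```shell
# … unchanged: echo and the two sed -i edits of /etc/ssh/sshd_config …
# Include-based configs read sshd_config.d/*.conf before the main file and keep the
# first value seen, so a low-numbered drop-in wins over distro snippets (constructed name).
mkdir -p /etc/ssh/sshd_config.d
printf '%s\n' 'PermitRootLogin prohibit-password' 'PasswordAuthentication no' \
  > /etc/ssh/sshd_config.d/00-setup-hardening.conf
sshd -t || { echo "sshd_config failed validation; not restarting sshd" >&2; exit 1; }
systemctl restart ssh || service ssh restart
```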
From 72f71a698f4209b7cc3618f4577e075d70b8c061 Mon Sep 17 00:00:00 2001
From: BWSTTVDEV
Date: Tue, 5 Aug 2025 04:41:49 +0000
Subject: [PATCH 2/5] Updated ssh key
---
 setup.sh | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/setup.sh b/setup.sh
index 26f6a34..fa1f8f6 100644
--- a/setup.sh
+++ b/setup.sh
@@ -3,13 +3,7 @@
 # Creates 'beer' user if missing, sets up SSH, installs basic tools.
 # === CONFIGURE PUBLIC KEY ===
-SSH_PUBLIC_KEY="rsa-key-20250805
-AAAAB3NzaC1yc2EAAAADAQABAAABAQDUDI9pCxrSCAWGvfMvjIYrHragCCJwHj3f
-kMdpCVlf3d6rBu3VRSQHlVrcgb7sX+C4iuktCOBXFerV1XORuzWwpWq3047gPNDC
-fg9u96nmvrINXWgkpuSqTWPUBoU/xL2rnW3a+yKAHBpCpk6O2kY9DA9tAU/LER3n
-4tbu+vVe6CtRlrV3nZIMR6xYfnN7YLaVZWGIHwW+BPfRTxF09iLbrzSNCrenBWaG
-oSTgsdHCFFuYAStr/5vE7ssM4T6loVML+Cljz7DftmEul5YRBQA8uON77+a+MiGS
-dYLgpilGJ8bK77Bp0i+OwwY7icfQvtMw67aWaHXqauy/g3t0ji/L" # Paste your SSH public key here
+SSH_PUBLIC_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDxZomUDtOt7Kh1mfZleJrv/IZrdFZ6j80RIpyTWd5R+ beer@bwsttv.com" # Paste your SSH public key here
 USERNAME="beer"
 # Ensure script runs as root
From 06e1350747b75afb877357953d33335570074255 Mon Sep 17 00:00:00 2001
From: BWSTTVDEV
Date: Tue, 5 Aug 2025 04:45:03 +0000
Subject: [PATCH 3/5] Updated to disabled root
---
 setup.sh | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/setup.sh b/setup.sh
index fa1f8f6..0a97b8a 100644
--- a/setup.sh
+++ b/setup.sh
@@ -48,4 +48,13 @@ echo "Configuring firewall..."
 ufw allow OpenSSH
 ufw --force enable
+# === HARDEN SSH: Disable root login via SSH ===
+echo "Disabling root SSH login..."
+sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
+sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+systemctl restart ssh || service ssh restart
+
+# === ENSURE beer CAN USE SUDO ===
+usermod -aG sudo beer
+
 echo "Setup complete! You can now SSH into the container/VM as '$USERNAME'."
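Review bot: Nothing validates `SSH_PUBLIC_KEY` before it is written to `authorized_keys` (the write is outside this hunk), and the value this commit replaces — a multi-line PuTTY-style export — is exactly the kind of paste sshd cannot parse; with password authentication disabled later in the script, a bad key on this line locks the account out of the host. A check right after the write catches that class of mistake before the hardening step runs: `ssh-keygen -l -f "/home/$USERNAME/.ssh/authorized_keys" >/dev/null || { echo "SSH_PUBLIC_KEY is not a valid OpenSSH public key" >&2; exit 1; }`. The `# Paste your SSH public key here` comment now sits past the end of a very long line; placing it on the line above the assignment keeps the key readable.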
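Review bot: This appended block duplicates the existing `# === HARDEN SSH ===` step (outside this hunk): it re-runs the same `PasswordAuthentication` sed, silently overrides the earlier `PermitRootLogin prohibit-password` with `no`, and restarts sshd a second time, so a reader of the first block comes away with the wrong effective setting and the host briefly runs on the intermediate config. Change the value in the first block instead of adding a second one, e.g. `sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config` there, and drop this block. `usermod -aG sudo beer` hard-codes the user the rest of the script addresses as `"$USERNAME"`; `usermod -aG sudo "$USERNAME"` keeps the two in step (it is harmless for a freshly created user, which already received the group in the create branch).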
From 9fb8c8b15360db9ab5f6025c25eccd5f53fd3218 Mon Sep 17 00:00:00 2001
From: BWSTTVDEV
Date: Tue, 5 Aug 2025 05:05:31 +0000
Subject: [PATCH 4/5] Updated to create a generated password
---
 setup.sh | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/setup.sh b/setup.sh
index 0a97b8a..d68ebf2 100644
--- a/setup.sh
+++ b/setup.sh
@@ -41,7 +41,7 @@ systemctl restart ssh || service ssh restart
 # === INSTALL BASIC UTILITIES ===
 echo "Installing base packages..."
-apt install -y curl wget vim git ufw
+apt install -y curl wget vim git ufw wamerican
 # === FIREWALL CONFIGURATION ===
 echo "Configuring firewall..."
@@ -57,4 +57,30 @@ systemctl restart ssh || service ssh restart
 # === ENSURE beer CAN USE SUDO ===
 usermod -aG sudo beer
+# Make sure /usr/share/dict/words exists, or replace with your own file path or word array
+WORDLIST="/usr/share/dict/words"
+
+# Pick 5 random words, capitalize first letter
+PASSWORD_WORDS=$(shuf -n 5 "$WORDLIST" | sed 's/.*/\L&/' | sed 's/^./\u&/' | tr '\n' ' ')
+
+# Generate 4 random digits
+PASSWORD_NUMBERS=$(shuf -i 1000-9999 -n 1)
+
+# Combine words and numbers
+GENERATED_PASS="${PASSWORD_WORDS}${PASSWORD_NUMBERS}"
+
+# Remove trailing spaces if any
+GENERATED_PASS=$(echo "$GENERATED_PASS" | xargs)
+
+# Set password for user beer
+echo "beer:$GENERATED_PASS" | chpasswd
+
+# Show the generated password
+echo "--------------------------------------------------"
+echo "Generated password for user 'beer':"
+echo "$GENERATED_PASS"
+echo "Please save this password securely!"
+echo "--------------------------------------------------"
+
+
 echo "Setup complete! You can now SSH into the container/VM as '$USERNAME'."
From e12b5974c25f080b2387a933a9e5402dd7dfc3a7 Mon Sep 17 00:00:00 2001
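Review bot: The whitespace trim `GENERATED_PASS=$(echo "$GENERATED_PASS" | xargs)` in the second hunk breaks on any word containing an apostrophe, and the `wamerican` list the first hunk installs carries many possessive forms: xargs treats the quote as shell quoting, reports an unmatched quote and emits nothing, so `GENERATED_PASS` becomes empty and the `chpasswd` line sets whatever an empty password field means to it — in any case not the value the script then prints as the password. Joining the words with `paste` instead of `tr` plus a trailing-space trim, and refusing to continue on an empty result, removes that failure mode (below); a readability check on `$WORDLIST` covers the case the comment above it currently leaves to the reader. Printing the password to stdout also lands it in any captured provisioning log or terminal scrollback, so writing it to a root-only file, or printing only when `[[ -t 1 ]]`, keeps it out of logs. The password is set for `beer` literally while the rest of the script uses `"$USERNAME"`.
```shell
# Refuse to continue without a wordlist rather than handing chpasswd an empty password.
[[ -r "$WORDLIST" ]] || { echo "wordlist $WORDLIST not found or unreadable" >&2; exit 1; }

# Pick 5 random words, capitalize first letter; paste joins with single spaces and no trailing one
PASSWORD_WORDS=$(shuf -n 5 "$WORDLIST" | sed 's/.*/\L&/' | sed 's/^./\u&/' | paste -sd ' ')
# … unchanged: PASSWORD_NUMBERS …
GENERATED_PASS="${PASSWORD_WORDS} ${PASSWORD_NUMBERS}"
[[ -n "$PASSWORD_WORDS" && -n "$PASSWORD_NUMBERS" ]] || { echo "password generation failed" >&2; exit 1; }
# … unchanged: chpasswd and the report (the xargs line is dropped) …
```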
From: BWSTTVDEV
Date: Tue, 28 Oct 2025 01:04:53 +0000
Subject: [PATCH 5/5] Accounting for unifi repo changes
---
 group_vars/vault.yml | 0
 keys/private.key.vault | 0
 keys/public.key | 0
 update.yml | 14 ++++++++++++--
 4 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 group_vars/vault.yml
 create mode 100644 keys/private.key.vault
 create mode 100644 keys/public.key
diff --git a/group_vars/vault.yml b/group_vars/vault.yml
new file mode 100644
index 0000000..e69de29
diff --git a/keys/private.key.vault b/keys/private.key.vault
new file mode 100644
index 0000000..e69de29
diff --git a/keys/public.key b/keys/public.key
new file mode 100644
index 0000000..e69de29
diff --git a/update.yml b/update.yml
index 22f19dd..2fece49 100644
--- a/update.yml
+++ b/update.yml
@@ -5,13 +5,23 @@
 become_method: sudo
 become_user: root
 tasks:
- - name: Update apt cache
+ - name: Update apt cache (tolerate repo codename changes)
 apt:
 update_cache: yes
 cache_valid_time: 3600
+ environment:
+ APT::Get::AllowReleaseInfoChange: "true"
+ APT::Get::AllowReleaseInfoChange::Origin: "true"
+ APT::Get::AllowReleaseInfoChange::Suite: "true"
+ APT::Get::AllowReleaseInfoChange::Codename: "true"
- - name: Upgrade all packages
+ - name: Upgrade all packages (tolerate repo codename changes)
 apt:
 upgrade: dist
 autoremove: yes
 autoclean: yes
+ environment:
+ APT::Get::AllowReleaseInfoChange: "true"
+ APT::Get::AllowReleaseInfoChange::Origin: "true"
+ APT::Get::AllowReleaseInfoChange::Suite: "true"
+ APT::Get::AllowReleaseInfoChange::Codename: "true"
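Review bot: The `environment:` blocks added under both tasks will not reach apt's configuration: apt takes settings from apt.conf files and `-o` options, not from process environment variables named like config keys, so the `APT::Get::AllowReleaseInfoChange…` entries are exported to the child process and ignored, and the tasks keep failing on the codename change their new titles say they tolerate (I cannot see a playbook run, so treat the "ignored" part as inferred from apt's configuration model). The option apt does consult for this is `Acquire::AllowReleaseInfoChange`, with `Codename`, `Suite` and `Origin` among its sub-keys, so a `copy` task that writes a snippet under `/etc/apt/apt.conf.d/` before the cache update is the reliable channel. Limit that snippet to the field the unifi repository actually changed and remove it once the migration is accepted everywhere: allowing Origin, Suite and Codename changes together, for every repository, switches off the check that would flag a mirror or repository silently changing identity. The empty `keys/private.key.vault` and `keys/public.key` added alongside need no review yet, but a real private key on that path has to be vault-encrypted in content — the `.vault` suffix by itself protects nothing.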