Merge pull request 'Staging' (#2) from Staging into main

Reviewed-on: #2

setup.sh

@@ -0,0 +1,86 @@
+#!/bin/bash
+# Basic VM/LXC Setup Script for root environments
+# Creates 'beer' user if missing, sets up SSH, installs basic tools.
+
+# === CONFIGURE PUBLIC KEY ===
+SSH_PUBLIC_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDxZomUDtOt7Kh1mfZleJrv/IZrdFZ6j80RIpyTWd5R+ beer@bwsttv.com" # Paste your SSH public key here
+USERNAME="beer"
+
+# Ensure script runs as root
+if [ "$EUID" -ne 0 ]; then
+  echo "Please run as root."
+  exit 1
+fi
+
+# === UPDATE SYSTEM ===
+echo "Updating system..."
+apt update && apt upgrade -y
+
+# === CREATE USER IF NOT EXISTS ===
+if id "$USERNAME" &>/dev/null; then
+    echo "User '$USERNAME' already exists."
+else
+    echo "Creating user '$USERNAME'..."
+    adduser --disabled-password --gecos "" "$USERNAME"
+    usermod -aG sudo "$USERNAME"
+fi
+
+# === SET UP SSH FOR USER ===
+echo "Configuring SSH for '$USERNAME'..."
+mkdir -p /home/$USERNAME/.ssh
+echo "$SSH_PUBLIC_KEY" > /home/$USERNAME/.ssh/authorized_keys
+chmod 700 /home/$USERNAME/.ssh
+chmod 600 /home/$USERNAME/.ssh/authorized_keys
+chown -R $USERNAME:$USERNAME /home/$USERNAME/.ssh
+
+# === HARDEN SSH ===
+echo "Updating SSH security settings..."
+sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
+sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+systemctl restart ssh || service ssh restart
+
+# === INSTALL BASIC UTILITIES ===
+echo "Installing base packages..."
+apt install -y curl wget vim git ufw wamerican
+
+# === FIREWALL CONFIGURATION ===
+echo "Configuring firewall..."
+ufw allow OpenSSH
+ufw --force enable
+
+# === HARDEN SSH: Disable root login via SSH ===
+echo "Disabling root SSH login..."
+sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
+sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+systemctl restart ssh || service ssh restart
+
+# === ENSURE beer CAN USE SUDO ===
+usermod -aG sudo beer
+
+# Make sure /usr/share/dict/words exists, or replace with your own file path or word array
+WORDLIST="/usr/share/dict/words"
+
+# Pick 5 random words, capitalize first letter
+PASSWORD_WORDS=$(shuf -n 5 "$WORDLIST" | sed 's/.*/\L&/' | sed 's/^./\u&/' | tr '\n' ' ')
+
+# Generate 4 random digits
+PASSWORD_NUMBERS=$(shuf -i 1000-9999 -n 1)
+
+# Combine words and numbers
+GENERATED_PASS="${PASSWORD_WORDS}${PASSWORD_NUMBERS}"
+
+# Remove trailing spaces if any
+GENERATED_PASS=$(echo "$GENERATED_PASS" | xargs)
+
+# Set password for user beer
+echo "beer:$GENERATED_PASS" | chpasswd
+
+# Show the generated password
+echo "--------------------------------------------------"
+echo "Generated password for user 'beer':"
+echo "$GENERATED_PASS"
+echo "Please save this password securely!"
+echo "--------------------------------------------------"
+
+
+echo "Setup complete! You can now SSH into the container/VM as '$USERNAME'."

update.yml

@@ -5,13 +5,23 @@
   become_method: sudo
   become_user: root
   tasks:
-    - name: Update apt cache
+    - name: Update apt cache (tolerate repo codename changes)
       apt:
         update_cache: yes
         cache_valid_time: 3600
+      environment:
+        APT::Get::AllowReleaseInfoChange: "true"
+        APT::Get::AllowReleaseInfoChange::Origin: "true"
+        APT::Get::AllowReleaseInfoChange::Suite: "true"
+        APT::Get::AllowReleaseInfoChange::Codename: "true"
 
-    - name: Upgrade all packages
+    - name: Upgrade all packages (tolerate repo codename changes)
       apt:
         upgrade: dist
         autoremove: yes
         autoclean: yes
+      environment:
+        APT::Get::AllowReleaseInfoChange: "true"
+        APT::Get::AllowReleaseInfoChange::Origin: "true"
+        APT::Get::AllowReleaseInfoChange::Suite: "true"
+        APT::Get::AllowReleaseInfoChange::Codename: "true"