diff --git a/group_vars/vault.yml b/group_vars/vault.yml
new file mode 100644
index 0000000..e69de29
diff --git a/keys/private.key.vault b/keys/private.key.vault
new file mode 100644
index 0000000..e69de29
diff --git a/keys/public.key b/keys/public.key
new file mode 100644
index 0000000..e69de29
diff --git a/setup.sh b/setup.sh
new file mode 100644
index 0000000..d68ebf2
--- /dev/null
+++ b/setup.sh
@@ -0,0 +1,86 @@
+#!/bin/bash
+# Basic VM/LXC Setup Script for root environments
+# Creates 'beer' user if missing, sets up SSH, installs basic tools.
+
+# === CONFIGURE PUBLIC KEY ===
+SSH_PUBLIC_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDxZomUDtOt7Kh1mfZleJrv/IZrdFZ6j80RIpyTWd5R+ beer@bwsttv.com" # Paste your SSH public key here
+USERNAME="beer"
+
+# Ensure script runs as root
+if [ "$EUID" -ne 0 ]; then
+ echo "Please run as root."
+ exit 1
+fi
+
+# === UPDATE SYSTEM ===
+echo "Updating system..."
+apt update && apt upgrade -y
+
+# === CREATE USER IF NOT EXISTS ===
+if id "$USERNAME" &>/dev/null; then
+ echo "User '$USERNAME' already exists."
+else
+ echo "Creating user '$USERNAME'..."
+ adduser --disabled-password --gecos "" "$USERNAME"
+ usermod -aG sudo "$USERNAME"
+fi
+
+# === SET UP SSH FOR USER ===
+echo "Configuring SSH for '$USERNAME'..."
+mkdir -p /home/$USERNAME/.ssh
+echo "$SSH_PUBLIC_KEY" > /home/$USERNAME/.ssh/authorized_keys
+chmod 700 /home/$USERNAME/.ssh
+chmod 600 /home/$USERNAME/.ssh/authorized_keys
+chown -R $USERNAME:$USERNAME /home/$USERNAME/.ssh
+
+# === HARDEN SSH ===
+echo "Updating SSH security settings..."
+sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
+sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+systemctl restart ssh || service ssh restart
+
+# === INSTALL BASIC UTILITIES ===
+echo "Installing base packages..."
+apt install -y curl wget vim git ufw wamerican
+
+# === FIREWALL CONFIGURATION ===
+echo "Configuring firewall..."
+ufw allow OpenSSH
+ufw --force enable
+
+# === HARDEN SSH: Disable root login via SSH ===
+echo "Disabling root SSH login..."
+sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
+sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+systemctl restart ssh || service ssh restart
+
+# === ENSURE beer CAN USE SUDO ===
+usermod -aG sudo beer
+
+# Make sure /usr/share/dict/words exists, or replace with your own file path or word array
+WORDLIST="/usr/share/dict/words"
+
+# Pick 5 random words, capitalize first letter
+PASSWORD_WORDS=$(shuf -n 5 "$WORDLIST" | sed 's/.*/\L&/' | sed 's/^./\u&/' | tr '\n' ' ')
+
+# Generate 4 random digits
+PASSWORD_NUMBERS=$(shuf -i 1000-9999 -n 1)
+
+# Combine words and numbers
+GENERATED_PASS="${PASSWORD_WORDS}${PASSWORD_NUMBERS}"
+
+# Remove trailing spaces if any
+GENERATED_PASS=$(echo "$GENERATED_PASS" | xargs)
+
+# Set password for user beer
+echo "beer:$GENERATED_PASS" | chpasswd
+
+# Show the generated password
+echo "--------------------------------------------------"
+echo "Generated password for user 'beer':"
+echo "$GENERATED_PASS"
+echo "Please save this password securely!"
+echo "--------------------------------------------------"
+
+
+echo "Setup complete! You can now SSH into the container/VM as '$USERNAME'."
diff --git a/update.yml b/update.yml
index 22f19dd..2fece49 100644
--- a/update.yml
+++ b/update.yml
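Review bot: The password generation at the end of the hunk can silently set a weak or empty password: if `/usr/share/dict/words` is missing (e.g. the earlier `apt install` of `wamerican` failed) `shuf` errors and `GENERATED_PASS` is only the four digits, and because `wamerican` contains many possessive entries such as `Abbott's`, the `xargs` trim step often hits an unmatched single quote, prints nothing, and `chpasswd` is then fed `beer:` with an empty password. The script does not use `set -e`, so neither failure stops it and the `Please save this password securely!` banner is printed regardless. Guard the word list, exclude words containing apostrophes, abort when no words came back, and drop the `xargs` line — the value already has no leading or trailing whitespace to trim — as below. Separately, the SSH hardening is applied twice with two sshd restarts (`prohibit-password` in the first block, `no` in the second) and `sed -i` only rewrites a directive that already exists in `/etc/ssh/sshd_config`; on Debian/Ubuntu the `Include /etc/ssh/sshd_config.d/*.conf` near the top of that file takes precedence, so a single block that writes a drop-in there and runs `sshd -t` before the restart would be both shorter and more reliable.
```shell
WORDLIST="/usr/share/dict/words"
[ -r "$WORDLIST" ] || { echo "Word list $WORDLIST not found; refusing to set a weak password." >&2; exit 1; }

# Pick 5 random words without apostrophes (so nothing downstream has to quote them), capitalize first letter
PASSWORD_WORDS=$(grep -v "'" "$WORDLIST" | shuf -n 5 | sed 's/.*/\L&/' | sed 's/^./\u&/' | tr '\n' ' ')
[ -n "$PASSWORD_WORDS" ] || { echo "Failed to generate password words." >&2; exit 1; }

# … unchanged: PASSWORD_NUMBERS generation …
GENERATED_PASS="${PASSWORD_WORDS}${PASSWORD_NUMBERS}"
# (the former xargs trim line is removed: it parsed quotes and could empty the value)

# … unchanged: chpasswd and the banner …
```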
@@ -5,13 +5,23 @@ become_method: sudo become_user: root tasks: - - name: Update apt cache + - name: Update apt cache (tolerate repo codename changes) apt: update_cache: yes cache_valid_time: 3600 + environment: + APT::Get::AllowReleaseInfoChange: "true" + APT::Get::AllowReleaseInfoChange::Origin: "true" + APT::Get::AllowReleaseInfoChange::Suite: "true" + APT::Get::AllowReleaseInfoChange::Codename: "true" - - name: Upgrade all packages + - name: Upgrade all packages (tolerate repo codename changes) apt: upgrade: dist autoremove: yes autoclean: yes + environment: + APT::Get::AllowReleaseInfoChange: "true" + APT::Get::AllowReleaseInfoChange::Origin: "true" + APT::Get::AllowReleaseInfoChange::Suite: "true" + APT::Get::AllowReleaseInfoChange::Codename: "true"
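Review bot: The added `environment:` blocks on both tasks do not change apt's behaviour, because apt reads `AllowReleaseInfoChange` from its configuration files or `-o` options, not from environment variables, and the option lives under `Acquire::AllowReleaseInfoChange` (the configuration item behind `apt-get update --allow-releaseinfo-change`), not `APT::Get::`. As written the playbook still fails on a codename change, while the task names now claim it tolerates one. Write the setting to an apt.conf.d drop-in before the cache update, as below, and remove the `environment:` block from the upgrade task, where release-info checks do not apply. Enabling only the `Suite`/`Codename` sub-keys keeps the origin and label checks, which is what protects against a mirror quietly serving a different distribution.
```yaml
    - name: Allow apt to accept suite/codename changes in release info
      copy:
        dest: /etc/apt/apt.conf.d/99allow-releaseinfo-change
        content: |
          Acquire::AllowReleaseInfoChange::Suite "true";
          Acquire::AllowReleaseInfoChange::Codename "true";
        mode: "0644"

    # … unchanged: Update apt cache task, with its environment: block removed …
    # … unchanged: Upgrade all packages task, with its environment: block removed …
```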