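#!/bin/bash
# Basic VM/LXC Setup Script for root environments
# Creates 'beer' user if missing, sets up SSH, installs basic tools.
#
# Usage: run as root (e.g. `sudo ./setup.sh`) on a Debian/Ubuntu-style host.
# Side effects: upgrades packages, creates a sudo-capable user, installs the
# key below into that user's authorized_keys, disables root and password SSH
# logins, and enables ufw with OpenSSH allowed.
#
# NOTE: after this script finishes, the only SSH access left is the user and
# key configured here. Keep the current session open and confirm a fresh
# login works before closing it.
set -euo pipefail

# === CONFIGURE PUBLIC KEY ===
SSH_PUBLIC_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDxZomUDtOt7Kh1mfZleJrv/IZrdFZ6j80RIpyTWd5R+ beer@bwsttv.com" # Paste your SSH public key here
USERNAME="beer"
readonly SSHD_CONFIG="/etc/ssh/sshd_config"

#######################################
# Print an error to stderr and abort.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Set (or replace) one directive in sshd_config.
# Arguments: $1 - directive name, $2 - value
# Globals:   SSHD_CONFIG (read/written)
# A commented-out line ("#PermitRootLogin ...") is replaced as well. If the
# directive is absent altogether it is appended, so the setting always takes
# effect instead of silently falling back to the distro default.
#######################################
set_sshd_option() {
  local key=$1 value=$2
  if grep -qE "^#?[[:space:]]*${key}([[:space:]]|$)" "$SSHD_CONFIG"; then
    sed -i -E "s/^#?[[:space:]]*${key}([[:space:]].*)?$/${key} ${value}/" "$SSHD_CONFIG"
  else
    printf '%s %s\n' "$key" "$value" >> "$SSHD_CONFIG"
  fi
}

# Ensure script runs as root
(( EUID == 0 )) || die "Please run as root."
# Refuse to proceed with an empty/placeholder key: password auth is turned off
# below, so a missing key would lock the operator out.
[[ "$SSH_PUBLIC_KEY" == ssh-* ]] || die "SSH_PUBLIC_KEY does not look like an OpenSSH public key."

# Keep apt from blocking on interactive prompts during upgrade.
export DEBIAN_FRONTEND=noninteractive

# === UPDATE SYSTEM ===
echo "Updating system..."
apt-get update
apt-get upgrade -y

# === INSTALL BASIC UTILITIES ===
# Installed before the user/SSH steps: 'sudo' provides the sudo group that
# usermod adds the user to, 'openssh-server' provides the service restarted
# below (minimal LXC templates may ship without either).
echo "Installing base packages..."
apt-get install -y sudo openssh-server curl wget vim git ufw

# === CREATE USER IF NOT EXISTS ===
if id "$USERNAME" &>/dev/null; then
  echo "User '$USERNAME' already exists."
else
  echo "Creating user '$USERNAME'..."
  adduser --disabled-password --gecos "" "$USERNAME"
fi
# Grant sudo whether the user was just created or already existed
# (-a keeps existing group memberships).
usermod -aG sudo "$USERNAME"

# === SET UP SSH FOR USER ===
echo "Configuring SSH for '$USERNAME'..."
# Resolve the real home directory and primary group rather than assuming
# /home/$USERNAME and a same-named group (a pre-existing user may differ).
home_dir=$(getent passwd "$USERNAME" | cut -d: -f6)
[[ -n "$home_dir" && -d "$home_dir" ]] || die "home directory for '$USERNAME' not found"
group=$(id -gn "$USERNAME")
ssh_dir="$home_dir/.ssh"
auth_keys="$ssh_dir/authorized_keys"
install -d -m 700 -o "$USERNAME" -g "$group" "$ssh_dir"
touch "$auth_keys"
# Append the key only if it is not already present, so re-running the script
# neither duplicates it nor discards keys added by other means.
grep -qxF -- "$SSH_PUBLIC_KEY" "$auth_keys" || printf '%s\n' "$SSH_PUBLIC_KEY" >> "$auth_keys"
chmod 600 "$auth_keys"
chown "$USERNAME:$group" "$auth_keys"

# === HARDEN SSH: Disable root login and password authentication ===
echo "Updating SSH security settings..."
set_sshd_option PermitRootLogin no
set_sshd_option PasswordAuthentication no
# Never restart with a config sshd would reject: a failed restart would leave
# no way back in.
sshd -t || die "sshd configuration test failed; not restarting ssh"
systemctl restart ssh || service ssh restart
# Drop-ins under /etc/ssh/sshd_config.d/ are not edited here; if one sets
# these directives it may take precedence (sshd keeps the first value it
# reads), so print the effective values for the operator to check.
sshd -T 2>/dev/null | grep -iE '^(permitrootlogin|passwordauthentication) ' || true

# === FIREWALL CONFIGURATION ===
echo "Configuring firewall..."
ufw allow OpenSSH
ufw --force enable

echo "Setup complete! You can now SSH into the container/VM as '$USERNAME'."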