-
Notifications
You must be signed in to change notification settings - Fork 0
/
setup.sh
179 lines (152 loc) · 5.51 KB
/
setup.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
#!/bin/bash
cd $(dirname $0)
MYNAME=$(pwd)/$(basename $0)
CONFIGFILE=/etc/proventis/setup.config
while [[ $# -gt 0 ]] ; do
key="$1"
case $key in
--docker)
DOCKERINSTALL="1"
shift
;;
--local)
LOCALINSTALL="1"
shift
;;
*)
shift
;;
esac
done
export DEBIAN_FRONTEND=noninteractive
function apt-get() {
i=0
tput sc
while fuser /var/lib/dpkg/lock >/dev/null 2>&1 ; do
case $(($i % 4)) in
0 ) j="-" ;;
1 ) j="\\" ;;
2 ) j="|" ;;
3 ) j="/" ;;
esac
tput rc
echo -en "\r[$j] Waiting for other software managers to finish..."
sleep 0.5
((i=i+1))
done
/usr/bin/apt-get "$@"
}
function installDocker() {
(
source /etc/os-release
curl -fsSL https://download.docker.com/linux/${ID}/gpg | apt-key add -
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/${ID} $(lsb_release -cs) stable"
apt-get -yq update
#DOCKER_VERSION=$(apt list -a docker-ce 2>/dev/null | awk '{print $2;}' | grep "19." | head -n 1)
#( set -x ; apt-get -yq --allow-downgrades install "docker-ce=$DOCKER_VERSION" "docker-ce-cli=$DOCKER_VERSION" containerd.io )
( set -x ; apt-get -yq --allow-downgrades install "docker-ce" "docker-ce-cli" containerd.io )
systemctl enable docker
systemctl start docker
)
}
function installDefaultSoftware() {
apt-get -yq install apt-transport-https ca-certificates curl gnupg2 software-properties-common rsync mc open-iscsi ufw dstat fail2ban
cat > $HOME/.bash_aliases <<EOF
alias l='ls -CF'
alias mc='. /usr/share/mc/bin/mc-wrapper.sh'
export EDITOR=mcedit
EOF
echo 'SELECTED_EDITOR="/usr/bin/mcedit"' > $HOME/.selected_editor
}
function setupCACertificate() {
cat > /usr/local/share/ca-certificates/Proventis-CA-2.crt <<EOF
-----BEGIN CERTIFICATE-----
MIIFijCCA3KgAwIBAgIJAPtW92iJXVb2MA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
BAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xHjAcBgNVBAoMFXByb3ZlbnRpcyBHbWJI
IEJlcmxpbjEaMBgGA1UEAwwRcHJvdmVudGlzIEdtYkggQ0EwHhcNMTkwOTAyMTE0
MTA2WhcNMzkwODI4MTE0MTA2WjBaMQswCQYDVQQGEwJERTEPMA0GA1UEBwwGQmVy
bGluMR4wHAYDVQQKDBVwcm92ZW50aXMgR21iSCBCZXJsaW4xGjAYBgNVBAMMEXBy
b3ZlbnRpcyBHbWJIIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
3LFe0FH6pWcDAw+vZ7h0nSFTbnSwH0PlFnw6p/S3SK4xvjGOkIrobFR9a7t1gO8e
uwcb+Q74d2ZiNWHV3EnWS24eX96dKZgTkETPacqpnnN4M5LlfkHys0+2+LhAIlo/
jqzhAHRPGaYaPTm3aXcMg3UHlpe8UCNuNNZgkefypAMksOsRyt/xnCEy9g9xiEsc
h+FCpkw+yIYQnTzSgbFo/hcO1T4F6So2SUGPjLDSDkPbCQ8lR69akwJlJJD4Wej0
SNXh1NVbi4miAXl0Xiak39z7QiSvWm4yq4McvgdEDdQRqcd0BgmGjZPNwFKnpCIG
5QT9Gr5bXlUlkM4sA9iReITgDNSxL55fLSvfF86/g7E7JzhAyqQf0LA9MzoRJjh9
Ql+4w99uZvRJL5KVfSSV7RrBhnhuNq/sxMm96VcFTZv3QePzIvBMlB8Pq+fKmWzS
Qix+2gnePmov92TDZ5y5xLuVNCxUqsgeRBoNSocK+mpi+sOENeYS+qkoKUMktDvh
Vshg740ZzB0lyH8s7aHGeCPv0f3RrbKuk5fNeSWqkXY/1HUgefnFQLexPHjRYfTt
KaeUIR9+rT7H7Z2CnPpwQn0zyk2ujMLB5N4tSoNrrb89FqWjhyqxwVQX4qSEG64E
NlMikqj0R5pBF6FoPIFk8gt43VIO/LEPJdmumJS2ayECAwEAAaNTMFEwHQYDVR0O
BBYEFKajP3VghdgMsYJ0b1swAewu3FOrMB8GA1UdIwQYMBaAFKajP3VghdgMsYJ0
b1swAewu3FOrMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAMA+
oDlkkxj6qTk3fc4GScrsKIAX7RbuKwL0zrdS6mXMKbWhsTm22t49VTkOyFbJ2YP1
/13QfiFuV55sS6dl8PZBn2b1q13CASXM2/hEifW+Xr6H5A2DnIu48DR1wQAqZKYO
C1UU4DWCd8Bb4aNnbwSmn4t6AwzCF7Q0oYRmk2RiKZ2Wnh2U51NinI0jQwoyi26y
wuT025+YKdkrAyGZkK9saPWkJ6I/GGE9tGyxYYb+fYjy6IazumrF4OTAfoG0ro9d
2CxEnELOZJTPVP+hi1qZ2Q8IQkyrpZ0DO/vB8ZBnk4GmOZASOJs/scXDejMgqGTK
uJQeGk3erwiElss5rmdNYy06kpXlMG7avJn60UwqTbqNaw1k5OcQ8vYY+WKicqW7
t/9Myvry5PQTQezneKU8rJZ/EBmCSRPdA/7KhJWPvTluy5Uf1wZAeMQHmK6+c9xk
D7EHpRJTWlMEdpcDuduzxvfchFKOA9iCM9Efz/erERZT53Jpp9b6bHW/9V0hHiHv
OSXKj7LdrfsMYWY1xeeXmJTVyAKqQ3JuMSwZN4/21LMgi3KPW6C5jZRhpBHH5UGd
apvcSs9FxM/ievugbC815LKD8XPXQihfmakMCynAmuSpuBson5yYWC8UslpK7RhY
D3SZjPRlJRdjxLxbiaTF5vop5HN57AIhyHHI8voZ
-----END CERTIFICATE-----
EOF
update-ca-certificates
}
function installPostfix() {
mailhost="server-$(hostname -s).cluster.proventis.info"
debconf-set-selections <<< "postfix postfix/mailname string ${mailhost}"
debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Internet Site'"
apt-get -yq install postfix
echo "root: server-$(hostname -s)@proventis.net" >> /etc/aliases
newaliases
postconf -e "inet_interfaces=loopback-only"
postconf -e "myhostname=${mailhost}"
postconf -e "mydomain=${mailhost}"
postfix reload
}
function disablePasswordAuthentication() {
sed -i 's/[#]*PermitRootLogin yes/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config
sed -i 's/[#]*PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
systemctl restart sshd
}
function setupFirewall() {
ufw allow proto tcp from any to any port 22,80,443,6443
ufw allow from 10.43.0.0/16
ufw allow from 10.42.0.0/16
ufw allow from 10.0.0.0/16
ufw allow from 10.244.0.0/16
ufw allow in on docker0 from 172.17.0.0/16
ufw allow from 217.111.101.34
ufw -f default deny incoming
ufw -f default allow outgoing
ufw enable <<< "y"
}
function setupSystem() {
chmod +x ${MYNAME}
disablePasswordAuthentication
if [ -z "$LOCALINSTALL" ]; then
# warten so dass rancher erstmal installieren kann
sleep 5m
apt-get -yq upgrade
else
apt-get -yq update
apt-get -yq dist-upgrade
fi
installDefaultSoftware
setupCACertificate
installPostfix
setupFirewall
applySysconfig
if [ -n "$DOCKERINSTALL" ]; then
installDocker
fi
}
function applySysconfig() {
echo "vm.max_map_count=524288" >> /etc/sysctl.conf
echo "* hard nofile 131072" >> /etc/security/limits.conf
echo "root hard nofile 131072" >> /etc/security/limits.conf
}
setupSystem