scripts on startup, shutdown and initial settings to virtual machines .
furplag/cogman
Cogman

Scripts for startup, shutdown and initial settings of virtual machines. Maybe useful for
other poor men like me, but currently written just for my own use.

Overview

  1. Server initial setting (done only the first time, never repeated).

      • install daemonized Hubot.

Prerequisites

  • the VM instance must be able to reach the internet.
  • all commands must be run as "root" or by a user listed in "wheel".

TL;DR

# export IFTTT_API_KEY and HUBOT_SLACK_TOKEN first. The quoted delimiter stops your
# current shell from expanding the ${...} below (there, e.g. ${instance,,} is unset
# and would become empty), so they are expanded by the bash that runs the script.
cat <<'_EOT_' | bash
declare -r locale_lang=ja_JP.utf8
declare -r timezone=Asia/Tokyo
declare -r ssh_port_number=
declare -r ssh_config_options=
declare -r ssh_key_passphrase=
declare -r ssh_keygen_options='-t ed25519'

declare -r ifttt_api_key=${IFTTT_API_KEY:-}
declare -r platform='unknown'
declare -r project='unknown'
declare -r instance="$(hostname)"
declare -r eventName='statechanged'
declare -r status='started'

# vars of server status notification using Slack and HUBOT
declare -r slackbot_user='shockwave'
declare -r slackbot_group='decepticons'
declare -ir slackbot_uid=1101
declare -ir slackbot_gid=1111
declare -r hubot_slack_token=${HUBOT_SLACK_TOKEN:-}
declare -r hubot_owner_domain='example.com'
declare -r hubot_home="/home/${slackbot_user}/hubot-${slackbot_user}"
declare -r hubot_name="slackbot-${slackbot_user}"
declare -r hubot_desc='server status notifierer generated by Cogman .'
declare -r hubot_owner="${slackbot_user} ${slackbot_user}.${instance,,}.${project,,}.${platform,,}@${hubot_owner_domain}"
declare -ir hubot_heroku_keepalive=1

# this executes a remote script as root: review el.startup.sh (or pin a commit) before running it
source <(curl -fLsS https://github.com/furplag/cogman/raw/main/el.startup.sh)
_EOT_

Getting Started

Make some optimizations so the VM can serve as a web server.

i18N (Locale / Language) setting.

# e.g. LANG_TO_CHANGE=ja_JP.utf8 ; the command is localectl, not localctl
localectl set-locale LANG="${LANG_TO_CHANGE}"

l10N (Timezone) setting.

# timezone is an Area/City name, e.g. Asia/Tokyo
timedatectl set-timezone "${timezone}"

Unenforcing SELinux.

Set SELinux to "permissive". Note that this only logs policy violations instead of blocking them, so it weakens host hardening; keep enforcing if your workload allows it.

# keep the original line as a comment and add the new value below it
sed -i -e 's/^SELINUX=.*/#\0\nSELINUX=permissive/' /etc/selinux/config && \
setenforce 0

Change the SSH port number to reduce exposure to automated brute-force attempts.

Add an SSH service with another TCP port number to the firewall. The default "ssh" service (port 22) stays open until you remove it, which you should do only after the new port is confirmed to work.

ssh_port_number=${the_port_number_you_decide_to_change:-23456}

# add the new SSH port number to the list SELinux allows (-w avoids matching 123456 for 23456) .
[[ $(semanage port -l | grep ssh_port_t | grep -w "${ssh_port_number}" | wc -l) -lt 1 ]] && \
  setenforce 1 && \
  semanage port -a -t ssh_port_t -p tcp "${ssh_port_number}" && \
  setenforce 0

# add SSH with another TCP port number to the firewalld services .
cat /usr/lib/firewalld/services/ssh.xml >/etc/firewalld/services/ssh-port-modified.xml && \
sed -i -e "s@\(short>\).*\(<\/\)@\1SSH via $ssh_port_number\2@" \
 -e "s/port=\".*\"/port=\"$ssh_port_number\"/" /etc/firewalld/services/ssh-port-modified.xml

# accept TCP port number "${ssh_port_number}" on the firewall .
firewall-cmd --add-service=ssh-port-modified --permanent && \
firewall-cmd --reload

Important notice:

Test that you can connect to the server on the new port (from a second terminal) before you log out of the current session.

SSH (sshd) setting .

setting                           default   change to
AddressFamily                     any       inet (v4 only)
Port                              22        the port number you decide to change
PermitRootLogin                   no        without-password
PubkeyAuthentication              yes       yes
PasswordAuthentication            yes       no
PermitEmptyPasswords              no        no
ChallengeResponseAuthentication   yes       no
GSSAPIAuthentication              yes       no
UsePAM                            yes       yes
UseDNS                            yes       no

ssh_port_number=${the_port_number_you_decide_to_change:-23456}
# keep a copy of the default config, rewrite each keyword and keep the old line as a comment,
# validate the result with "sshd -t" before reloading so a typo cannot lock you out .
cat /etc/ssh/sshd_config > /etc/ssh/sshd_config.ofDefault && \
sed -i -e "s/^#\?Port .*/Port ${ssh_port_number}\n#\0/" \
  -e 's/^#\?AddressFamily .*/AddressFamily inet\n#\0/' \
  -e 's/^#\?PermitRootLogin .*/PermitRootLogin without-password\n#\0/' \
  -e 's/^#\?PubkeyAuthentication .*/PubkeyAuthentication yes\n#\0/' \
  -e 's/^#\?PasswordAuthentication .*/PasswordAuthentication no\n#\0/' \
  -e 's/^#\?PermitEmptyPasswords .*/PermitEmptyPasswords no\n#\0/' \
  -e 's/^#\?ChallengeResponseAuthentication .*/ChallengeResponseAuthentication no\n#\0/' \
  -e 's/^#\?GSSAPIAuthentication .*/GSSAPIAuthentication no\n#\0/' \
  -e 's/^#\?UsePAM .*/UsePAM yes\n#\0/' \
  -e 's/^#\?UseDNS .*/UseDNS no\n#\0/' \
  -e 's/^#\+/#/' \
  /etc/ssh/sshd_config && \
  sshd -t && \
  systemctl reload sshd

# systemctl status sshd
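As an added example (not cogman's own code), a small audit that checks an sshd_config against the values the sed above applies. sshd uses the first occurrence of each keyword, so a stray earlier line silently wins over a later one; the constructed sample shows exactly that case. Match blocks are not handled, and sshd_effective, sshd_audit and sample_config are names chosen here.

```shell
# Added example, not cogman's own code: audit an sshd_config against the hardened
# values the README applies. sshd uses the FIRST occurrence of each keyword, so a
# stray early "PasswordAuthentication yes" silently wins over a later "no".
# Match blocks are not handled (their values are conditional, not global).
# Print the effective value of a keyword: first uncommented match, case-insensitive.
sshd_effective() {  # usage: sshd_effective <file> <Keyword>
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == key { print $2; exit }
  ' "$1"
}
# Compare the file with the expected settings; print each mismatch, return 1 if any.
sshd_audit() {  # usage: sshd_audit <file> [<port>]  (port defaults to 23456 as in the README)
  file=$1; port=${2:-23456}; rc=0
  while read -r k want; do
    got=$(sshd_effective "$file" "$k")
    [ -n "$got" ] || got='(default)'
    [ "$got" = "$want" ] || { printf '%s: want %s, got %s\n' "$k" "$want" "$got"; rc=1; }
  done <<EOF
Port $port
AddressFamily inet
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
UsePAM yes
UseDNS no
EOF
  return $rc
}
# Constructed sample: looks hardened at a glance, but the early line re-enables passwords.
sample_config() {
  cat <<'EOF'
# constructed sshd_config for this example
Port 23456
AddressFamily inet
PasswordAuthentication yes
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
UsePAM yes
UseDNS no
EOF
}
```

Run it against the live file with `sshd_audit /etc/ssh/sshd_config "$ssh_port_number"` after the sed step; on a real host, `sshd -T` reports the same effective values including Match blocks.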

Generate an SSH key pair. The passphrase is echoed to the terminal, so it lands in your scrollback; copy the private key to your client over the existing session and delete it from the server once the new login works.

[[ -d ~/.ssh ]] || mkdir -p ~/.ssh
# variable (mkpasswd here is the one from the "expect" package)
ssh_passphrase=${set_password_that_have_enough_strength:-$(mkpasswd -l 14 -d 2 -s 2)}
echo -e "remember that, the passphrase is \"${ssh_passphrase}\" ."
# the key type must be lowercase "ed25519"; quote the passphrase in case it contains spaces
ssh-keygen -t ed25519 -N "${ssh_passphrase}" -C "${HOSTNAME}.ssh.key" -f ~/.ssh/${HOSTNAME}.ssh.key && \
  cat ~/.ssh/${HOSTNAME}.ssh.key.pub >> ~/.ssh/authorized_keys && \
  mv ~/.ssh/${HOSTNAME}.ssh.key ~/.ssh/${HOSTNAME}.private.key && \
  mv ~/.ssh/${HOSTNAME}.ssh.key.pub ~/.ssh/${HOSTNAME}.public.key && \
  chmod 700 ~/.ssh && \
  chmod 600 ~/.ssh/authorized_keys && \
  chmod 400 ~/.ssh/*.key

Install Slackbot (Hubot Slack adapter).

Prerequisites

  • Redis installed and running.
  • Node.js and npm installed.

See this.

Server startup/shutdown notification.

You can receive notifications of server startup, shutdown and similar events.

  • using IFTTT.

Create an IFTTT applet like the one below.

IF This: the webhook named "${some_event_you_gazing}" fires. Then That: send an email message from "Webhooks via IFTTT" to you.

Note: create one "send email" endpoint per event you want to be notified about. See the IFTTT webhook documentation for more information.

curl -X POST "https://maker.ifttt.com/trigger/${event_name}/with/key/${key_of_ifttt_webhook_api}" \
  -H "Content-Type: application/json" -d \
  "{\"value1\":\"${platform}\",\"value2\":\"${project}\",\"value3\":\"${instance}\"}"
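As an added example (not cogman's own code), the same webhook call wrapped in functions that build the JSON body safely and fail closed when the key is missing. json_escape, ifttt_payload and ifttt_notify are names chosen here; value1..value3 carry platform, project and instance exactly as the curl call above does.

```shell
# Added example, not cogman's own code: build the IFTTT Webhooks body safely and send it.
# Escape backslashes and double quotes for a JSON string; refuse control characters
# (newlines, tabs) rather than emit a body IFTTT may reject or misparse.
json_escape() {  # usage: json_escape <string>
  case $1 in *[[:cntrl:]]*) return 1 ;; esac
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Compose {"value1":...,"value2":...,"value3":...}; fails if any value is unsafe.
ifttt_payload() {  # usage: ifttt_payload <platform> <project> <instance>
  v1=$(json_escape "$1") && v2=$(json_escape "$2") && v3=$(json_escape "$3") || return 1
  printf '{"value1":"%s","value2":"%s","value3":"%s"}' "$v1" "$v2" "$v3"
}

# POST the event. Fails closed when the key is empty; the key appears only in the URL
# IFTTT requires and is never written to output. -f turns HTTP errors into a non-zero exit.
ifttt_notify() {  # usage: ifttt_notify <event> <key> <platform> <project> <instance>
  [ -n "$2" ] || { echo 'IFTTT webhook key is not set' >&2; return 2; }
  body=$(ifttt_payload "$3" "$4" "$5") || { echo 'unsafe value in payload' >&2; return 3; }
  curl -fsS --max-time 10 -X POST \
    "https://maker.ifttt.com/trigger/$1/with/key/$2" \
    -H 'Content-Type: application/json' -d "$body"
}
```

Called from the TL;DR variables this becomes `ifttt_notify "$eventName" "$ifttt_api_key" "$platform" "$project" "$instance"`.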

License

Code is under MIT License.
