A CentOS 7 security-basics checklist: a base hardening script (firewalld, nightly security updates, a non-root admin with key-only SSH on a non-default port, root locked), plus setup scripts for nginx and PostgreSQL 9.5.
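#!/usr/bin/bash
# Install nginx from the vendor repository, open HTTP/HTTPS in firewalld,
# size the worker pool to the CPU count and start the service.
# Run as root after the base hardening script (assumes wget and firewalld).
set -euo pipefail

readonly NGINX_NPROC="$(nproc)"
readonly NGINX_RPMREPO=https://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

# Only a plain integer may be interpolated into the sed expression below.
[[ "$NGINX_NPROC" =~ ^[0-9]+$ ]] || die "nproc returned '${NGINX_NPROC}'"

# Fetch the repo-release RPM into a private temp dir rather than the cwd, and
# fail loudly if the download does not succeed (the original handed whatever
# wget left behind - possibly an empty file - straight to yum).
tmpdir="$(mktemp -d)" || die "mktemp failed"
trap 'rm -rf -- "$tmpdir"' EXIT
wget -qO "${tmpdir}/nginx-release.rpm" "$NGINX_RPMREPO" || die "download of ${NGINX_RPMREPO} failed"
[[ -s "${tmpdir}/nginx-release.rpm" ]] || die "downloaded release RPM is empty"

# NOTE(review): yum does not GPG-check a local RPM file unless
# localpkg_gpgcheck=1 is set and the vendor signing key has been imported;
# HTTPS protects the transport only. Import nginx's signing key and enable
# that check if this host's package trust matters. The repo definition this
# package installs should carry gpgcheck=1 for the nginx package itself -
# confirm in /etc/yum.repos.d/nginx.repo before trusting it.
yum install -y "${tmpdir}/nginx-release.rpm" > /dev/null || die "release RPM install failed"
yum install -y nginx > /dev/null || die "nginx install failed"

# Expose the web ports both permanently and in the running configuration.
firewall-cmd --permanent --add-service=http > /dev/null
firewall-cmd --permanent --add-service=https > /dev/null
firewall-cmd --reload > /dev/null
firewall-cmd --list-all

# One worker per CPU. Only a line that BEGINS with the directive is rewritten
# (the stock file has "worker_processes  1;"); the original matched any line
# containing the word, including comments.
sed -i -E "s/^worker_processes[[:space:]]+[^;]*;/worker_processes ${NGINX_NPROC};/" /etc/nginx/nginx.conf

# Refuse to start on a config nginx itself rejects.
nginx -t || die "nginx configuration failed validation"
systemctl start nginx.service > /dev/null
systemctl enable nginx.service > /dev/null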
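#!/usr/bin/bash
# CentOS 7 base hardening: system update, firewalld, nightly security updates,
# a non-root admin with key-only SSH on a non-default port, root locked.
#
# IMPORTANT:
# THIS SCRIPT WILL HAPPILY LOCK YOU OUT OF YOUR SERVER IF YOU DON'T KNOW WHAT YOU'RE DOING!
# Keep an out-of-band console (serial/VNC/cloud console) open until you have
# confirmed a fresh key-based login on the new port works.
#
# Required in /root/cc_conf (sourced below):
#   ADMIN_USER  name of the administrator account to create
#   ADMIN_PASS  its initial password (expired immediately; sudo via wheel needs it)
#   ADMIN_KURL  https:// URL of the admin's SSH public key(s), authorized_keys format
#
# Ordering matters: the admin account and its key are created and validated
# BEFORE sshd is reconfigured, the old SSH port is closed, or root is locked,
# so a failed download or a bad key aborts instead of locking you out.
#
# TODO:
#  - add fail2ban or other IP blacklist program
#  - add anti DoS firewall rules
#  - add Snort or other system validation suite
set -euo pipefail

readonly SSH_PORT=12222
readonly CONF_FILE=/root/cc_conf
readonly SSHD_CONF=/etc/ssh/sshd_config

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

#--- configuration -----------------------------------------------------------
# The config is sourced as shell and therefore executed as root: it must be
# root-owned and not group/world-writable, or whoever can edit it owns the box.
[[ -r "$CONF_FILE" ]] || die "missing config ${CONF_FILE}"
conf_mode="$(stat -c '%a' "$CONF_FILE")"
[[ "$(stat -c '%U' "$CONF_FILE")" == root && "$conf_mode" =~ ^[0-7]?[0-7][0145][0145]$ ]] \
  || die "${CONF_FILE} must be owned by root and not group/world-writable (mode ${conf_mode})"
# shellcheck source=/dev/null
. "$CONF_FILE"
: "${ADMIN_USER:?ADMIN_USER must be set in ${CONF_FILE}}"
: "${ADMIN_PASS:?ADMIN_PASS must be set in ${CONF_FILE}}"
: "${ADMIN_KURL:?ADMIN_KURL must be set in ${CONF_FILE}}"
# Only a plain account name may reach adduser/usermod/chage and the paths below.
[[ "$ADMIN_USER" =~ ^[a-z_][a-z0-9_-]*$ ]] || die "ADMIN_USER '${ADMIN_USER}' is not a valid account name"
# Enforce the HTTPS-only rule instead of merely asking for it in a comment.
[[ "$ADMIN_KURL" == https://* ]] || die "ADMIN_KURL must be an https:// URL"

#--- updates -----------------------------------------------------------------
echo "Updating system..."
yum install -y epel-release > /dev/null 2>&1
yum update -y > /dev/null 2>&1

#--- firewall ----------------------------------------------------------------
# policycoreutils-python provides semanage, needed to let sshd bind the new
# port under SELinux enforcing (see the sshd section).
echo "Installing firewalld..."
yum install -y wget firewalld policycoreutils-python > /dev/null 2>&1
# Output silenced because the original author found these chatty; the exit
# status still aborts the script under set -e.
systemctl start firewalld > /dev/null 2>&1
systemctl enable firewalld > /dev/null 2>&1
# Removing a service that is not enabled is harmless; do not let it abort.
firewall-cmd --permanent --remove-service=dhcpv6-client > /dev/null 2>&1 || true
# Open the new SSH port now; the stock ssh service (22) is only removed at the
# very end, once sshd is confirmed listening on the new port.
firewall-cmd --permanent --add-port="${SSH_PORT}/tcp" > /dev/null 2>&1
firewall-cmd --reload > /dev/null 2>&1

#--- nightly security updates ------------------------------------------------
echo "Installing yum-cron..."
yum install -y yum-cron > /dev/null
# Anchored so only the directive line is rewritten, not commentary mentioning it.
sed -i '/^update_cmd/c\update_cmd = security' /etc/yum/yum-cron.conf
sed -i '/^apply_updates/c\apply_updates = yes' /etc/yum/yum-cron.conf
systemctl start yum-cron
systemctl enable yum-cron

#--- message of the day ------------------------------------------------------
# A unique, recognizable, bitterly nihilistic message of the day.
printf "===============================================================================\n\
As you can see, all of our customers have taken refuge. It may be my undoing,\n\
but I'm the sort of fellow who'll stay at his business through thick and thin.\n\
And I continue standing here at the counter hoping one of my favorite customers\n\
will appear... And I wasn't wrong. See? You stopped in.\n\
===============================================================================\n" > /etc/motd

#--- skeleton for new users --------------------------------------------------
# -p so a re-run does not abort on an existing directory.
mkdir -p /etc/skel/.ssh /etc/skel/www/public
touch /etc/skel/.ssh/authorized_keys
chmod 700 /etc/skel/.ssh
chmod 600 /etc/skel/.ssh/authorized_keys

#--- administrator account ---------------------------------------------------
echo "Creating admin user..."
adduser "$ADMIN_USER"
# echo/printf are builtins, so the password never appears in a process list.
printf '%s\n' "$ADMIN_PASS" | passwd --stdin "$ADMIN_USER" > /dev/null
chage -d 0 "$ADMIN_USER" > /dev/null   # force a password change at first login
usermod -a -G wheel "$ADMIN_USER"

# Fetch the public key into a temp file and validate it BEFORE anything that
# could cut off access. A spoofed or compromised key server gains an
# authorized key on this host (and learns an IP worth attacking), which is why
# only https:// is accepted; compare the fetched key against a fingerprint you
# trust before relying on it.
admin_home="$(getent passwd "$ADMIN_USER" | cut -d: -f6)"
admin_group="$(id -gn "$ADMIN_USER")"
[[ -d "$admin_home" ]] || die "home directory for ${ADMIN_USER} not found"
key_tmp="$(mktemp)" || die "mktemp failed"
trap 'rm -f -- "$key_tmp"' EXIT
wget -qO "$key_tmp" "$ADMIN_KURL" || die "could not download ${ADMIN_KURL}"
# At least one line must look like an OpenSSH public key; an empty body or an
# HTML error page would otherwise leave a server nobody can log in to.
grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) ' "$key_tmp" \
  || die "no OpenSSH public key found in ${ADMIN_KURL}"
install -d -m 700 -o "$ADMIN_USER" -g "$admin_group" "${admin_home}/.ssh"
install -m 600 -o "$ADMIN_USER" -g "$admin_group" "$key_tmp" "${admin_home}/.ssh/authorized_keys"

#--- sshd policy -------------------------------------------------------------
echo "Updating SSH policy..."
cp -p "$SSHD_CONF" "${SSHD_CONF}.pre-hardening"
sed -i -E "s/^#?PasswordAuthentication .+$/PasswordAuthentication no/" "$SSHD_CONF"
sed -i -E "s/^#?ChallengeResponseAuthentication .+$/ChallengeResponseAuthentication no/" "$SSHD_CONF"
sed -i -E "s/^#?PermitRootLogin .+$/PermitRootLogin no/" "$SSHD_CONF"
sed -i -E "s/^#?Port .+$/Port ${SSH_PORT}/" "$SSHD_CONF"
# Under SELinux enforcing, sshd may only bind ports labelled ssh_port_t;
# without the label the restart below fails and the box becomes unreachable.
if command -v semanage > /dev/null 2>&1 && [[ "$(getenforce 2>/dev/null)" == Enforcing ]]; then
  semanage port -a -t ssh_port_t -p tcp "$SSH_PORT" 2>/dev/null \
    || semanage port -m -t ssh_port_t -p tcp "$SSH_PORT"
fi
# Refuse to restart on a config sshd itself rejects.
sshd -t || die "sshd_config failed validation; restore from ${SSHD_CONF}.pre-hardening"
systemctl restart sshd.service
# Confirm the daemon really listens on the new port before closing the old one.
ss -ltn | grep -q ":${SSH_PORT}[[:space:]]" || die "sshd is not listening on ${SSH_PORT}"
firewall-cmd --permanent --remove-service=ssh > /dev/null 2>&1 || true
firewall-cmd --reload > /dev/null 2>&1
# This one is good to know, though.
firewall-cmd --list-all

#--- root --------------------------------------------------------------------
# Lock root's password last, once a working admin path exists. Recovering from
# a lost admin key afterwards requires console or single-user access.
passwd -l root > /dev/null

# Echo this so you can log in and change the password.
echo "Created admin user..."
echo "Username: $ADMIN_USER"
echo "SSH: port ${SSH_PORT}, key-only. Test a NEW login before closing this session."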
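#!/usr/bin/bash
# Install PostgreSQL 9.5 from the PGDG repository and start a local cluster.
# Run as root after the base hardening script (assumes wget and firewalld).
set -euo pipefail

readonly PGSQL_RPMREPO=https://download.postgresql.org/pub/repos/yum/9.5/redhat/rhel-7-x86_64/pgdg-centos95-9.5-3.noarch.rpm
readonly PG_BIN=/usr/pgsql-9.5/bin
readonly PG_DATA=/var/lib/pgsql/9.5/data   # default PGDATA for this package - confirm if customised

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

# Fetch the repo-release RPM into a private temp dir rather than the cwd, and
# fail loudly if the download does not succeed (the original handed whatever
# wget left behind - possibly an empty file - straight to yum).
tmpdir="$(mktemp -d)" || die "mktemp failed"
trap 'rm -rf -- "$tmpdir"' EXIT
wget -qO "${tmpdir}/pgdg.rpm" "$PGSQL_RPMREPO" || die "download of ${PGSQL_RPMREPO} failed"
[[ -s "${tmpdir}/pgdg.rpm" ]] || die "downloaded release RPM is empty"

# NOTE(review): yum does not GPG-check a local RPM file unless
# localpkg_gpgcheck=1 is set and the PGDG signing key has been imported;
# HTTPS protects the transport only. The repo definition this package installs
# should carry gpgcheck=1 for the PostgreSQL packages themselves - confirm in
# /etc/yum.repos.d/ before trusting it.
yum install -y "${tmpdir}/pgdg.rpm" > /dev/null || die "release RPM install failed"
yum install -y postgresql95-server postgresql95-contrib > /dev/null || die "PostgreSQL install failed"

# initdb refuses to run on a non-empty data directory, so guard re-runs.
if [[ ! -f "${PG_DATA}/PG_VERSION" ]]; then
  "${PG_BIN}/postgresql95-setup" initdb
fi

# If tiering your system, you should
#  - change listen_addresses (default is localhost only)
#  - change port
#  - change authentication methods in pg_hba.conf (the initdb defaults use
#    peer/ident for local connections; switch to md5 only after setting a
#    strong password on the postgres DB role)
systemctl start postgresql-9.5.service
systemctl enable postgresql-9.5.service

# If allowing remote connections, open the port in the firewall - but only
# after pg_hba.conf restricts who may connect and with what method:
#firewall-cmd --permanent --zone=public --add-port=5432/tcp
#firewall-cmd --reload

# Protect the postgres OS account: leave it without a password (the package
# default) and administer via "sudo -u postgres psql" from the wheel account.
# Create any databases you need.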