Skip to content

Instantly share code, notes, and snippets.

@dimorphic

dimorphic/server_bootstrap.sh

Forked from kidGodzilla/server_bootstrap.sh
Created April 5, 2024 21:23
Show Gist options
  • Save dimorphic/d4ee755cd81aa40e2bad91e22316d61e to your computer and use it in GitHub Desktop.
Save dimorphic/d4ee755cd81aa40e2bad91e22316d61e to your computer and use it in GitHub Desktop.
Download ZIP
Raw
server_bootstrap.sh
#!/bin/bash
set -e
######################################################################
# This Bootstrap Script installs Dokku latest on Ubuntu (use LTS or latest)
#
# This script also installs UFW (firewall), some basic Dokku plugins, and
# raises ulimits. Comment out any step you wish to skip.
#
# IMPORTANT: This script also disables password authentication via SSH for
# subsequent logins (a recommended hardening step). Don't forget to add your SSK
# key to your server before logging out!
######################################################################
# See Comments in the related GitHub Gist below for installation instructions
######################################################################
# DOKKU_TAG=v0.32.4
# Ensure we are running as root
check_root() {
if [ "$USER" != "root" ]; then
echo "Permission Denied"
echo "Can only be run by root"
exit
fi
}
# Create a keys file if one does not already exist
create-keys-file() {
mkdir -p ~/.ssh
touch ~/.ssh/authorized_keys
}
# Update apps
apt-get-update() {
sudo apt-get update
}
# Set up automatic updates
automatic-updates() {
# Ubuntu
sudo apt install unattended-upgrades apt-listchanges bsd-mailx -y
# sudo dpkg-reconfigure -plow unattended-upgrades -y
sudo DEBIAN_FRONTEND=noninteractive dpkg-reconfigure --priority=low unattended-upgrades
echo 'Unattended-Upgrade::Automatic-Reboot "true";' >> /etc/apt/apt.conf.d/50unattended-upgrades
sudo unattended-upgrades --dry-run
}
raise-ulimits() {
if ! grep -q "fs.file-max = 65535" "/etc/sysctl.conf"; then
echo "fs.file-max = 65535" >> /etc/sysctl.conf
echo "fs.nr_open = 65535" >> /etc/sysctl.conf
echo "session required pam_limits.so" >> /etc/pam.d/common-session
echo "* soft nproc 65535" >> su
echo "* hard nproc 65535" >> /etc/security/limits.conf
echo "* soft nofile 65535" >> /etc/security/limits.conf
echo "* hard nofile 65535" >> /etc/security/limits.conf
echo "root soft nproc 65535" >> /etc/security/limits.conf
echo "root hard nproc 65535" >> /etc/security/limits.conf
echo "root soft nofile 65535" >> /etc/security/limits.conf
echo "root hard nofile 65535" >> /etc/security/limits.conf
echo "* soft nproc 65535" >> /etc/security/limits.conf
echo "* hard nproc 65535" >> /etc/security/limits.conf
echo "* soft nofile 65535" >> /etc/security/limits.conf
echo "* hard nofile 65535" >> /etc/security/limits.conf
echo "root soft nproc 65535" >> /etc/security/limits.conf
echo "root hard nproc 65535" >> /etc/security/limits.conf
echo "root soft nofile 65535" >> /etc/security/limits.conf
echo "root hard nofile 65535" >> /etc/security/limits.conf
u
ulimit -n 65535
fi
}
# Disable password-based SSH authentication
disable-password-authentication() {
# Disable password authentication
sudo grep -q "ChallengeResponseAuthentication" /etc/ssh/sshd_config && sed -i "/^[^#]*ChallengeResponseAuthentication[[:space:]]yes.*/c\ChallengeResponseAuthentication no" /etc/ssh/sshd_config || echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config
sudo grep -q "^[^#]*PasswordAuthentication" /etc/ssh/sshd_config && sed -i "/^[^#]*PasswordAuthentication[[:space:]]yes/c\PasswordAuthentication no" /etc/ssh/sshd_config || echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
/etc/init.d/ssh reload
}
# Get Dokku if not already installed
install-dokku() {
if ! command -v dokku &> /dev/null
then
wget https://dokku.com/bootstrap.sh;
sudo bash bootstrap.sh
fi
}
# Check that dokku is installed on the server
ensure-dokku() {
if ! command -v dokku &> /dev/null
then
echo "dokku is not installed"
exit
fi
}
# Install UFW
install-firewall() {
apt-get install ufw
ufw enable && sudo ufw allow www && sudo ufw allow https
(yes | sudo ufw allow ssh)
sudo ufw status
}
# Install Fail2Ban
install-fail2ban() {
sudo apt-get install fail2ban -y
cd /etc/fail2ban/
wget https://gist.githubusercontent.com/petarGitNik/e24f9bfda6e1277640e376f8a2ecfaef/raw/a58d7983260e73a45668c2774e16122ccf4fc5f4/http-get-dos.conf
wget https://gist.githubusercontent.com/petarGitNik/e24f9bfda6e1277640e376f8a2ecfaef/raw/a58d7983260e73a45668c2774e16122ccf4fc5f4/http-post-dos.conf
wget https://gist.githubusercontent.com/petarGitNik/e24f9bfda6e1277640e376f8a2ecfaef/raw/a58d7983260e73a45668c2774e16122ccf4fc5f4/jail.local
cd ~
if command -v fail2ban &> /dev/null
then
sudo systemctl restart fail2ban
# sudo fail2ban-client status
fi
}
# Make directories for db import/export
make-dirs() {
cd ~
if [ ! -d "$HOME/dumps" ]; then
mkdir dumps
cd dumps
mkdir postgres
mkdir mysql
mkdir redis
mkdir mongo
cd ~
fi
}
# Check if dokku redis plugin is installed and otherwise install it
install-redis() {
if sudo dokku plugin:installed redis; then
echo "=> Redis plugin already installed skipping"
else
echo "=> Installing redis plugin"
sudo dokku plugin:install https://github.com/dokku/dokku-redis.git redis
fi
}
# Check if dokku postgres plugin is installed and otherwise install it
install-postgres() {
if sudo dokku plugin:installed postgres; then
echo "=> Postgres plugin already installed skipping"
else
echo "=> Installing postgres plugin"
sudo dokku plugin:install https://github.com/dokku/dokku-postgres.git postgres
fi
}
# Check if dokku MySQL plugin is installed and otherwise install it
install-mysql() {
if sudo dokku plugin:installed mysql; then
echo "=> Postgres plugin already installed skipping"
else
echo "=> Installing mysql plugin"
sudo dokku plugin:install https://github.com/dokku/dokku-mysql.git mysql
fi
}
# Check if dokku mongo plugin is installed and otherwise install it
install-mongo() {
if sudo dokku plugin:installed mongo; then
echo "=> Postgres plugin already installed skipping"
else
echo "=> Installing mongo plugin"
sudo dokku plugin:install https://github.com/dokku/dokku-mongo.git mongo
fi
}
# Check if dokku memcached plugin is installed and otherwise install it
install-memcached() {
if sudo dokku plugin:installed memcached; then
echo "=> Memcached plugin already installed skipping"
else
echo "=> Installing memcached plugin"
sudo dokku plugin:install https://github.com/dokku/dokku-memcached.git memcached
fi
}
# Check if dokku clickhouse plugin is installed and otherwise install it
install-clickhouse() {
if sudo dokku plugin:installed clickhouse; then
echo "=> Clickhouse plugin already installed skipping"
else
echo "=> Installing clickhouse plugin"
sudo dokku plugin:install https://github.com/dokku/dokku-clickhouse.git clickhouse
fi
}
# Install Letsencrypt plugin
install-letsencrypt() {
if [ ! -d "/var/lib/dokku/plugins/available/letsencrypt" ]; then
sudo dokku plugin:install https://github.com/dokku/dokku-letsencrypt.git
dokku letsencrypt:cron-job --add
fi
}
# Install custom dokku limited users plugin
install-limited-users() {
if [ ! -d "/var/lib/dokku/plugins/available/limited-users" ]; then
sudo dokku plugin:install https://github.com/kidGodzilla/dokku-limited-users.git
fi
}
main() {
check_root
# Get user ip and export to environment variable
DOKKU_SSH_HOST=$(curl ifconfig.co)
SERVER_IP=$(curl ipinfo.io/ip)
# Basics
apt-get-update
install-firewall
# Add access key
create-keys-file
# Hardening
disable-password-authentication
# Install Dokku
install-dokku
make-dirs
# Ensure dokku was installed
ensure-dokku
# dokku databases & plugins
install-redis
install-postgres
install-mysql
install-mongo
install-letsencrypt
install-limited-users
install-clickhouse
install-memcached
# Additional Configuration
automatic-updates
raise-ulimits
# install-fail2ban
}
main
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment