Slightly tweaked server setup, shamelessly copied from the Eric

server_setup.sh

#!/usr/bin/env bash

###
# Run this script as root
###

# Setup variables for this script
echo "Settings for this machine--"
[ -z "$HOSTNAME" ] && read -p 'Hostname: '    HOSTNAME
[ -z "$LOCALE" ]   && read -p 'Locale [en]: ' LOCALE
[ -z "$LOCALE" ]   && LOCALE=en
[ -z "$TIMEZONE" ] && read -p 'Timezone [US/Central]: ' TIMEZONE
[ -z "$TIMEZONE" ] && TIMEZONE='US/Central'

echo "Settings for first user--"
[ -z "$USER" ]        && read -p 'Username: ' USER
[ -z "$USER_EMAIL" ]  && read -p 'User email: ' USER_EMAIL
[ -z "$GITHUB_USER" ] && read -p 'Github Username [$USER]: ' GITHUB_USER
[ -z "$GITHUB_USER" ] && GITHUB_USER=$USER
[ -z "$SSH_PUBLIC_KEY" ] && read -p 'SSH Public Key [pull all user keys from github]: ' SSH_PUBLIC_KEY
[ -z "$SSH_PUBLIC_KEY" ] && SSH_PUBLIC_KEY=$(curl https://github.com/$GITHUB_USER.keys)

# Set a hostname
echo "$HOSTNAME" > /etc/hostname
hostname -F /etc/hostname

# Set the locale
locale-gen $LOCALE

# Set the timezone
echo "$TIMEZONE" > /etc/timezone
dpkg-reconfigure -f noninteractive tzdata

# Create an admin group
/usr/sbin/groupadd admin

# Add the admin group to the sudoers list (with no password)
sed 's/admin ALL=(ALL) ALL/admin  ALL=(ALL) NOPASSWD:ALL/g' /etc/sudoers > /tmp/sudoers.new
mv /tmp/sudoers.new /etc/sudoers && chmod 440 /etc/sudoers

# Create my admin user
/usr/sbin/useradd -m -G admin -s /bin/bash -d /home/$USER $USER

# Setup $USER for ssh access
su $USER -c "mkdir ~/.ssh"
su $USER -c "echo $SSH_PUBLIC_KEY >> ~/.ssh/authorized_keys"
su $USER -c "chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys"

# Disable root login via SSH (now would be a good time to test your new user if running this script interactively)
sed 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config > /tmp/sshd_config.new
mv /tmp/sshd_config.new /etc/ssh/sshd_config && chmod 644 /etc/ssh/sshd_config
service ssh restart

# Update package cache and upgrade packages
DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get upgrade -y -q -o Dpkg::Options::="--force-confold"

# Install fail2ban (prevent repeated logins)
apt-get install -y fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sed -i '/\[ssh-ddos\]/,+2 s/enabled  = false/enabled  = true/g' /etc/fail2ban/jail.local
service fail2ban restart

# Setup firewall
cat << 'EOF' > /etc/iptables.firewall.rules
*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow ports for MOSH (mobile shell)
-A INPUT -p udp --dport 60000:61000 -j ACCEPT

#  Allow SSH connections
#  The -dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 2222 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
EOF
iptables-restore < /etc/iptables.firewall.rules
echo '#!/bin/sh' > /etc/network/if-pre-up.d/firewall
echo '/sbin/iptables-restore < /etc/iptables.firewall.rules' >> /etc/network/if-pre-up.d/firewall
chmod +x /etc/network/if-pre-up.d/firewall

# Email me on sudo
echo "Defaults    mail_always" > /etc/sudoers.d/my_sudoers
echo "Defaults    mailto='$USER_EMAIL'" >> /etc/sudoers.d/my_sudoers
chmod 440 /etc/sudoers.d/my_sudoers

# Reboot server when out of memory
echo -e "vm.panic_on_oom=1\nkernel.panic=10" >> /etc/sysctl.conf

# Install essentials
apt-get install -y build-essential python-software-properties software-properties-common zsh curl netcat git htop ack-grep tmux vim-nox exuberant-ctags

# Install databases (removed mysql and redis)
add-apt-repository -y ppa:pitti/postgresql && apt-get update
apt-get install -y sqlite3 libpq-dev postgresql-9.2 postgresql-contrib-9.2 memcached

# Install ruby and related development libraries needed for gems
apt-add-repository -y ppa:brightbox/ruby-ng && apt-get update
apt-get install -y ruby1.9.3 rubygems ruby-switch imagemagick libxslt-dev libxml2-dev libssl-dev libsqlite3-dev
ruby-switch --set ruby1.9.1
gem install rake bundler rails tmuxinator --no-rdoc --no-ri

# Install Heroku Toolbelt
echo "deb http://toolbelt.heroku.com/ubuntu ./" > /etc/apt/sources.list.d/heroku.list
wget -O- https://toolbelt.heroku.com/apt/release.key | apt-key add -
apt-get update
apt-get install -y heroku-toolbelt

# Install NodeJS
add-apt-repository -y ppa:chris-lea/node.js && apt-get update
apt-get install -y nodejs npm nodejs-dev

# Divert ack to ack-grep
dpkg-divert --local --divert /usr/bin/ack --rename --add /usr/bin/ack-grep

# Setup postgresql roles & relax security permissions
su postgres -c "createuser -s $USER"
sed -i 's/peer$/trust/g' /etc/postgresql/9.2/main/pg_hba.conf
sed -i 's/md5$/trust/g' /etc/postgresql/9.2/main/pg_hba.conf
service postgresql restart

# Setup user and install dotfiles
su $USER -c "mv ~/.bashrc ~/.bashrc.bak"
su $USER -c "git clone git://github.com/ericboehs/dotfiles.git ~/.dotfiles"
su $USER -c "cd ~/.dotfiles && git submodule update --init && rake install && cd vim && rake"
su $USER -c "echo 'export GITHUB_USER=$GITHUB_USER' >> ~/.zsh/config.private"

# Change default shell to zsh
chsh -s /bin/zsh $USER

# Manually download code repositories