@o0-o
Last active January 6, 2020 00:43
[Onboard a Raspberry Pi] WIP
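#!/usr/bin/env bash
# Raspberry Pi onboarding / hardening steps (WIP).
#
# The three mail settings below may be filled in here or exported in the
# environment before running; an exported value takes precedence over blank.

# Strict mode first, deliberately without xtrace: the assignments that follow
# carry the SMTP password, and `set -x` would echo the expanded value to stderr
# (and into any captured log or terminal scrollback).
set -euo pipefail

# Account used to authenticate against the SMTP smarthost.
declare EMAIL="${EMAIL:-}"
# Password for that account. Prefer exporting it over saving it in this file.
declare SMTP_PW="${SMTP_PW:-}"
# Address that receives the alerts mailed to root.
declare RECIPIENT="${RECIPIENT:-}"

# Trace every command from here on. Any later command that expands SMTP_PW has
# to switch tracing off around itself for the same reason as above.
set -x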
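################################################################################
### LOCALIZATION ###############################################################
################################################################################

### SET LOCALE TO US ENGLISH
# Keep one pristine copy of the distro default. The copy is skipped when the
# backup already exists, so a re-run cannot replace the original with an
# already-edited file.
if [[ ! -e /etc/.locale.gen.default~ ]]; then
  sudo cp -a /etc/locale.gen /etc/.locale.gen.default~
fi

# First comment out every active locale, then re-enable only the en_US.UTF-8
# line(s). Running this twice gives the same result.
sudo sed -i \
  -e '/^#/! s/^/# /' \
  -e '/.*en_US\.UTF-8.*/ s/^#[[:space:]]*//' \
  /etc/locale.gen
sudo locale-gen

# LANG gets a value; LANGUAGE is passed as a bare name, which asks
# update-locale to drop that variable from the locale file.
sudo update-locale LANG=en_US.UTF-8 LANGUAGE

### SET KEYBOARD LAYOUT TO US
if [[ ! -e /etc/default/.keyboard.default~ ]]; then
  sudo cp -a /etc/default/keyboard /etc/default/.keyboard.default~
fi
sudo sed -i '/^XKBLAYOUT/ s/=.*/="us"/' /etc/default/keyboard

### SET TIMEZONE TO EASTERN TIME
sudo timedatectl set-timezone America/New_York

#reboot here if you need these changes to take effect (not running this as a script)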
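################################################################################
### HOST NAME ##################################################################
################################################################################

# Capture the FQDN once, before /etc/hosts is edited, so the hostname that is
# set and the entry written to /etc/hosts cannot drift apart.
host_fqdn=$(hostname -f)

# ensure systemd uses fqdn
sudo hostnamectl set-hostname "${host_fqdn}"

host_short=$(hostname -s)
# The short name is interpolated into a sed pattern below. Accept only hostname
# characters so it can neither act as a regex nor alter the sed command.
if [[ ! ${host_short} =~ ^[A-Za-z0-9-]+$ ]]; then
  printf 'error: unexpected short hostname: %s\n' "${host_short}" >&2
  exit 1
fi

# register short hostname and FQDN in /etc/hosts
# Keep the first backup only; a re-run must not overwrite the pristine copy.
if [[ ! -e /etc/.hosts.default~ ]]; then
  sudo cp -a /etc/hosts /etc/.hosts.default~
fi

# remove old entries
# Match the short name (optionally followed by a domain) as a whole
# whitespace-delimited field. A bare substring match would also delete
# unrelated lines, e.g. a host called "local" would remove the localhost entry.
sudo sed -i -E \
  "/(^|[[:space:]])${host_short}(\.[^[:space:]]*)?([[:space:]]|\$)/d" \
  /etc/hosts

# Looked up after the old entries are gone, as in the original ordering.
# `hostname -i` can print several addresses or none; take the first
# well-formed IPv4 address and refuse to write a malformed hosts line.
host_ip=$(hostname -i | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | head -n 1) || true
if [[ -z ${host_ip} ]]; then
  printf 'error: no IPv4 address found for %s; /etc/hosts has no entry for it now (backup: /etc/.hosts.default~)\n' \
    "${host_fqdn}" >&2
  exit 1
fi

# Values go in as printf arguments, never as part of the format string.
printf '\n%s\t%s %s\n' "${host_ip}" "${host_fqdn}" "${host_short}" |
  sudo tee -a /etc/hosts >/dev/null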
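################################################################################
### PACKAGE MANAGER ############################################################
################################################################################

# Suppress interactive debconf prompts.
# NOTE(review): sudo commonly resets the environment (env_reset), in which case
# this export never reaches apt-get; confirm, or pass the variable through sudo.
export DEBIAN_FRONTEND=noninteractive
sudo apt-get -q update
sudo apt-get -yq install unattended-upgrades apt-listchanges

# Edit 50unattended-upgrades in place:
#  * inside the Origins-Pattern block, rewrite origin=... on non-comment lines
#    to origin=${distro_id} (literal text; the single quotes stop the shell
#    from expanding it) and insert an "o=*"; entry before every blank line;
#  * uncomment and set Mail, Automatic-Reboot and Automatic-Reboot-Time.
#
# "o=*" matches every origin, so packages from any configured APT source,
# third-party repositories included, become eligible for unattended upgrades.
# Re-running adds the entry again.
#
# The option name must be followed by whitespace. Without that, the
# Automatic-Reboot rule also rewrote the Automatic-Reboot-Time line (and any
# other option sharing the prefix), so the 02:00 rule never matched; the Mail
# rule had the same prefix problem.
sudo sed -i ' /Unattended-Upgrade::Origins-Pattern {/,/};/ {
/^\/\//! s/\(origin=\).*\(,codename\)/\1${distro_id}\2/
/^[[:space:]]*$/ i\
\t"o=*";
}
s/^\/\/[[:space:]]*\(Unattended-Upgrade::Mail\)[[:space:]][[:space:]]*.*/\1 "root";/
s/^\/\/[[:space:]]*\(Unattended-Upgrade::Automatic-Reboot\)[[:space:]][[:space:]]*.*/\1 "true";/
s/^\/\/[[:space:]]*\(Unattended-Upgrade::Automatic-Reboot-Time\)[[:space:]][[:space:]]*.*/\1 "02:00";/' \
  /etc/apt/apt.conf.d/50unattended-upgrades

# Replace 20periodic in one write (same five lines as before).
# NOTE(review): APT::Periodic::Unattended-Upgrade is not set here; confirm that
# another file (e.g. 20auto-upgrades) enables the periodic upgrade run.
sudo tee /etc/apt/apt.conf.d/20periodic >/dev/null <<'EOF'
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "21";
APT::Periodic::Verbose "2";
EOF

# -d is debug output, not a dry run: this performs a real upgrade pass and,
# with Automatic-Reboot enabled above, may schedule a reboot.
sudo unattended-upgrade -d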
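################################################################################
### EMAIL ALERTS ###############################################################
################################################################################

# Remember whether xtrace is on, then switch it off wherever SMTP_PW is
# expanded; otherwise `set -x` prints the password to stderr.
case $- in
  *x*) mail_xtrace=1 ;;
  *) mail_xtrace=0 ;;
esac

# Stop before touching the system if any mail setting is blank; an empty value
# would otherwise be written into the aliases and credentials files.
{ set +x; } 2>/dev/null
: "${EMAIL:?EMAIL must be set}"
: "${SMTP_PW:?SMTP_PW must be set}"
: "${RECIPIENT:?RECIPIENT must be set}"
if ((mail_xtrace)); then set -x; fi

# Pass the frontend setting through sudo explicitly, since sudo may not forward
# exported variables.
sudo env DEBIAN_FRONTEND=noninteractive apt-get -yq install exim4

mail_fqdn=$(hostname -f)
mail_user=$(whoami)

printf '%s\n' "${mail_fqdn}" | sudo tee /etc/mailname >/dev/null

# Route root's mail to the local mailbox of the current user and to RECIPIENT,
# and the current user's mail to RECIPIENT. Appended, so a re-run duplicates
# the two lines.
printf '%s\n' \
  "root: real-${mail_user}, ${RECIPIENT}" \
  "${mail_user}: ${RECIPIENT}" |
  sudo tee -a /etc/aliases >/dev/null
sudo newaliases

# Smarthost configuration. The path is absolute: the relative
# exim4/update-exim4.conf.conf only resolved when the working directory
# happened to be /etc.
sudo sed -i \
  -e "s/\(configtype=\).*/\1'smarthost'/" \
  -e "s/\(smarthost=\).*/\1'smtp.gmail.com::587'/" \
  -e "s/\(split_config=\).*/\1'true'/" \
  -e "s/\(hide_mailname=\).*/\1'false'/" \
  /etc/exim4/update-exim4.conf.conf

# Store the smarthost credentials. Tracing is off and tee's stdout is
# discarded so the password reaches neither the terminal nor a log.
{ set +x; } 2>/dev/null
printf '%s\n' "smtp.gmail.com:${EMAIL}:${SMTP_PW}" |
  sudo tee -a /etc/exim4/passwd.client >/dev/null
if ((mail_xtrace)); then set -x; fi
# If tee had to create the file it inherits the umask; restrict it to root and
# the exim group so other local users cannot read the password.
sudo chown root:Debian-exim /etc/exim4/passwd.client
sudo chmod 0640 /etc/exim4/passwd.client

sudo update-exim4.conf
sudo systemctl restart exim4
sudo exim4 -qff

# send test alert
# A blank line separates the Subject header from the body.
printf 'Subject: %s - Email Alerts Configured\n\n%s has been configured to send email alerts to this address.\n' \
  "${mail_fqdn}" "${mail_fqdn}" |
  sendmail -F "Alert" root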
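################################################################################
### NETWORK ####################################################################
################################################################################

# Kernel network hardening: disable IPv6, refuse source-routed packets, and
# neither accept nor send ICMP redirects.
#
# accept_source_route is now set for conf.all as well as conf.default, matching
# the other keys: conf.default only seeds interfaces created later, so on its
# own it leaves already-configured interfaces untouched.
#
# The settings are appended, so a re-run duplicates them (harmless to sysctl,
# but the file grows).
sudo tee -a /etc/sysctl.d/99-sysctl.conf >/dev/null <<'EOF'
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
EOF

# Load every sysctl configuration file now instead of waiting for a reboot.
sudo sysctl --system >/dev/null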
################################################################################
### USERS ######################################################################
################################################################################

# set password strength rules
# Overwrites pwquality.conf (no backup is taken). A negative *credit value
# requires at least that many characters of the class; difok is the number of
# characters that must differ from the old password.
# NOTE(review): these rules only apply where pam_pwquality is part of the PAM
# stack; nothing visible here installs or enables it -- confirm.
sudo tee /etc/security/pwquality.conf >/dev/null <<'EOF'
difok = 4
minlen = 10
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
maxrepeat = 3
EOF

# add sysadmin to appropriate groups
admin_user=$(whoami)
for admin_group in systemd-journal adm; do
  sudo gpasswd -a "${admin_user}" "${admin_group}"
done

# login message
# Replaces /etc/issue with a blank line, the warning, and a blank line.
sudo tee /etc/issue >/dev/null <<'EOF'

WARNING: Unauthorized access to this information system will be prosecuted to the fullest extent of the law.

EOF

# timeouts
# TMOUT is a plain assignment here, neither readonly nor exported, so a user
# can unset or change it in their own shell.
printf '%s\n' 'TMOUT=600' | sudo tee /etc/profile.d/timeout.sh >/dev/null
# NOTE(review): where login goes through PAM the failure delay may be governed
# by pam_faildelay rather than login.defs -- confirm this line has an effect.
# Appended, so a re-run adds the line again.
printf '%s\n' 'FAIL_DELAY 4' | sudo tee -a /etc/login.defs >/dev/null
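# Remote Access
# ssh

# Resolve the address sshd will listen on. Declaration and assignment are
# separate so a failed lookup is not masked by `declare`, and the result is
# validated: a multi-line answer or an error token written into ListenAddress
# would break the sed command or leave sshd unable to bind.
declare FQDN_IP
fqdn_lookup=$(host "$(hostname -f)") || {
  printf 'error: DNS lookup for %s failed; sshd_config left unchanged\n' \
    "$(hostname -f)" >&2
  exit 1
}
FQDN_IP=$(awk '/ has address / { print $NF; exit }' <<<"${fqdn_lookup}")
if [[ ! ${FQDN_IP} =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
  printf 'error: no IPv4 address resolved for this host; sshd_config left unchanged\n' >&2
  exit 1
fi

# Keep the first backup only; a re-run must not overwrite the pristine copy.
if [[ ! -e /etc/ssh/.sshd_config.default~ ]]; then
  sudo cp -a /etc/ssh/sshd_config /etc/ssh/.sshd_config.default~
fi

# Apply the settings. Except for ListenAddress, each pattern accepts the
# directive with or without a leading '#': the original PermitRootLogin and
# GSSAPIAuthentication patterns matched only active lines and silently did
# nothing when the directive was shipped commented out.
#
# Binding sshd to one address means it cannot start if that address is not
# configured on the host (e.g. after a DHCP change).
#
# NOTE(review): from OpenSSH 8.2 a ClientAliveCountMax of 0 disables connection
# termination instead of dropping the session at the first missed probe; check
# the installed version before relying on this as an idle timeout.
sudo sed -i -E \
  -e "s/^#(ListenAddress[[:space:]])[[:digit:]].*/\1${FQDN_IP}/" \
  -e 's/^#?(ClientAliveCountMax[[:space:]])[0-9]*/\10/' \
  -e 's/^#?(ClientAliveInterval[[:space:]])[0-9]*/\1600/' \
  -e 's/^#?(Banner[[:space:]]).*/\1\/etc\/issue/' \
  -e 's/^#?(GSSAPIAuthentication[[:space:]]).*/\1no/' \
  -e 's/^#?(PermitRootLogin[[:space:]]).*/\1no/' \
  /etc/ssh/sshd_config

# Fail loudly if the root-login restriction did not land, rather than assuming
# the substitution matched.
if ! sudo grep -Eq '^PermitRootLogin[[:space:]]+no' /etc/ssh/sshd_config; then
  printf 'error: PermitRootLogin no is not present in /etc/ssh/sshd_config\n' >&2
  exit 1
fi

# Syntax-check the result before any restart. Nothing here restarts sshd, so
# the new settings apply only once the service is reloaded.
sudo sshd -t || {
  printf 'error: sshd_config failed validation; original saved at /etc/ssh/.sshd_config.default~\n' >&2
  exit 1
}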