viniciusban · May 22, 2020 15:40
diff --git a/new_user.txt b/new_user.txt
 john:hey,Iamjohn.:John Doe
diff --git a/provision.sh b/provision.sh
 #!/bin/bash

 # Provision a new Ubuntu 16.04 (Xenial) machine with an admin user.
 #
 # Script based on https://github.com/laravel/settler/blob/master/scripts/provision.sh
 #

 [ $EUID -ne 0 ] && echo "run as root" && exit 1


 function install_basic_packages () {
    apt update
    apt install -y curl wget unzip git ack-grep htop vim tmux tree software-properties-common
 }

 function create_user () {
    wget -O /tmp/new_user.txt https://gist.githubusercontent.com/viniciusban/f6d9fe176c4f25ce2e57cc418576b59d/raw/0c44039b9072ee9bf0743476dc8b3d81dcb455d3/new_user.txt
    IFS=: read NEWUSER NEWPASSWD NEWGECO </tmp/new_user.txt

    adduser --disabled-login --geco "$NEWGECO" $NEWUSER
    usermod -a -G sudo $NEWUSER

    mkdir /home/${NEWUSER}/.ssh
    wget -O /home/${NEWUSER}/.ssh/authorized_keys https://gist.githubusercontent.com/viniciusban/0de0e094046f0283a13195775a78c197/raw/71f190b108774423c623ac1ddcc03a91bf3f5377/id_rsa.pub
    chown -R ${NEWUSER}:${NEWUSER} /home/${NEWUSER}/.ssh
    chmod 600 /home/${NEWUSER}/.ssh/authorized_keys
    chmod 700 /home/${NEWUSER}/.ssh

    echo "$NEWUSER:$NEWPASSWD" | chpasswd
    rm -f /tmp/new_user.txt
 }

 function config_ssh () {
    # disable root login and password authentication
    local DIR=/etc/ssh
    cp $DIR/sshd_config $DIR/sshd_config.original
    sed -i'' -e 's/^\(PermitRootLogin \)/#\1/' -e 's/^\(PasswordAuthentication \)/#\1/' $DIR/sshd_config

    cat >>$DIR/sshd_config <<_EOD_

 # ---------------------------------
 # Custom additions by viniciusban
 PermitRootLogin no
 PasswordAuthentication no
 _EOD_

    service ssh restart
 }

 function config_timezone () {
    ln -sf /usr/share/zoneinfo/UTC /etc/localtime
 }

 function force_locale () {
    echo "LC_ALL=en_US.UTF-8" >> /etc/default/locale
    locale-gen en_US.UTF-8
 }

 function config_firewall () {
    ufw --force enable
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow ssh
    ufw allow 22/tcp
    ufw allow http
    ufw allow https
 }

 function config_fail2ban () {
    apt install -y fail2ban
    cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
 }

 function security_updates () {
    apt install -y unattended-upgrades
    sed -i'' -e 's/^\(Unattended-Upgrade::Automatic-Reboot \)/\/\/\1/' /etc/apt/apt.conf.d/50unattended-upgrades

    cat >>/etc/apt/apt.conf.d/50unattended-upgrades <<_EOD_

    Unattended-Upgrade::Automatic-Reboot "false";

 _EOD_
 }

 function install_nginx () {
    add-apt-repository -y ppa:nginx/stable
    apt update
    apt install -y nginx
    service nginx restart
    systemctl enable nginx
 }


 install_basic_packages
 create_user
 config_ssh
 config_firewall
 config_fail2ban
 security_updates
 config_timezone
 force_locale
 install_nginx
	#!/bin/bash

	# Provision a new Ubuntu 16.04 (Xenial) machine with an admin user.
	#
	# Script based on https://github.com/laravel/settler/blob/master/scripts/provision.sh
	#

	[ $EUID -ne 0 ] && echo "run as root" && exit 1


	function install_basic_packages () {
	apt update
	apt install -y curl wget unzip git ack-grep htop vim tmux tree software-properties-common
	}

	function create_user () {
	wget -O /tmp/new_user.txt https://gist.githubusercontent.com/viniciusban/f6d9fe176c4f25ce2e57cc418576b59d/raw/0c44039b9072ee9bf0743476dc8b3d81dcb455d3/new_user.txt
	IFS=: read NEWUSER NEWPASSWD NEWGECO </tmp/new_user.txt

	adduser --disabled-login --geco "$NEWGECO" $NEWUSER
	usermod -a -G sudo $NEWUSER

	mkdir /home/${NEWUSER}/.ssh
	wget -O /home/${NEWUSER}/.ssh/authorized_keys https://gist.githubusercontent.com/viniciusban/0de0e094046f0283a13195775a78c197/raw/71f190b108774423c623ac1ddcc03a91bf3f5377/id_rsa.pub
	chown -R ${NEWUSER}:${NEWUSER} /home/${NEWUSER}/.ssh
	chmod 600 /home/${NEWUSER}/.ssh/authorized_keys
	chmod 700 /home/${NEWUSER}/.ssh

	echo "$NEWUSER:$NEWPASSWD" \| chpasswd
	rm -f /tmp/new_user.txt
	}

	function config_ssh () {
	# disable root login and password authentication
	local DIR=/etc/ssh
	cp $DIR/sshd_config $DIR/sshd_config.original
	sed -i'' -e 's/^\(PermitRootLogin \)/#\1/' -e 's/^\(PasswordAuthentication \)/#\1/' $DIR/sshd_config

	cat >>$DIR/sshd_config <<_EOD_

	# ---------------------------------
	# Custom additions by viniciusban
	PermitRootLogin no
	PasswordAuthentication no
	_EOD_

	service ssh restart
	}

	function config_timezone () {
	ln -sf /usr/share/zoneinfo/UTC /etc/localtime
	}

	function force_locale () {
	echo "LC_ALL=en_US.UTF-8" >> /etc/default/locale
	locale-gen en_US.UTF-8
	}

	function config_firewall () {
	ufw --force enable
	ufw default deny incoming
	ufw default allow outgoing
	ufw allow ssh
	ufw allow 22/tcp
	ufw allow http
	ufw allow https
	}

	function config_fail2ban () {
	apt install -y fail2ban
	cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
	}

	function security_updates () {
	apt install -y unattended-upgrades
	sed -i'' -e 's/^\(Unattended-Upgrade::Automatic-Reboot \)/\/\/\1/' /etc/apt/apt.conf.d/50unattended-upgrades

	cat >>/etc/apt/apt.conf.d/50unattended-upgrades <<_EOD_

	Unattended-Upgrade::Automatic-Reboot "false";

	_EOD_
	}

	function install_nginx () {
	add-apt-repository -y ppa:nginx/stable
	apt update
	apt install -y nginx
	service nginx restart
	systemctl enable nginx
	}


	install_basic_packages
	create_user
	config_ssh
	config_firewall
	config_fail2ban
	security_updates
	config_timezone
	force_locale
	install_nginx