From: Christian Heller Date: Sat, 15 Dec 2018 18:15:04 +0000 (+0100) Subject: Change directory structure and between-script path references. X-Git-Url: https://plomlompom.com/repos/%7B%7Bprefix%7D%7D/%7B%7B%20web_path%20%7D%7D/pick_tasks?a=commitdiff_plain;h=eafecb0ed8c373dc4f33b6190375fdc3d5c4d841;p=config Change directory structure and between-script path references.
---
diff --git a/all_new_2018/hardlink_etc.sh b/all_new_2018/hardlink_etc.sh
deleted file mode 100755
index a6f3b68..0000000
--- a/all_new_2018/hardlink_etc.sh
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/sh
-# Hard link files to those in argument-selected subdirectories of
-# linkable_etc_files//, e.g. link /etc/foo/bar to
-# linkable_etc_files/$1/etc/foo/bar and so on. Create directories as
-# necessary. We do the hard linking so files that should be readable to
-# non-root in /etc/ remain so despite having a path below /root/, as
-# symbolic links point into /root/ without making the targets readable
-# to non-root.
-# CAUTION: This removes original files at the affected paths.
-set -e
-
-config_tree_prefix="${HOME}/config/all_new_2018/linkable_etc_files/"
-
-for target in "$@"; do
- cd "${config_tree_prefix}${target}"
- for path in $(find . -type f); do
- linking=$(echo "${path}" | cut -c2-)
- linked=$(realpath "${path}")
- dir=$(dirname "${linking}")
- mkdir -p "${dir}"
- ln -f "${linked}" "${linking}"
- done
-done
diff --git a/all_new_2018/init_user_and_keybased_login.sh b/all_new_2018/init_user_and_keybased_login.sh
deleted file mode 100755
index fc9dd96..0000000
--- a/all_new_2018/init_user_and_keybased_login.sh
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/bin/sh
-# This script turns a fresh server with password-based root access to
-# one of only key-based access and only to new non-root account plom.
-#
-# CAUTION: This is optimized for a *fresh* setup. It will overwrite any
-# pre-existing ~/.ssh/authorized_keys of user plom with one that solely
-# contains the local ~/.ssh/id_rsa.pub, and also any old
-# /etc/ssh/sshd_config.
-#
-# Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly
-# configured sshd_config file in reach.
-set -e
-
-# Location auf a sshd_config with "PermitRootLogin no" and
-# "PasswordAuthentication no".
-system_path_sshd_config='/etc/ssh/sshd_config'
-config_tree_prefix="${HOME}/config/all_new_2018/linkable_etc_files/server/"
-local_path_sshd_config="${config_tree_prefix}""${system_path_sshd_config}"
-
-# Ensure we have a server name as argument.
-if [ $# -eq 0 ]; then
- echo "Need server as argument."
- false
-fi
-server="$1"
-
-# Ask for root password only once, sshpass will re-use it then often.
-stty -echo
-printf "Server root password: "
-read PW_ROOT
-stty echo
-printf "\n"
-export SSHPASS="${PW_ROOT}"
-
-# Create user plom, and his ~/.ssh/authorized_keys based on the local
-# ~/.ssh/id_rsa.pub; ensure the result has proper permissions and
-# ownerships. Then disable root and pw login by copying over the
-# sshd_config and restart ssh daemon.
-#
-# This could be a line or two shorter by using ssh-copy-id, but that
-# would require setting a password for user plom otherwise not needed.
-sshpass -e scp ~/.ssh/id_rsa.pub root@"${server}":/tmp/authorized_keys
-sshpass -e ssh root@"${server}" \
- 'useradd -m plom && '\
- 'mkdir /home/plom/.ssh && '\
- 'chown plom:plom /home/plom/.ssh && '\
- 'chown plom:plom /tmp/authorized_keys && '\
- 'chmod u=rw,go= /tmp/authorized_keys && '\
- 'mv /tmp/authorized_keys /home/plom/.ssh/'
-sshpass -e scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}"
-sshpass -e ssh root@"${server}" 'service ssh restart'
diff --git a/all_new_2018/install_for_target.sh b/all_new_2018/install_for_target.sh
deleted file mode 100755
index 9d765aa..0000000
--- a/all_new_2018/install_for_target.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-# Walks through the package names in the argument-selected files of
-# apt-mark/ and ensures the respective packages are installed.
-#
-# Ignores anything in an apt-mark/ file after the last newline.
-set -e
-
-config_tree_prefix="${HOME}/config/all_new_2018/apt-mark/"
-
-for target in "$@"; do
- path="${config_tree_prefix}${target}"
- cat "${path}" | while read line; do
- echo "$line"
- if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
- apt-get -y install "${line}"
- fi
- done
-done
diff --git a/all_new_2018/letsencrypt.sh b/all_new_2018/letsencrypt.sh
deleted file mode 100755
index 5fdf703..0000000
--- a/all_new_2018/letsencrypt.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/sh
-set -e
-
-# Ensure we have a mail address as argument.
-if [ $# -lt 1 ]; then
- echo "Need mail address as argument."
- false
-fi
-mail_address="$1"
-
-# We need certbot to get LetsEncrypt certificates.
-apt install -y certbot
-
-# If port 80 blocked by iptables, open it.
-set +e
-iptables -C INPUT -p tcp --dport 80 -j ACCEPT
-open_iptables="$?"
-set -e
-if [ "${open_iptables}" -eq "1" ]; then
- iptables -A INPUT -p tcp --dport 80 -j ACCEPT
-fi
-
-# Create new certificate and copy it to /etc/letsencrypt.
-certbot certonly --standalone --agree-tos -m "${mail_address}" -d "$(hostname -f)"
-
-# Remove iptables rule to open port 80 if we added it.
-if [ "${open_iptables}" -eq "1" ]; then
- iptables -D INPUT -p tcp --dport 80 -j ACCEPT
-fi
diff --git a/all_new_2018/letsencrypt_get.sh b/all_new_2018/letsencrypt_get.sh
deleted file mode 100755
index c2b3e9f..0000000
--- a/all_new_2018/letsencrypt_get.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/sh
-# Copy over LetsEncrypt certificates from another server.
-set -e
-
-# Ensure we have a server name as argument.
-if [ $# -lt 1 ]; then
- echo "Need server as argument."
- false
-fi
-server="$1"
-
-# Copy over.
-ssh -t plom@${server} 'su -c "cd /etc/ && tar cf letsencrypt.tar letsencrypt && chown plom:plom letsencrypt.tar && mv letsencrypt.tar /home/plom/"'
-scp plom@${server}:~/letsencrypt.tar .
-apt -y install certbot
-rmdir /etc/letsencrypt
-mv letsencrypt.tar /etc/
-cd /etc/
-tar xf letsencrypt.tar
-rm letsencrypt.tar
diff --git a/all_new_2018/mirror_dir.sh b/all_new_2018/mirror_dir.sh
deleted file mode 100755
index cb943c9..0000000
--- a/all_new_2018/mirror_dir.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/sh
-set -e
-
-if [ $# -lt 2 ]; then
- echo "Need server and directory as arguments."
- false
-fi
-server=$1
-dir=$2
-path_package=/tmp/delete.tar
-
-eval `ssh-agent`
-ssh-add
-cd
-ssh plom@"${server}" "cd \"${dir}\" && tar cf ${path_package} ."
-scp plom@"${server}":"${path_package}" "${path_package}"
-mkdir -p "${dir}"
-cd "${dir}"
-tar xf "${path_package}"
-cd
-rm "${path_package}"
-ssh plom@"${server}" rm "${path_package}"
diff --git a/all_new_2018/prepare_to_meet_server.sh b/all_new_2018/prepare_to_meet_server.sh
deleted file mode 100755
index 13d05ca..0000000
--- a/all_new_2018/prepare_to_meet_server.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-# Do some of the steps necessary to SSH (key-based) with another server.
-set -e
-
-target="$1"
-
-# We need a public key to copy over, so generate it if not found.
-if [ ! -f ~/.ssh/id_rsa.pub ]; then
- ssh-keygen
-fi
-
-# Add target to ~/.ssh/known_hosts so we don't get
-# asked for permission at inopportune moments.
-ssh-keyscan -H "$target" >> ~/.ssh/known_hosts
-
-# Tell user what to do.
-echo "APPEND FOLLOWING TO TARGET'S ~/.ssh/authorized_keys:"
-cat ~/.ssh/id_rsa.pub
diff --git a/all_new_2018/purge_nonrequireds.sh b/all_new_2018/purge_nonrequireds.sh
deleted file mode 100755
index 5b63ddf..0000000
--- a/all_new_2018/purge_nonrequireds.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/sh
-# This script removes all Debian packages that are not of Priority
-# "required" or not depended on by packages of priority "required"
-# or not listed in the argument-selected files of apt-mark/.
-set -e
-
-config_tree_prefix="${HOME}/config/all_new_2018/apt-mark/"
-
-dpkg-query -Wf '${Package} ${Priority}\n' | grep ' required' | sed 's/ required//' > /tmp/list_white_unsorted
-for target in "$@"; do
- path="${config_tree_prefix}${target}"
- cat "${path}" | while read line; do
- if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
- echo "${line}" >> /tmp/list_white_unsorted
- fi
- done
-done
-sort /tmp/list_white_unsorted > /tmp/list_white
-dpkg-query -Wf '${Package}\n' > /tmp/list_all_packages
-sort /tmp/list_all_packages > /tmp/foo
-mv /tmp/foo /tmp/list_all_packages
-comm -3 /tmp/list_all_packages /tmp/list_white > /tmp/list_black
-apt-mark auto `cat /tmp/list_black`
-DEBIAN_FRONTEND=noninteractive apt-get -y --purge autoremove
-rm /tmp/list_all_packages /tmp/list_white_unsorted /tmp/list_white /tmp/list_black
diff --git a/all_new_2018/set_hostname_and_fqdn.sh b/all_new_2018/set_hostname_and_fqdn.sh
deleted file mode 100755
index 3f95590..0000000
--- a/all_new_2018/set_hostname_and_fqdn.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/sh
-# Sets hostname and optionally FQDN.
-#
-# Calls hostname, writes to /etc/hostname and /etc/hosts. For /etc/hosts
-# writing follows recommendations from Debian manual at
-#
-# (section "The hostname resolution") on how to map hostname and possibly
-# FQDN to a permanent IP if present (we assume here any non-private IP
-# and non-loopback IP returned by hostname -I to fulfill that criterion
-# on our systems) or to 127.0.1.1 if not. On the reasoning for separating
-# localhost and hostname mapping to different IPs, see
-# .
-set -e
-
-hostname="$1"
-fqdn="$2"
-if [ "${hostname}" = "" ]; then
- echo "Need hostname as argument."
- false
-fi
-echo "${hostname}" > /etc/hostname
-hostname "${hostname}"
-
-final_ip="127.0.1.1"
-for ip in $(hostname -I); do
- range_1=$(echo "${ip}" | cut -d "." -f 1)
- range_2=$(echo "${ip}" | cut -d "." -f 2)
- if [ "${range_1}" -eq 127 ]; then
- continue
- elif [ "${range_1}" -eq 10 ]; then
- continue
- elif [ "${range_1}" -eq 172 ]; then
- if [ "${range_2}" -ge 16 ] && [ "${range_2}" -le 31 ]; then
- continue
- fi
- elif [ "${range_1}" -eq 192 ]; then
- if [ "${range_2}" -eq 168 ]; then
- continue
- fi
- fi
- final_ip="${ip}"
-done
-
-echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts
-echo "${final_ip} ${fqdn} ${hostname}" >> /etc/hosts
diff --git a/all_new_2018/setup_mail.sh b/all_new_2018/setup_mail.sh
deleted file mode 100755
index 60eda31..0000000
--- a/all_new_2018/setup_mail.sh
+++ /dev/null
@@ -1,69 +0,0 @@
-#/bin/sh
-set -e
-
-if [ $# -lt 2 ]; then
- echo "Give arguments of mail domain and DKIM selector."
- echo "Also, if hosting mail for entire domain, give third argument 'domainwide'."
- false
-fi
-mail_domain="$1"
-dkim_selector="$2"
-domainwide="$3"
-
-# Set up DKIM key if necessary.
-mkdir -p /etc/dkimkeys/
-add_dkim_record=0
-if [ ! -f "/etc/dkimkeys/${dkim_selector}.private" ]; then
- add_dkim_record=1
- set +e
- dpkg -s opendkim-tools &> /dev/null
- preinstalled="$?"
- set -e
- if [ ! "${preinstalled}" -eq "0" ]; then
- apt install -y opendkim-tools
- fi
- opendkim-genkey -s "${dkim_selector}"
- mv "${dkim_selector}.private" /etc/dkimkeys/
- if [ ! "${preinstalled}" -eq "0" ]; then
- apt -y --purge autoremove opendkim-tools
- fi
-fi
-
-# Link and adapt mail-server-specific /etc/ files.
-./hardlink_etc.sh mail
-sed -i "s/REPLACE_maildomain_ECALPER/${mail_domain}/g" /etc/mailutils.conf
-sed -i "s/REPLACE_Domain_ECALPER/${mail_domain}/g" /etc/opendkim.conf
-sed -i "s/REPLACE_Selector_ECALPER/${dkim_selector}/g" /etc/opendkim.conf
-sed -i "s/REPLACE_myhostname_ECALPER/$(hostname -f)/g" /etc/postfix/main.cf
-if [ "${domainwide}" = "domainwide" ]; then
- sed -i 's/REPLACE_mydomain_if_domainwide_ECALPER/$mydomain/g' /etc/postfix/main.cf
-else
- sed -i 's/REPLACE_mydomain_if_domainwide_ECALPER//g' /etc/postfix/main.cf
-fi
-# Since we re-set the iptables rules, we need to reload them.
-iptables-restore /etc/iptables/rules.v4
-
-# Some useful debconf selections.
-echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
-echo "ssl_cert = /etc/dovecot/conf.d/99-ssl-certs.conf
-echo "ssl_key = > /etc/dovecot/conf.d/99-ssl-certs.conf
-
-# The second line should not be necessary due to the first line, but for
-# some reason the installation forgets to set up /etc/mailname early
-# enough to not (when running newaliases) stumble over its absence.
-echo "postfix postfix/mailname string ${mail_domain}" | debconf-set-selections -echo "${mail_domain}" > /etc/mailname - -# Everything should now be ready for installations. Note that we don't -# strictly need dovecot-lmtpd, as postfix will deliver mail to /var/mail/USER -# in any case, to be found by dovecot; we use it as a transport mechanism to -# allow for sophisticated stuff like dovecot-side sieve filtering (installed -# with dovecot-sieve). -apt install -y -o Dpkg::Options::=--force-confold postfix dovecot-imapd dovecot-lmtpd dovecot-sieve opendkim -echo "TODO: Ensure MX entry for your system in your DNS configuration." -echo "TODO: Ensure a proper SPF entry for this system in your DNS configuration; something like 'v=spf1 mx -all' mapped to your host." -if [ "${add_dkim_record}" -eq "1" ]; then - echo "TODO: Add the following DKIM entry to your DNS configuration (possibly with slightly changed host entry – if your mail domain includes a subdomain, append that with a dot):" - cat "${dkim_selector}.txt" -fi -echo "TODO: passwd plom" diff --git a/all_new_2018/setup_play.sh b/all_new_2018/setup_play.sh deleted file mode 100755 index 233219d..0000000 --- a/all_new_2018/setup_play.sh +++ /dev/null 
@@ -1,42 +0,0 @@
-#!/bin/sh
-set -e
-
-# Ensure we have a GPG target to encrypt to.
-if [ $# -lt 1 ]; then
- echo "Need public key ID as argument."
- false
-fi
-gpg_key="$1"
-
-./hardlink_etc.sh play
-config_tree_prefix="${HOME}/config/all_new_2018/"
-apt -y install weechat screen vim
-cp "${config_tree_prefix}user_files/encrypter.sh" /home/plom/
-chown plom:plom /home/plom/encrypter.sh
-cp "${config_tree_prefix}user_files/weechat-wrapper.sh" /home/plom/
-chown plom:plom /home/plom/weechat-wrapper.sh
-cp "${config_tree_prefix}user_files/weechatrc" /home/plom/.weechatrc
-chown plom:plom /home/plom/.weechatrc
-apt -y install screen gnupg dirmngr
-keyservers='sks-keyservers.net/ keys.gnupg.net'
-set +e
-while true; do
- do_break=0
- for keyserver in $(echo "${keyservers}"); do
- su plom -c "gpg --no-tty --keyserver $keyserver --recv-key ${gpg_key}"
- if [ $? -eq "0" ]; then
- do_break=1
- break
- fi
- echo "Attempt with keyserver ${keyserver} unsuccessful, trying other."
- done
- if [ "${do_break}" -eq "1" ]; then
- break
- fi
-done
-set -e
-echo "$gpg_key" > /home/plom/.encrypt_target
-chown plom:plom /home/plom/.encrypt_target
-# TODO: We may remove dirmngr here if only this script installed it.
-systemctl daemon-reload
-systemctl start encrypt_chatlogs.timer
diff --git a/all_new_2018/setup_plomlombot.sh b/all_new_2018/setup_plomlombot.sh
deleted file mode 100755
index 3c9efa3..0000000
--- a/all_new_2018/setup_plomlombot.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/sh
-set -e
-
-# Ensure we have a GPG target to encrypt to.
-if [ $# -lt 1 ]; then
- echo "Need public key ID as argument."
- false
-fi
-gpg_key="$1"
-
-config_tree_prefix="${HOME}/config/all_new_2018/"
-irclogs_dir=/var/www/html/irclogs
-irclogs_pw_dir=/var/www/irclogs_pw
-cp "${config_tree_prefix}"/user_files/plomlombot_daemon.sh /home/plom/
-chown plom:plom /home/plom/plomlombot_daemon.sh
-apt -y install screen python3-venv gnupg dirmngr
-keyservers='sks-keyservers.net/ keys.gnupg.net'
-set +e
-while true; do
- do_break=0
- for keyserver in $(echo "${keyservers}"); do
- su plom -c "gpg --no-tty --keyserver $keyserver --recv-key ${gpg_key}"
- if [ $? -eq "0" ]; then
- do_break=1
- break
- fi
- echo "Attempt with keyserver ${keyserver} unsuccessful, trying other."
- done
- if [ "${do_break}" -eq "1" ]; then
- break
- fi
-done
-set -e
-# TODO: We may remove dirmngr here if only this script installed it.
-su plom -c "cd && git clone /var/public_repos/plomlombot-irc"
-systemctl enable /etc/systemd/system/plomlombot.service
-service plomlombot start
-mkdir -p "${irclogs_dir}"
-chown -R plom:plom "${irclogs_dir}"
-mkdir -p "${irclogs_pw_dir}"
-chown -R plom:plom "${irclogs_pw_dir}"
-echo "Don't forget to add a file ~/.plomlombot with content such as:"
-echo "gpg_key ${gpg_key}"
-echo "bot: SCREEN_SESSION_NAME BOT_NAME #CHANNEL_NAME IRC_SERVER_NAME LOGS_USER LOGS_PW"
-echo "# file should end in newline or non-interpreted line such as this"
diff --git a/all_new_2018/setup_scripts/hardlink_etc.sh b/all_new_2018/setup_scripts/hardlink_etc.sh
new file mode 100755
index 0000000..d6f2987
--- /dev/null
+++ b/all_new_2018/setup_scripts/hardlink_etc.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+# Hard link files to those in argument-selected subdirectories of
+# linkable_etc_files//, e.g. link /etc/foo/bar to
+# linkable_etc_files/$1/etc/foo/bar and so on. Create directories as
+# necessary. We do the hard linking so files that should be readable to
+# non-root in /etc/ remain so despite having a path below /root/, as
+# symbolic links point into /root/ without making the targets readable
+# to non-root.
+# CAUTION: This removes original files at the affected paths.
+set -e
+
+config_tree_prefix="${HOME}/config/all_new_2018/linkable_etc_files"
+linkable_files_dir="${config_tree_prefix}/linkable_etc_files"
+
+for target in "$@"; do
+ cd "${linkable_files_dir}/${target}"
+ for path in $(find . -type f); do
+ linking=$(echo "${path}" | cut -c2-)
+ linked=$(realpath "${path}")
+ dir=$(dirname "${linking}")
+ mkdir -p "${dir}"
+ ln -f "${linked}" "${linking}"
+ done
+done
diff --git a/all_new_2018/setup_scripts/init_user_and_keybased_login.sh b/all_new_2018/setup_scripts/init_user_and_keybased_login.sh
new file mode 100755
index 0000000..6a46c20
--- /dev/null
+++ b/all_new_2018/setup_scripts/init_user_and_keybased_login.sh
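Review bot: `config_tree_prefix` is set to `${HOME}/config/all_new_2018/linkable_etc_files` and `linkable_files_dir` then appends `/linkable_etc_files` a second time, so the `cd` at the top of the loop resolves to `.../linkable_etc_files/linkable_etc_files/<target>`; every other script in this commit uses `${HOME}/config/all_new_2018` as the prefix, which suggests the doubled directory does not exist, and under `set -e` the failed `cd` aborts every caller (`setup_server.sh`, `setup_mail.sh`, `setup_play.sh`, `setup_sendonly.sh`). The fix is `config_tree_prefix="${HOME}/config/all_new_2018"`. Separately, `for path in $(find . -type f)` word-splits on whitespace in file names; `find . -type f | while IFS= read -r path; do ... done` avoids that for the common case while staying POSIX sh, though the files linked here are the repo's own so the exposure is low.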
@@ -0,0 +1,52 @@
+#!/bin/sh
+# This script turns a fresh server with password-based root access to
+# one of only key-based access and only to new non-root account plom.
+#
+# CAUTION: This is optimized for a *fresh* setup. It will overwrite any
+# pre-existing ~/.ssh/authorized_keys of user plom with one that solely
+# contains the local ~/.ssh/id_rsa.pub, and also any old
+# /etc/ssh/sshd_config.
+#
+# Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly
+# configured sshd_config file in reach.
+set -e
+
+# Location auf a sshd_config with "PermitRootLogin no" and
+# "PasswordAuthentication no".
+config_tree_prefix="${HOME}/config/all_new_2018"
+linkable_files_dir="${config_tree_prefix}/linkable_etc_files/server"
+system_path_sshd_config='/etc/ssh/sshd_config'
+local_path_sshd_config="${linkable_files_dir}/${system_path_sshd_config}"
+
+# Ensure we have a server name as argument.
+if [ $# -eq 0 ]; then
+ echo "Need server as argument."
+ false
+fi
+server="$1"
+
+# Ask for root password only once, sshpass will re-use it then often.
+stty -echo
+printf "Server root password: "
+read PW_ROOT
+stty echo
+printf "\n"
+export SSHPASS="${PW_ROOT}"
+
+# Create user plom, and his ~/.ssh/authorized_keys based on the local
+# ~/.ssh/id_rsa.pub; ensure the result has proper permissions and
+# ownerships. Then disable root and pw login by copying over the
+# sshd_config and restart ssh daemon.
+#
+# This could be a line or two shorter by using ssh-copy-id, but that
+# would require setting a password for user plom otherwise not needed.
+sshpass -e scp ~/.ssh/id_rsa.pub root@"${server}":/tmp/authorized_keys
+sshpass -e ssh root@"${server}" \
+ 'useradd -m plom && '\
+ 'mkdir /home/plom/.ssh && '\
+ 'chown plom:plom /home/plom/.ssh && '\
+ 'chown plom:plom /tmp/authorized_keys && '\
+ 'chmod u=rw,go= /tmp/authorized_keys && '\
+ 'mv /tmp/authorized_keys /home/plom/.ssh/'
+sshpass -e scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}"
+sshpass -e ssh root@"${server}" 'service ssh restart'
diff --git a/all_new_2018/setup_scripts/install_for_target.sh b/all_new_2018/setup_scripts/install_for_target.sh
new file mode 100755
index 0000000..53914d6
--- /dev/null
+++ b/all_new_2018/setup_scripts/install_for_target.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+# Walks through the package names in the argument-selected files of
+# apt-mark/ and ensures the respective packages are installed.
+#
+# Ignores anything in an apt-mark/ file after the last newline.
+set -e
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+aptmark_dir="${config_tree_prefix}/apt-mark"
+
+for target in "$@"; do
+ path="${aptmark_dir}/${target}"
+ cat "${path}" | while read line; do
+ echo "$line"
+ if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
+ apt-get -y install "${line}"
+ fi
+ done
+done
diff --git a/all_new_2018/setup_scripts/letsencrypt.sh b/all_new_2018/setup_scripts/letsencrypt.sh
new file mode 100755
index 0000000..29ed3b6
--- /dev/null
+++ b/all_new_2018/setup_scripts/letsencrypt.sh
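Review bot: The last two lines of the hunk copy the sshd_config that disables root and password login and restart sshd before anything has confirmed that key-based login as plom actually works, so a wrong local key, a failed `useradd`, or a typo in the config locks the operator out with no fallback. Before the `scp` of the config, add `sshpass -e ssh -o BatchMode=yes -o PasswordAuthentication=no plom@"${server}" true` (the `SSHPASS` is irrelevant there; BatchMode makes a prompt fail instead of hang), and validate the new config on the server with `sshd -t` before the restart so a syntax error does not take sshd down. `read PW_ROOT` should be `read -r PW_ROOT` so a backslash in the password survives; passing it via `SSHPASS`/`sshpass -e` rather than `-p` is the right choice and keeps it out of `ps`. The temporary `/tmp/authorized_keys` is a fixed path on a host that by the header comment is fresh and root-only, which is worth stating in the comment so the assumption is visible.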
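Review bot: The `while read line` loop reads without `-r` and tests `[ ! $(echo "${line}" | cut -c1) = "#" ]` with the substitution unquoted, so a leading backslash is eaten and a line beginning with whitespace collapses the test to a three-argument string comparison that silently skips the line instead of failing loudly. Prefer `while IFS= read -r line; do` and `if [ "$(printf '%s' "${line}" | cut -c1)" != "#" ]; then`. The header comment already documents that text after the last newline is ignored; it could add that each non-comment line must be exactly one package name, since the whole line is passed as a single argument to `apt-get -y install`.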
@@ -0,0 +1,31 @@
+#!/bin/sh
+# Certify current server with LetsEncrypt.
+# Uses hostname -f for the domain we want to certify.
+set -e
+
+# Ensure we have a mail address as argument.
+if [ $# -lt 1 ]; then
+ echo "Need mail address as argument."
+ false
+fi
+mail_address="$1"
+
+# We need certbot to get LetsEncrypt certificates.
+apt install -y certbot
+
+# If port 80 blocked by iptables, open it.
+set +e
+iptables -C INPUT -p tcp --dport 80 -j ACCEPT
+open_iptables="$?"
+set -e
+if [ "${open_iptables}" -eq "1" ]; then
+ iptables -A INPUT -p tcp --dport 80 -j ACCEPT
+fi
+
+# Create new certificate and copy it to /etc/letsencrypt.
+certbot certonly --standalone --agree-tos -m "${mail_address}" -d "$(hostname -f)"
+
+# Remove iptables rule to open port 80 if we added it.
+if [ "${open_iptables}" -eq "1" ]; then
+ iptables -D INPUT -p tcp --dport 80 -j ACCEPT
+fi
diff --git a/all_new_2018/setup_scripts/letsencrypt_get.sh b/all_new_2018/setup_scripts/letsencrypt_get.sh
new file mode 100755
index 0000000..c2b3e9f
--- /dev/null
+++ b/all_new_2018/setup_scripts/letsencrypt_get.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Copy over LetsEncrypt certificates from another server.
+set -e
+
+# Ensure we have a server name as argument.
+if [ $# -lt 1 ]; then
+ echo "Need server as argument."
+ false
+fi
+server="$1"
+
+# Copy over.
+ssh -t plom@${server} 'su -c "cd /etc/ && tar cf letsencrypt.tar letsencrypt && chown plom:plom letsencrypt.tar && mv letsencrypt.tar /home/plom/"'
+scp plom@${server}:~/letsencrypt.tar .
+apt -y install certbot
+rmdir /etc/letsencrypt
+mv letsencrypt.tar /etc/
+cd /etc/
+tar xf letsencrypt.tar
+rm letsencrypt.tar
diff --git a/all_new_2018/setup_scripts/mirror_dir.sh b/all_new_2018/setup_scripts/mirror_dir.sh
new file mode 100755
index 0000000..0fc03aa
--- /dev/null
+++ b/all_new_2018/setup_scripts/mirror_dir.sh
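Review bot: The port-80 rule added in the `if [ "${open_iptables}" -eq "1" ]` block is only removed on the success path; because the script runs under `set -e`, a failing `certbot certonly` exits before the trailing `iptables -D`, leaving the port open in the live firewall. Register the removal at the moment the rule is added, `trap 'iptables -D INPUT -p tcp --dport 80 -j ACCEPT' EXIT` inside that `if`, and drop the trailing `if` block. Also worth a comment: `iptables -C` returns non-zero for reasons other than "rule absent" (missing chain, tool not installed), and comparing against exactly 1 deliberately treats those as "do not touch the firewall".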
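Review bot: The remote `su -c` command in the `ssh -t` line tars `/etc/letsencrypt`, which includes the ACME account and certificate private keys, and then `chown plom:plom`s the archive into plom's home, where it remains after the `scp` with whatever mode root's umask produced (commonly 0644, readable to every local user on that host). Add `chmod 600 letsencrypt.tar` before the `chown` and remove the remote copy once fetched, `ssh plom@"${server}" rm letsencrypt.tar`; the local tarball is deleted on the last line, the remote one never is. `${server}` is also unquoted in both the `ssh` and `scp` lines, unlike the other scripts in this commit.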
@@ -0,0 +1,23 @@
+#!/bin/sh
+# Mirror directory tree from remote to local server, keeping the path.
+set -e
+
+if [ $# -lt 2 ]; then
+ echo "Need server and directory as arguments."
+ false
+fi
+server=$1
+dir=$2
+path_package=/tmp/delete.tar
+
+eval `ssh-agent`
+ssh-add
+cd
+ssh plom@"${server}" "cd \"${dir}\" && tar cf ${path_package} ."
+scp plom@"${server}":"${path_package}" "${path_package}"
+mkdir -p "${dir}"
+cd "${dir}"
+tar xf "${path_package}"
+cd
+rm "${path_package}"
+ssh plom@"${server}" rm "${path_package}"
diff --git a/all_new_2018/setup_scripts/prepare_to_meet_server.sh b/all_new_2018/setup_scripts/prepare_to_meet_server.sh
new file mode 100755
index 0000000..13d05ca
--- /dev/null
+++ b/all_new_2018/setup_scripts/prepare_to_meet_server.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+# Do some of the steps necessary to SSH (key-based) with another server.
+set -e
+
+target="$1"
+
+# We need a public key to copy over, so generate it if not found.
+if [ ! -f ~/.ssh/id_rsa.pub ]; then
+ ssh-keygen
+fi
+
+# Add target to ~/.ssh/known_hosts so we don't get
+# asked for permission at inopportune moments.
+ssh-keyscan -H "$target" >> ~/.ssh/known_hosts
+
+# Tell user what to do.
+echo "APPEND FOLLOWING TO TARGET'S ~/.ssh/authorized_keys:"
+cat ~/.ssh/id_rsa.pub
diff --git a/all_new_2018/setup_scripts/purge_nonrequireds.sh b/all_new_2018/setup_scripts/purge_nonrequireds.sh
new file mode 100755
index 0000000..e444a55
--- /dev/null
+++ b/all_new_2018/setup_scripts/purge_nonrequireds.sh
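Review bot: `path_package=/tmp/delete.tar` is a fixed, predictable path used on both hosts: written by plom on the remote (`tar cf`) and by root locally (`scp ... "${path_package}"`, then `tar xf` as root), so another local user on either side could pre-create the path; whether the kernel's protected_symlinks setting blocks that depends on the host. Use `path_package=$(mktemp /tmp/mirror_dir.XXXXXX)` locally and `remote_package=$(ssh plom@"${server}" mktemp /tmp/mirror_dir.XXXXXX)` for the remote name. The agent started by `` eval `ssh-agent` `` is never stopped; add `trap 'ssh-agent -k' EXIT` right after it. `${dir}` is spliced into the remote command string, so a directory with quotes or spaces breaks the `cd`; acceptable for operator-supplied input, but worth a comment on the line.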
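Review bot: `ssh-keyscan -H "$target" >> ~/.ssh/known_hosts` trusts whatever host key answers on first contact and gives the operator nothing to verify against, and the hosts added this way are then used for the root password sessions in `init_user_and_keybased_login.sh`. Capture the scan first and print its fingerprint so it can be compared with the provider's console before it is appended: `tmp=$(mktemp)`, `ssh-keyscan -H "$target" > "$tmp"`, `ssh-keygen -lf "$tmp"`, `cat "$tmp" >> ~/.ssh/known_hosts`. Repeated runs also append duplicate entries, and an empty `$1` is not rejected the way the other scripts in this commit reject missing arguments.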
@@ -0,0 +1,26 @@
+#!/bin/sh
+# This script removes all Debian packages that are not of Priority
+# "required" or not depended on by packages of priority "required"
+# or not listed in the argument-selected files of apt-mark/.
+set -e
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+aptmark_dir="${config_tree_prefix}/apt-mark"
+
+dpkg-query -Wf '${Package} ${Priority}\n' | grep ' required' | sed 's/ required//' > /tmp/list_white_unsorted
+for target in "$@"; do
+ path="${aptmark_dir}/${target}"
+ cat "${path}" | while read line; do
+ if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
+ echo "${line}" >> /tmp/list_white_unsorted
+ fi
+ done
+done
+sort /tmp/list_white_unsorted > /tmp/list_white
+dpkg-query -Wf '${Package}\n' > /tmp/list_all_packages
+sort /tmp/list_all_packages > /tmp/foo
+mv /tmp/foo /tmp/list_all_packages
+comm -3 /tmp/list_all_packages /tmp/list_white > /tmp/list_black
+apt-mark auto `cat /tmp/list_black`
+DEBIAN_FRONTEND=noninteractive apt-get -y --purge autoremove
+rm /tmp/list_all_packages /tmp/list_white_unsorted /tmp/list_white /tmp/list_black
diff --git a/all_new_2018/setup_scripts/set_hostname_and_fqdn.sh b/all_new_2018/setup_scripts/set_hostname_and_fqdn.sh
new file mode 100755
index 0000000..3f95590
--- /dev/null
+++ b/all_new_2018/setup_scripts/set_hostname_and_fqdn.sh
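Review bot: Every scratch file (`/tmp/list_white_unsorted`, `/tmp/list_white`, `/tmp/list_all_packages`, `/tmp/foo`, `/tmp/list_black`) is a fixed name written as root with `>`, which is the classic symlink-in-/tmp problem and also breaks when two runs overlap; create `tmpdir=$(mktemp -d)` with `trap 'rm -rf "${tmpdir}"' EXIT` and put the lists there, which also replaces the final `rm`. `comm -3` prints both remaining columns, so whitelisted names that are not installed (column 2) are passed to `apt-mark auto` too; `comm -23` yields only packages present but not whitelisted, which is what the header comment describes. Since `comm` depends on both inputs being sorted in the same collation, run `sort` and `comm` under `LC_ALL=C`.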
@@ -0,0 +1,45 @@
+#!/bin/sh
+# Sets hostname and optionally FQDN.
+#
+# Calls hostname, writes to /etc/hostname and /etc/hosts. For /etc/hosts
+# writing follows recommendations from Debian manual at
+#
+# (section "The hostname resolution") on how to map hostname and possibly
+# FQDN to a permanent IP if present (we assume here any non-private IP
+# and non-loopback IP returned by hostname -I to fulfill that criterion
+# on our systems) or to 127.0.1.1 if not. On the reasoning for separating
+# localhost and hostname mapping to different IPs, see
+# .
+set -e
+
+hostname="$1"
+fqdn="$2"
+if [ "${hostname}" = "" ]; then
+ echo "Need hostname as argument."
+ false
+fi
+echo "${hostname}" > /etc/hostname
+hostname "${hostname}"
+
+final_ip="127.0.1.1"
+for ip in $(hostname -I); do
+ range_1=$(echo "${ip}" | cut -d "." -f 1)
+ range_2=$(echo "${ip}" | cut -d "." -f 2)
+ if [ "${range_1}" -eq 127 ]; then
+ continue
+ elif [ "${range_1}" -eq 10 ]; then
+ continue
+ elif [ "${range_1}" -eq 172 ]; then
+ if [ "${range_2}" -ge 16 ] && [ "${range_2}" -le 31 ]; then
+ continue
+ fi
+ elif [ "${range_1}" -eq 192 ]; then
+ if [ "${range_2}" -eq 168 ]; then
+ continue
+ fi
+ fi
+ final_ip="${ip}"
+done
+
+echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts
+echo "${final_ip} ${fqdn} ${hostname}" >> /etc/hosts
diff --git a/all_new_2018/setup_scripts/setup_mail.sh b/all_new_2018/setup_scripts/setup_mail.sh
new file mode 100755
index 0000000..c8d4254
--- /dev/null
+++ b/all_new_2018/setup_scripts/setup_mail.sh
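Review bot: `hostname -I` also prints IPv6 addresses, and for those `cut -d "."` returns the whole string, so `[ "${range_1}" -eq 127 ]` fails with a non-integer error, every branch falls through, and `final_ip` ends up as that address — possibly a link-local `fe80::` one, since the loop keeps the last non-private address rather than the first. Add `case "${ip}" in *:*) continue ;; esac` at the top of the loop body (or handle IPv6 explicitly), and consider also excluding 169.254.0.0/16 and 100.64.0.0/10. The header comment refers to the Debian manual and a second reference, but the links are missing in this rendering so it reads `at` / `see .`; if the committed file looks the same, the URLs should be restored.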
@@ -0,0 +1,73 @@
+#/bin/sh
+set -e
+
+if [ $# -lt 2 ]; then
+ echo "Give arguments of mail domain and DKIM selector."
+ echo "Also, if hosting mail for entire domain, give third argument 'domainwide'."
+ false
+fi
+mail_domain="$1"
+dkim_selector="$2"
+domainwide="$3"
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+setup_scripts_dir="${config_tree_prefix}/setup_scripts"
+cd "${setup_scripts_dir}"
+
+# Set up DKIM key if necessary.
+mkdir -p /etc/dkimkeys/
+add_dkim_record=0
+if [ ! -f "/etc/dkimkeys/${dkim_selector}.private" ]; then
+ add_dkim_record=1
+ set +e
+ dpkg -s opendkim-tools &> /dev/null
+ preinstalled="$?"
+ set -e
+ if [ ! "${preinstalled}" -eq "0" ]; then
+ apt install -y opendkim-tools
+ fi
+ opendkim-genkey -s "${dkim_selector}"
+ mv "${dkim_selector}.private" /etc/dkimkeys/
+ if [ ! "${preinstalled}" -eq "0" ]; then
+ apt -y --purge autoremove opendkim-tools
+ fi
+fi
+
+# Link and adapt mail-server-specific /etc/ files.
+./hardlink_etc.sh mail
+sed -i "s/REPLACE_maildomain_ECALPER/${mail_domain}/g" /etc/mailutils.conf
+sed -i "s/REPLACE_Domain_ECALPER/${mail_domain}/g" /etc/opendkim.conf
+sed -i "s/REPLACE_Selector_ECALPER/${dkim_selector}/g" /etc/opendkim.conf
+sed -i "s/REPLACE_myhostname_ECALPER/$(hostname -f)/g" /etc/postfix/main.cf
+if [ "${domainwide}" = "domainwide" ]; then
+ sed -i 's/REPLACE_mydomain_if_domainwide_ECALPER/$mydomain/g' /etc/postfix/main.cf
+else
+ sed -i 's/REPLACE_mydomain_if_domainwide_ECALPER//g' /etc/postfix/main.cf
+fi
+# Since we re-set the iptables rules, we need to reload them.
+iptables-restore /etc/iptables/rules.v4
+
+# Some useful debconf selections.
+echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections +echo "ssl_cert = /etc/dovecot/conf.d/99-ssl-certs.conf +echo "ssl_key = > /etc/dovecot/conf.d/99-ssl-certs.conf + +# The second line should not be necessary due to the first line, but for +# some reason the installation forgets to set up /etc/mailname early +# enough to not (when running newaliases) stumble over its absence. +echo "postfix postfix/mailname string ${mail_domain}" | debconf-set-selections +echo "${mail_domain}" > /etc/mailname + +# Everything should now be ready for installations. Note that we don't +# strictly need dovecot-lmtpd, as postfix will deliver mail to /var/mail/USER +# in any case, to be found by dovecot; we use it as a transport mechanism to +# allow for sophisticated stuff like dovecot-side sieve filtering (installed +# with dovecot-sieve). +apt install -y -o Dpkg::Options::=--force-confold postfix dovecot-imapd dovecot-lmtpd dovecot-sieve opendkim +echo "TODO: Ensure MX entry for your system in your DNS configuration." +echo "TODO: Ensure a proper SPF entry for this system in your DNS configuration; something like 'v=spf1 mx -all' mapped to your host." +if [ "${add_dkim_record}" -eq "1" ]; then + echo "TODO: Add the following DKIM entry to your DNS configuration (possibly with slightly changed host entry – if your mail domain includes a subdomain, append that with a dot):" + cat "${dkim_selector}.txt" +fi +echo "TODO: passwd plom" diff --git a/all_new_2018/setup_scripts/setup_play.sh b/all_new_2018/setup_scripts/setup_play.sh new file mode 100755 index 0000000..020c13d --- /dev/null +++ b/all_new_2018/setup_scripts/setup_play.sh 
@@ -0,0 +1,46 @@
+#!/bin/sh
+set -e
+
+# Ensure we have a GPG target to encrypt to.
+if [ $# -lt 1 ]; then
+ echo "Need public key ID as argument."
+ false
+fi
+gpg_key="$1"
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+setup_scripts_dir="${config_tree_prefix}/setup_scripts"
+cd "${setup_scripts_dir}"
+
+config_tree_prefix="${HOME}/config/all_new_2018/"
+./hardlink_etc.sh play
+apt -y install weechat screen vim
+cp "${config_tree_prefix}user_files/encrypter.sh" /home/plom/
+chown plom:plom /home/plom/encrypter.sh
+cp "${config_tree_prefix}user_files/weechat-wrapper.sh" /home/plom/
+chown plom:plom /home/plom/weechat-wrapper.sh
+cp "${config_tree_prefix}user_files/weechatrc" /home/plom/.weechatrc
+chown plom:plom /home/plom/.weechatrc
+apt -y install screen gnupg dirmngr
+keyservers='sks-keyservers.net/ keys.gnupg.net'
+set +e
+while true; do
+ do_break=0
+ for keyserver in $(echo "${keyservers}"); do
+ su plom -c "gpg --no-tty --keyserver $keyserver --recv-key ${gpg_key}"
+ if [ $? -eq "0" ]; then
+ do_break=1
+ break
+ fi
+ echo "Attempt with keyserver ${keyserver} unsuccessful, trying other."
+ done
+ if [ "${do_break}" -eq "1" ]; then
+ break
+ fi
+done
+set -e
+echo "$gpg_key" > /home/plom/.encrypt_target
+chown plom:plom /home/plom/.encrypt_target
+# TODO: We may remove dirmngr here if only this script installed it.
+systemctl daemon-reload
+systemctl start encrypt_chatlogs.timer
diff --git a/all_new_2018/setup_scripts/setup_plomlombot.sh b/all_new_2018/setup_scripts/setup_plomlombot.sh
new file mode 100755
index 0000000..5a45b6f
--- /dev/null
+++ b/all_new_2018/setup_scripts/setup_plomlombot.sh
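Review bot: The `while true` retry around `gpg --recv-key` has no sleep and no attempt limit, so a wrong key ID or two unreachable keyservers becomes a tight loop that hammers the keyservers indefinitely; add a `sleep 10` before the next round and cap the rounds, and require `${gpg_key}` to be a full 40-hex fingerprint rather than a short ID, since anything shorter can be matched by a colliding key served back by the keyserver and this key is what all chat logs get encrypted to. `config_tree_prefix` is also assigned twice in this hunk, the second time with a trailing slash right after the `cd "${setup_scripts_dir}"` block; use `"${config_tree_prefix}/user_files/..."` as `setup_plomlombot.sh` does and drop the second assignment. The trailing slash in `sks-keyservers.net/` looks accidental.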
@@ -0,0 +1,45 @@
+#!/bin/sh
+set -e
+
+# Ensure we have a GPG target to encrypt to.
+if [ $# -lt 1 ]; then
+ echo "Need public key ID as argument."
+ false
+fi
+gpg_key="$1"
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+irclogs_dir=/var/www/html/irclogs
+irclogs_pw_dir=/var/www/irclogs_pw
+cp "${config_tree_prefix}"/user_files/plomlombot_daemon.sh /home/plom/
+chown plom:plom /home/plom/plomlombot_daemon.sh
+apt -y install screen python3-venv gnupg dirmngr
+keyservers='sks-keyservers.net/ keys.gnupg.net'
+set +e
+while true; do
+ do_break=0
+ for keyserver in $(echo "${keyservers}"); do
+ su plom -c "gpg --no-tty --keyserver $keyserver --recv-key ${gpg_key}"
+ if [ $? -eq "0" ]; then
+ do_break=1
+ break
+ fi
+ echo "Attempt with keyserver ${keyserver} unsuccessful, trying other."
+ done
+ if [ "${do_break}" -eq "1" ]; then
+ break
+ fi
+done
+set -e
+# TODO: We may remove dirmngr here if only this script installed it.
+su plom -c "cd && git clone /var/public_repos/plomlombot-irc"
+systemctl enable /etc/systemd/system/plomlombot.service
+service plomlombot start
+mkdir -p "${irclogs_dir}"
+chown -R plom:plom "${irclogs_dir}"
+mkdir -p "${irclogs_pw_dir}"
+chown -R plom:plom "${irclogs_pw_dir}"
+echo "Don't forget to add a file ~/.plomlombot with content such as:"
+echo "gpg_key ${gpg_key}"
+echo "bot: SCREEN_SESSION_NAME BOT_NAME #CHANNEL_NAME IRC_SERVER_NAME LOGS_USER LOGS_PW"
+echo "# file should end in newline or non-interpreted line such as this"
diff --git a/all_new_2018/setup_scripts/setup_sendonly.sh b/all_new_2018/setup_scripts/setup_sendonly.sh
new file mode 100755
index 0000000..e761eeb
--- /dev/null
+++ b/all_new_2018/setup_scripts/setup_sendonly.sh
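Review bot: `service plomlombot start` runs before `mkdir -p "${irclogs_dir}"` and `"${irclogs_pw_dir}"` exist and are chowned, so if the daemon writes to them at startup (not verifiable from here) the first start fails or creates them root-owned; move the two `mkdir`/`chown` pairs above `systemctl enable`. The closing instructions have the user put `LOGS_PW` in `~/.plomlombot`; the note should add `chmod 600 ~/.plomlombot`, since plom's home was created by `useradd -m` with default modes. The same unbounded `gpg --recv-key` retry loop appears here as in `setup_play.sh`, and the remarks made there apply.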
@@ -0,0 +1,14 @@
+#!/bin/sh
+# This sets up the minimum of a mail server necessary to send out mails
+# to the world.
+set -e
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+setup_scripts_dir="${config_tree_prefix}/setup_scripts"
+cd "${setup_scripts_dir}"
+
+./hardlink_etc.sh sendonly
+echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
+echo "postfix postfix/mailname string $(hostname -f)" | debconf-set-selections
+echo "$(hostname -f)" > /etc/mailname
+apt install -y postfix
diff --git a/all_new_2018/setup_scripts/setup_server.sh b/all_new_2018/setup_scripts/setup_server.sh
new file mode 100755
index 0000000..b47a495
--- /dev/null
+++ b/all_new_2018/setup_scripts/setup_server.sh
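Review bot: `hostname -f` is evaluated inside `echo "…$(hostname -f)" | debconf-set-selections` and `echo "$(hostname -f)" > /etc/mailname`; a command substitution that fails as part of an echo argument does not trip `set -e`, so an unresolvable FQDN silently preseeds an empty mailname and writes an empty /etc/mailname before postfix is installed. Capturing it once as a standalone assignment, `fqdn=$(hostname -f)`, does abort the script under `set -e` when the lookup fails, and `"${fqdn}"` can then be used in the two debconf lines and `printf '%s\n' "${fqdn}" > /etc/mailname`. This also avoids resolving the name twice.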
@@ -0,0 +1,46 @@
+#!/bin/sh
+# Next setup steps for a server whose login policy has just been set from
+# the outside via ./init_user_and_keybased_login.sh.
+set -e
+
+# Provide maximum input for set_hostname_and_fqdn.sh.
+if [ "$#" -ne 2 ]; then
+ echo 'Need exactly two arguments (hostname, FQDN).'
+ false
+fi
+hostname="$1"
+fqdn="$2"
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+setup_scripts_dir="${config_tree_prefix}/setup_scripts"
+cd "${setup_scripts_dir}"
+
+# Adapt /etc/ to our needs by hardlinking into ./linkable_etc_files. This
+# will set basic configurations affecting following steps, such as setup
+# of APT and the locale selection, so needs to be right at the beginning.
+./hardlink_etc.sh all server
+
+# Set hostname and FQDN.
+./set_hostname_and_fqdn.sh "${hostname}" "${fqdn}"
+
+# Some debconf selections we don't want to get asked during coming
+# install actions.
+echo 'iptables-persistent iptables-persistent/autosave_v4 boolean false' | debconf-set-selections
+echo 'iptables-persistent iptables-persistent/autosave_v6 boolean false' | debconf-set-selections
+
+# Ensure package installation state as defined by what packages are
+# defined as required by Debian policy and by settings in ./apt-mark/.
+apt update
+./install_for_target.sh all server
+./purge_nonrequireds.sh all server
+
+# Only upgrade after reducing the system to the desired minimum, so that
+# we don't need to get more data than necessary.
+apt -y dist-upgrade
+
+# Set Berlin localtime.
+ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
+
+# If we have not yet set the shell for user plom, ensure it here. This
+# is mostly for convenience.
+usermod -s /bin/bash plom
diff --git a/all_new_2018/setup_scripts/setup_web.sh b/all_new_2018/setup_scripts/setup_web.sh
new file mode 100755
index 0000000..7adb62f
--- /dev/null
+++ b/all_new_2018/setup_scripts/setup_web.sh
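Review bot: The argument check writes its diagnostic with `echo '…'` to stdout and relies on `false` under `set -e` to terminate, so the message ends up in the normal output stream and the exit is implicit; `echo 'Need exactly two arguments (hostname, FQDN).' >&2` followed by `exit 1` states the intent directly and keeps working if `set -e` is ever dropped. The argument checks in the two new-file hunks above use the same echo-then-`false` pattern. The comment `# Provide maximum input for set_hostname_and_fqdn.sh.` does not say what "maximum" means; `# set_hostname_and_fqdn.sh needs both the short hostname and the FQDN.` would be clearer.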
@@ -0,0 +1,18 @@
+#!/bin/sh
+# Set up plomlompom.com web server.
+set -e
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+setup_scripts_dir="${config_tree_prefix}/setup_scripts"
+cd "${setup_scripts_dir}"
+
+./hardlink_etc.sh web
+sed -i "s/REPLACE_fqdn_ECALPER/$(hostname -f)/g" /etc/nginx/nginx.conf
+sed -i "s/REPLACE_fqdn_ECALPER/$(hostname -f)/g" /etc/gitweb.conf
+cd /var/
+rm -rf www
+git clone plom@core.plomlompom.com:repos/website www
+apt -y -o Dpkg::Options::=--force-confold install nginx gitweb fcgiwrap
+mkdir /var/public_repos
+chown plom:plom /var/public_repos
+iptables-restore /etc/iptables/rules.v4
diff --git a/all_new_2018/setup_sendonly.sh b/all_new_2018/setup_sendonly.sh
deleted file mode 100755
index 641c16b..0000000
--- a/all_new_2018/setup_sendonly.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/sh
-# This sets up the minimum of a mail server necessary to send out mails
-# to the world.
-set -e
-
-./hardlink_etc.sh sendonly
-echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
-echo "postfix postfix/mailname string $(hostname -f)" | debconf-set-selections
-echo "$(hostname -f)" > /etc/mailname
-apt install -y postfix
diff --git a/all_new_2018/setup_server.sh b/all_new_2018/setup_server.sh
deleted file mode 100755
index ea3437a..0000000
--- a/all_new_2018/setup_server.sh
+++ /dev/null
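Review bot: `mkdir /var/public_repos` has no `-p`, so a re-run of setup_web.sh after a partial failure aborts under `set -e` at that line, while the setup_plomlombot.sh hunk uses `mkdir -p` for its directories; `mkdir -p /var/public_repos` makes the step idempotent and the two scripts consistent. The closing `iptables-restore /etc/iptables/rules.v4` loads only the IPv4 rule set; if the linked etc tree also ships a rules.v6 (the setup_server.sh hunk preseeds both autosave_v4 and autosave_v6, which suggests v6 is in scope), a matching `ip6tables-restore /etc/iptables/rules.v6` is needed, otherwise the host's IPv6 side stays unfiltered. `rm -rf www` runs before the clone, so a failed `git clone` (caught by `set -e`) leaves /var/www missing; cloning into a temporary name first and renaming over www only on success would keep the previous site in place.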
@@ -1,42 +0,0 @@
-#!/bin/sh
-# Next setup steps for a server whose login policy has just been set from
-# the outside via ./init_user_and_keybased_login.sh.
-set -e
-
-# Provide maximum input for set_hostname_and_fqdn.sh.
-if [ "$#" -ne 2 ]; then
- echo 'Need exactly two arguments (hostname, FQDN).'
- false
-fi
-hostname="$1"
-fqdn="$2"
-
-# Adapt /etc/ to our needs by hardlinking into ./linkable_etc_files. This
-# will set basic configurations affecting following steps, such as setup
-# of APT and the locale selection, so needs to be right at the beginning.
-./hardlink_etc.sh all server
-
-# Set hostname and FQDN.
-./set_hostname_and_fqdn.sh "${hostname}" "${fqdn}"
-
-# Some debconf selections we don't want to get asked during coming
-# install actions.
-echo 'iptables-persistent iptables-persistent/autosave_v4 boolean false' | debconf-set-selections
-echo 'iptables-persistent iptables-persistent/autosave_v6 boolean false' | debconf-set-selections
-
-# Ensure package installation state as defined by what packages are
-# defined as required by Debian policy and by settings in ./apt-mark/.
-apt update
-./install_for_target.sh all server
-./purge_nonrequireds.sh all server
-
-# Only upgrade after reducing the system to the desired minimum, so that
-# we don't need to get more data than necessary.
-apt -y dist-upgrade
-
-# Set Berlin localtime.
-ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
-
-# If we have not yet set the shell for user plom, ensure it here. This
-# is mostly for convenience.
-usermod -s /bin/bash plom
diff --git a/all_new_2018/setup_web.sh b/all_new_2018/setup_web.sh
deleted file mode 100755
index 661aa74..0000000
--- a/all_new_2018/setup_web.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh
-set -e
-
-./hardlink_etc.sh web
-sed -i "s/REPLACE_fqdn_ECALPER/$(hostname -f)/g" /etc/nginx/nginx.conf
-sed -i "s/REPLACE_fqdn_ECALPER/$(hostname -f)/g" /etc/gitweb.conf
-cd /var/
-rm -rf www
-git clone plom@core.plomlompom.com:repos/website www
-apt -y -o Dpkg::Options::=--force-confold install nginx gitweb fcgiwrap
-mkdir /var/public_repos
-chown plom:plom /var/public_repos
-iptables-restore /etc/iptables/rules.v4