From 01de6e555d9675370c4314c4c51cee67ee554f49 Mon Sep 17 00:00:00 2001
From: Christian Heller <c.heller@plomlompom.de>
Date: Wed, 29 Dec 2021 17:11:23 +0100
Subject: [PATCH] Add basic stretch setup for seedboxes.

---
 stretch/apt-mark/seedbox                      |   8 ++
 stretch/etc_files/server/etc/ssh/sshd_config  | 126 ++++++++++++++++++
 .../init_user_and_keybased_login.sh           |  56 ++++++++
 stretch/setup_scripts/install_for_target.sh   |  20 +++
 stretch/setup_scripts/setup_seedbox.sh        |  12 ++
 5 files changed, 222 insertions(+)
 create mode 100644 stretch/apt-mark/seedbox
 create mode 100644 stretch/etc_files/server/etc/ssh/sshd_config
 create mode 100755 stretch/setup_scripts/init_user_and_keybased_login.sh
 create mode 100755 stretch/setup_scripts/install_for_target.sh
 create mode 100755 stretch/setup_scripts/setup_seedbox.sh

diff --git a/stretch/apt-mark/seedbox b/stretch/apt-mark/seedbox
new file mode 100644
index 0000000..37b941e
--- /dev/null
+++ b/stretch/apt-mark/seedbox
@@ -0,0 +1,8 @@
+# needed for rtorrent config setup
+curl
+# needed for torrenting
+rtorrent
+# needed for torrenting session
+screen
+# needed for upload/download
+rsync
diff --git a/stretch/etc_files/server/etc/ssh/sshd_config b/stretch/etc_files/server/etc/ssh/sshd_config
new file mode 100644
index 0000000..89d08ac
--- /dev/null
+++ b/stretch/etc_files/server/etc/ssh/sshd_config
@@ -0,0 +1,126 @@
+#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin no  # plomlompom's security rule
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin yes
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation sandbox
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+
+ClientAliveInterval 120
+PasswordAuthentication no  # plomlompom's security rule
diff --git a/stretch/setup_scripts/init_user_and_keybased_login.sh b/stretch/setup_scripts/init_user_and_keybased_login.sh
new file mode 100755
index 0000000..cea582f
--- /dev/null
+++ b/stretch/setup_scripts/init_user_and_keybased_login.sh
@@ -0,0 +1,56 @@
+#!/bin/sh
+# This script turns a fresh server with password-based root access into
+# one of only key-based access and only to new non-root account plom.
+#
+# CAUTION: This is optimized for a *fresh* setup. It will overwrite any
+# pre-existing ~/.ssh/authorized_keys of user plom with one that solely
+# contains the local ~/.ssh/id_rsa.pub, and also any old
+# /etc/ssh/sshd_config.
+#
+# Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly
+# configured sshd_config file in reach.
+set -e
+
+# Location of an sshd_config with "PermitRootLogin no" and
+# "PasswordAuthentication no".
+config_tree_prefix="${HOME}/public_repos/config/stretch"
+linkable_files_dir="${config_tree_prefix}/etc_files/server"
+system_path_sshd_config='/etc/ssh/sshd_config'
+local_path_sshd_config="${linkable_files_dir}${system_path_sshd_config}"
+
+# Ensure we have a server name as argument.
+if [ $# -eq 0 ]; then
+    echo "Need server as argument."
+    false
+fi
+server="$1"
+
+# This will be used to log-in as root from plom account.
+echo 'First, enter the old root password; then enter new password twice.'
+ssh root@"${server}" "passwd"
+
+# Save root password for sshpass
+stty -echo
+printf "Re-enter new server root password: "
+read PW_ROOT
+stty echo
+printf "\n"
+export SSHPASS="${PW_ROOT}"
+
+# Create user plom, and his ~/.ssh/authorized_keys based on the local
+# ~/.ssh/id_rsa.pub; ensure the result has proper permissions and
+# ownerships. Then disable root and pw login by copying over the
+# sshd_config and restart ssh daemon.
+#
+# This could be a line or two shorter by using ssh-copy-id, but that
+# would require setting a password for user plom otherwise not needed.
+sshpass -e scp ~/.ssh/id_rsa.pub root@"${server}":/tmp/authorized_keys
+sshpass -e ssh root@"${server}" \
+        'useradd -m plom && '\
+        'mkdir /home/plom/.ssh && '\
+        'chown plom:plom /home/plom/.ssh && '\
+        'chown plom:plom /tmp/authorized_keys && '\
+        'chmod u=rw,go= /tmp/authorized_keys && '\
+        'mv /tmp/authorized_keys /home/plom/.ssh/'
+sshpass -e scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}"
+sshpass -e ssh root@"${server}" 'service ssh restart'
diff --git a/stretch/setup_scripts/install_for_target.sh b/stretch/setup_scripts/install_for_target.sh
new file mode 100755
index 0000000..3a42c4d
--- /dev/null
+++ b/stretch/setup_scripts/install_for_target.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Walks through the package names in the argument-selected files of
+# apt-mark/ and ensures the respective packages are installed.
+#
+# Ignores anything in an apt-mark/ file after the last newline.
+set -e
+
+config_tree_prefix="${HOME}/config/stretch"
+aptmark_dir="${config_tree_prefix}/apt-mark"
+
+for target in "$@"; do
+    path="${aptmark_dir}/${target}"
+    # TODO: continue if file at $path not found, to get rid of dummy files
+    cat "${path}" | while read line; do
+        echo "$line"
+        if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
+            DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::=--force-confold install "${line}"
+        fi
+    done
+done
diff --git a/stretch/setup_scripts/setup_seedbox.sh b/stretch/setup_scripts/setup_seedbox.sh
new file mode 100755
index 0000000..32c7791
--- /dev/null
+++ b/stretch/setup_scripts/setup_seedbox.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+./install_for_target.sh seedbox
+
+# As according to <https://rtorrent-docs.readthedocs.io/en/latest/cookbook.html#modernized-configuration-template>
+su -lc "curl -Ls 'https://raw.githubusercontent.com/wiki/rakshasa/rtorrent/CONFIG-Template.md' | grep -A9999 '^######' | grep -B9999 '^### END' | sed -re \"s:/home/USERNAME:\$HOME:\" >~/.rtorrent.rc" plom
+su -lc "mkdir ~/rtorrent" plom
+
+# As according to <https://unix.stackexchange.com/a/475485>
+chmod u+s /usr/bin/screen
+chmod 755 /var/run/screen
-- 
2.30.2