#!/bin/bash
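panic() {
  # Print a fatal error and abort the provisioning run.
  # Arguments: $1 - message describing what went wrong
  # Outputs:   the message followed by "Aborting." on stderr. Both lines go
  #            to stderr (the original sent "Aborting." to stdout), so a
  #            caller capturing stdout never sees diagnostics mixed in.
  # Returns:   does not return; exits the script with status 1
  printf '%s\n' "$1" >&2
  printf 'Aborting.\n' >&2
  exit 1
}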
# Refuse to run unless explicitly forced and running as root: everything
# below rewrites system configuration in place.
if [[ $1 != "--force" ]]; then
  panic "Must be run with --force"
fi
if [[ $(id -u) -ne 0 ]]; then
  panic "This script must be run as root."
fi
log() {
  # Emit a progress message on stderr, prefixed so it can be told apart
  # from the output of the packaging tools this script runs.
  # Arguments: $1 - message to print
  local msg=$1
  printf 'provision: %s\n' "$msg" >&2
}
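log "install and configure most essential packages"
apt-get update --quiet=2
apt-get install --yes --quiet=2 ufw || panic "Could not install ufw."
# Open SSH *before* the firewall is switched on, and stop if that rule
# cannot be added: enabling "default deny" without it would lock us out
# of the host (there is no set -e, so the failure would otherwise be
# silently ignored).
ufw allow 22/tcp || panic "Could not open port 22/tcp; not enabling firewall."
ufw default deny
ufw --force enable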
log "install service packages"
# Everything the web/git/shell roles below rely on, installed in one go.
service_packages=(
  adduser
  apt-listchanges
  ca-certificates
  cgit
  curl
  fcgiwrap
  git-core
  jq
  nginx
  openssl
  python3-markdown
  python3-pygments
  rsync
  ssl-cert
  sudo
  ufw
  unattended-upgrades
  wget
)
apt-get install --yes --quiet=2 "${service_packages[@]}"
log "copy package configurations"
# Overlay the prepared configuration tree onto the root filesystem.
rsync --recursive /usr/local/share/provision/rootfs/ /
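log "ensure certificate bundle exists"
# the certificate bundle should be provisioned by terraform, however
# for testing purposes (such as in a vm) this links the default
# "snakeoil" test certificates to the appropriate locations if they do
# not already exist
cert_files=(
  /etc/ssl/private/server.key.pem
  /etc/ssl/server.cert.pem
  /etc/ssl/issuer.cert.pem
)
missing=()
for f in "${cert_files[@]}"; do
  [[ -r "$f" ]] || missing+=("$f")
done
if (( ${#missing[@]} == ${#cert_files[@]} )); then
  # nothing provisioned at all: fall back to the snakeoil pair. Only in
  # this case is creating the links safe, since none of the targets exist.
  ln -f -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/server.key.pem
  ln -f -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/server.cert.pem
  ln -f -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/issuer.cert.pem
  log "WARNING: no certificates found, falling back to snakeoil certificates!"
elif (( ${#missing[@]} > 0 )); then
  # a partial bundle is refused rather than silently repaired: previously
  # a single missing file caused *all three* paths to be force-linked to
  # snakeoil, replacing whatever real key or certificate was present.
  panic "Incomplete certificate bundle, missing: ${missing[*]}"
fi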
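log "configure nginx"
# drop the stock site so only the provisioned one answers; -f keeps a
# re-run from failing when the link is already gone
rm -r -f -- /etc/nginx/sites-enabled/default
# presumably so the nginx worker user can read the server key under
# /etc/ssl/private — confirm against the rootfs nginx config
usermod --append --groups ssl-cert www-data
ufw allow 80/tcp
ufw allow 443/tcp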
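log "configure git"
adduser --group --system --home /var/lib/git git
mkdir -p /srv/git
chown -R git:git /srv/git
mkdir -p /var/lib/git/www/
# -f: replace existing links on re-provisioning instead of failing, the
# same way the certificate links above are created
ln -s -f /usr/share/cgit/cgit.css /var/lib/git/www/cgit.css
ln -s -f /usr/share/cgit/robots.txt /var/lib/git/www/robots.txt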
log "configure shell accounts"
# fixed uid, empty GECOS, and password authentication disabled for the
# account
adduser --disabled-password --uid 1000 --gecos "" jodersky
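log "restart services"
# validate the configuration copied in above before restarting, so a bad
# config aborts provisioning instead of leaving nginx stopped
nginx -t || panic "nginx configuration is invalid; not restarting."
systemctl restart nginx
log "configuration complete!"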