lib-system-utils


Common utilities, java, docker, emacs, firewall settings, postfix gmail relay

Compatible with: Debian 7
#!/bin/bash
#
# Common utilities
#

system_install_utils() {
    # Baseline admin tooling for a fresh host: resource monitors (htop, iotop,
    # iftop), a mail client, shells/editors and archive helpers.
    # Non-interactive: aptitude answers yes to everything.
    local -a packages=(htop iotop iftop bsd-mailx zsh vim-nox wget zip mc)
    aptitude -y install "${packages[@]}"
}

system_install_git() {
    # git-core is the package name this Debian 7 recipe targets.
    local pkg=git-core
    aptitude -y install "$pkg"
}

system_install_mercurial() {
    # Mercurial from the distribution repository, non-interactive.
    local pkg=mercurial
    aptitude -y install "$pkg"
}

system_install_locales() {
    # Generate a fixed set of UTF-8 locales and make en_IE the system default.
    # Note that /etc/locale.gen is overwritten, not extended.
    aptitude -y install debconf locales
    # Quoted delimiter: the body is literal and contains nothing to expand.
    cat > /etc/locale.gen <<'EOF'
en_US.UTF-8 UTF-8
en_IE.UTF8 UTF-8
cs_CZ.UTF8 UTF-8
EOF
    /usr/sbin/locale-gen
    update-locale LANG=en_IE.UTF-8 LANGUAGE=en_US:en
}

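system_set_timezone() {
    # Pin the system timezone to Europe/Prague without prompts: preseed the
    # tzdata debconf answers, write /etc/timezone, then let dpkg-reconfigure
    # regenerate /etc/localtime from it.
    echo "tzdata tzdata/Areas select Europe" | debconf-set-selections
    echo "tzdata tzdata/Zones/Europe select Prague" | debconf-set-selections
    # Left as a global on purpose: callers may read TIMEZONE after this runs.
    TIMEZONE="Europe/Prague"
    # Quoted (the original expanded it unquoted) and written with printf so the
    # value is never interpreted as echo options.
    printf '%s\n' "$TIMEZONE" > /etc/timezone
    dpkg-reconfigure -f noninteractive tzdata
}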

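system_start_etc_dir_versioning() {
    # Put /etc under git so later configuration changes can be diffed and
    # audited. /etc holds secrets (shadow, SASL passwords, keys) and every
    # committed copy lands in /etc/.git/objects, so the repository must never
    # be readable by other users.
    # Globals (read): NOTIFY_EMAIL - committer address; expected from the caller.
    git config --global user.name "root"
    git config --global user.email "$NOTIFY_EMAIL"
    git init /etc
    # Lock the repository down before the first add. The original only did this
    # after the commit, so under a permissive umask the freshly written objects
    # were readable by everyone in between.
    chmod go-rwx /etc/.git
    git --git-dir /etc/.git --work-tree=/etc add /etc
    # "nothing to commit" exits non-zero; that is not an error for this step.
    git --git-dir /etc/.git --work-tree=/etc commit -m "Started versioning of /etc directory" || true
    # Re-apply recursively so files created by add/commit are covered as well.
    chmod -R go-rwx /etc/.git
}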

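system_record_etc_dir_changes() {
    # Commit the current state of /etc, including deletions (add -A).
    # Arguments: $1 - optional commit message
    #            (default: "Committed /etc changes")
    # Left as a global on purpose: callers may read MESSAGE after this runs.
    # ${1:-...} covers both the unset and the empty case, like the original test.
    MESSAGE=${1:-"Committed /etc changes"}
    git --git-dir /etc/.git --work-tree=/etc add -A /etc
    # "nothing to commit" exits non-zero; that is not an error for this step.
    git --git-dir /etc/.git --work-tree=/etc commit -m "$MESSAGE" || true
}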

system_install_java8() {
    # Oracle Java 8 from the WebUpd8 PPA ("trusty" pocket, used here on Debian 7).
    # NOTE(review): the repository signing key is fetched over plaintext hkp and
    # named by a short 32-bit key id, which does not uniquely identify a key;
    # confirming the full fingerprint out of band is advisable. apt-key is kept
    # because that is what the original used on this release.
    local list=/etc/apt/sources.list.d/webupd8team-java.list
    local repo="http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main"
    printf '%s\n' "deb $repo" | tee "$list"
    printf '%s\n' "deb-src $repo" | tee -a "$list"
    apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886
    aptitude update
    # Pre-accept the Oracle licence so the installer does not prompt.
    printf '%s\n' "oracle-java8-installer shared/accepted-oracle-license-v1-1 select true" | sudo /usr/bin/debconf-set-selections
    aptitude -y install oracle-java8-installer
    aptitude -y install oracle-java8-set-default
}

system_install_docker() {
    # Docker from the (historic) get.docker.io apt repository. The https
    # transport needs apt-transport-https on Debian 7. The key is named by its
    # full fingerprint, though it is still fetched over plaintext hkp.
    local list=/etc/apt/sources.list.d/docker.list
    aptitude -y install apt-transport-https
    printf '%s\n' "deb https://get.docker.io/ubuntu docker main" | tee "$list"
    apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 36A1D7869245C8950F966E92D8576A8BA88D21E9
    aptitude update
    aptitude -y install lxc-docker
}

system_install_emacs() {
    # emacs24 is only in wheezy-backports on Debian 7: enable that pocket and
    # pin the install to it with -t so the rest of the system stays on stable.
    local list=/etc/apt/sources.list.d/backports.list
    printf '%s\n' "deb http://http.debian.net/debian wheezy-backports main" | tee "$list"
    aptitude update
    aptitude -y -t wheezy-backports install emacs24-nox
}

system_setup_iptables() {
    # Write a stateful default-deny IPv4 ruleset, install an if-pre-up hook so
    # it is restored whenever an interface comes up, and apply it right away.
    # NOTE(review): only iptables (IPv4) is configured; ip6tables keeps its
    # default ACCEPT policy, so IPv6 inbound traffic is not filtered by this.
    # NOTE(review): the 8080:8090 "testing" range is open to any source.
    local rules=/etc/iptables.firewall.rules
    local hook=/etc/network/if-pre-up.d/firewall
    # Quoted delimiters: both bodies are literal and must not be expanded.
    cat > "$rules" <<'EOF'
*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow ports for testing
-A INPUT -p tcp --dport 8080:8090 -j ACCEPT

#  Allow ports for MOSH (mobile shell)
-A INPUT -p udp --dport 60000:61000 -j ACCEPT

#  Allow SSH connections
#  The -dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
EOF
    cat > "$hook" <<'EOF'
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
EOF

    # Applies immediately: if sshd listens on a port other than 22 the current
    # session is cut off here, so check the SSH rule above first.
    iptables-restore < "$rules"
    sudo chmod +x "$hook"
}

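system_setup_oom_policy() {
    # Make the kernel panic on OOM and reboot 10 s later, instead of letting the
    # OOM killer pick victims on an unattended host.
    # Arguments: $1 - sysctl config file to append to (default /etc/sysctl.conf)
    # The values are only written here; they take effect after `sysctl -p` or
    # a reboot.
    local conf=${1:-/etc/sysctl.conf}
    local marker='## Enable panic on OOM, reboot 10s after panicking'
    # Idempotent: the original appended on every call, duplicating the keys.
    # The marker comment identifies our own block, so a pre-existing admin
    # setting for these keys is still overridden exactly as before.
    if [ -f "$conf" ] && grep -qxF -- "$marker" "$conf"; then
        return 0
    fi
    cat >> "$conf" <<'EOF'
## Enable panic on OOM, reboot 10s after panicking
vm.panic_on_oom=1
kernel.panic=10
EOF
}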

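postfix_install_gmail_relay() {
    # Install postfix listening on loopback only and relay outbound mail through
    # Gmail with SASL over TLS. Local delivery stays enabled.
    # Globals (read): RELAY_EMAIL, RELAY_PASSWORD - Gmail relay credentials,
    #                 expected from the caller's environment.
    local passwd_file=/etc/postfix/sasl/passwd
    local cacert=/etc/postfix/cacert.pem

    echo "postfix postfix/main_mailer_type select Internet Site" | debconf-set-selections
    echo "postfix postfix/mailname string localhost" | debconf-set-selections
    echo "postfix postfix/destinations string localhost.localdomain, localhost" | debconf-set-selections
    aptitude -y install postfix mailutils libsasl2-2 ca-certificates libsasl2-modules
    /usr/sbin/postconf -e "inet_interfaces = loopback-only"
    /usr/sbin/postconf -e "relayhost = [smtp.gmail.com]:587"
    /usr/sbin/postconf -e "mailbox_command = "
    /usr/sbin/postconf -e "smtp_sasl_auth_enable = yes"
    /usr/sbin/postconf -e "smtp_sasl_password_maps = hash:${passwd_file}"
    /usr/sbin/postconf -e "smtp_sasl_security_options = noanonymous"
    /usr/sbin/postconf -e "smtp_tls_CAfile = ${cacert}"
    /usr/sbin/postconf -e "smtp_use_tls = yes"
    # smtp_use_tls alone is opportunistic: if STARTTLS is not offered the relay
    # credentials would be sent in the clear. "encrypt" makes TLS mandatory and
    # takes precedence over the legacy smtp_use_tls setting. At this level the
    # relay's certificate is not verified against smtp_tls_CAfile; "verify" or
    # "secure" would be needed for that.
    /usr/sbin/postconf -e "smtp_tls_security_level = encrypt"
    # Create the credential file under a restrictive umask so it is never
    # world-readable, even briefly; the original relied on a later chmod.
    mkdir -p -- "${passwd_file%/*}"
    ( umask 077 && printf '%s\n' "[smtp.gmail.com]:587    $RELAY_EMAIL:$RELAY_PASSWORD" > "$passwd_file" )
    chmod 400 "$passwd_file"
    postmap "$passwd_file"
    # The compiled map holds the same credentials; lock it down too.
    chmod 400 "${passwd_file}.db"
    # Seed the CA bundle only once; the original re-appended on every run.
    # NOTE(review): pinning a single CA file is brittle if the relay's chain
    # changes; only relevant once a verifying TLS level is used.
    if [ ! -s "$cacert" ]; then
        cat -- /etc/ssl/certs/Thawte_Premium_Server_CA.pem >> "$cacert"
    fi

    # Marker file; presumably picked up by a later step that restarts postfix.
    touch /tmp/restart-postfix
}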