by kylebutton

UniFi: install the newest SDN Controller with ports open for the Guest Portal, STUN and Webmin. Fail2ban, Nginx redirecting 80 to 443, Let's Encrypt, IPv6.

Runs great on a Nanode.

Let's Encrypt expects your hostname to resolve to your IP address before it issues a certificate. Have your DNS configuration open and ready, and add the relevant record as soon as the Linode deployment shows your IP address. The software updates and installs the script performs before the certificate request give you enough time to save your DNS settings.

Compatible with: Debian 9
#<UDF name="email" label="The email address used for LetsEncrypt:">
#<UDF name="hostname" label="The hostname for the new Linode:">

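# Run non-interactively: no apt/dpkg step below may block on a prompt, because
# nobody is watching a StackScript log while it provisions.
export DEBIAN_FRONTEND=noninteractive

# Both values come from the UDF fields above. Fail early with a clear message
# rather than setting an empty hostname or requesting a certificate for "".
: "${EMAIL:?EMAIL (LetsEncrypt contact address) must be set}"
: "${HOSTNAME:?HOSTNAME must be set}"

#######################################
# Print one progress line to stdout (the StackScript log).
# Arguments: message words
#######################################
log() {
  printf '%s\n' "$*"
}

# update debian
log "Updating Debian"
apt-get update
apt-get upgrade -y

# Setup the hostname
log "Setting the hostname"
hostname "$HOSTNAME"
hostnamectl set-hostname "$HOSTNAME"

# Install Unifi
# The repository itself is plain HTTP, but apt verifies every package against
# the Ubiquiti signing key fetched over HTTPS here, so package integrity holds.
log "Installing UniFi"
wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ubnt.com/unifi/unifi-repo.gpg
printf '%s\n' 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti' \
  > /etc/apt/sources.list.d/100-ubnt-unifi.list
apt-get update
apt-get install unifi -y

# Install LetsEncrypt
log "Installing LetsEncrypt"
apt-get install letsencrypt -y

# Setup LetsEncrypt certificate
# NOTE(review): the helper is fetched from an unpinned GitHub branch ("master")
# and then executed as root, so whatever that branch contains at deploy time
# runs here. Pin it to a specific commit or tag, or vendor a reviewed copy, if
# that is not acceptable. The sed strips the tls-sni challenge option from the
# helper's certbot call (presumably because that challenge type was retired).
log "Setting up LetsEncrypt Certificate"
cert_script=/opt/gen-unifi-cert.sh
if wget -O "$cert_script" https://raw.githubusercontent.com/TechButton/lets-encrypt-unifi/master/lets-encrypt-unifi.sh; then
  sed -i 's/--agree-tos --standalone --preferred-challenges tls-sni/--agree-tos --standalone/g' "$cert_script"
  chmod +x "$cert_script"
  "$cert_script" -e "$EMAIL" -d "$HOSTNAME"
else
  # Don't execute a missing or partial file; the cron entry below still lets a
  # later renewal run pick things up once the helper is in place.
  printf 'warn: could not download %s; skipping certificate setup\n' "$cert_script" >&2
fi

# Create crontab for LetsEncrypt
log "Update LetsEncrypt Certificate on a schedule"
cron_tmp=$(mktemp)
# A freshly built system has no crontab yet; `crontab -l` exits non-zero and
# complains on stderr in that case, which is expected here.
crontab -l 2>/dev/null > "$cron_tmp"
printf '%s\n' "23 1,13 * * * $cert_script -r -d $HOSTNAME" >> "$cron_tmp"
crontab "$cron_tmp"
rm -f -- "$cron_tmp"

#Install Webmin
# NOTE(review): the .deb is downloaded without any signature or checksum
# verification; HTTPS only protects it in transit. Compare it against a known
# checksum before dpkg if you need supply-chain assurance for this package.
log "Installing Webmin"
webmin_dir=$(mktemp -d)
webmin_deb="$webmin_dir/webmin_1.890_all.deb"
wget -O "$webmin_deb" https://prdownloads.sourceforge.net/webadmin/webmin_1.890_all.deb
apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python -y
# dpkg does not resolve dependencies on its own; let apt finish the job if any
# were still missing, instead of leaving webmin half-configured.
dpkg --install "$webmin_deb" || apt-get install -f -y
rm -rf -- "${webmin_dir:?}"

# Create firewall rules
# TCP: ssh (22), the HTTP redirect host (80) and 443 (redirected to the
# controller on 8443 below), the remaining UniFi/guest-portal ports, and
# Webmin on 10000. UDP: STUN (3478) and 10001. Everything else inbound is
# dropped. 22 and 10000 are reachable from anywhere; restrict them to trusted
# source addresses if you can.
log "Creating FW Rules"
tcp_ports=(22 443 8080 8081 8880 8443 8843 6789 10000 80)
udp_ports=(3478 10001)

#######################################
# Append the inbound allow-list to one address family.
# Arguments: $1 - iptables binary (iptables or ip6tables)
# Globals:   tcp_ports, udp_ports (read)
# Rules are appended, so the RELATED/ESTABLISHED rule must come before the
# port rules and the catch-all DROP must be last.
#######################################
apply_input_rules() {
  local ipt=$1 port
  "$ipt" -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
  "$ipt" -A INPUT -i lo -j ACCEPT
  if [[ "$ipt" == ip6tables ]]; then
    # Neighbour discovery and router advertisements are ICMPv6; dropping them
    # would cost the host its IPv6 connectivity entirely.
    "$ipt" -A INPUT -p ipv6-icmp -j ACCEPT
  fi
  for port in "${tcp_ports[@]}"; do
    "$ipt" -A INPUT -p tcp -m tcp --dport "$port" -j ACCEPT
  done
  for port in "${udp_ports[@]}"; do
    "$ipt" -A INPUT -p udp -m udp --dport "$port" -j ACCEPT
  done
  "$ipt" -A INPUT -j DROP
  "$ipt" -A OUTPUT -o eth0 -j ACCEPT
}

# The 443 -> 8443 redirect is IPv4-only, as before; IPv6 gets the same filter
# allow-list so that a listener on [::] is not exposed unfiltered while the v4
# side is locked down (iptables-persistent below saves both tables).
iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
apply_input_rules iptables
apply_input_rules ip6tables

# Install FW persistence
# Pre-seed debconf so the package saves both rule sets at install time without
# prompting; this script already runs as root, so no sudo is needed.
log "Installing other Software"
debconf-set-selections <<'EOF'
iptables-persistent iptables-persistent/autosave_v4 boolean true
iptables-persistent iptables-persistent/autosave_v6 boolean true
EOF
apt-get install iptables-persistent netfilter-persistent -y

# Save firewall rules
log "Saving FW Rules"
netfilter-persistent save

# Install Nginx
log "Installing Nginx"
apt-get install nginx-light -y

# Configure Nginx to forward 80 to 443
# Quoted here-doc: nginx's $host/$request_uri must reach the file literally.
log "Configuring Nginx to forward HTTP to HTTPS"
cat > /etc/nginx/sites-available/redirect <<'EOF'
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
EOF
ln -sf /etc/nginx/sites-available/redirect /etc/nginx/sites-enabled/redirect
rm -f /etc/nginx/sites-enabled/default

# Install fail2ban
log "Installing fail2ban"
apt-get install fail2ban -y

# Restart services
log "Restarting Services"
# Validate the new vhost first so a bad config does not leave nginx down.
if nginx -t; then
  systemctl restart nginx
else
  printf 'warn: nginx config test failed; nginx not restarted\n' >&2
fi
systemctl restart unifi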