minimal_arch

by harleypig

Minimal arch setup: wheel group can sudo, ufw installed and configured

Compatible with: Arch 2017.07.01
						#!/bin/bash

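# Stolen and massaged from https://www.linode.com/stackscripts/view/12580
#
# Linode hands every <UDF> below to the script as an upper-cased environment
# variable (USERNAME, USERPASS, ...). Everything after the input checks is
# logged to $LOGFILE; the password is only ever fed to passwd on stdin and
# never printed.

# <UDF name="username"   label="Unprivileged user name" example="This will be the user who will be able to SSH into the server." />
# <UDF name="userpass"   label="Unprivileged user password" />
# <UDF name="userpubkey" label="Public key for the user" default="" example="Should look like 'ssh-rsa AAABBB1x2y3z...'" />
# <UDF name="nopass"     label="Disable password authentication for SSH?" oneof="Yes,No" default="Yes" />
# <UDF name="sshport"    label="SSH port" default="22" example="It is a good idea to set this to something other than the default of 22."/>
# <UDF name="locale"     label="Locale" default="en_US.UTF-8 UTF-8" />
# <UDF name="hostname"   label="Host name" example="This is the name of your server."/>
# <UDF name="timezone"   label="Timezone" default="MST7MDT" example="A name under /usr/share/zoneinfo, e.g. 'America/Denver'." />

# Mirror the UDF defaults so the script behaves the same when run by hand.
NOPASS="${NOPASS:-Yes}"
SSHPORT="${SSHPORT:-22}"
LOCALE="${LOCALE:-en_US.UTF-8 UTF-8}"
TIMEZONE="${TIMEZONE:-MST7MDT}"
USERPUBKEY="${USERPUBKEY-}"

#######################################
# Print a section banner.
# Arguments: $* - banner text
#######################################
log() {
  echo
  echo "### $* ..."
}

#######################################
# Print an error to stderr and abort. Used only where carrying on would
# leave the box unreachable.
# Arguments: $* - message
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Uncomment a locale in /etc/locale.gen.
# Arguments: $1 - locale line as it appears in the file, e.g. "en_US.UTF-8 UTF-8"
#######################################
enable_locale() {
  local pat
  # Escape BRE metacharacters so the value is matched literally instead of
  # being interpolated into the sed pattern as-is.
  pat=$(printf '%s' "$1" | sed 's|[][\.*^$/]|\\&|g')
  sed -i "/^#$pat/s/^#//" /etc/locale.gen
}

#######################################
# Set a global sshd_config directive. sshd uses the first value it finds
# for a directive, so inserting ours at line 1 wins over whatever the
# packaged default says, whichever spelling it uses. (The previous yes|no
# substitution did not match "PermitRootLogin prohibit-password", the
# OpenSSH >= 7.0 default, and so left key-based root login enabled.)
# Arguments: $1 - directive, $2 - value
#######################################
sshd_set() {
  sed -i "1i $1 $2" /etc/ssh/sshd_config
}

# Refuse inputs that would produce a box nobody can SSH into, before
# touching anything.
: "${USERNAME:?username UDF must be set}"
: "${USERPASS:?userpass UDF must be set}"
if [[ "$NOPASS" == 'Yes' && -z "$USERPUBKEY" ]]; then
  die "nopass=Yes without a userpubkey leaves no way to log in over SSH"
fi
if [[ ! "$SSHPORT" =~ ^[0-9]+$ ]]; then
  die "sshport must be a port number, got '$SSHPORT'"
fi

# Redirect STDOUT and STDERR to a log file
LOGFILE='/root/minimal_arch_stackscript.log'
echo "Redirecting output to $LOGFILE. This will take some time ..."
touch "$LOGFILE" && chmod 600 "$LOGFILE"
exec > "$LOGFILE" 2>&1

# Update system
log "Updating system"
pacman -Syyu --noconfirm

# Update and optimize mirrorlist for pacman
log "Installing and configuring reflector"
pacman -Sy --noconfirm reflector
reflector --protocol https --threads 10 --latest 10 --sort rate --save /etc/pacman.d/mirrorlist

# Set up the hostname
log "Setting hostname"
printf '%s\n' "$HOSTNAME" > /etc/hostname
hostname -F /etc/hostname

# Set the locale (en_US.UTF-8 is always generated as a fallback)
log "Setting locale"
enable_locale 'en_US.UTF-8 UTF-8'
if [[ "$LOCALE" != 'en_US.UTF-8 UTF-8' ]]; then
  enable_locale "$LOCALE"
fi
locale-gen

# Set up the TZ. An unknown name is skipped rather than left as a dangling
# /etc/localtime symlink.
log "Setting timezone"
if [[ -f "/usr/share/zoneinfo/$TIMEZONE" ]]; then
  ln -sf "/usr/share/zoneinfo/$TIMEZONE" /etc/localtime
else
  echo "WARNING: no zoneinfo file for '$TIMEZONE', leaving /etc/localtime unchanged"
fi

# Set up an non-privileged user and sudo. With root login disabled and
# AllowUsers restricted to this account below, a missing user means no SSH
# access at all, so this is the one step that must not be skipped over.
log "Adding user"
useradd -m -g users -G wheel -- "$USERNAME" || die "useradd '$USERNAME' failed"
log "Setting password"
passwd -- "$USERNAME" <<EOF
$USERPASS
$USERPASS
EOF

# Setup sudoers so wheel group can sudo. Both the "(ALL)" and the newer
# "(ALL:ALL)" spelling of the commented-out line are accepted. The result is
# checked with visudo and rolled back if the edit broke the file, since a
# syntax error there disables sudo entirely.
log "Modifying sudoers"
cp -p /etc/sudoers /etc/sudoers.stackscript.bak
sed -i 's/^# *\(%wheel ALL=(ALL\(:ALL\)\?) ALL\)/\1/' /etc/sudoers
if visudo -cf /etc/sudoers >/dev/null; then
  rm -f /etc/sudoers.stackscript.bak
else
  echo "WARNING: edited /etc/sudoers failed visudo -c, restoring the original"
  mv -f /etc/sudoers.stackscript.bak /etc/sudoers
fi

# Don't want to put up with that lecture when I don't have to; the marker
# file only has to exist.
LECTURED="/var/db/sudo/lectured/$USERNAME"
touch "$LECTURED" && chown root:users "$LECTURED"

# Set up sshd: disable root login, ensure SSH2, set up password auth, and allow the unprivileged user to login
log "Modifying sshd_config"
sshd_set PermitRootLogin no
# sshd and ufw must agree on the port: the firewall below only opens
# $SSHPORT, so leaving sshd on 22 with any other value locks you out.
sshd_set Port "$SSHPORT"
# Only rewrite an existing Protocol line; OpenSSH >= 7.4 ships without one.
sed -i 's/^[# ]*Protocol \([0-9],\?\)\+/Protocol 2/' /etc/ssh/sshd_config
if [[ "$NOPASS" == 'Yes' ]]; then
  sshd_set PasswordAuthentication no
fi

# Allow only the unprivileged user to log on
sshd_set AllowUsers "$USERNAME"
if [[ -n "$USERPUBKEY" ]]; then
  sshd_set PubkeyAuthentication yes
  SSH_DIR="/home/$USERNAME/.ssh"
  # 700/600 are the conventional permissions; sshd's StrictModes rejects
  # group- or world-writable ones. Ownership is fixed last so it also
  # covers the file just written.
  mkdir -p -m 700 "$SSH_DIR"
  printf '%s\n' "$USERPUBKEY" >> "$SSH_DIR/authorized_keys"
  chmod 600 "$SSH_DIR/authorized_keys"
  chown -R "$USERNAME:users" "$SSH_DIR"
fi

# Only restart on a config that parses; restarting on a broken one would
# take sshd down and with it the only way in.
log "Restarting sshd"
if sshd -t; then
  systemctl restart sshd
else
  echo "WARNING: sshd_config fails 'sshd -t', not restarting sshd"
fi

# Install ntp to keep your clock in sync
log "Installing ntp"
pacman -S --noconfirm ntp
systemctl enable ntpd.service
# NOTE(review): set-ntp also turns on systemd-timesyncd, a second NTP client
# next to ntpd; confirm both are wanted.
timedatectl set-ntp 1

# Set up a firewall (UFW). Don't forget to "ufw allow" other ports if needed.
log "Setting up firewall"
pacman -S --noconfirm ufw
ufw default deny
# "limit" already allows the port and rate-limits new connections from one
# address; a preceding plain "allow" rule would match first and make the
# limit a no-op, so it is deliberately omitted.
ufw limit "$SSHPORT/tcp"
# --force: "ufw enable" otherwise waits for an interactive "Proceed?" answer.
ufw --force enable
# "ufw enable" alone does not bring the rules back after a reboot on Arch.
systemctl enable ufw.service

echo
echo "### Done ###"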