Del-c.net/debian-first-boot-setup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Revise README to reflect the transition from a Git repository setup tool to a comprehensive Debian first boot setup script. Update features, usage instructions, and security configurations, including system updates, user management, firewall setup, and intrusion prevention measures. Enhance clarity and detail throughout the document to guide users effectively.

Browse Source
This commit is contained in:
Sérgio
2025-09-05 12:21:15 +01:00
parent 7ca71b5bdc
commit 0f4dedf424
1 changed files with 202 additions and 118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

320
README.md
View File

@@ -1,153 +1,237 @@
# GetGit - Git Repository Setup Tool
# Debian First Boot Setup Script
A simple bash script that helps users set up SSH keys and clone repositories from a private git server.
A comprehensive bash script for securing and setting up a fresh Debian 12 system with best security practices.
## Download and Run
Download the latest version of the script directly from the repository:
```bash
wget -O setup.sh "https://git.del-c.net/Del-c.net/debian-first-boot-setup/raw/branch/main/setup.sh"
chmod +x setup.sh
sudo ./setup.sh
```
## Features
- **SSH Key Generation**: Automatically generates SSH keys if they don't exist
- **Dynamic User Support**: Works with any username on the git server
- **Repository Discovery**: Automatically discovers available repositories for the user
- **Interactive Selection**: Allows users to choose which repository to clone
- **Dotfiles Support**: Special handling for dotfiles repositories with automatic setup execution
### System Security
- **System Updates**: Updates all packages to latest versions
- **Essential Package Installation**: Installs sudo, curl, wget, vim, htop, unzip, git, openssh-server
- **SSH Hardening**: Disables root SSH login, password authentication, and enables key-based authentication
- **Root Account Locking**: Locks the root password for enhanced security
- **Automatic Security Updates**: Configures unattended-upgrades for security patches
## Usage
### User Management
- **Sysadmin User**: Creates a default `sysadmin` user with sudo privileges
- **Additional Users**: Option to create additional administrative users
- **SSH Key Generation**: Generates SSH keys for all created users and root
- **User Validation**: Validates usernames and prevents duplicates
1. Make the script executable:
```bash
chmod +x setup.sh
```
### Firewall Configuration
- **UFW Option**: Easy-to-use Uncomplicated Firewall with predefined rules
- **Manual iptables**: Basic iptables configuration for advanced users
- **Default Ports**: Allows SSH (22), HTTP (80), and HTTPS (443)
2. Run the script:
```bash
./setup.sh
```
### Intrusion Prevention
- **Fail2ban**: Optional protection against brute-force attacks
- **IP Banning**: Configurable ban times and retry limits
- **Log Monitoring**: Monitors SSH authentication logs
3. Follow the prompts:
- Enter your git username
- Generate SSH key (if needed)
- Add the SSH key to your git account
- Select which repository to clone
## What the Script Does
## How It Works
### 1. System Preparation
- Verifies root privileges and Debian system
- Updates package lists and upgrades all packages
- Installs essential system packages
### 1. Username Input
The script prompts for your git username, which is used to:
- Discover available repositories
- Construct repository URLs
- Set up proper directory structure
### 2. User Account Setup
- Creates `sysadmin` user with home directory
- Optionally creates additional administrative users
- Adds all users to sudo group
- Sets up password authentication for initial access
### 2. SSH Key Management
- Checks for existing SSH key (`~/.ssh/id_ed25519`)
- Generates a new key if none exists
- Displays the public key for copying to your git account
### 3. Security Configuration
- Disables root SSH login
- Configures SSH for key-based authentication only
- Locks root password
- Sets up firewall rules (UFW or iptables)
- Optionally configures fail2ban for intrusion prevention
### 3. Repository Discovery
The script discovers ALL accessible repositories through multiple methods:
### 4. SSH Key Generation
- Generates ED25519 SSH keys for each user
- Generates SSH key for root user
- Sets proper file permissions (600 for private, 644 for public keys)
- Displays all public keys for easy copying
**Primary Method - API Access:**
- Attempts to use GitLab/Gitea API to fetch all repositories you have access to
- Includes both owned and shared repositories
- Automatically detects read/write permissions
### 5. System Finalization
- Configures automatic security updates
- Restarts SSH service with new configuration
- Performs system cleanup
- Displays final system status and connection information
**Fallback Method - Pattern Scanning:**
- Scans your own repositories: `username/dotfiles`, `username/scripts`, etc.
- Checks common shared repositories from users like: `admin`, `shared`, `public`, `team`, `common`, `devops`, `infrastructure`
- Discovers additional project repositories: `website`, `api`, `frontend`, `backend`, `database`, `monitoring`, etc.
- Tests SSH access to determine if you have read access to each repository
## Interactive Configuration
**Repository Types Discovered:**
- **Your repositories**: All repos you own
- **Shared repositories**: Repos you have read/write access to
- **Public repositories**: Publicly accessible repos on the server
- **Team repositories**: Organization/team repos you're a member of
The script prompts for several configuration options:
### 4. Repository Selection
Users can:
- Select from numbered list of all discovered repositories (owned and shared)
- Press Enter to use `username/dotfiles` (if available)
- Type `custom` to enter a custom repository path
- See access type indicators: `(owner)`, `(shared)`, etc.
### Additional User Creation
```
=== Additional User Creation ===
This script will create the 'sysadmin' user by default.
You can also create an additional user account if needed.
### 5. Cloning and Setup
- Clones the selected repository to the appropriate directory
- For dotfiles repositories: runs `setup.sh` automatically
- For other repositories: simply clones to `~/repository-name`
## Configuration
The script can be configured by modifying the settings at the top:
```bash
### === SETTINGS === ###
GIT_SERVER="git.del-c.net" # Change to your git server
Would you like to create an additional user account? (y/N):
```
## Directory Structure
### Firewall Configuration
```
=== Firewall Configuration ===
This script can configure UFW (Uncomplicated Firewall) or you can manage iptables manually.
- **Dotfiles**: `~/.dotfiles/`
- **Other repos**: `~/repository-name/`
UFW vs iptables:
• UFW: Easy to use, good for basic setups
• Manual iptables: More control, better for complex setups (VPN servers, etc.)
Would you like to install and configure UFW? (y/N):
```
### Fail2ban Configuration
```
=== Fail2ban Configuration ===
Fail2ban protects against brute-force attacks by monitoring logs and banning IPs.
Consider skipping fail2ban if:
• You're running a VPN server (WireGuard, OpenVPN, etc.)
• You have complex iptables rules
• You prefer managing IP banning manually
Would you like to install and configure fail2ban? (Y/n):
```
## Security Features
### SSH Hardening
- Protocol 2 only
- Public key authentication required
- Password authentication disabled
- Empty passwords prohibited
- X11 forwarding disabled
- Maximum 3 authentication attempts
- Client alive interval: 5 minutes
- Restricted user access (AllowUsers directive)
### Firewall Rules
**UFW Configuration:**
- Default deny incoming
- Default allow outgoing
- Allow SSH (port 22)
- Allow HTTP (port 80)
- Allow HTTPS (port 443)
**iptables Configuration:**
- Drop all incoming by default
- Allow established and related connections
- Allow loopback traffic
- Allow SSH, HTTP, HTTPS
- Persistent rules saved to `/etc/iptables/rules.v4`
### Fail2ban Settings
- Ban time: 1 hour
- Find time: 10 minutes
- Maximum retries: 3
- SSH jail enabled
- Monitors `/var/log/auth.log`
## Post-Installation
### SSH Connection
After setup completion, connect using:
```bash
ssh sysadmin@YOUR_SERVER_IP
```
Or with additional user:
```bash
ssh USERNAME@YOUR_SERVER_IP
```
### SSH Key Management
1. Copy the displayed SSH public keys
2. Add them to your Git server and other systems
3. Use the keys for passwordless authentication
### System Management
- **View UFW status**: `sudo ufw status verbose`
- **Check iptables rules**: `sudo iptables -L -n`
- **Monitor fail2ban**: `sudo fail2ban-client status sshd`
- **Check SSH config**: `sudo sshd -T`
## Customization
### Manual Firewall Rules
If you chose manual iptables, customize `/etc/iptables-basic.sh`:
```bash
sudo nano /etc/iptables-basic.sh
sudo /etc/iptables-basic.sh
```
### Fail2ban Configuration
Modify fail2ban settings in `/etc/fail2ban/jail.local`:
```bash
sudo nano /etc/fail2ban/jail.local
sudo systemctl restart fail2ban
```
### SSH Configuration
Additional SSH hardening in `/etc/ssh/sshd_config`:
```bash
sudo nano /etc/ssh/sshd_config
sudo systemctl restart sshd
```
## Requirements
- Bash shell
- Git installed
- SSH client
- Access to the configured git server
- **Operating System**: Debian 12 (Bookworm)
- **Privileges**: Must run as root
- **Network**: Internet connection for package updates
- **Storage**: Minimal disk space requirements
## Example Flow
## Important Notes
```
$ ./setup.sh
[?] Enter your git username:
Username: john
⚠️ **Security Warnings:**
1. Root SSH login will be **DISABLED**
2. Root password will be **LOCKED**
3. SSH password authentication will be **DISABLED**
4. Only SSH key authentication will be allowed
5. Only created users can SSH to the server
[+] No SSH key found. Need to generate a new SSH key...
[+] If you are using the correct user, please enter your email for the SSH key.
Enter your email for the SSH key: john@example.com
🔄 **Reboot Recommended:**
A system reboot is recommended after running the script to ensure all changes take effect.
[*] Add the following public key to your GitHub account:
----------------------------------------
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGx... john@example.com
----------------------------------------
Press Enter after you've added the key...
[+] Fetching all accessible git projects...
[*] Attempting to fetch repositories via API...
[*] Found repositories via API:
1. john/dotfiles (owner)
2. john/scripts (owner)
3. team/shared-configs (shared)
4. admin/common-tools (shared)
5. public/templates (shared)
[?] Which project would you like to download?
Enter the number of the repository from the list above, or:
- Press Enter to use john/dotfiles (if available)
- Type 'custom' to enter a custom repository path
Enter your choice: 3
[*] Selected repository: git@git.del-c.net:team/shared-configs.git
[*] Download directory: /Users/john/shared-configs
[+] Cloning selected repository...
[*] Repository cloned successfully to: /Users/john/shared-configs
```
📋 **Backup Recommendation:**
Take a system snapshot before running the script if running on a virtual machine.
## Troubleshooting
### SSH Key Issues
- Ensure the SSH key is added to your git account
- Check SSH connection: `ssh -T git@git.del-c.net`
### Cannot SSH After Setup
1. Ensure SSH key is properly added to your SSH agent
2. Verify the public key was added to the server
3. Check SSH client configuration
4. Use verbose mode: `ssh -v sysadmin@server-ip`
### Repository Not Found
- Verify the repository exists on the server
- Check username spelling
- Ensure you have access to the repository
### Firewall Issues
1. Check UFW status: `sudo ufw status`
2. Verify port 22 is allowed: `sudo ufw status numbered`
3. For iptables: `sudo iptables -L -n | grep 22`
### Permission Denied
- Confirm SSH key is properly added to git account
- Verify you have read access to the repository
### Fail2ban Problems
1. Check service status: `sudo systemctl status fail2ban`
2. View logs: `sudo journalctl -u fail2ban`
3. Check jail status: `sudo fail2ban-client status`
## Contributing
Feel free to submit issues and enhancement requests!
Feel free to submit issues and enhancement requests to improve this script!
## License
This project is open source and available under standard terms.