Del-c.net/debian-first-boot-setup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Revise README to reflect the transition from a Git repository setup tool to a comprehensive Debian first boot setup script. Update features, usage instructions, and security configurations, including system updates, user management, firewall setup, and intrusion prevention measures. Enhance clarity and detail throughout the document to guide users effectively.

Browse Source
This commit is contained in:
Sérgio
2025-09-05 12:21:15 +01:00
parent 7ca71b5bdc
commit 0f4dedf424
1 changed files with 202 additions and 118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

330
README.md
View File

@@ -1,153 +1,237 @@
# GetGit - Git Repository Setup Tool # Debian First Boot Setup Script
A simple bash script that helps users set up SSH keys and clone repositories from a private git server. A comprehensive bash script for securing and setting up a fresh Debian 12 system with best security practices.
## Download and Run
Download the latest version of the script directly from the repository:
```bash
wget -O setup.sh "https://git.del-c.net/Del-c.net/debian-first-boot-setup/raw/branch/main/setup.sh"
chmod +x setup.sh
sudo ./setup.sh
```
## Features ## Features
- **SSH Key Generation**: Automatically generates SSH keys if they don't exist ### System Security
- **Dynamic User Support**: Works with any username on the git server - **System Updates**: Updates all packages to latest versions
- **Repository Discovery**: Automatically discovers available repositories for the user - **Essential Package Installation**: Installs sudo, curl, wget, vim, htop, unzip, git, openssh-server
- **Interactive Selection**: Allows users to choose which repository to clone - **SSH Hardening**: Disables root SSH login, password authentication, and enables key-based authentication
- **Dotfiles Support**: Special handling for dotfiles repositories with automatic setup execution - **Root Account Locking**: Locks the root password for enhanced security
- **Automatic Security Updates**: Configures unattended-upgrades for security patches
## Usage ### User Management
- **Sysadmin User**: Creates a default `sysadmin` user with sudo privileges
- **Additional Users**: Option to create additional administrative users
- **SSH Key Generation**: Generates SSH keys for all created users and root
- **User Validation**: Validates usernames and prevents duplicates
1. Make the script executable: ### Firewall Configuration
```bash - **UFW Option**: Easy-to-use Uncomplicated Firewall with predefined rules
chmod +x setup.sh - **Manual iptables**: Basic iptables configuration for advanced users
- **Default Ports**: Allows SSH (22), HTTP (80), and HTTPS (443)
### Intrusion Prevention
- **Fail2ban**: Optional protection against brute-force attacks
- **IP Banning**: Configurable ban times and retry limits
- **Log Monitoring**: Monitors SSH authentication logs
## What the Script Does
### 1. System Preparation
- Verifies root privileges and Debian system
- Updates package lists and upgrades all packages
- Installs essential system packages
### 2. User Account Setup
- Creates `sysadmin` user with home directory
- Optionally creates additional administrative users
- Adds all users to sudo group
- Sets up password authentication for initial access
### 3. Security Configuration
- Disables root SSH login
- Configures SSH for key-based authentication only
- Locks root password
- Sets up firewall rules (UFW or iptables)
- Optionally configures fail2ban for intrusion prevention
### 4. SSH Key Generation
- Generates ED25519 SSH keys for each user
- Generates SSH key for root user
- Sets proper file permissions (600 for private, 644 for public keys)
- Displays all public keys for easy copying
### 5. System Finalization
- Configures automatic security updates
- Restarts SSH service with new configuration
- Performs system cleanup
- Displays final system status and connection information
## Interactive Configuration
The script prompts for several configuration options:
### Additional User Creation
```
=== Additional User Creation ===
This script will create the 'sysadmin' user by default.
You can also create an additional user account if needed.
Would you like to create an additional user account? (y/N):
``` ```
2. Run the script: ### Firewall Configuration
```bash ```
./setup.sh === Firewall Configuration ===
This script can configure UFW (Uncomplicated Firewall) or you can manage iptables manually.
UFW vs iptables:
• UFW: Easy to use, good for basic setups
• Manual iptables: More control, better for complex setups (VPN servers, etc.)
Would you like to install and configure UFW? (y/N):
``` ```
3. Follow the prompts: ### Fail2ban Configuration
- Enter your git username ```
- Generate SSH key (if needed) === Fail2ban Configuration ===
- Add the SSH key to your git account Fail2ban protects against brute-force attacks by monitoring logs and banning IPs.
- Select which repository to clone
## How It Works Consider skipping fail2ban if:
• You're running a VPN server (WireGuard, OpenVPN, etc.)
• You have complex iptables rules
• You prefer managing IP banning manually
### 1. Username Input Would you like to install and configure fail2ban? (Y/n):
The script prompts for your git username, which is used to:
- Discover available repositories
- Construct repository URLs
- Set up proper directory structure
### 2. SSH Key Management
- Checks for existing SSH key (`~/.ssh/id_ed25519`)
- Generates a new key if none exists
- Displays the public key for copying to your git account
### 3. Repository Discovery
The script discovers ALL accessible repositories through multiple methods:
**Primary Method - API Access:**
- Attempts to use GitLab/Gitea API to fetch all repositories you have access to
- Includes both owned and shared repositories
- Automatically detects read/write permissions
**Fallback Method - Pattern Scanning:**
- Scans your own repositories: `username/dotfiles`, `username/scripts`, etc.
- Checks common shared repositories from users like: `admin`, `shared`, `public`, `team`, `common`, `devops`, `infrastructure`
- Discovers additional project repositories: `website`, `api`, `frontend`, `backend`, `database`, `monitoring`, etc.
- Tests SSH access to determine if you have read access to each repository
**Repository Types Discovered:**
- **Your repositories**: All repos you own
- **Shared repositories**: Repos you have read/write access to
- **Public repositories**: Publicly accessible repos on the server
- **Team repositories**: Organization/team repos you're a member of
### 4. Repository Selection
Users can:
- Select from numbered list of all discovered repositories (owned and shared)
- Press Enter to use `username/dotfiles` (if available)
- Type `custom` to enter a custom repository path
- See access type indicators: `(owner)`, `(shared)`, etc.
### 5. Cloning and Setup
- Clones the selected repository to the appropriate directory
- For dotfiles repositories: runs `setup.sh` automatically
- For other repositories: simply clones to `~/repository-name`
## Configuration
The script can be configured by modifying the settings at the top:
```bash
### === SETTINGS === ###
GIT_SERVER="git.del-c.net" # Change to your git server
``` ```
## Directory Structure ## Security Features
- **Dotfiles**: `~/.dotfiles/` ### SSH Hardening
- **Other repos**: `~/repository-name/` - Protocol 2 only
- Public key authentication required
- Password authentication disabled
- Empty passwords prohibited
- X11 forwarding disabled
- Maximum 3 authentication attempts
- Client alive interval: 5 minutes
- Restricted user access (AllowUsers directive)
### Firewall Rules
**UFW Configuration:**
- Default deny incoming
- Default allow outgoing
- Allow SSH (port 22)
- Allow HTTP (port 80)
- Allow HTTPS (port 443)
**iptables Configuration:**
- Drop all incoming by default
- Allow established and related connections
- Allow loopback traffic
- Allow SSH, HTTP, HTTPS
- Persistent rules saved to `/etc/iptables/rules.v4`
### Fail2ban Settings
- Ban time: 1 hour
- Find time: 10 minutes
- Maximum retries: 3
- SSH jail enabled
- Monitors `/var/log/auth.log`
## Post-Installation
### SSH Connection
After setup completion, connect using:
```bash
ssh sysadmin@YOUR_SERVER_IP
```
Or with additional user:
```bash
ssh USERNAME@YOUR_SERVER_IP
```
### SSH Key Management
1. Copy the displayed SSH public keys
2. Add them to your Git server and other systems
3. Use the keys for passwordless authentication
### System Management
- **View UFW status**: `sudo ufw status verbose`
- **Check iptables rules**: `sudo iptables -L -n`
- **Monitor fail2ban**: `sudo fail2ban-client status sshd`
- **Check SSH config**: `sudo sshd -T`
## Customization
### Manual Firewall Rules
If you chose manual iptables, customize `/etc/iptables-basic.sh`:
```bash
sudo nano /etc/iptables-basic.sh
sudo /etc/iptables-basic.sh
```
### Fail2ban Configuration
Modify fail2ban settings in `/etc/fail2ban/jail.local`:
```bash
sudo nano /etc/fail2ban/jail.local
sudo systemctl restart fail2ban
```
### SSH Configuration
Additional SSH hardening in `/etc/ssh/sshd_config`:
```bash
sudo nano /etc/ssh/sshd_config
sudo systemctl restart sshd
```
## Requirements ## Requirements
- Bash shell - **Operating System**: Debian 12 (Bookworm)
- Git installed - **Privileges**: Must run as root
- SSH client - **Network**: Internet connection for package updates
- Access to the configured git server - **Storage**: Minimal disk space requirements
## Example Flow ## Important Notes
``` ⚠️ **Security Warnings:**
$ ./setup.sh 1. Root SSH login will be **DISABLED**
[?] Enter your git username: 2. Root password will be **LOCKED**
Username: john 3. SSH password authentication will be **DISABLED**
4. Only SSH key authentication will be allowed
5. Only created users can SSH to the server
[+] No SSH key found. Need to generate a new SSH key... 🔄 **Reboot Recommended:**
[+] If you are using the correct user, please enter your email for the SSH key. A system reboot is recommended after running the script to ensure all changes take effect.
Enter your email for the SSH key: john@example.com
[*] Add the following public key to your GitHub account: 📋 **Backup Recommendation:**
---------------------------------------- Take a system snapshot before running the script if running on a virtual machine.
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGx... john@example.com
----------------------------------------
Press Enter after you've added the key...
[+] Fetching all accessible git projects...
[*] Attempting to fetch repositories via API...
[*] Found repositories via API:
1. john/dotfiles (owner)
2. john/scripts (owner)
3. team/shared-configs (shared)
4. admin/common-tools (shared)
5. public/templates (shared)
[?] Which project would you like to download?
Enter the number of the repository from the list above, or:
- Press Enter to use john/dotfiles (if available)
- Type 'custom' to enter a custom repository path
Enter your choice: 3
[*] Selected repository: git@git.del-c.net:team/shared-configs.git
[*] Download directory: /Users/john/shared-configs
[+] Cloning selected repository...
[*] Repository cloned successfully to: /Users/john/shared-configs
```
## Troubleshooting ## Troubleshooting
### SSH Key Issues ### Cannot SSH After Setup
- Ensure the SSH key is added to your git account 1. Ensure SSH key is properly added to your SSH agent
- Check SSH connection: `ssh -T git@git.del-c.net` 2. Verify the public key was added to the server
3. Check SSH client configuration
4. Use verbose mode: `ssh -v sysadmin@server-ip`
### Repository Not Found ### Firewall Issues
- Verify the repository exists on the server 1. Check UFW status: `sudo ufw status`
- Check username spelling 2. Verify port 22 is allowed: `sudo ufw status numbered`
- Ensure you have access to the repository 3. For iptables: `sudo iptables -L -n | grep 22`
### Permission Denied ### Fail2ban Problems
- Confirm SSH key is properly added to git account 1. Check service status: `sudo systemctl status fail2ban`
- Verify you have read access to the repository 2. View logs: `sudo journalctl -u fail2ban`
3. Check jail status: `sudo fail2ban-client status`
## Contributing ## Contributing
Feel free to submit issues and enhancement requests! Feel free to submit issues and enhancement requests to improve this script!
## License
This project is open source and available under standard terms.