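#!/bin/bash
# secure.sh — first-login hardening of a fresh VPS: creates an admin user,
# brings up a WireGuard tunnel with a random ULA-style /64 and a random
# listen port, and restricts sshd to the tunnel address only.
#
# Must run as root. Expects a `variables` file next to this script that
# sets USERNAME, MY_SSH_KEY (the operator's authorized_keys line) and
# WIREGUARD_PUBKEY (the operator's WireGuard public key).
#
# After this script new SSH logins only work through the tunnel; the
# client-side details are printed at the end and must be saved before the
# current session is closed.
set -euo pipefail

# Print a message to stderr and abort.
die() { printf 'secure.sh: %s\n' "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || die "must run as root"

# Resolve `variables` relative to the script so it also works when the
# script is not started from its own directory.
script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)
[[ -r "$script_dir/variables" ]] || die "missing $script_dir/variables"
# shellcheck source=/dev/null
source "$script_dir/variables"
: "${USERNAME:?USERNAME must be set in variables}"
: "${MY_SSH_KEY:?MY_SSH_KEY must be set in variables}"
: "${WIREGUARD_PUBKEY:?WIREGUARD_PUBKEY must be set in variables}"

echo "Installing dependencies... Please stay for a second, you will confirm the install"
apt update
# Deliberately interactive (no -y): the operator confirms the package list.
# Declining aborts the script under set -e before anything is changed.
# openssl is listed because the tunnel subnet below is generated with it.
apt install sudo wireguard-tools openssl

echo "Setting up user..."
# Idempotent: re-running on a host that already has the user must not fail.
if ! id -- "$USERNAME" >/dev/null 2>&1; then
  useradd -m -s /bin/bash -- "$USERNAME"
fi
user_home=$(getent passwd "$USERNAME" | cut -d: -f6)
[[ -n "$user_home" ]] || die "cannot determine home directory of $USERNAME"

echo "Configuring WireGuard..."
# Random tunnel subnet so the tunnel address differs per host.
# NOTE(review): RFC 4193 places locally generated ULAs under fd00::/8; the
# existing fc.. prefix is kept unchanged here.
WG_SUBNET="fc$(openssl rand -hex 1):$(openssl rand -hex 2):$(openssl rand -hex 2):$(openssl rand -hex 2)"
WG_LISTEN_PORT=$(shuf -i 49152-65535 -n 1)   # random port from the dynamic range
WG_LOCAL_PRIVKEY=$(wg genkey)
# The key travels through a pipe, never an argv, so it is not visible in ps.
WG_LOCAL_PUBKEY=$(printf '%s' "$WG_LOCAL_PRIVKEY" | wg pubkey)
# set -e only sees the last command substitution of an assignment, and a
# failed openssl would leave "fc:::" behind: verify the generated values
# before they are written into any config.
[[ "$WG_SUBNET" =~ ^fc[0-9a-f]{2}:[0-9a-f]{4}:[0-9a-f]{4}:[0-9a-f]{4}$ ]] \
  || die "failed to generate the tunnel subnet"
[[ -n "$WG_LISTEN_PORT" && -n "$WG_LOCAL_PRIVKEY" && -n "$WG_LOCAL_PUBKEY" ]] \
  || die "failed to generate WireGuard parameters"

# The files below hold private material (WireGuard private key,
# authorized_keys): create them owner-only. wg-quick also warns when its
# config is world-readable.
umask 077
mkdir -p /etc/wireguard
cat <<EOF > /etc/wireguard/vmh-ssh-vpn.conf
[Interface]
ListenPort = $WG_LISTEN_PORT
PrivateKey = $WG_LOCAL_PRIVKEY
Address = $WG_SUBNET::1/64
[Peer]
PublicKey = $WIREGUARD_PUBKEY
AllowedIPs = $WG_SUBNET::2/128
EOF
systemctl enable --now wg-quick@vmh-ssh-vpn

echo "Configuring ssh..."
ssh_dir="$user_home/.ssh"
mkdir -p -- "$ssh_dir"
printf '%s\n' "$MY_SSH_KEY" > "$ssh_dir/authorized_keys"
chmod 700 -- "$ssh_dir"
chmod 600 -- "$ssh_dir/authorized_keys"
# "user:" = the user's login group. sshd's StrictModes rejects a .ssh or
# authorized_keys that others can write to, so hand the files to the user.
chown -R -- "$USERNAME:" "$ssh_dir"

# Back to the default umask for ordinary system config files.
umask 022
mkdir -p /etc/ssh/sshd_config.d
# Key-only logins, no root login, listen on the tunnel address only.
cat <<EOF > /etc/ssh/sshd_config.d/10-vmh_ssh.conf
X11Forwarding no
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
ListenAddress $WG_SUBNET::1
EOF
# sshd now binds only to the tunnel address, so it must start after the
# tunnel. Resolve the canonical unit name first (on Debian "sshd.service"
# is an alias of "ssh.service") so the drop-in lands where it is read.
sshd_unit=$(systemctl show -p Id --value sshd.service 2>/dev/null || true)
sshd_unit=${sshd_unit:-sshd.service}
mkdir -p "/etc/systemd/system/$sshd_unit.d"
cat <<EOF > "/etc/systemd/system/$sshd_unit.d/10-vmh-listen.conf"
[Unit]
After=wg-quick@vmh-ssh-vpn.service
EOF
# Drop-ins are only picked up after a reload.
systemctl daemon-reload
# Validate before restarting: a rejected config would leave no way back in.
# The current session survives the restart; new logins work only through
# the tunnel (see the instructions printed at the end).
sshd -t || die "sshd rejected the new configuration; not restarting sshd"
systemctl restart sshd

echo "Configuring sudo..."
sudoers_file=/etc/sudoers.d/99-vmh-newuser
# NOPASSWD: useradd above sets no password, so a password prompt would make
# sudo unusable; the SSH key is then the only factor for root on this host.
cat <<EOF > "$sudoers_file"
$USERNAME ALL=(ALL:ALL) NOPASSWD:ALL
EOF
chmod 0440 -- "$sudoers_file"
# A syntax error in any sudoers.d file disables sudo for everyone; check it
# and drop the file rather than leave a broken one behind.
visudo -cf "$sudoers_file" || { rm -f -- "$sudoers_file"; die "invalid sudoers entry"; }
echo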
# Loud warning: from here on sshd only listens on the tunnel address, so the
# details printed below must be saved while this session is still open.
printf '%s\n' \
  "BEFORE DISCONNECTING, FOLLOW THE STEPS" \
  "You won't be able to reconnect if you don't." \
  ""
# Connection recipe for the operator: the client-side WireGuard config
# (private key and public endpoint left for the operator to fill in) and
# the ssh command that works once the tunnel is up.
cat <<EOF
To connect to this machine:
 ssh $USERNAME@$WG_SUBNET::1
1. Install the WireGuard config (fill in the gaps)

[Interface]
PrivateKey = ...
Address = $WG_SUBNET::2/64
[Peer]
Endpoint = ...:$WG_LISTEN_PORT
PublicKey = $WG_LOCAL_PUBKEY
AllowedIPs = $WG_SUBNET::1/128

2. Use this command to connect

ssh $USERNAME@$WG_SUBNET::1
EOF