Add alpine/secure-alpine.sh
This commit is contained in:
parent
4e65a1cdef
commit
0fd6955829
1 changed files with 74 additions and 0 deletions
74
alpine/secure-alpine.sh
Normal file
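--- a/alpine/secure-alpine.sh
+++ b/alpine/secure-alpine.sh
@@ -0,0 +1,74 @@
+#!/bin/bash
+source ./variables
+
+echo "Installing dependencides... Please stay for a second, you will confirm the install"
+apk update
+apk add wireguard-tools
+
+
+echo "Setting up user..."
+adduser -s /bin/bash -D $USERNAME
+
+echo "Configuring WireGuard..."
+WG_SUBNET="fc$(openssl rand -hex 1):$(openssl rand -hex 2):$(openssl rand -hex 2):$(openssl rand -hex 2)"
+WG_LISTEN_PORT=$(shuf -i 49152-65535 -n 1)
+WG_LOCAL_PRIVKEY=$(wg genkey)
+WG_LOCAL_PUBKEY=$(echo $WG_LOCAL_PRIVKEY | wg pubkey)
+
+cat <<EOF > /etc/wireguard/vmh-ssh-vpn.conf
+[Interface]
+ListenPort = $WG_LISTEN_PORT
+PrivateKey = $WG_LOCAL_PRIVKEY
+Address = $WG_SUBNET::1/64
+
+[Peer]
+PublicKey = $WIREGUARD_PUBKEY
+AllowedIPs = $WG_SUBNET::2/128
+EOF
+
+ln -s /etc/init.d/wg-quick /etc/init.d/wg-quick.vmh-ssh-vpn
+rc-update add wg-quick.vmh-ssh-vpn default
+rc-service wg-quick.vmh-ssh-vpn start
+
+echo "Configuring ssh..."
+mkdir /home/$USERNAME/.ssh
+echo $MY_SSH_KEY > /home/$USERNAME/.ssh/authorized_keys
+
+cat <<EOF > /etc/ssh/sshd_config.d/10-vmh_ssh.conf
+X11Forwarding no
+PasswordAuthentication no
+PubkeyAuthentication yes
+PermitRootLogin no
+
+ListenAddress $WG_SUBNET::1
+EOF
+
+echo "rc_before=sshd" > /etc/conf.d/wg-quick.vmh-ssh-vpn
+
+rc-service sshd restart
+
+echo "Configuring sudo..."
+cat <<EOF > /etc/sudoers.d/99-vmh-newuser
+$USERNAME ALL=(ALL:ALL) NOPASSWD:ALL
+EOF
+
+echo
+echo "BEFORE DISCONNECTING, FOLLOW THE FOLLOWING STEPS"
+echo "You won't be able to reconnect if you don't."
+echo
+echo "1. Install the WireGuard config (fill in the gaps)"
+echo
+echo "[Interface]"
+echo "PrivateKey = ..."
+echo "Address = $WG_SUBNET::2/64"
+echo "[Peer]"
+echo "Endpoint = ...:$WG_LISTEN_PORT"
+echo "PublicKey = $WG_LOCAL_PUBKEY"
+echo "AllowedIPs = $WG_SUBNET::1/128"
+echo
+echo "2. Use this command to connect"
+echo
+echo "ssh $USERNAME@$WG_SUBNET::1"
+echo
+echo "NOTICE:"
+echo "If you need to change the port or other VPN settings, do it NOW. Edit /etc/wireguard/vmh-ssh-vpn.conf"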
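Review bot: The heredoc at `cat <<EOF > /etc/wireguard/vmh-ssh-vpn.conf` writes the server's WireGuard `PrivateKey` into a file created with whatever umask the script inherited, so on a default 022 umask that key is readable by every local account; add `umask 077` before the heredoc (it would also tighten the sudoers and sshd drop-ins written later) or follow it with `chmod 600 /etc/wireguard/vmh-ssh-vpn.conf`. The `mkdir /home/$USERNAME/.ssh` and the `authorized_keys` written into it stay owned by root with default modes and are never handed to the new user, and `$MY_SSH_KEY` is expanded unquoted; `printf '%s\n' "$MY_SSH_KEY" > "/home/$USERNAME/.ssh/authorized_keys"` followed by `chown -R "$USERNAME": "/home/$USERNAME/.ssh" && chmod 700 "/home/$USERNAME/.ssh"` covers both. There is no `set -eu` and nothing verifies that `USERNAME`, `MY_SSH_KEY` and `WIREGUARD_PUBKEY` were actually set by `source ./variables`, whose contents are outside this commit; with an empty `WIREGUARD_PUBKEY` the `[Peer]` block gets a blank key, `rc-service wg-quick.vmh-ssh-vpn start` would very likely fail, and `rc-service sshd restart` then pins sshd to a tunnel address that does not exist — exactly the lockout the final `echo` lines warn about. A guard such as `: "${USERNAME:?}" "${MY_SSH_KEY:?}" "${WIREGUARD_PUBKEY:?}"` right after the `source` line would fail fast instead.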