From 0fd69558292863e190cbf0ab23540039a987e705 Mon Sep 17 00:00:00 2001
From: Minecon724
Date: Tue, 11 Feb 2025 18:01:08 +0100
Subject: [PATCH] Add alpine/secure-alpine.sh
---
alpine/secure-alpine.sh | 74 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 74 insertions(+)
create mode 100644 alpine/secure-alpine.sh
diff --git a/alpine/secure-alpine.sh b/alpine/secure-alpine.sh
new file mode 100644
index 0000000..865dbe6
--- /dev/null
+++ b/alpine/secure-alpine.sh
@@ -0,0 +1,74 @@
+#!/bin/bash
+source ./variables
+
+echo "Installing dependencides... Please stay for a second, you will confirm the install"
+apk update
+apk add wireguard-tools
+
+
+echo "Setting up user..."
+adduser -s /bin/bash -D $USERNAME
+
+echo "Configuring WireGuard..."
+WG_SUBNET="fc$(openssl rand -hex 1):$(openssl rand -hex 2):$(openssl rand -hex 2):$(openssl rand -hex 2)"
+WG_LISTEN_PORT=$(shuf -i 49152-65535 -n 1)
+WG_LOCAL_PRIVKEY=$(wg genkey)
+WG_LOCAL_PUBKEY=$(echo $WG_LOCAL_PRIVKEY | wg pubkey)
+
+cat < /etc/wireguard/vmh-ssh-vpn.conf
+[Interface]
+ListenPort = $WG_LISTEN_PORT
+PrivateKey = $WG_LOCAL_PRIVKEY
+Address = $WG_SUBNET::1/64
+
+[Peer]
+PublicKey = $WIREGUARD_PUBKEY
+AllowedIPs = $WG_SUBNET::2/128
+EOF
+
+ln -s /etc/init.d/wg-quick /etc/init.d/wg-quick.vmh-ssh-vpn
+rc-update add wg-quick.vmh-ssh-vpn default
+rc-service wg-quick.vmh-ssh-vpn start
+
+echo "Configuring ssh..."
+mkdir /home/$USERNAME/.ssh
+echo $MY_SSH_KEY > /home/$USERNAME/.ssh/authorized_keys
+
+cat < /etc/ssh/sshd_config.d/10-vmh_ssh.conf
+X11Forwarding no
+PasswordAuthentication no
+PubkeyAuthentication yes
+PermitRootLogin no
+
+ListenAddress $WG_SUBNET::1
+EOF
+
+echo "rc_before=sshd" > /etc/conf.d/wg-quick.vmh-ssh-vpn
+
+rc-service sshd restart
+
+echo "Configuring sudo..."
+cat < /etc/sudoers.d/99-vmh-newuser
+$USERNAME ALL=(ALL:ALL) NOPASSWD:ALL
+EOF
+
+echo
+echo "BEFORE DISCONNECTING, FOLLOW THE FOLLOWING STEPS"
+echo "You won't be able to reconnect if you don't."
+echo
+echo "1. Install the WireGuard config (fill in the gaps)"
+echo
+echo "[Interface]"
+echo "PrivateKey = ..."
+echo "Address = $WG_SUBNET::2/64"
+echo "[Peer]"
+echo "Endpoint = ...:$WG_LISTEN_PORT"
+echo "PublicKey = $WG_LOCAL_PUBKEY"
+echo "AllowedIPs = $WG_SUBNET::1/128"
+echo
+echo "2. Use this command to connect"
+echo
+echo "ssh $USERNAME@$WG_SUBNET::1"
+echo
+echo "NOTICE:"
+echo "If you need to change the port or other VPN settings, do it NOW. Edit /etc/wireguard/vmh-ssh-vpn.conf"
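Review bot: The WireGuard private key is written to `/etc/wireguard/vmh-ssh-vpn.conf` under the inherited umask, so with the usual 022 the file containing `PrivateKey = $WG_LOCAL_PRIVKEY` is created world-readable; the write should happen under `umask 077`. The script also runs without `set -eu` and never checks that `USERNAME`, `WIREGUARD_PUBKEY` and `MY_SSH_KEY` came out of `./variables`, so a failed `wg genkey` or interface start does not stop it from binding sshd to `$WG_SUBNET::1` and restarting it, which would likely leave the host unreachable over SSH. `echo $MY_SSH_KEY` is unquoted, so the key line is word-split and glob-expanded before it reaches `authorized_keys`. Separately, `$USERNAME` gets `NOPASSWD:ALL`, which makes the single SSH key equivalent to root; that looks intended but deserves a comment in the script.

```shell
#!/bin/bash
set -eu
source ./variables
# Stop before touching sshd if any required input is missing.
: "${USERNAME:?}" "${WIREGUARD_PUBKEY:?}" "${MY_SSH_KEY:?}"

# … unchanged: package install, adduser, subnet/port/key generation …

old_umask=$(umask)
umask 077   # the config written next contains the private key
# … unchanged: heredoc writing /etc/wireguard/vmh-ssh-vpn.conf …
umask "$old_umask"

# … unchanged: wg-quick service setup …

mkdir "/home/$USERNAME/.ssh"
printf '%s\n' "$MY_SSH_KEY" > "/home/$USERNAME/.ssh/authorized_keys"

# … unchanged: sshd drop-in, sudoers drop-in, printed instructions …
```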