Add freebsd/freebsd-secure.sh
This commit is contained in:
parent
9d1140c05a
commit
4bdabe28b5
1 changed files with 115 additions and 0 deletions
115
freebsd/freebsd-secure.sh
Normal file
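--- /dev/null
+++ b/freebsd/freebsd-secure.sh
@@ -0,0 +1,115 @@
+#!/bin/sh
+set -e
+. ./variables
+
+
+# --- Pre-flight package installation ---
+echo "Installing dependencies... Please stay for a second, you will confirm the install"
+pkg update
+pkg install sudo wireguard-tools
+
+
+# --- User setup ---
+echo "Setting up user..."
+
+pw useradd -n "$USERNAME" -m -s /usr/local/bin/bash -w no
+
+
+# --- WireGuard setup ---
+echo "Configuring WireGuard..."
+
+WG_SUBNET="fc$(openssl rand -hex 1):$(openssl rand -hex 2):$(openssl rand -hex 2):$(openssl rand -hex 2)"
+WG_LISTEN_PORT=$(jot -r 1 49152 65535)
+WG_LOCAL_PRIVKEY=$(wg genkey)
+WG_LOCAL_PUBKEY=$(echo "$WG_LOCAL_PRIVKEY" | wg pubkey)
+
+mkdir -p /usr/local/etc/wireguard
+
+cat <<EOF > /usr/local/etc/wireguard/vmh-ssh-vpn.conf
+[Interface]
+ListenPort = $WG_LISTEN_PORT
+PrivateKey = $WG_LOCAL_PRIVKEY
+Address = $WG_SUBNET::1/64
+
+[Peer]
+PublicKey = $WIREGUARD_PUBKEY
+AllowedIPs = $WG_SUBNET::2/128
+EOF
+
+chmod 600 /usr/local/etc/wireguard/vmh-ssh-vpn.conf
+
+sysrc wireguard_enable="YES"
+sysrc wireguard_interfaces="vmh-ssh-vpn"
+
+service wireguard start vmh-ssh-vpn
+
+
+# --- SSH setup ---
+echo "Configuring ssh..."
+
+mkdir -p /home/"$USERNAME"/.ssh
+echo "$MY_SSH_KEY" > /home/"$USERNAME"/.ssh/authorized_keys
+
+chmod 700 /home/"$USERNAME"/.ssh
+chmod 600 /home/"$USERNAME"/.ssh/authorized_keys
+chown -R "$USERNAME":"$USERNAME" /home/"$USERNAME"/.ssh
+
+cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
+
+set_sshd_config() {
+local key="$1"
+local value="$2"
+if grep -q "^${key}" /etc/ssh/sshd_config; then
+# Replace existing line
+sed -i '' "s/^${key}.*/${key} ${value}/" /etc/ssh/sshd_config
+else
+# Add new line if not found
+echo "${key} ${value}" >> /etc/ssh/sshd_config
+fi
+}
+
+sed -i '' '/^ListenAddress/d' /etc/ssh/sshd_config
+echo "ListenAddress $WG_SUBNET::1" >> /etc/ssh/sshd_config
+
+set_sshd_config "X11Forwarding" "no"
+set_sshd_config "PasswordAuthentication" "no"
+set_sshd_config "PubkeyAuthentication" "yes"
+set_sshd_config "PermitRootLogin" "no"
+
+service sshd restart
+
+
+# --- Sudo configuration ---
+echo "Configuring sudo..."
+
+mkdir -p /etc/sudoers.d
+cat <<EOF > /etc/sudoers.d/99-vmh-newuser
+$USERNAME ALL=(ALL:ALL) NOPASSWD:ALL
+EOF
+
+chmod 0440 /etc/sudoers.d/99-vmh-newuser
+
+
+# --- Final Instructions ---
+echo
+echo "BEFORE DISCONNECTING, FOLLOW THE FOLLOWING STEPS"
+echo "You won't be able to reconnect if you don't."
+echo
+echo "1. Install the WireGuard config (fill in the gaps)"
+echo
+echo "[Interface]"
+echo "PrivateKey = ..."
+echo "Address = $WG_SUBNET::2/64"
+echo "[Peer]"
+echo "Endpoint = ...:$WG_LISTEN_PORT"
+echo "PublicKey = $WG_LOCAL_PUBKEY"
+echo "AllowedIPs = $WG_SUBNET::1/128"
+echo
+echo "2. Use this command to connect"
+echo
+echo "ssh $USERNAME@$WG_SUBNET::1"
+echo
+echo "NOTICE:"
+echo "If you need to change the port or other VPN settings, do it NOW. Edit /usr/local/etc/wireguard/vmh-ssh-vpn.conf"
+
+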
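Review bot: `service sshd restart`, right after the four `set_sshd_config` calls, is the point of no return and nothing before it confirms that `vmh-ssh-vpn` actually came up or that the rewritten `sshd_config` still parses: the only `ListenAddress` left is `$WG_SUBNET::1`, so a failed bind makes the restart fail, `set -e` aborts the script before the connection instructions are printed, and the current session is the sole way in. I would guard it with `wg show vmh-ssh-vpn >/dev/null` and `sshd -t` immediately before the restart, and whether the wireguard rc script is ordered ahead of sshd at boot should be confirmed, since the same bind failure after a reboot would be unrecoverable. A smaller point: the heredoc that writes `/usr/local/etc/wireguard/vmh-ssh-vpn.conf` creates the file under the default umask and only the later `chmod 600` tightens it, so the private key is briefly readable by other local users; `umask 077` next to `set -e` closes that window for the `authorized_keys` and sudoers writes too. Finally, `USERNAME`, `MY_SSH_KEY` and `WIREGUARD_PUBKEY` come from `./variables` with no check that they are set, and the script runs with `-e` but not `-u`; `: "${USERNAME:?}" "${MY_SSH_KEY:?}" "${WIREGUARD_PUBKEY:?}"` after the source line would stop an empty value from reaching `pw useradd`, the `[Peer]` block and the `NOPASSWD:ALL` sudoers entry.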