Created post-install procedure

This commit is contained in:
Marcel Stangenberger 2025-04-05 10:29:54 +02:00
parent c690fcb6fe
commit ff9597d525
5 changed files with 55 additions and 0 deletions


@ -20,3 +20,9 @@ gpg --output user_credentials.json --decrypt user_credentials.crypt
bash -c "$(curl -fsSL https://git.xoservice.nl/marcel/archlinux/raw/master/pre/run.sh)"
```
3. Follow any given steps
After the automated reboot a clean archlinux installation will be available.
Now login using the default root credentials and execute the following command:
```
bash -c "$(curl -fsSL https://git.xoservice.nl/marcel/archlinux/raw/master/post.run.sh)"
```

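--- a/post/ansible.pub
+++ b/post/ansible.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdZmO7sZrh+jn9Npzdn5g4pawAX35PEBpZf8IW7uuQu masterConsole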

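--- a/post/ip6tables.rules
+++ b/post/ip6tables.rules
@@ -0,0 +1,11 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [489:69759]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp -s 2a02:c204:2245:6857::1 --dport 22 -j ACCEPT
+-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT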
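Review bot: The chain policy lines carry live packet/byte counters (`:OUTPUT ACCEPT [489:69759]` here, `:OUTPUT ACCEPT [123:8421]` in post/iptables.rules), which suggests both files were exported with iptables-save from a running host rather than authored; iptables-restore ignores them unless run with `-c`, but they change on every re-export and make future diffs noisy, so normalize both to `[0:0]`. The `-m state --state` matches used on every rule in both files are the legacy module; `-m conntrack --ctstate` is the current form with the same meaning for RELATED,ESTABLISHED and NEW. The trailing `-A INPUT -j REJECT --reject-with icmp6-adm-prohibited` means the `:INPUT DROP` policy is never reached for INPUT, so unmatched traffic is answered with ICMP instead of silently dropped; if that is deliberate, a comment such as `# explicit REJECT: answer unmatched traffic with ICMP rather than relying on the DROP policy` would record it. post/iptables.rules additionally rejects on FORWARD while this file relies on the FORWARD DROP policy alone; the two files should agree on that.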

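--- a/post/iptables.rules
+++ b/post/iptables.rules
@@ -0,0 +1,11 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [123:8421]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp -s 149.102.156.227 --dport 22 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT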

26
post/run.sh Normal file

@ -0,0 +1,26 @@
#!/bin/bash
REPO=https://git.xoservice.nl/archlinux
echo "Setting remote control requirements..."
groupadd admins
useradd -g admins -m -r -c "System administrator" sysadmin
echo "%admins ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/admins
mkdir -p /home/sysadmin/.ssh
chmod 700 /home/sysadmin/.ssh
curl -o /home/sysadmin/.ssh/authorized_keys $REPO/raw/master/post/ansible.pub
chown -R sysadmin:admins /home/sysadmin/.ssh
echo "Disable root user SSH access..."
sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/PermitRootLogin without-password/PermitRootLogin no/' /etc/ssh/sshd_config
echo "Configuring and enabling default firewall..."
curl -o /etc/iptables/iptables.rules $REPO/raw/master/post/iptables.rules
curl -o /etc/iptables/ip6tables.rules $REPO/raw/master/post/ip6tables.rules
systemctl enable iptables
systemctl enable ip6tables
echo "All done, reboot in 5 seconds..."
sleep 5
reboot
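Review bot: The three downloads (`curl -o /home/sysadmin/.ssh/authorized_keys $REPO/raw/master/post/ansible.pub` and the two rules fetches) run without `-f`, and the script has no `set -e`, so an HTTP error page or a truncated body is written verbatim into authorized_keys and the iptables rule files and the host still reboots five seconds later; with unparsable rules files, `systemctl enable iptables` leaves the machine without the intended firewall. `REPO` is `https://git.xoservice.nl/archlinux` while the README hunk in this same commit fetches from `https://git.xoservice.nl/marcel/archlinux`, which looks like exactly that failure on first run — worth confirming which path is correct. The sudoers fragment is created with a plain redirect, so it gets the umask mode rather than 0440 and is never syntax-checked; `chmod 0440 /etc/sudoers.d/admins` followed by `visudo -cf /etc/sudoers.d/admins` covers both. The rewrite below adds strict mode, a failing fetch helper, and validates the key and the rule files before anything is enabled; the `sed` edits of sshd_config are left as they are but only take effect if those exact uncommented values exist in the installed config, which I cannot verify from here.
```shell
#!/bin/bash
set -euo pipefail
REPO=https://git.xoservice.nl/archlinux   # README in this commit uses .../marcel/archlinux — confirm

# Fetch URL $2 to path $1; fail on HTTP errors instead of saving the error body.
fetch() {
  curl -fsSL --output "$1" "$2"
}
# … unchanged: groupadd / useradd …
echo "%admins ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/admins
chmod 0440 /etc/sudoers.d/admins
visudo -cf /etc/sudoers.d/admins
# … unchanged: mkdir / chmod of /home/sysadmin/.ssh …
fetch /home/sysadmin/.ssh/authorized_keys "$REPO/raw/master/post/ansible.pub"
ssh-keygen -lf /home/sysadmin/.ssh/authorized_keys >/dev/null   # must parse as a public key
# … unchanged: chown, sshd_config edits …
fetch /etc/iptables/iptables.rules "$REPO/raw/master/post/iptables.rules"
fetch /etc/iptables/ip6tables.rules "$REPO/raw/master/post/ip6tables.rules"
iptables-restore --test /etc/iptables/iptables.rules
ip6tables-restore --test /etc/iptables/ip6tables.rules
# … unchanged: systemctl enable, reboot …
```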