From ff9597d525a446f718d8a7086e150599f6d0a894 Mon Sep 17 00:00:00 2001
From: Marcel Stangenberger
Date: Sat, 5 Apr 2025 10:29:54 +0200
Subject: [PATCH] Created post-install procedure

---
 README.md | 6 ++++++
 post/ansible.pub | 1 +
 post/ip6tables.rules | 11 +++++++++++
 post/iptables.rules | 11 +++++++++++
 post/run.sh | 26 ++++++++++++++++++++++++++
 5 files changed, 55 insertions(+)
 create mode 100644 post/ansible.pub
 create mode 100644 post/ip6tables.rules
 create mode 100644 post/iptables.rules
 create mode 100644 post/run.sh

diff --git a/README.md b/README.md
index a3bad2c..1ce0781 100644
--- a/README.md
+++ b/README.md
@@ -20,3 +20,9 @@ gpg --output user_credentials.json --decrypt user_credentials.crypt
 bash -c "$(curl -fsSL https://git.xoservice.nl/marcel/archlinux/raw/master/pre/run.sh)"
 ```
 3. Follow any given steps
+
+After the automated reboot a clean archlinux installation will be available.
+Now login using the default root credentials and execute the following command:
+```
+bash -c "$(curl -fsSL https://git.xoservice.nl/marcel/archlinux/raw/master/post.run.sh)"
+```
diff --git a/post/ansible.pub b/post/ansible.pub
new file mode 100644
index 0000000..06a71ab
--- /dev/null
+++ b/post/ansible.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdZmO7sZrh+jn9Npzdn5g4pawAX35PEBpZf8IW7uuQu masterConsole
diff --git a/post/ip6tables.rules b/post/ip6tables.rules
new file mode 100644
index 0000000..b9167e5
--- /dev/null
+++ b/post/ip6tables.rules
@@ -0,0 +1,11 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [489:69759]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp -s 2a02:c204:2245:6857::1 --dport 22 -j ACCEPT
+-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
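Review bot: The OUTPUT policy line in post/ip6tables.rules carries live counters (`[489:69759]`, and `[123:8421]` in the sibling post/iptables.rules hunk), which indicates both files were dumped from a running host rather than authored; the counters are ignored on a normal restore, but they should be `[0:0]` so the files are reproducible and diff cleanly. The IPv6 file relies on the FORWARD chain's DROP policy alone, while the IPv4 file adds an explicit `-A FORWARD -j REJECT --reject-with icmp-host-prohibited`; forwarded traffic is refused either way, but the two stacks answer differently (silent drop versus an ICMP reject), so pick one behaviour and mirror it in both files. Because SSH is admitted from a single hard-coded management address in each file and post/run.sh disables root login, a comment such as `# management host; update here and in iptables.rules together` above the port-22 rule would document the one remaining access path (iptables-restore skips lines beginning with `#`).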
diff --git a/post/iptables.rules b/post/iptables.rules
new file mode 100644
index 0000000..ab9f903
--- /dev/null
+++ b/post/iptables.rules
@@ -0,0 +1,11 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [123:8421]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp -s 149.102.156.227 --dport 22 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
diff --git a/post/run.sh b/post/run.sh
new file mode 100644
index 0000000..6690044
--- /dev/null
+++ b/post/run.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+REPO=https://git.xoservice.nl/archlinux
+
+echo "Setting remote control requirements..."
+groupadd admins
+useradd -g admins -m -r -c "System administrator" sysadmin
+echo "%admins ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/admins
+mkdir -p /home/sysadmin/.ssh
+chmod 700 /home/sysadmin/.ssh
+curl -o /home/sysadmin/.ssh/authorized_keys $REPO/raw/master/post/ansible.pub
+chown -R sysadmin:admins /home/sysadmin/.ssh
+
+echo "Disable root user SSH access..."
+sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
+sed -i 's/PermitRootLogin without-password/PermitRootLogin no/' /etc/ssh/sshd_config
+
+echo "Configuring and enabling default firewall..."
+curl -o /etc/iptables/iptables.rules $REPO/raw/master/post/iptables.rules
+curl -o /etc/iptables/ip6tables.rules $REPO/raw/master/post/ip6tables.rules
+systemctl enable iptables
+systemctl enable ip6tables
+
+echo "All done, reboot in 5 seconds..."
+sleep 5
+reboot