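#!/usr/bin/env bash
# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-FileCopyrightText: 2025 Chris Barry <chris@barry.im>
# bootstrap.sh.tmpl - Startup script for new reseed server
#
# Runs as root on a fresh Debian host. It is interactive: it reads the
# Tarsnap master key and an archive name from stdin/the terminal, so run it
# from an interactive shell rather than piping it into bash (the key prompt
# would otherwise swallow the rest of the script).
#
# Optional environment:
#   BOOTSTRAP_REF    git ref of the config repo to fetch from (default: main).
#                    Everything below is pulled from that ref over HTTPS and
#                    installed as root (sudoers, authorized_keys, AppArmor
#                    profiles, the backup script run by a timer), so whoever
#                    can push to that ref controls this host; pin a commit
#                    SHA rather than a branch when that matters.
#   TARSNAP_KEY_FPR  expected fingerprint of the Tarsnap APT signing key.
#                    When set, the downloaded key is rejected on mismatch;
#                    when unset the key is only displayed for eyeballing.

set -euo pipefail

export DEBIAN_FRONTEND=noninteractive
readonly BOOTSTRAP_REF="${BOOTSTRAP_REF:-main}"
readonly BASE="https://gitlab.com/reseed.onion.im/bootstrap/-/raw/${BOOTSTRAP_REF}"

# Scratch directory (0700) for downloads and the Tarsnap master key. It is
# removed on any exit, so a run that dies part-way does not leave the
# master key in /tmp.
WORK="$(mktemp -d)"
readonly WORK
cleanup() { rm -rf -- "${WORK}"; }
trap cleanup EXIT

die() {
  printf 'bootstrap: %s\n' "$*" >&2
  exit 1
}

#######################################
# Download one file from the config repo and install it atomically.
# Arguments: $1 - path relative to ${BASE}
#            $2 - destination path
#            $3 - file mode (default 0644)
# The download goes to scratch first so an HTTP error never leaves a
# truncated or empty file at the destination.
#######################################
fetch() {
  local rel="$1" dest="$2" mode="${3:-0644}"
  local tmp
  tmp="$(mktemp -p "${WORK}")"
  wget2 -O "${tmp}" "${BASE}/${rel}" || die "failed to fetch ${rel}"
  install -m "${mode}" -o root -g root -- "${tmp}" "${dest}"
  rm -f -- "${tmp}"
}

# START base
apt-get -yq update && apt-get -yq upgrade

# Every package name needs the trailing backslash: a missing one ends the
# apt-get command and the remaining names run as a bogus command.
apt-get -yq install \
  apparmor \
  apparmor-profiles \
  apparmor-profiles-extra \
  apparmor-utils \
  apt-transport-https \
  gnupg \
  htop \
  nginx-light \
  python3-certbot-nginx \
  rsync \
  screen \
  wget2

update-alternatives --set editor /usr/bin/vim.tiny


# START tarsnap
# APT signing key. HTTPS only proves we talked to pkg.tarsnap.com, not that
# this is the expected key, so it is shown to the operator and, when
# TARSNAP_KEY_FPR is set, checked against that fingerprint.
KEY_ASC="${WORK}/tarsnap-key.asc"
wget2 -O "${KEY_ASC}" https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
gpg --show-keys "${KEY_ASC}"
if [[ -n "${TARSNAP_KEY_FPR:-}" ]]; then
  got_fpr="$(gpg --with-colons --show-keys "${KEY_ASC}" | awk -F: '$1 == "fpr" { print $10; exit }')"
  [[ "${got_fpr}" == "${TARSNAP_KEY_FPR}" ]] \
    || die "tarsnap signing key fingerprint ${got_fpr} does not match ${TARSNAP_KEY_FPR}"
fi
# Keyrings under /usr/share/keyrings must be world-readable for _apt.
gpg --dearmor < "${KEY_ASC}" > "${WORK}/tarsnap-archive-keyring.gpg"
install -m 0644 -o root -g root -- "${WORK}/tarsnap-archive-keyring.gpg" \
  /usr/share/keyrings/tarsnap-archive-keyring.gpg
fetch etc/apt/sources.list.d/tarsnap.sources /etc/apt/sources.list.d/tarsnap.sources
apt-get -yq update && apt-get -yq install tarsnap

MASTER_KEY="${WORK}/tarsnap-master.key"
echo "Paste your Tarsnap master key below (Ctrl-D when done):"
# This reads stdin, so the script must not be fed to bash on stdin. The file
# is created 0600 inside the 0700 scratch dir and removed by the EXIT trap.
(umask 077 && cat > "${MASTER_KEY}")
# Derive a write-only key for the server: a compromised host can add
# archives but cannot read or delete existing ones. The master key itself
# never persists on this machine.
mkdir -p /usr/local/etc/tarsnap/
tarsnap-keymgmt --outkeyfile /usr/local/etc/tarsnap/tarsnap.key -w "${MASTER_KEY}"
# NOTE(review): the archive list is not guaranteed to be in date order, so
# "tail -n 10" is an arbitrary ten names, not the ten newest — confirm, or
# list with -v and sort by date if the archive set is large.
tarsnap --keyfile "${MASTER_KEY}" --list-archives | tail -n 10 | sort
read -r -p "Enter archive name to restore: " ARCHIVE
[[ -n "${ARCHIVE}" ]] || die "no archive name given"
echo "Restoring archive: ${ARCHIVE}"
# Extracts straight over / as root: the archive content is fully trusted.
tarsnap --keyfile "${MASTER_KEY}" -x -f "${ARCHIVE}" -C /
tarsnap --keyfile "${MASTER_KEY}" --fsck
echo "Restore complete."
rm -f -- "${MASTER_KEY}"

# START user
# Plain adduser: on Debian, --group without --system switches adduser into
# addgroup mode (creates only a group named chris, no user), and a per-user
# group is created by default anyway. adduser still prompts for the password
# and GECOS fields interactively.
adduser --shell /bin/bash --home /home/chris chris
usermod -aG sudo chris
mkdir -p /home/chris/.ssh/
chown chris:chris /home/chris

# START sshd
# Key login for chris; .ssh/authorized_keys is kept private to the user so
# sshd StrictModes does not reject it.
fetch home/chris/.ssh/authorized_keys /home/chris/.ssh/authorized_keys 0600
chmod 700 /home/chris/.ssh
chown -R chris:chris /home/chris/.ssh
# sudoers fragments are expected to be root-owned 0440 and must parse;
# validate the fetched file before it lands in sudoers.d so a bad fragment
# cannot break sudo on a host whose root keys are about to be removed.
fetch etc/sudoers.d/10-chris "${WORK}/10-chris" 0440
visudo -c -q -f "${WORK}/10-chris" || die "fetched sudoers fragment does not parse"
install -m 0440 -o root -g root -- "${WORK}/10-chris" /etc/sudoers.d/10-chris
# chris can now log in with sudo, so drop root's SSH keys (the bootstrap
# credential) by truncating the file.
# NOTE(review): nothing here touches sshd_config (PermitRootLogin etc.);
# presumably that comes from the restored archive — confirm.
mkdir -p /root/.ssh
: > /root/.ssh/authorized_keys

## START i2p-java
#apt-get install -qy \
#  default-jdk
#wget2 "${BASE}/etc/apparmor.d/abstractions/i2p" -O /etc/apparmor.d/abstractions/i2p
#wget2 "${BASE}/etc/apparmor.d/system_i2p" -O /etc/apparmor.d/system_i2p
#wget2 "${BASE}/etc/apparmor.d/local/system_i2p" -O /etc/apparmor.d/local/system_i2p
#wget2 "${BASE}/etc/apparmor.d/usr.bin.i2prouter" -O /etc/apparmor.d/usr.bin.i2prouter
#wget2 "${BASE}/etc/apparmor.d/local/usr.bin.i2prouter" -O /etc/apparmor.d/local/usr.bin.i2prouter
#aa-enforce /etc/apparmor.d/usr.bin.i2prouter
#useradd -r -s /bin/false -d "/opt/i2p" "i2p" 2>/dev/null || true
#mkdir -p /opt/i2p
#mkdir -p /var/lib/i2p
#chown -R i2p:i2p /opt/i2p
#chown -R i2p:i2p /var/lib/i2p
#ln -s /opt/i2p/i2prouter /usr/bin/i2prouter
#sed -i 's|I2P_CONFIG_DIR="/root/.i2p"|I2P_CONFIG_DIR="/var/lib/i2p"|' /opt/i2p/i2prouter
#wget2 "${BASE}/etc/systemd/system/i2p.service" -O /etc/systemd/system/i2p.service
#systemctl daemon-reload
#systemctl enable --now i2p

# START i2pd
# Mask the unit before the package lands so its postinst cannot start i2pd
# with the stock config; our config and AppArmor profile go in first.
mkdir -p /etc/systemd/system/i2pd.service.d/
fetch etc/systemd/system/i2pd.service.d/override.conf /etc/systemd/system/i2pd.service.d/override.conf
fetch etc/apparmor.d/local/usr.bin.i2pd /etc/apparmor.d/local/usr.bin.i2pd
systemctl mask i2pd.service
apt-get install -qy \
  i2pd
systemctl disable i2pd
aa-enforce /etc/apparmor.d/usr.bin.i2pd
fetch etc/i2pd/i2pd.conf /etc/i2pd/i2pd.conf
# NOTE(review): this makes the daemon's own config writable by the daemon
# user, so a compromised i2pd could rewrite it; root:i2pd with group read
# would be tighter if i2pd never needs to write under /etc/i2pd — confirm.
chown -R i2pd:i2pd /etc/i2pd/
systemctl unmask i2pd.service
systemctl daemon-reload
systemctl enable --now i2pd

# START reseed
# reseed-tools is a prebuilt third-party binary from GitHub. Verify the
# pinned sha256 on a scratch copy before anything is placed on PATH, so a
# bad download never sits in /usr/local/bin. Bump URL and hash together.
# The variable names on both sides of the comparison must be the ones
# assigned here; a mismatch compares two empty strings and passes silently
# (set -u now also catches that).
RESEED_TOOLS_URL="https://github.com/eyedeekay/reseed-tools/releases/download/v0.3.10/reseed-tools-linux-amd64"
RESEED_TOOLS_SHA256="3359fbf42870f2281ffe0d91f25cdfb8e913d0a956b2a4ac33bfc95964aae3e5"
wget2 -O "${WORK}/reseed-tools" "${RESEED_TOOLS_URL}"
hash_actual="$(sha256sum "${WORK}/reseed-tools" | cut -d' ' -f1)"
if [[ "${hash_actual}" != "${RESEED_TOOLS_SHA256}" ]]; then
  die "reseed-tools hash does not match: got ${hash_actual}, expected ${RESEED_TOOLS_SHA256}"
fi
install -m 0755 -o root -g root -- "${WORK}/reseed-tools" /usr/local/bin/reseed-tools
fetch etc/apparmor.d/usr.local.bin.reseed-tools /etc/apparmor.d/usr.local.bin.reseed-tools
fetch etc/apparmor.d/local/usr.local.bin.reseed-tools /etc/apparmor.d/local/usr.local.bin.reseed-tools
aa-enforce /etc/apparmor.d/usr.local.bin.reseed-tools
fetch etc/systemd/system/reseed.service /etc/systemd/system/reseed.service
systemctl daemon-reload
systemctl enable --now reseed

# START nginx
fetch etc/apparmor.d/usr.sbin.nginx /etc/apparmor.d/usr.sbin.nginx
fetch etc/apparmor.d/local/usr.sbin.nginx /etc/apparmor.d/local/usr.sbin.nginx
aa-enforce /etc/apparmor.d/usr.sbin.nginx
mkdir -p /srv/reseed.onion.im
fetch srv/reseed.onion.im/reseed.onion.im.html /srv/reseed.onion.im/index.html
# Keep two rotated logs instead of the packaged default of 14.
sed -i 's/rotate 14/rotate 2/g' /etc/logrotate.d/nginx
fetch etc/nginx/sites-enabled/reseed.onion.im.conf /etc/nginx/sites-enabled/reseed.onion.im.conf
mkdir -p /etc/systemd/system/nginx.service.d/
fetch etc/systemd/system/nginx.service.d/override.conf /etc/systemd/system/nginx.service.d/override.conf
# The unit drop-in is only picked up after daemon-reload; test the config
# first so a broken vhost fails here instead of taking nginx down.
systemctl daemon-reload
nginx -t
systemctl restart nginx

# START backup
# _backup runs as root from the timer and comes straight from ${BASE}.
fetch usr/local/bin/_backup /usr/local/bin/_backup 0755
fetch etc/systemd/system/backup.service /etc/systemd/system/backup.service
fetch etc/systemd/system/backup.timer /etc/systemd/system/backup.timer
systemctl daemon-reload
# --now on the service starts one backup right away; the timer drives it
# from then on.
systemctl enable --now backup
systemctl enable --now backup.timer

# START post
echo "update dns"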