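#!/usr/bin/env bash
#
# first-boot-init: one-shot baseline hardening of a fresh Debian/Ubuntu host.
#
# Updates the system, installs UFW (default-deny inbound, SSH allowed) and
# Fail2ban, enables both, then drops a marker file so that every later
# invocation is a no-op.  All output is appended to $LOG.
#
# Environment:
#   SSH_PORT  TCP port sshd listens on (default 22).  Must match the Port in
#             sshd_config -- it is the only inbound rule, so a wrong value
#             locks you out once UFW is enabled.
#
# Must run as root.  Exits 0 on success or when already initialised; any
# failure aborts (set -e) BEFORE the marker is written, so the script runs
# again on the next invocation.
set -euo pipefail

readonly MARKER="/var/lib/first-boot-init.done"
readonly LOG="/var/log/first-boot-init.log"

# Shared apt-get flags: non-interactive, and never stall on a conffile
# prompt (keep a locally modified conffile, else take the package default).
readonly -a APT_OPTS=(
  -y
  -o Dpkg::Options::=--force-confdef
  -o Dpkg::Options::=--force-confold
)

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Run only as root.
#######################################
require_root() {
  if [[ "${EUID}" -ne 0 ]]; then
    die "Run as root (sudo)."
  fi
}

#######################################
# One-shot run: exit 0 early when the completion marker exists.
# Globals: MARKER (read)
#######################################
skip_if_initialized() {
  if [[ -f "$MARKER" ]]; then
    echo "Already initialized. Marker exists: $MARKER"
    exit 0
  fi
}

#######################################
# Mirror stdout and stderr of the whole script into $LOG (append).
# Globals: LOG (read)
#######################################
setup_logging() {
  # The log carries the full firewall ruleset and package state; create it
  # group-readable at most instead of relying on the umask.  An existing
  # file keeps whatever mode it already has.
  [[ -e "$LOG" ]] || install -m 0640 /dev/null "$LOG"
  # 'exec' without a command redirects the current shell, i.e. everything
  # that follows in this script, not just this function.
  exec > >(tee -a "$LOG") 2>&1
}

#######################################
# 1) Full system update.
# Globals: APT_OPTS (read), DEBIAN_FRONTEND (exported)
#######################################
update_system() {
  export DEBIAN_FRONTEND=noninteractive
  apt-get update
  apt-get "${APT_OPTS[@]}" upgrade
  apt-get "${APT_OPTS[@]}" autoremove --purge
}

#######################################
# 2) Install UFW and Fail2ban.
# Globals: APT_OPTS (read)
#######################################
install_packages() {
  apt-get "${APT_OPTS[@]}" install ufw fail2ban
}

#######################################
# 3) Configure UFW: deny all inbound except SSH, allow all outbound.
# Important: do not cut off your own SSH access.  'reset' disables ufw and
# wipes every existing rule; it is only re-enabled after the SSH rule is in
# place, so a failure in between leaves the host reachable, not locked out.
# Globals: SSH_PORT (read, defaulted, validated)
#######################################
configure_firewall() {
  SSH_PORT="${SSH_PORT:-22}"
  # Validate before touching the firewall: a malformed value would make
  # 'ufw allow' fail only after 'reset' had already discarded the old rules.
  # 10# forces decimal so a leading zero is not parsed as octal.
  if [[ ! "$SSH_PORT" =~ ^[0-9]{1,5}$ ]] \
      || (( 10#$SSH_PORT < 1 || 10#$SSH_PORT > 65535 )); then
    die "SSH_PORT must be an integer in 1..65535, got: '${SSH_PORT}'"
  fi

  ufw --force reset
  ufw default deny incoming
  ufw default allow outgoing
  ufw allow "${SSH_PORT}/tcp" comment "Allow SSH"
  ufw --force enable
}

#######################################
# 4) Fail2ban: enable at boot and (re)start now.
#######################################
enable_fail2ban() {
  systemctl enable fail2ban
  systemctl restart fail2ban
}

#######################################
# (Optional) show status.  Informational only; never fails the run.
#######################################
show_status() {
  ufw status verbose || true
  systemctl --no-pager --full status fail2ban || true
}

#######################################
# 5) Completion marker.  Written last, so an aborted run is retried.
# Globals: MARKER (read)
#######################################
write_marker() {
  mkdir -p "$(dirname "$MARKER")"
  touch "$MARKER"
}

main() {
  require_root
  skip_if_initialized
  setup_logging

  echo "=== First boot init started at $(date -Is) ==="

  update_system
  install_packages
  configure_firewall
  enable_fail2ban
  show_status
  write_marker

  echo "=== First boot init finished at $(date -Is) ==="
  echo "Marker created: $MARKER"
  echo "Log: $LOG"
}

main "$@"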