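#!/usr/bin/env bash
#
# First-boot initialization: upgrade packages, install and configure UFW and
# Fail2ban, then write a marker file so later runs are a no-op.
#
# Env:    SSH_PORT (optional) - TCP port allowed through UFW; defaults to 22.
# Files:  MARKER - created only after every step succeeded.
#         LOG    - all stdout/stderr of the run is appended here.
# Must be run as root.
set -euo pipefail

MARKER="/var/lib/first-boot-init.done"
LOG="/var/log/first-boot-init.log"

# Run as root only
if [[ "${EUID}" -ne 0 ]]; then
  echo "Run as root (sudo)." >&2
  exit 1
fi

# One-shot run: the marker is written last, so a run that fails midway
# is retried the next time the script is invoked.
if [[ -f "$MARKER" ]]; then
  echo "Already initialized. Marker exists: $MARKER"
  exit 0
fi

# Mirror all further output into the log file as well as the terminal.
exec > >(tee -a "$LOG") 2>&1

# Under `set -e` a failing step would otherwise end the log without any
# record of where it stopped; note the failing line before exiting.
trap 'echo "=== First boot init FAILED at line ${LINENO}: ${BASH_COMMAND} ==="' ERR

echo "=== First boot init started at $(date -Is) ==="

# 1) System update
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get -y upgrade
apt-get -y autoremove --purge

# 2) Install UFW and Fail2ban
apt-get -y install ufw fail2ban

# 3) Configure UFW (important: do not cut off your own SSH access)
SSH_PORT="${SSH_PORT:-22}"
# Validate the port before touching the firewall: a malformed value would make
# `ufw allow` fail between `reset` and `enable`, aborting the script with the
# firewall in an intermediate state. `10#` forces decimal (no octal surprises).
if [[ ! "$SSH_PORT" =~ ^[0-9]+$ ]] || (( 10#$SSH_PORT < 1 || 10#$SSH_PORT > 65535 )); then
  echo "Invalid SSH_PORT: ${SSH_PORT} (expected 1-65535)" >&2
  exit 1
fi

# Order matters: the SSH allow rule exists before the firewall is enabled.
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw allow "${SSH_PORT}/tcp" comment "Allow SSH"
ufw --force enable

# 4) Fail2ban: enable and start
systemctl enable fail2ban
systemctl restart fail2ban

# (Optional) show status; informational only, so a non-zero exit is ignored
ufw status verbose || true
systemctl --no-pager --full status fail2ban || true

# 5) Completion marker
mkdir -p "$(dirname "$MARKER")"
touch "$MARKER"

echo "=== First boot init finished at $(date -Is) ==="
echo "Marker created: $MARKER"
echo "Log: $LOG"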