obsidian-vault/ligbox-ops-platform/deploy/vm123-finance-stack/bootstrap-vm123.sh

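#!/usr/bin/env bash
# VM123 bootstrap — users, swap, docker, fail2ban (Spec 024)
# Run as root on the freshly installed VM123 (Ubuntu 24.04).
#
# Required environment:
#   DESK_PASSWORD  initial password for the mini, admin and root accounts.
#                  Deliberately no default: a fixed fallback baked into a
#                  committed script is a published, shared root password.
#
# Re-runnable: users, swap, the Docker repo and group membership are only
# created/added when missing, so the script can be run again after a failure.
set -euo pipefail

# Fail before touching the host if the password was not supplied.
: "${DESK_PASSWORD:?DESK_PASSWORD must be set (initial password for mini/admin/root)}"

readonly DOCKER_KEYRING=/etc/apt/keyrings/docker.gpg
readonly OPENADMIN_NET=10.10.10.0/24

# Print a diagnostic to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Section banner, same format as the original "==> ..." lines.
step() { echo "==> $*"; }

#######################################
# Create mini and admin, grant admin sudo, set the initial password of
# mini, admin and root.
# Globals:   DESK_PASSWORD (read)
#######################################
setup_users() {
  step "Utilizadores mini, admin, root"
  local u
  for u in mini admin; do
    id "$u" &>/dev/null || useradd -m -s /bin/bash "$u"
  done
  usermod -aG sudo admin 2>/dev/null || true
  # chpasswd reads "user:password" pairs on stdin, so the secret never
  # appears in a process argument list.
  for u in mini admin root; do
    printf '%s:%s\n' "$u" "$DESK_PASSWORD" | chpasswd
  done
}

#######################################
# Create and enable a 2G /swapfile unless swap is already active on it.
#######################################
setup_swap() {
  step "Swap 2G (piloto 4GB RAM)"
  # swapon --show prints nothing when no swap is active; under pipefail the
  # grep status 1 then makes the pipeline false, which is the branch we want.
  if ! swapon --show | grep -q swapfile; then
    fallocate -l 2G /swapfile || dd if=/dev/zero of=/swapfile bs=1M count=2048
    chmod 600 /swapfile
    mkswap /swapfile
    swapon /swapfile
    grep -q '/swapfile' /etc/fstab || echo '/swapfile none swap sw 0 0' >> /etc/fstab
  fi
}

#######################################
# Install the base package set non-interactively.
# Globals:   DEBIAN_FRONTEND (written, exported)
#######################################
install_base_packages() {
  step "Pacotes base"
  export DEBIAN_FRONTEND=noninteractive
  apt-get update -qq
  apt-get install -y -qq curl wget git ufw fail2ban unattended-upgrades \
    apt-transport-https ca-certificates gnupg lsb-release
}

#######################################
# Add Docker's apt repository (signed-by keyring) and install Docker CE,
# then add admin and mini to the docker group.
# Globals:   DOCKER_KEYRING (read)
#######################################
install_docker() {
  step "Docker"
  if ! command -v docker &>/dev/null; then
    local codename tmpkey
    install -m 0755 -d /etc/apt/keyrings
    # Download the signing key to a temp file first: in a curl|gpg pipe a
    # failed download could still leave gpg writing a truncated keyring.
    tmpkey=$(mktemp) || die "mktemp failed"
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o "$tmpkey"
    # --yes: overwrite a keyring left by an earlier partial run instead of
    # prompting (there is no tty to answer on an unattended bootstrap).
    gpg --dearmor --yes -o "$DOCKER_KEYRING" "$tmpkey"
    rm -f -- "$tmpkey"
    # apt fetches as the _apt user; the keyring must be world-readable.
    chmod 0644 "$DOCKER_KEYRING"
    codename=$(. /etc/os-release && echo "$VERSION_CODENAME")
    echo "deb [arch=$(dpkg --print-architecture) signed-by=${DOCKER_KEYRING}] https://download.docker.com/linux/ubuntu ${codename} stable" \
      > /etc/apt/sources.list.d/docker.list
    apt-get update -qq
    apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-compose-plugin
  fi
  usermod -aG docker admin 2>/dev/null || true
  usermod -aG docker mini 2>/dev/null || true
}

#######################################
# Write the sshd jail and (re)start fail2ban.
#######################################
setup_fail2ban() {
  step "fail2ban sshd"
  # NOTE(review): logpath assumes rsyslog populates /var/log/auth.log on
  # this host; on a journald-only install the jail would need
  # `backend = systemd` instead — confirm on the VM.
  cat > /etc/fail2ban/jail.local <<'EOF'
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
findtime = 600
EOF
  systemctl enable fail2ban
  systemctl restart fail2ban
}

#######################################
# Baseline firewall: SSH, HTTP/S, OpenPanel user port open to all,
# OpenAdmin port restricted to the management network.
# Globals:   OPENADMIN_NET (read)
#######################################
setup_ufw() {
  step "UFW básico"
  ufw allow OpenSSH
  ufw allow 80/tcp
  ufw allow 443/tcp
  ufw allow 2083/tcp comment 'OpenPanel user'
  # A source-restricted rule needs ufw's full "from ... to any port ..."
  # syntax; the simple "PORT/proto comment ... from NET" form is rejected by
  # the parser, which would have aborted the script here under set -e.
  ufw allow from "$OPENADMIN_NET" to any port 2087 proto tcp comment 'OpenAdmin'
  ufw --force enable || true
}

main() {
  [[ $EUID -eq 0 ]] || die "Executar como root."
  setup_users
  setup_swap
  install_base_packages
  install_docker
  setup_fail2ban
  setup_ufw
  echo "==> Wazuh agent (VM104) — instalar manualmente se o manager estiver activo:"
  echo " curl -so wazuh-agent.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.9.2-1_amd64.deb"
  echo " WAZUH_MANAGER=10.10.10.104 dpkg -i wazuh-agent.deb"
  hostnamectl set-hostname vm123-finance 2>/dev/null || true
  echo "Bootstrap VM123 concluído."
}

main "$@"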