saundersp/scripts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: saundersp:232a3f23fe35a5254b347fc94b92b0076359926d
Branches Tags
saundersp:main
...
compare: saundersp:9b9ef5e5a95022615a371d40d2d7dbd16a7950b3
Branches Tags
saundersp:main

2 Commits
232a3f23fe ... 9b9ef5e5a9

Author SHA1 Message Date
saundersp
9b9ef5e5a9 Removed archlinux_setup.sh, create_arch_server.sh, mv_docker.sh, secure_debian_server.md, setup_unreal.sh and vscodium-ext.sh 2025-11-06 18:23:34 +01:00
saundersp
834d559da8 docker_build : Fixed InternshipReport directory typo 2025-11-06 18:14:50 +01:00
7 changed files with 1 additions and 543 deletions
Expand all files Collapse all files

175
archlinux_setup.sh
View File

@@ -1,175 +0,0 @@
#!/bin/sh
# List keyboard layouts from here
localectl list-keymaps
# Test if boot mode is UEFI (true if no error)
ls /sys/firmware/efi/efivars
# Connecting to WIFI using connmanctl (openrc | runit | s6 | 66 | dinit)
connmanctl << EOF
# Enabling wifi
enable wifi
# Enabling the agent (only use if needed passphrase)
agent on
# Scanning for access points
scan wifi
# Printing the access points (services) names
services
# Connecting to the access point
connect SERVICE_ID
# Enable the auto connection at startup option
config SERVICE_ID --autoconnect yes
EOF
# Connect to WIFI using iwctl (systemd)
iwctl << EOF
# Getting the list of available devices
device list
# Scanning for access points
station <device> scan
# Printing the access points names
station <device> get-networks
# Password-less
station <device> connect <SSID>
# Passphrase
iwctl --passphrase <passphrase> station <device> connect <SSID>
exit
EOF
# Arch package name | Description
# base | Minimal package set to define a basic Arch Linux installation
# linux | The Linux kernel and modules
# linux-lts | The LTS Linux kernel and modules
# linux-zen | The Linux ZEN kernel and modules
# linux-hardened | The Security-Hardened Linux kernel and modules
# linux-firmware | Firmware files for Linux
# neovim | Fork of Vim, a terminal text editor
# doas | Run commands as super user or another user
# networkmanager | Network connection manager and user applications
# networkmanager-iwd | Network connection manager and user applications; using iwd backend instead of wpa_supplicant
# wpa_supplicant | A utility providing key negotiation for WPA wireless networks
# grub | GNU GRand Unified Bootloader
# efibootmgr | UEFI Boot manager
# neofetch | A CLI system information tool written in BASH that supports displaying images
# which | A utility to show the full path of commands
# iwd | Internet Wireless Daemon
# ntfs-3g | NTFS file system driver and utilities
# keepass | Easy-to-use password manager for Windows, Linux, Mac OS X and mobile devices
# keepassxc | Cross-platform community-driven port of Keepass password manager
# dmenu | shortcut to launch other applications
# nvidia | NVIDIA drivers for newer cards (see wiki if doubt)
# nvidia-utils | NVIDIA utilities
# nvidia-settings | NVIDIA settings page
# nvidia-prime | NVIDIA optimus like tool
# xf86-video-intel | Intel graphics card drivers
# pulseaudio | Audio support
# pulseaudio-bluetooth | Audio bluetooth support
# pulsemixer | CLI audio mixer
# bluez | Bluetooth support
# bluez-utils | Provides bluetoothctl to connect to devices
# openssh | Provides utilities to generate ssh keys
# xclip | Being able to copy from CLI
# picom | X compositor that may fix tearing issues
# vlc | Multi-platform MPEG, VCD/DVD, and DivX player
# i3-gaps | A fork of i3wm tiling window manager with more features, including gaps
# xorg-xinit | Xorg initialisation program
# xorg-server | Xorg X server
# xorg-xset | User preference utility for X
# feh | Fast and light imlib2-based image viewer
# alacritty | terminal emulator
# os-prober | Utility to detect other OSes on a set of drives
# git | The fast distributed version control system
# wget | Network utility to retrieve files from the Web
# unzip | For extracting and viewing files in .zip archives
# firefox | Standalone web browser from mozilla.org
# virtualbox | Powerful x86 virtualization for enterprise as well as home use
# virtualbox-guest-utils | VirtualBox Guest userspace utilities
# virtualbox-host-modules-arch | Virtualbox host kernel modules for Arch Kernel
# bash-completion | Programmable completion for the bash shell
# intel-ucode | Microcode update files for Intel CPUs
# reflector | Python utility to get the fastest pacman mirrors
# rsync | A fast and versatile file copying tool for remote and local files (optional dependency of reflector)
# nodejs | Evented I/O for V8 javascript
# npm | A package manager for javascript
# ripgrep | search tool that combines the usability of ag with the raw speed of grep
# cuda | NVIDIA's GPU programming toolkit
# python | Next generation of the python high-level scripting language
# python-pip | The PyPA recommended tool for installing Python packages
# lazygit | Simple terminal UI for git commands
# cryptsetup | Userspace setup tool for transparent encryption of block devices using dm-crypt
# discord | All-in-one voice and text chat for gamers that's free and secure.
# htop | Interactive process viewer
# thunderbird | Standalone mail and news reader from mozilla.org
# brightnessctl | Lightweight brightness control tool
# fakeroot | Tool for simulating superuser privileges
# sed | GNU stream editor
# gcc | The GNU Compiler Collection - C and C++ frontends
# grep | A string search utility
# make | GNU make utility to maintain groups of programs
# man-db | A utility for reading man pages
# openvpn | An easy-to-use, robust and highly configurable VPN
# pkgconf | Package compiler and linker metadata toolkit
# Artix package name | Description
# openrc | Gentoo's universal init system
# elogind-openrc | OpenRC elogind init script
# connman-openrc | OpenRC connman init script
# runit | A cross-platform Unix init scheme with service supervision
# elogind-runit | Runit service scripts for elogind
# connman-runit | Runit service script for connman
# s6-base | Packages, hooks, and scripts to define a basic s6 init system implementation for Artix Linux.
# elogind-s6 | s6-rc service scripts for elogind
# connman-s6 | s6-rc service scripts for connman
# suite66 | small tools built around s6 and s6-rc programs
# elogind-suite66 | 66 script for elogind
# connman-suite66 | 66 script for connman
# dinit | Service monitoring/init system -- init package
# elogind-dinit | dinit service scripts for elogind
# connman-dinit | dinit service scripts for connman
# AUR package name | Description | Upstream link
# polybar | A fast and easy-to-use status bar | https://aur.archlinux.org/polybar.git
# davmail | a POP/IMAP/SMTP/Caldav/LDAP gateway for the exchange service | https://aur.archlinux.org/davmail.git
# font-manager | A simple font management application for GTK+ Desktop Environments | https://aur.archlinux.org/font-manager.git
# tor-browser | anonymous browsing using Firefox and Tor | https://aur.archlinux.org/tor-browser.git
# lazydocker | A simple terminal UI for docker and docker-compose, written in Go with the gocui library | https://aur.archlinux.org/lazydocker.git
# NOTE : Before installing tor, type : gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
# Get the list of all available time zones
timedatectl list-timezones
# Removing users from specific group
gpasswd -d "$USERNAME" "$GROUP"
# Dual boot setup with os-prober
echo 'GRUB_DISABLE_OS_PROBER=0' >> /etc/default/grub
update-grub
# If bluez bluetooth device is org.bluez.Error.Blocked
rfkill block bluetooth
rfkill unblock bluetooth
# If it still doesn't work
## systemd
systemctl restart bluetooth
## OpenRC
rc-service bluetoothd restart
# Setup a custom DNS server (systemd)
systemctl enable systemd-resolved
systemctl start systemd-resolved
mkdir /etc/systemd/resolved.conf.d
echo '[Resolve]
DNS=192.168.35.1 fd7b:d0bd:7a6e::1
Domains=~.e' > /etc/systemd/resolved.conf.d/dns_servers.conf

249
create_arch_server.sh
View File

@@ -1,249 +0,0 @@
#!/usr/bin/env bash
# Exit immediately if a command exits with a non-zero exit status
set -e
echo -n Hostname :
read -r HOSTNAME
echo -n Domain name :
read -r DOMAIN_NAME
echo -n Username :
read -r USERNAME
echo Password :
read -r -s PASSWORD
echo MYSQL_ROOT_PASSWORD ? :
read -r -s MYSQL_ROOT_PASSWORD
echo MYSQL_PASSWORD ? :
read -r -s MYSQL_PASSWORD
echo Pihole admin password ? :
read -r -s PIHOLE_PASSWORD
# Setup the hostname
hostnamectl hostname "$HOSTNAME"
# Enable pacman's parallels downloads
sed -i 's/^#Para/Para/g' /etc/pacman.conf
# Updating every packages
pacman -Syu --noconfirm
# Removing unwanted packages
pacman -Rc --noconfirm nano vim vim-runtime sudo
# Installing needed packages
pacman -S --noconfirm --needed docker neovim lazygit neofetch git wget unzip openssh bash-completion reflector \
rsync nodejs npm python python-pip ripgrep htop opendoas which man sed fakeroot gcc flake8 autopep8 \
python-pynvim
# Installing npm dependencies
npm i -g neovim npm-check-updates
# Enable the wheel group to use doas
echo 'permit persist :wheel' > /etc/doas.conf
# Enabling docker
systemctl enable docker
systemctl start docker
# Setup SSH
echo 'Port 777
AddressFamily inet
ChallengeResponseAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin no
UsePAM no
PrintMotd no
Subsystem sftp /usr/lib/ssh/sftp-server
' > /etc/ssh/sshd_config
systemctl restart sshd
# Disable systemctl resolved
systemctl stop systemd-resolved
systemctl disable systemd-resolved
# Adding personnal account
useradd -m "$USERNAME"
passwd "$USERNAME" << EOF
$PASSWORD
$PASSWORD
EOF
usermod -aG wheel "$USERNAME"
usermod -aG docker "$USERNAME"
usermod -aG wheel root
user_exec(){
# Adding personnal SSH public key
mkdir ~/.ssh ~/aur git services
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6nIqEuVlD6ouHf2OmhN5+gP3qP31+Z5x7+2GKLstTzkLo1wFUGQKsAgeAA3r47xXkUznSt0BHi7J6yaAJ7q2oSNxwbH73hemLlbQGAMkjRpvM4wL2jvVVBnILUMqLlzwEqBPlygng3DkT/KGTAcmWrt6kh/TV6npH4bf2LV7Z6g7YB9usmaJPTmw53/lQaDDxkMw7aYgDRc2oQwjZNOZ/uzb3IenvRyXfmegWYLHemiajtuj3e/Z7XRcJLhMp5XYQaPpy7RdkpBNiA7fIrITrXcjK+K71NGXLHRB8Ert5y8SzMs5gu3iOA4JnfcDnpdXyo1USduDDkDjH+N9ggQdaSXUmHCI3P1x1IJN56X0F20u287E/bMGApPiF4mkL5xbJdjZMKDgodm1QNdbBNu4vw4nm13TOM/neqPKcs+gzgPe/50gad2KOGoU+MQwPB2JA/vX9UGHUDTYkn4cmLeDR97OUq94yYZTJX3vMEKMxM9reZ/FR9pcdFvGWme46R1styyZExbPqLPA8b/FjX08USDE4aIDyi0GUHwx+exfdneFWm3yZ/G4XUENlKP3mlzPZql90sJu/ERdUX8fFZfJKdhjH0Q26SYJbD30Oh62IpUEoLFVovbhXO7r8nxgXoAgp7ArwZS2vv5P4xJt4I7gzFxS3cw/K9IOo4TXuXprfmQ== SAUNDERS@DESKTOP-95BAQ8S' > ~/.ssh/authorized_keys
# Installing lazydocker
git clone https://aur.archlinux.org/lazydocker.git ~/aur/lazydocker
cd ~/aur/lazydocker
makepkg -sri --noconfirm
rm -rf ~/go
# Adding dotfiles
git clone https://github.com/saundersp/dotfiles.git ~/git/dotfiles
cd ~/git/dotfiles
./auto.sh server
sudo bash auto.sh server
# Adding portfolio
git clone https://github.com/saundersp/portfolio.git ~/git/portfolio
cd ~/git/portfolio
docker pull node:lts-alpine
docker build -f Dockerfile.no_ssl -t saundersp/portfolio .
# Setup the services used in the server
cd ~/services
echo -e "MYSQL_PASSWORD=$MYSQL_PASSWORD\nMYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD" > .env
echo 'nextcloud mariadb vaultwarden/server pihole/pihole caddy/caddy:alpine' | xargs -n1 docker pull
mkdir bitwarden-data caddy mariadb-data nextcloud-data openvpn-etc pihole caddy/config caddy/data caddy/etc
# Setup caddy
echo "$DOMAIN_NAME {
handle_path /bitwarden* {
reverse_proxy /notifications/hub/negotiate localhost:8080
reverse_proxy /notifications/hub localhost:3012
reverse_proxy localhost:8080
}
handle_path /pihole* {
reverse_proxy localhost:8082
route /* {
reverse_proxy localhost:8082
}
}
handle_path /nextcloud* {
rewrite /.well-known/carddav /remote.php/dav
rewrite /.well-known/caldav /remote.php/dav
header /* {
Script-Transport-Security max-age=15552000;
}
reverse_proxy localhost:8084
route /* {
reverse_proxy localhost:8084
}
}
reverse_proxy localhost:8081
}" > caddy/Caddyfile
# Getting the docker-compose.yml ready
echo 'version: "3.9"
services:
portfolio:
image: saundersp/portfolio:latest
restart: unless-stopped
ports:
- 8081:80
pihole:
image: cbcrowe/pihole-unbound:latest
restart: unless-stopped
ports:
- 53:53/tcp
- 53:53/udp
- 8082:80/tcp
volumes:
- ./pihole/data:/etc/pihole
- ./pihole/dnsmasq.d:/etc/dnsmasq.d
environment:
- ServerIP=127.0.0.1
- TZ=Europe/London
- REV_SERVER=true
- REV_SERVER_TARGET=192.168.1.1
- REV_SERVER_DOMAIN=local
- REV_SERVER_CIDR=192.168.0.0/16
- DNS1=127.0.0.1#5335
- DNS2=127.0.0.1#5335
- DNSSEC="true"
# NOTE Get rid of "reducing DNS packet size for nameserver ..." : echo "edns-packet-max=1232" | sudo tee /etc/dnsmasq.d/99-edns.conf
bitwarden:
image: vaultwarden/server:latest
restart: unless-stopped
ports:
- 8080:80
volumes:
- ./bitwarden-data:/data
mariadb:
image: mariadb:latest
restart: unless-stopped
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb-file-per-table=1 --skip-innodb-read-only-compressed
volumes:
- ./mariadb-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
- MYSQL_PASSWORD=${MYSQL_PASSWORD}
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
nextcloud:
image: nextcloud:latest
restart: unless-stopped
ports:
- 8084:80
volumes:
- ./nextcloud-data:/var/www/html
environment:
- MYSQL_PASSWORD=${MYSQL_PASSWORD}
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
- MYSQL_HOST=mariadb
- APACHE_DISABLE_REWRITE_IP=1
links:
- mariadb
# NOTE To setup a primary install :
# add "overwriteprotocol => https" to config/config.php
# add "overwritewebroot => /nextcloud" to config/config.php
caddy:
image: caddy/caddy:alpine
restart: unless-stopped
network_mode: "host"
volumes:
- ./caddy/data:/data
- ./caddy/config:/config
- ./caddy/etc:/root/.local/share/caddy
- ./caddy/Caddyfile:/etc/caddy/Caddyfile
' > docker-compose.yml
docker-compose up -d
sleep 15
# Setup nextcloud web root
sudo sed -i "3a\ \ 'overwriteprotocol' => 'https',\n\ \ 'overwritewebroot' => '/nextcloud'," nextcloud-data/config/config.php
docker-compose restart nextcloud
# Setup pihole
docker-compose exec pihole pihole -a -p "$PIHOLE_PASSWORD"
docker-compose exec pihole sqlite3 /etc/pihole/gravity.db '
INSERT INTO "adlist" ("address","enabled","comment") VALUES ("https://raw.githubusercontent.com/jdlingyu/ad-war","1","Advertising Lists 1"),
("https://adaway.org/hosts.txt","1","Advertising Lists 2"),
("https://v.firebog.net/hosts/AdguardDNS.txt","1","Advertising Lists 3"),
("https://v.firebog.net/hosts/Admiral.txt","1","Advertising Lists 4"),
("https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt","1","Advertising Lists 5"),
("https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt","1","Advertising Lists 6"),
("https://v.firebog.net/hosts/Easylist.txt","1","Advertising Lists 7"),
("https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext","1","Advertising Lists 8"),
("https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts","1","Advertising Lists 9"),
("https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts","1","Advertising Lists 10");'
docker-compose exec pihole pihole -g
}
export -f user_exec
su "$USERNAME" -c user_exec
# Removing the nopass option in doas
sed -i '1s/nopass/persist/g' /etc/doas.conf

2
docker_build
View File

@@ -50,7 +50,7 @@ build ~/git/CurriculumVitae
build ~/git/dotfiles build ~/git/dotfiles
build ~/git/ESP32Manager build ~/git/ESP32Manager
build ~/git/haskell_playground build ~/git/haskell_playground
build ~/git/IntershipReport build ~/git/InternshipReport
build ~/git/notebook build ~/git/notebook
build ~/git/portfolio no_ssl build ~/git/portfolio no_ssl
build ~/git/portfolio_ivo no-ssl build ~/git/portfolio_ivo no-ssl

25
mv_docker.sh
View File

@@ -1,25 +0,0 @@
#!/usr/bin/env bash
set -e
WSL_DIR='/d/WSL2'
WSLS="$(wsl --list | sed 1d | cut -d' ' -f 1 | sed $'s/[^[:print:]\t]//g' | head -n -1)"
mkdir -p "$WSL_DIR"
for WSL in "${WSLS[@]}"; do
if [ -d "$WSL_DIR"/"$WSL" ]; then
echo "$WSL already moved, continuing"
continue
fi
echo "Exporting $WSL to archive"
wsl --export "$WSL" "$WSL_DIR/$WSL.tar"
echo "Unregistering $WSL"
wsl --unregister "$WSL"
mkdir "$WSL_DIR/$WSL"
echo "Importing $WSL from archive"
wsl --import "$WSL" "$WSL_DIR/$WSL" "$WSL_DIR/$WSL.tar" --version 2
echo "Removing $WSL archive"
rm "$WSL_DIR/$WSL.tar"
done

49
secure_debian_server.md
View File

@@ -1,49 +0,0 @@
# Secure a debian server
## Deny ping response
In the file /etc/ufw/before.rules add the line after "ok icmp codes for INPUT"
> -A ufw-before-input -p icmp --icmp-type echo-request -j DROP
## Restraining SSH default behaviour
In the file /etc/ssh/sshd_config or /etc/sshd_config
> Port $SSH_PORT # Custom SSH port
> AddressFamily inet
> ChallengeResponseAuthentication no
> PasswordAuthentication no
> UsePAM no
> PermitRootLogin no
```bash
# Apply changes
systemctl restart sshd
```
## Enabling security features
In the file /etc/sysctl.conf, uncomment / add the lines :
> net.ipv4.conf.default.rp_filter = 1
> net.ipv4.conf.all.rp_filter = 1
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv6.conf.all.accept_redirects = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.all.accept_source_route = 0
> net.ipv6.conf.all.accept_source_route = 0
> net.ipv4.conf.all.log_martians = 1
> net.ipv4.conf.all.arp_notify = 1
```bash
# Apply changes
sysctl -p
```
## Prevent IP Spoof
In the file /etc/host.conf, add / change the lines :
> order bind,hosts
> multi on

13
setup_unreal.sh
View File

@@ -1,13 +0,0 @@
#!/bin/sh
set -e
test -z "$REPO_PATH" && REPO_PATH="$HOME"/git
git clone git@github.com:EpicGames/UnrealEngine.git -b release --depth 1 "$REPO_PATH"/UnrealEngine
cd "$REPO_PATH"/UnrealEngine
./Setup.sh
./GenerateProjectFiles.sh
make
cd Engine/Binaries/Linux
./UnrealEditor

31
vscodium-ext.sh
View File

@@ -1,31 +0,0 @@
#!/bin/sh
### Add Microsoft's extensions to VSCodium
# In the file resources/app/product.json change this :
# "extensionsGallery": {
# "serviceUrl": "https://open-vsx.org/vscode/gallery",
# "itemUrl": "https://open-vsx.org/vscode/item"
# },
# to this :
# "extensionsGallery": {
# "serviceUrl": "https://marketplace.visualstudio.com/_apis/public/gallery",
# "cacheUrl": "https://vscode.blob.core.windows.net/gallery/index",
# "itemUrl": "https://marketplace.visualstudio.com/items"
# },
apply(){
FILE="$1"
test -z "$FILE" && FILE=/opt/vscodium/resources/app/product.json
SEP=' '
OLD="$SEP\\\"extensionsGallery\": {\\n$SEP$SEP\\\"serviceUrl\\\": \\\"https://open-vsx.org/vscode/gallery\\\",\\n$SEP$SEP\\\"itemUrl\\\": \\\"https://open-vsx.org/vscode/item\\\"\\n$SEP},"
NEW="$SEP\"extensionsGallery\": {\\n$SEP$SEP\"serviceUrl\": \"https://marketplace.visualstudio.com/_apis/public/gallery\",\\n$SEP$SEP\"cacheUrl\": \"https://vscode.blob.core.windows.net/gallery/index\",\\n$SEP$SEP\"itemUrl\": \"https://marketplace.visualstudio.com/items\"\\n$SEP},"
sed -i ":a;N;\$!ba;s&$OLD&$NEW&g" "$FILE"
}
apply "$1"