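#!/usr/bin/env bash
#
# Bootstrap an Arch Linux server: hostname, packages, doas/sshd configuration,
# a personal account, and — as that account — dotfiles, the portfolio image and
# the docker-compose stack (portfolio, pihole, vaultwarden, mariadb, nextcloud,
# caddy).
#
# Run as root on a fresh install. Every input is read interactively; the
# secrets are read without echo (read -s).

# Exit immediately if a command exits with a non-zero exit status, treat unset
# variables as errors and fail a pipeline if any stage fails.
set -euo pipefail

# --- Interactive inputs -----------------------------------------------------
# printf is used instead of echo -n/-e so prompts are portable and so the
# values typed are never interpreted for escape sequences.
printf 'Hostname : '
read -r HOSTNAME
printf 'Domain name : '
read -r DOMAIN_NAME
printf 'Username : '
read -r USERNAME
printf 'Password :\n'
read -r -s PASSWORD
printf '\n'
printf 'MYSQL_ROOT_PASSWORD ? :\n'
read -r -s MYSQL_ROOT_PASSWORD
printf '\n'
printf 'MYSQL_PASSWORD ? :\n'
read -r -s MYSQL_PASSWORD
printf '\n'
printf 'Pihole admin password ? :\n'
read -r -s PIHOLE_PASSWORD
printf '\n'

# --- Hostname ---------------------------------------------------------------
hostnamectl hostname "$HOSTNAME"

# --- Packages ---------------------------------------------------------------
# Enable pacman's parallel downloads (uncomment the ParallelDownloads line).
sed -i 's/^#Para/Para/g' /etc/pacman.conf

# Update every package.
pacman -Syu --noconfirm

# Remove unwanted packages. NOTE(review): pacman -Rc fails (and aborts the
# script under set -e) if any of these is not installed — confirm on a fresh
# install.
pacman -Rc --noconfirm nano vim vim-runtime sudo

# Install needed packages.
pacman -S --noconfirm --needed docker neovim lazygit neofetch git wget unzip openssh bash-completion reflector \
  rsync nodejs npm python python-pip ripgrep htop opendoas which man sed fakeroot gcc flake8 autopep8 \
  python-pynvim

# Install npm dependencies.
npm i -g neovim npm-check-updates

# --- doas -------------------------------------------------------------------
# Allow the wheel group to use doas (password cached per session).
echo 'permit persist :wheel' > /etc/doas.conf

# --- Docker -----------------------------------------------------------------
systemctl enable --now docker

# --- SSH --------------------------------------------------------------------
# Quoted heredoc: the file is written literally, nothing is expanded.
# A public key is provisioned for the user further down; PasswordAuthentication
# can be switched to "no" once key-based login has been confirmed.
cat > /etc/ssh/sshd_config <<'EOF'
Port 777
AddressFamily inet
ChallengeResponseAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin no
UsePAM no
PrintMotd no
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
# Validate the configuration before restarting, so a typo cannot lock us out.
sshd -t -f /etc/ssh/sshd_config
systemctl restart sshd

# --- systemd-resolved -------------------------------------------------------
# Disabled so pihole can own port 53.
systemctl disable --now systemd-resolved

# --- Personal account -------------------------------------------------------
useradd -m "$USERNAME"
# chpasswd reads "user:password" from stdin; the password never appears in
# argv. printf '%s' keeps any backslashes in the password literal.
printf '%s:%s\n' "$USERNAME" "$PASSWORD" | chpasswd
usermod -aG wheel,docker "$USERNAME"
usermod -aG wheel root

#######################################
# Per-user setup, executed as $USERNAME via su below.
# Globals (read, must be exported by the caller):
#   DOMAIN_NAME, MYSQL_PASSWORD, MYSQL_ROOT_PASSWORD, PIHOLE_PASSWORD
# Outputs: creates ~/.ssh, ~/aur, ~/git, ~/services and the compose stack.
# Returns: non-zero on the first failing command (set -e is re-enabled here
#   because shell options do not survive the su boundary).
#######################################
user_exec() {
  set -euo pipefail

  # Every directory is created under $HOME: su without -l keeps the caller's
  # cwd, so relative names would land wherever root ran the script.
  mkdir -p ~/.ssh ~/aur ~/git ~/services
  chmod 700 ~/.ssh

  # Add the personal SSH public key.
  cat > ~/.ssh/authorized_keys <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6nIqEuVlD6ouHf2OmhN5+gP3qP31+Z5x7+2GKLstTzkLo1wFUGQKsAgeAA3r47xXkUznSt0BHi7J6yaAJ7q2oSNxwbH73hemLlbQGAMkjRpvM4wL2jvVVBnILUMqLlzwEqBPlygng3DkT/KGTAcmWrt6kh/TV6npH4bf2LV7Z6g7YB9usmaJPTmw53/lQaDDxkMw7aYgDRc2oQwjZNOZ/uzb3IenvRyXfmegWYLHemiajtuj3e/Z7XRcJLhMp5XYQaPpy7RdkpBNiA7fIrITrXcjK+K71NGXLHRB8Ert5y8SzMs5gu3iOA4JnfcDnpdXyo1USduDDkDjH+N9ggQdaSXUmHCI3P1x1IJN56X0F20u287E/bMGApPiF4mkL5xbJdjZMKDgodm1QNdbBNu4vw4nm13TOM/neqPKcs+gzgPe/50gad2KOGoU+MQwPB2JA/vX9UGHUDTYkn4cmLeDR97OUq94yYZTJX3vMEKMxM9reZ/FR9pcdFvGWme46R1styyZExbPqLPA8b/FjX08USDE4aIDyi0GUHwx+exfdneFWm3yZ/G4XUENlKP3mlzPZql90sJu/ERdUX8fFZfJKdhjH0Q26SYJbD30Oh62IpUEoLFVovbhXO7r8nxgXoAgp7ArwZS2vv5P4xJt4I7gzFxS3cw/K9IOo4TXuXprfmQ== SAUNDERS@DESKTOP-95BAQ8S
EOF
  chmod 600 ~/.ssh/authorized_keys

  # Install lazydocker from the AUR (built in a subshell so the cwd is kept).
  git clone https://aur.archlinux.org/lazydocker.git ~/aur/lazydocker
  (cd ~/aur/lazydocker && makepkg -sri --noconfirm)
  rm -rf ~/go

  # Add dotfiles.
  # NOTE(review): sudo is removed by "pacman -Rc ... sudo" above, yet sudo is
  # invoked here and below; presumably the dotfiles provide a sudo→doas shim —
  # confirm.
  git clone https://github.com/saundersp/dotfiles.git ~/git/dotfiles
  cd ~/git/dotfiles
  ./auto.sh server
  sudo bash auto.sh server

  # Build the portfolio image.
  git clone https://github.com/saundersp/portfolio.git ~/git/portfolio
  cd ~/git/portfolio
  docker pull node:lts-alpine
  docker build -f Dockerfile.no_ssl -t saundersp/portfolio .

  # Set up the services used by the server.
  cd ~/services

  # .env holds the database secrets read by docker-compose: create it
  # owner-only from the start (umask in a subshell, so nothing else is
  # affected) and write the values with %s so they are never escape-expanded.
  (
    umask 077
    printf 'MYSQL_PASSWORD=%s\nMYSQL_ROOT_PASSWORD=%s\n' \
      "$MYSQL_PASSWORD" "$MYSQL_ROOT_PASSWORD" > .env
  )

  # Pre-pull images. NOTE(review): compose pulls missing images itself, and
  # pihole/pihole is not the image the compose file uses
  # (cbcrowe/pihole-unbound) — confirm this list is still wanted.
  local image
  for image in nextcloud mariadb vaultwarden/server pihole/pihole caddy/caddy:alpine; do
    docker pull "$image"
  done

  mkdir -p bitwarden-data caddy mariadb-data nextcloud-data openvpn-etc pihole \
    caddy/config caddy/data caddy/etc

  # Caddyfile: unquoted heredoc so $DOMAIN_NAME is expanded; the file contains
  # no other "$". The HSTS header is Strict-Transport-Security (the previous
  # "Script-Transport-Security" spelling set a header nothing reads).
  cat > caddy/Caddyfile <<EOF
$DOMAIN_NAME {
  handle_path /bitwarden* {
    reverse_proxy /notifications/hub/negotiate localhost:8080
    reverse_proxy /notifications/hub localhost:3012
    reverse_proxy localhost:8080
  }
  handle_path /pihole* {
    reverse_proxy localhost:8082
    route /* {
      reverse_proxy localhost:8082
    }
  }
  handle_path /nextcloud* {
    rewrite /.well-known/carddav /remote.php/dav
    rewrite /.well-known/caldav /remote.php/dav
    header /* {
      Strict-Transport-Security max-age=15552000;
    }
    reverse_proxy localhost:8084
    route /* {
      reverse_proxy localhost:8084
    }
  }
  reverse_proxy localhost:8081
}
EOF

  # docker-compose.yml: quoted heredoc so ${MYSQL_*} stay literal and are
  # resolved by docker-compose from .env.
  # NOTE(review): "ports" entries without a host address bind on every
  # interface (53 is the DNS resolver) — scope them to a host IP if this
  # machine is reachable from the internet.
  cat > docker-compose.yml <<'EOF'
version: "3.9"
services:
  portfolio:
    image: saundersp/portfolio:latest
    restart: unless-stopped
    ports:
      - 8081:80
  pihole:
    image: cbcrowe/pihole-unbound:latest
    restart: unless-stopped
    ports:
      - 53:53/tcp
      - 53:53/udp
      - 8082:80/tcp
    volumes:
      - ./pihole/data:/etc/pihole
      - ./pihole/dnsmasq.d:/etc/dnsmasq.d
    environment:
      - ServerIP=127.0.0.1
      - TZ=Europe/London
      - REV_SERVER=true
      - REV_SERVER_TARGET=192.168.1.1
      - REV_SERVER_DOMAIN=local
      - REV_SERVER_CIDR=192.168.0.0/16
      - DNS1=127.0.0.1#5335
      - DNS2=127.0.0.1#5335
      - DNSSEC="true"
    # NOTE Get rid of "reducing DNS packet size for nameserver ..." : echo "edns-packet-max=1232" | sudo tee /etc/dnsmasq.d/99-edns.conf
  bitwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    ports:
      - 8080:80
    volumes:
      - ./bitwarden-data:/data
  mariadb:
    image: mariadb:latest
    restart: unless-stopped
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb-file-per-table=1 --skip-innodb-read-only-compressed
    volumes:
      - ./mariadb-data:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
  nextcloud:
    image: nextcloud:latest
    restart: unless-stopped
    ports:
      - 8084:80
    volumes:
      - ./nextcloud-data:/var/www/html
    environment:
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_HOST=mariadb
      - APACHE_DISABLE_REWRITE_IP=1
    links:
      - mariadb
    # NOTE To setup a primary install :
    # add "overwriteprotocol => https" to config/config.php
    # add "overwritewebroot => /nextcloud" to config/config.php
  caddy:
    image: caddy/caddy:alpine
    restart: unless-stopped
    network_mode: "host"
    volumes:
      - ./caddy/data:/data
      - ./caddy/config:/config
      - ./caddy/etc:/root/.local/share/caddy
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile
EOF

  docker-compose up -d
  # Fixed delay so nextcloud has written config/config.php before it is edited.
  sleep 15

  # Set up the nextcloud web root (config.php is owned by the container user,
  # hence sudo).
  sudo sed -i "3a\ \ 'overwriteprotocol' => 'https',\n\ \ 'overwritewebroot' => '/nextcloud'," nextcloud-data/config/config.php
  docker-compose restart nextcloud

  # Set up pihole: admin password, extra blocklists, then rebuild gravity.
  docker-compose exec pihole pihole -a -p "$PIHOLE_PASSWORD"
  docker-compose exec pihole sqlite3 /etc/pihole/gravity.db '
INSERT INTO "adlist" ("address","enabled","comment") VALUES
("https://raw.githubusercontent.com/jdlingyu/ad-war","1","Advertising Lists 1"),
("https://adaway.org/hosts.txt","1","Advertising Lists 2"),
("https://v.firebog.net/hosts/AdguardDNS.txt","1","Advertising Lists 3"),
("https://v.firebog.net/hosts/Admiral.txt","1","Advertising Lists 4"),
("https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt","1","Advertising Lists 5"),
("https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt","1","Advertising Lists 6"),
("https://v.firebog.net/hosts/Easylist.txt","1","Advertising Lists 7"),
("https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext","1","Advertising Lists 8"),
("https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts","1","Advertising Lists 9"),
("https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts","1","Advertising Lists 10");'
  docker-compose exec pihole pihole -g
}

# The function reaches the user's shell through the environment (export -f),
# and so must the variables it reads: plain shell variables set by "read" are
# not passed across su. They are exported only for this call and unset after.
export -f user_exec
export DOMAIN_NAME MYSQL_PASSWORD MYSQL_ROOT_PASSWORD PIHOLE_PASSWORD
# -s /bin/bash: exported functions only exist if the invoked shell is bash.
su -s /bin/bash -c user_exec "$USERNAME"
unset DOMAIN_NAME MYSQL_PASSWORD MYSQL_ROOT_PASSWORD PIHOLE_PASSWORD PASSWORD

# Replace the nopass option in doas with persist.
# NOTE(review): /etc/doas.conf is written with "persist" above, so this sed is
# a no-op as the file stands — confirm whether the initial rule was meant to be
# "nopass" for the unattended doas/sudo calls in user_exec.
sed -i '1s/nopass/persist/g' /etc/doas.conf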