scripts/create_arch_server.sh

#!/usr/bin/env bash

# Exit immediately if a command exits with a non-zero exit status
set -e

echo -n Hostname :
read -r HOSTNAME

echo -n Domain name :
read -r DOMAIN_NAME

echo -n Username :
read -r USERNAME

echo Password :
read -r -s PASSWORD

echo MYSQL_ROOT_PASSWORD ? :
read -r -s MYSQL_ROOT_PASSWORD

echo MYSQL_PASSWORD ? :
read -r -s MYSQL_PASSWORD

echo Pihole admin password ? :
read -r -s PIHOLE_PASSWORD

# Setup the hostname
hostnamectl hostname "$HOSTNAME"

# Enable pacman's parallels downloads
sed -i 's/^#Para/Para/g' /etc/pacman.conf

# Updating every packages
pacman -Syu --noconfirm
# Removing unwanted packages
pacman -Rc --noconfirm nano vim vim-runtime sudo
# Installing needed packages
pacman -S --noconfirm --needed docker neovim lazygit neofetch git wget unzip openssh bash-completion reflector \
	rsync nodejs npm python python-pip ripgrep htop opendoas which man sed fakeroot gcc flake8 autopep8 \
	python-pynvim

# Installing npm dependencies
npm i -g neovim npm-check-updates

# Enable the wheel group to use doas
echo 'permit persist :wheel' > /etc/doas.conf

# Enabling docker
systemctl enable docker
systemctl start docker

# Setup SSH
echo 'Port 777
AddressFamily inet
ChallengeResponseAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin no
UsePAM no
PrintMotd no
Subsystem sftp /usr/lib/ssh/sftp-server
' > /etc/ssh/sshd_config
systemctl restart sshd

# Disable systemctl resolved
systemctl stop systemd-resolved
systemctl disable systemd-resolved

# Adding personnal account
useradd -m "$USERNAME"
passwd "$USERNAME" << EOF
$PASSWORD
$PASSWORD
EOF
usermod -aG wheel "$USERNAME"
usermod -aG docker "$USERNAME"
usermod -aG wheel root

user_exec(){
	# Adding personnal SSH public key
	mkdir ~/.ssh ~/aur git services
	echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6nIqEuVlD6ouHf2OmhN5+gP3qP31+Z5x7+2GKLstTzkLo1wFUGQKsAgeAA3r47xXkUznSt0BHi7J6yaAJ7q2oSNxwbH73hemLlbQGAMkjRpvM4wL2jvVVBnILUMqLlzwEqBPlygng3DkT/KGTAcmWrt6kh/TV6npH4bf2LV7Z6g7YB9usmaJPTmw53/lQaDDxkMw7aYgDRc2oQwjZNOZ/uzb3IenvRyXfmegWYLHemiajtuj3e/Z7XRcJLhMp5XYQaPpy7RdkpBNiA7fIrITrXcjK+K71NGXLHRB8Ert5y8SzMs5gu3iOA4JnfcDnpdXyo1USduDDkDjH+N9ggQdaSXUmHCI3P1x1IJN56X0F20u287E/bMGApPiF4mkL5xbJdjZMKDgodm1QNdbBNu4vw4nm13TOM/neqPKcs+gzgPe/50gad2KOGoU+MQwPB2JA/vX9UGHUDTYkn4cmLeDR97OUq94yYZTJX3vMEKMxM9reZ/FR9pcdFvGWme46R1styyZExbPqLPA8b/FjX08USDE4aIDyi0GUHwx+exfdneFWm3yZ/G4XUENlKP3mlzPZql90sJu/ERdUX8fFZfJKdhjH0Q26SYJbD30Oh62IpUEoLFVovbhXO7r8nxgXoAgp7ArwZS2vv5P4xJt4I7gzFxS3cw/K9IOo4TXuXprfmQ== SAUNDERS@DESKTOP-95BAQ8S' > ~/.ssh/authorized_keys

	# Installing lazydocker
	git clone https://aur.archlinux.org/lazydocker.git ~/aur/lazydocker
	cd ~/aur/lazydocker
	makepkg -sri --noconfirm
	rm -rf ~/go

	# Adding dotfiles
	git clone https://github.com/saundersp/dotfiles.git ~/git/dotfiles
	cd ~/git/dotfiles
	./auto.sh server
	sudo bash auto.sh server

	# Adding portfolio
	git clone https://github.com/saundersp/portfolio.git ~/git/portfolio
	cd ~/git/portfolio
	docker pull node:lts-alpine
	docker build -f Dockerfile.no_ssl -t saundersp/portfolio .

	# Setup the services used in the server
	cd ~/services
	echo -e "MYSQL_PASSWORD=$MYSQL_PASSWORD\nMYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD" > .env
	echo 'nextcloud mariadb vaultwarden/server pihole/pihole caddy/caddy:alpine' | xargs -n1 docker pull

	mkdir bitwarden-data caddy mariadb-data nextcloud-data openvpn-etc pihole caddy/config caddy/data caddy/etc

	# Setup caddy
	echo "$DOMAIN_NAME {
	handle_path /bitwarden* {
		reverse_proxy /notifications/hub/negotiate localhost:8080
		reverse_proxy /notifications/hub localhost:3012
		reverse_proxy localhost:8080
	}
	handle_path /pihole* {
		reverse_proxy localhost:8082
		route /* {
			reverse_proxy localhost:8082
		}
	}
	handle_path /nextcloud* {
		rewrite /.well-known/carddav /remote.php/dav
		rewrite /.well-known/caldav /remote.php/dav

		header /* {
			Script-Transport-Security max-age=15552000;
		}

		reverse_proxy localhost:8084
		route /* {
			reverse_proxy localhost:8084
		}
	}
	reverse_proxy localhost:8081
}" > caddy/Caddyfile

	# Getting the docker-compose.yml ready
	echo 'version: "3.9"

services:
  portfolio:
    image: saundersp/portfolio:latest
    restart: unless-stopped
    ports:
      - 8081:80

  pihole:
    image: cbcrowe/pihole-unbound:latest
    restart: unless-stopped
    ports:
      - 53:53/tcp
      - 53:53/udp
      - 8082:80/tcp
    volumes:
      - ./pihole/data:/etc/pihole
      - ./pihole/dnsmasq.d:/etc/dnsmasq.d
    environment:
      - ServerIP=127.0.0.1
      - TZ=Europe/London
      - REV_SERVER=true
      - REV_SERVER_TARGET=192.168.1.1
      - REV_SERVER_DOMAIN=local
      - REV_SERVER_CIDR=192.168.0.0/16
      - DNS1=127.0.0.1#5335
      - DNS2=127.0.0.1#5335
      - DNSSEC="true"

# NOTE Get rid of "reducing DNS packet size for nameserver ..." : echo "edns-packet-max=1232" | sudo tee /etc/dnsmasq.d/99-edns.conf

  bitwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    ports:
      - 8080:80
    volumes:
      - ./bitwarden-data:/data

  mariadb:
    image: mariadb:latest
    restart: unless-stopped
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb-file-per-table=1 --skip-innodb-read-only-compressed
    volumes:
      - ./mariadb-data:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud

  nextcloud:
    image: nextcloud:latest
    restart: unless-stopped
    ports:
      - 8084:80
    volumes:
      - ./nextcloud-data:/var/www/html
    environment:
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_HOST=mariadb
      - APACHE_DISABLE_REWRITE_IP=1
    links:
      - mariadb

# NOTE To setup a primary install :
# add "overwriteprotocol => https" to config/config.php
# add "overwritewebroot => /nextcloud" to config/config.php

  caddy:
    image: caddy/caddy:alpine
    restart: unless-stopped
    network_mode: "host"
    volumes:
      - ./caddy/data:/data
      - ./caddy/config:/config
      - ./caddy/etc:/root/.local/share/caddy
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile
' > docker-compose.yml
	docker-compose up -d
	sleep 15

	# Setup nextcloud web root
	sudo sed -i "3a\ \  'overwriteprotocol' => 'https',\n\ \ 'overwritewebroot' => '/nextcloud'," nextcloud-data/config/config.php
	docker-compose restart nextcloud

	# Setup pihole
	docker-compose exec pihole pihole -a -p "$PIHOLE_PASSWORD"
	docker-compose exec pihole sqlite3 /etc/pihole/gravity.db '
		INSERT INTO "adlist" ("address","enabled","comment") VALUES ("https://raw.githubusercontent.com/jdlingyu/ad-war","1","Advertising Lists 1"),
		("https://adaway.org/hosts.txt","1","Advertising Lists 2"),
		("https://v.firebog.net/hosts/AdguardDNS.txt","1","Advertising Lists 3"),
		("https://v.firebog.net/hosts/Admiral.txt","1","Advertising Lists 4"),
		("https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt","1","Advertising Lists 5"),
		("https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt","1","Advertising Lists 6"),
		("https://v.firebog.net/hosts/Easylist.txt","1","Advertising Lists 7"),
		("https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext","1","Advertising Lists 8"),
		("https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts","1","Advertising Lists 9"),
		("https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts","1","Advertising Lists 10");'
	docker-compose exec pihole pihole -g
}
export -f user_exec
su "$USERNAME" -c user_exec

# Removing the nopass option in doas
sed -i '1s/nopass/persist/g' /etc/doas.conf