This repository was archived by the owner on Mar 15, 2026. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathinitial-setup.sh
More file actions
executable file
·562 lines (503 loc) · 20.1 KB
/
initial-setup.sh
File metadata and controls
executable file
·562 lines (503 loc) · 20.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
#!/bin/bash
# Ubuntu Initial Setup Script (Interactive)
# Usage: sudo ./initial-setup.sh
# Purpose: Automates initial configuration on new Ubuntu installs
# This script is intended to be run interactively and will prompt for user input where needed.
# Last Revised: 2025/01/03
set -euo pipefail
# Source common helpers if available
if [ -f "$(dirname "$0")/scripts/common.sh" ]; then
# shellcheck source=/dev/null
. "$(dirname "$0")/scripts/common.sh"
fi
SHORT_DELAY=2
LONG_DELAY=5
log() { echo -e "\033[1;32m[INFO]\033[0m $*"; }
warn() { echo -e "\033[1;33m[WARN]\033[0m $*"; }
error() {
echo -e "\033[1;31m[ERROR]\033[0m $*"
exit 1
}
# Note: apt_retry is implemented in scripts/common.sh and is sourced above when available.
update_bashrc() {
log "Updating BASH"
sleep $SHORT_DELAY
if ! grep -q "$(dirname "$0")/scripts" ~/.bashrc; then
echo "export PATH=\$PATH:$(dirname "$0")/scripts" >>~/.bashrc
fi
source ~/.bashrc
}
setup_hosts_file() {
log "Setting up /etc/hosts entries..."
# Backup current hosts file
sudo cp /etc/hosts /etc/hosts.backup.$(date +%Y%m%d_%H%M%S)
# Get current hostname
current_hostname=$(hostname)
# Get the primary LAN IP using default gateway
default_gateway=$(ip route | grep default | awk '{print $3}')
log "Detected default gateway: $default_gateway"
if [[ -n "$default_gateway" ]]; then
lan_ip=$(ip route get "$default_gateway" | awk '/src/ {for(i=1;i<=NF;i++) if ($i=="src") print $(i+1)}')
if [[ -z "$lan_ip" ]]; then
lan_ip=$(ip route get "$default_gateway" | awk '{print $7; exit}')
fi
else
lan_ip=""
fi
log "Detected LAN IP: $lan_ip"
if [[ -n "$lan_ip" && "$lan_ip" != "127.0.0.1" ]]; then
# Extract subnet for mapping
if [[ "$lan_ip" =~ ^10\.([0-9]+)\. ]]; then
subnet="10.${BASH_REMATCH[1]}"
else
subnet=$(echo "$lan_ip" | awk -F. '{print $1 "." $2 "." $3}')
fi
# Subnet to domain mapping
case "$subnet" in
10.7)
domain_name="hq.802ski.com"
;;
10.8)
domain_name="er.802ski.com"
;;
192.168.50)
domain_name="la.ramalamba.com"
;;
192.168.11)
domain_name="nj.zoinks.us"
;;
192.168.7)
domain_name="hq.802ski.com"
;;
192.168.8)
domain_name="er.802ski.com"
;;
*)
domain_name="local"
;;
esac
fqdn="${current_hostname}.${domain_name}"
# Remove any existing entry for this IP
sudo sed -i "/^${lan_ip}[[:space:]]/d" /etc/hosts
# Add new entry with LAN IP
echo "$lan_ip $fqdn $current_hostname" | sudo tee -a /etc/hosts
log "Updated /etc/hosts: $lan_ip $fqdn $current_hostname"
# Ensure 127.0.1.1 line is present and correct
if grep -q '^127.0.1.1' /etc/hosts; then
sudo sed -i "s|^127.0.1.1.*|127.0.1.1 $current_hostname|" /etc/hosts
log "Updated 127.0.1.1 entry: 127.0.1.1 $current_hostname"
else
echo "127.0.1.1 $current_hostname" | sudo tee -a /etc/hosts
log "Added 127.0.1.1 entry: 127.0.1.1 $current_hostname"
fi
echo "================================================"
echo "\nCurrent /etc/hosts entry for this IP:"
grep "^${lan_ip}[[:space:]]" /etc/hosts
echo "================================================"
echo "Current /etc/hosts entry for 127.0.1.1:"
echo "================================================"
grep "^127.0.1.1[[:space:]]" /etc/hosts
echo "================================================"
echo "Press Enter to continue, or Ctrl+C to abort..."
read -p "Does this look correct?"
echo "Setting hostname"
sudo hostnamectl set-hostname "$fqdn"
else
warn "Could not determine LAN IP. Skipping /etc/hosts update."
fi
}
set_timezone() {
log "Setting timezone to America/New_York..."
sleep $SHORT_DELAY
sudo timedatectl set-timezone America/New_York
log "Current timezone: $(timedatectl | grep 'Time zone')"
}
install_packages() {
log "Installing base packages..."
sleep $SHORT_DELAY
apt_retry sudo apt-get update
apt_retry sudo NEEDRESTART_MODE=a apt-get dist-upgrade -y
apt_retry sudo NEEDRESTART_MODE=a apt-get -y install \
nfs-common cifs-utils ncdu lsof strace sysstat iotop \
mtr nmap dnsutils jq chrony smbclient apt-transport-https ca-certificates curl software-properties-common \
micro net-tools smartmontools || error "Error installing base packages. Exiting."
sleep $SHORT_DELAY
echo "iperf3 iperf3/start_autostart boolean true" | sudo debconf-set-selections
apt_retry sudo DEBIAN_FRONTEND=noninteractive apt-get install -y iperf3
}
install_1password() {
log "Installing 1Password CLI..."
sleep $SHORT_DELAY
# Official 1Password CLI install script with debsig policy and architecture awareness
curl -sS https://downloads.1password.com/linux/keys/1password.asc |
sudo gpg --dearmor --output /usr/share/keyrings/1password-archive-keyring.gpg &&
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/1password-archive-keyring.gpg] https://downloads.1password.com/linux/debian/$(dpkg --print-architecture) stable main" |
sudo tee /etc/apt/sources.list.d/1password.list &&
sudo mkdir -p /etc/debsig/policies/AC2D62742012EA22/ &&
curl -sS https://downloads.1password.com/linux/debian/debsig/1password.pol |
sudo tee /etc/debsig/policies/AC2D62742012EA22/1password.pol &&
sudo mkdir -p /usr/share/debsig/keyrings/AC2D62742012EA22 &&
curl -sS https://downloads.1password.com/linux/keys/1password.asc |
sudo gpg --dearmor --output /usr/share/debsig/keyrings/AC2D62742012EA22/debsig.gpg &&
sudo apt update && sudo apt install -y 1password-cli
if command -v op &>/dev/null; then
log "1Password CLI installed successfully."
else
error "1Password CLI installation failed."
fi
}
setup_virtualization_tools() {
virt=$(systemd-detect-virt)
if [ "$virt" = "microsoft" ]; then
log "Detected Microsoft Hyper-V. Installing virtualization tools..."
apt_retry sudo NEEDRESTART_MODE=a apt-get -y install linux-virtual linux-cloud-tools-virtual linux-tools-virtual
elif [ "$virt" = "kvmq" ]; then
log "Detected KVM/QEMU. Installing virtualization tools..."
apt_retry sudo NEEDRESTART_MODE=a apt-get -y install qemu-guest-agent
sudo systemctl enable qemu-guest-agent
else
log "No specific virtualization tools required for $virt."
fi
}
install_glances() {
log "Installing Glances for system monitoring..."
sleep $SHORT_DELAY
sudo snap install glances || error "Failed to install Glances."
}
setup_autofs() {
log "Setting up AUTOFS for NFS mounts..."
sleep $SHORT_DELAY
apt_retry sudo NEEDRESTART_MODE=a apt-get -y install autofs
# Copy autofs configuration files
if [ -f "$(dirname "$0")/configs/etc/autofs/auto.master" ]; then
sudo cp "$(dirname "$0")/configs/etc/autofs/auto.master" /etc/auto.master
sudo cp "$(dirname "$0")/configs/etc/autofs/auto.nfs" /etc/auto.nfs
sudo chmod 644 /etc/auto.master /etc/auto.nfs
log "Autofs configuration files copied successfully."
else
warn "Autofs config files not found in configs/etc/autofs/. Skipping autofs setup."
return
fi
sudo systemctl restart autofs
}
setup_samba() {
log "Setting up SAMBA..."
sleep $SHORT_DELAY
# Install Samba packages from official Ubuntu repo
log "Installing Samba packages..."
apt_retry sudo NEEDRESTART_MODE=a apt-get -y install samba samba-common-bin || error "Error installing Samba packages. Exiting."
# Copy Samba configuration files
if [ -f "$(dirname "$0")/configs/etc/samba/smb.conf" ]; then
sudo cp "$(dirname "$0")/configs/etc/samba/smb.conf" /etc/samba/smb.conf
sudo chmod 644 /etc/samba/smb.conf
log "Samba configuration file copied successfully."
else
warn "Samba config file not found in configs/etc/samba/. Using default configuration."
fi
# Retrieve or generate unique Samba password for this host from 1Password
SAMBA_ITEM="samba-$(hostname)"
if command -v op &>/dev/null; then
if op item get "$SAMBA_ITEM" --vault=Private --fields label=password &>/dev/null; then
SAMBA_PASSWORD=$(op read "op://Private/$SAMBA_ITEM/password")
log "Samba password for $SAMBA_ITEM retrieved from 1Password."
else
op item create --category=login --vault=Private --title="$SAMBA_ITEM" \
"username=greg" \
--generate-password \
--tags "samba,homelab" \
>/dev/null
SAMBA_PASSWORD=$(op read "op://Private/$SAMBA_ITEM/password")
log "Generated and stored new Samba password for $SAMBA_ITEM in 1Password."
fi
else
read -s -p "Enter Samba password for user 'greg': " SAMBA_PASSWORD
echo
fi
export SAMBA_PASSWORD
# Create Samba user 'greg' non-interactively if password is set
if [[ -n "${SAMBA_PASSWORD:-}" ]]; then
echo -e "${SAMBA_PASSWORD}\n${SAMBA_PASSWORD}" | sudo smbpasswd -a "greg" >/dev/null
log "Samba user 'greg' created non-interactively."
else
warn "Samba password not set; skipping user creation."
fi
# Ensure /opt is shared via Samba for greg
SMB_CONF="/etc/samba/smb.conf"
SHARE_BLOCK="
[opt]
path = /opt
valid users = greg
read only = no
browsable = yes
writable = yes
create mask = 0664
directory mask = 0775
force user = greg
force group = greg
comment = /opt shared for greg
"
if ! grep -q '^\[opt\]' "$SMB_CONF"; then
echo "$SHARE_BLOCK" | sudo tee -a "$SMB_CONF"
log "Added /opt Samba share for greg."
else
log "/opt Samba share already present."
fi
# Ensure greg has write access to /opt
sudo chown -R greg:greg /opt
sudo chmod -R 775 /opt
# Enable and start Samba services
log "Enabling and starting Samba services..."
sudo systemctl enable smbd nmbd
sudo systemctl restart smbd nmbd
log "Samba setup complete."
}
setup_github_ssh_key_from_server() {
log "Fetching GitHub SSH key from 1Password CLI..."
if command -v op &>/dev/null; then
# Fetch private key
mkdir -p ~/.ssh
# Prefer a named field for private key; fall back to legacy path
if op read "op://Private/id_ed25519_github/private key" &>/dev/null; then
op read "op://Private/id_ed25519_github/private key" >~/.ssh/github
else
op read "op://Private/id_ed25519_homelab/private key" >~/.ssh/github
fi
chmod 600 ~/.ssh/github
# Derive public key from private key to avoid mismatches
if ssh-keygen -y -f ~/.ssh/github >~/.ssh/github.pub 2>/dev/null; then
chmod 644 ~/.ssh/github.pub
log "GitHub SSH private key fetched and public key derived successfully."
else
warn "Failed to derive public key from fetched private key. Please verify the key stored in 1Password."
fi
else
warn "1Password CLI (op) not found. Skipping GitHub SSH key setup."
fi
}
setup_ssh_github() {
log "Setting up SSH for GitHub..."
sleep $SHORT_DELAY
# Create .ssh directory if it doesn't exist
mkdir -p ~/.ssh
chmod 700 ~/.ssh
# Import GitHub SSH keys
if command -v curl &>/dev/null; then
log "Importing SSH keys from GitHub for Sub-lime-time..."
curl -fsSL "https://github.com/Sub-lime-time.keys" | tee -a ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
log "GitHub SSH keys imported successfully."
else
warn "curl not available. Skipping GitHub key import."
fi
# Copy any additional SSH config from local configs
if [ -d "$(dirname "$0")/configs/ssh" ]; then
cp -r "$(dirname "$0")/configs/ssh/"* ~/.ssh/
chmod 600 ~/.ssh/*
else
warn "SSH config directory not found. Skipping..."
fi
# In your script, check if the file exists before copying
if [ -f "$(dirname "$0")/configs/ssh/github" ]; then
cp "$(dirname "$0")/configs/ssh/github" ~/.ssh/
fi
}
setup_ssh_hardening() {
log "Hardening SSH configuration..."
sleep $SHORT_DELAY
# Disable password authentication
sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
log "SSH password authentication disabled."
warn "SSH service restart deferred until reboot to avoid disconnecting your SSH session."
log "SSH hardening complete."
}
check_nfs_share() {
sleep $LONG_DELAY
if [ ! -d /mnt/linux/scripts ] || [ ! -r /mnt/linux/scripts ]; then
error "/mnt/linux/scripts is not accessible. Please ensure the NFS share is mounted and available."
fi
}
setup_rsyslog() {
log "Setup rsyslog"
sleep $SHORT_DELAY
if [ -d "$(dirname "$0")/configs/etc/rsyslog.d" ]; then
sudo cp "$(dirname "$0")/configs/etc/rsyslog.d/"* /etc/rsyslog.d/
sudo chmod 644 /etc/rsyslog.d/*
sudo systemctl restart rsyslog
log "Rsyslog configuration updated successfully."
else
warn "Rsyslog config directory not found in configs/etc/rsyslog.d/. Skipping rsyslog setup."
fi
}
setup_cron() {
log "Populating CRON"
sleep $LONG_DELAY
# Check if sync-distributed.sh exists before executing
if [ -f "/mnt/linux/scripts/sync-distributed.sh" ]; then
sudo bash -c "/mnt/linux/scripts/sync-distributed.sh"
log "sync-distributed.sh completed with exit code $?"
else
warn "sync-distributed.sh not found at /mnt/linux/scripts/. Skipping sync setup."
fi
if [ -d "$(dirname "$0")/configs/cron" ]; then
sudo cp -v "$(dirname "$0")/configs/cron/"* /etc/cron.d/
sudo chmod 644 /etc/cron.d/*
# Remove any previous backup-system.sh lines before adding a new one (idempotency)
sudo sed -i '/backup-system.sh/d' /etc/cron.d/backup-system
# Randomize the backup time and update the cron job
hour=$((1 + $RANDOM % 6))
minute=$((1 + $RANDOM % 59))
sudo sh -c "echo '$minute $hour * * 7 root /mnt/linux/scripts/backup-system.sh' >> /etc/cron.d/backup-system"
log "Cron jobs configured successfully."
else
warn "Cron config directory not found in configs/cron/. Skipping cron setup."
fi
}
setup_certs() {
log "Certificate Setup"
sleep "$LONG_DELAY"
local script="/mnt/linux/scripts/manage-certs.sh"
if [ -f "$script" ]; then
if [ ! -x "$script" ]; then
sudo chmod +x "$script" || {
warn "Could not chmod +x $script"
return 1
}
fi
# Run it as root, preserve environment only if you truly need it
sudo -E bash "$script"
local rc=$?
if [ $rc -eq 0 ]; then
log "Certificate management script executed successfully."
else
warn "manage-certs.sh failed with exit code $rc"
return $rc
fi
else
warn "manage-certs.sh not found at /mnt/linux/scripts/. Skipping certificate setup."
fi
}
setup_postfix() {
log "Setting up Postfix..."
sleep $SHORT_DELAY
if [ -f "$(dirname "$0")/scripts/setup-postfix.sh" ]; then
source "$(dirname "$0")/scripts/setup-postfix.sh"
log "Postfix setup script executed successfully."
else
warn "Postfix setup script not found. Skipping..."
fi
}
setup_zsh() {
log "Setup ZSH"
sleep $SHORT_DELAY
# Run the zsh setup script as the original invoking user when this
# master installer is run with sudo. Sourcing as root hides the
# real user's HOME and SSH agent, causing auth and logging issues.
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
SETUP_SCRIPT="$SCRIPT_DIR/scripts/setup-zsh.sh"
if [ "$(id -u)" -eq 0 ] && [ -n "${SUDO_USER:-}" ]; then
log "Executing setup-zsh as user: $SUDO_USER"
# Use sudo -H -u so HOME is set to the user's home for the run
# Attempt to discover the invoking user's ssh-agent socket so we can
# pass it into the sudo'ed process and preserve agent-based auth.
USER_SSH_AUTH_SOCK=""
if command -v pgrep >/dev/null 2>&1; then
for pid in $(pgrep -u "$SUDO_USER" -x ssh-agent 2>/dev/null || true); do
if [ -r "/proc/$pid/environ" ]; then
sock=$(tr '\0' '\n' </proc/$pid/environ | grep '^SSH_AUTH_SOCK=' | cut -d= -f2- || true)
if [ -n "$sock" ] && [ -S "$sock" ]; then
USER_SSH_AUTH_SOCK="$sock"
break
fi
fi
done
fi
if [ -n "$USER_SSH_AUTH_SOCK" ]; then
log "Preserving SSH_AUTH_SOCK for user $SUDO_USER: $USER_SSH_AUTH_SOCK"
sudo -H -u "$SUDO_USER" env SSH_AUTH_SOCK="$USER_SSH_AUTH_SOCK" bash -lc "bash '$SETUP_SCRIPT'"
else
log "No ssh-agent socket found for $SUDO_USER; running setup without SSH_AUTH_SOCK preserved."
sudo -H -u "$SUDO_USER" bash -lc "bash '$SETUP_SCRIPT'"
fi
else
# When not running under sudo just execute in the current context
bash "$SETUP_SCRIPT"
fi
}
reboot_prompt() {
read -r -p "Setup complete. Reboot now? [Y/n] " input
input=${input:-Y}
case $input in
[yY][eE][sS] | [yY])
log "Rebooting system..."
sudo reboot
;;
[nN][oO] | [nN])
log "Reboot skipped. Please reboot manually to apply changes."
;;
*)
warn "Invalid input. Reboot skipped."
;;
esac
}
wait_for_1password_account_add() {
if command -v op &>/dev/null; then
echo ""
echo "────────────────────────────────────────────────────────────"
echo "🔑 1Password Setup: Use your Keyboard Maestro hotkeys!"
echo ""
echo " ⌃⌥⌘S → Paste your 1Password Secret Key"
echo " ⌃⌥⌘P → Paste your 1Password Master Password"
echo ""
echo "When prompted below, use the hotkeys above to quickly fill in your credentials."
echo "────────────────────────────────────────────────────────────"
echo ""
log "Adding 1Password account to CLI."
op_signin_address="my.1password.com"
op_email="greg@802ski.com"
read -p "1Password Secret Key (starts with A3-...): " op_secret
op_account_name="The Family"
op account add --address "$op_signin_address" --email "$op_email" --secret-key "$op_secret" --shorthand "$op_account_name"
if op account list | grep -q "$op_email"; then
log "1Password account added successfully."
else
error "1Password account add failed. Please check your credentials and try again."
fi
fi
}
wait_for_1password_signin() {
if command -v op &>/dev/null; then
log "Signing in to 1Password CLI to enable secret access."
eval "$(op signin)"
# Check if sign-in was successful
if op account get &>/dev/null; then
log "1Password CLI sign-in successful. Continuing setup."
else
error "1Password CLI sign-in failed. Please check your credentials and try again."
fi
fi
}
main() {
setup_hosts_file
install_1password
wait_for_1password_account_add
wait_for_1password_signin
update_bashrc
set_timezone
install_packages
setup_virtualization_tools
install_glances
setup_autofs
setup_samba
setup_github_ssh_key_from_server
setup_ssh_github
setup_ssh_hardening
check_nfs_share
setup_rsyslog
setup_cron
setup_certs
setup_postfix
setup_zsh
reboot_prompt
}
main "$@"