Added optional coolify installation and configurable auto reboot and remove of unused deps

Author: legout

.github/workflows/deploy.yml

@@ -3,46 +3,45 @@ name: Deploy to VPS
 on:
   push:
     branches: [main]
-  workflow_dispatch: # Allows manual triggering
+  workflow_dispatch:
 
 jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
 
-      - name: Create setup script with secrets
-        run: |
-          sed -i "s/NEW_USER=\"youruser\"/NEW_USER=\"${{ secrets.VPS_USER }}\"/" setup.sh
-          sed -i "s/NEW_USER_PASSWORD=\"your-secure-password\"/NEW_USER_PASSWORD=\"${{ secrets.VPS_USER_PASSWORD }}\"/" setup.sh
-          sed -i "s/SSH_PUBLIC_KEY=\"your-public-key-content\"/SSH_PUBLIC_KEY=\"${{ secrets.SSH_PUBLIC_KEY }}\"/" setup.sh
-
       - name: Deploy to VPS
         uses: appleboy/ssh-action@master
+        env:
+          NEW_USER: ${{ secrets.VPS_USER }}
+          NEW_USER_PASSWORD: ${{ secrets.VPS_USER_PASSWORD }}
+          SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }}
+          INSTALL_COOLIFY: ${{ secrets.INSTALL_COOLIFY }}
+          AUTO_REBOOT: ${{ secrets.AUTO_REBOOT }}
+          REMOVE_UNUSED_DEPS: ${{ secrets.REMOVE_UNUSED_DEPS }}
         with:
           host: ${{ secrets.VPS_HOST }}
           username: root
           password: ${{ secrets.VPS_ROOT_PASSWORD }}
+          envs: NEW_USER,NEW_USER_PASSWORD,SSH_PUBLIC_KEY,INSTALL_COOLIFY,AUTO_REBOOT,REMOVE_UNUSED_DEPS
           script: |
-            # Create temporary directory
             TEMP_DIR=$(mktemp -d)
             cd $TEMP_DIR
-
-            # Copy setup script from repository
             cat > setup.sh << 'EOL'
             ${{ github.workspace }}/setup.sh
             EOL
-
-            # Make script executable and run it
             chmod +x setup.sh
             ./setup.sh
-
-            # Cleanup
             cd /
             rm -rf $TEMP_DIR
 
       - name: Post-setup instructions
-          run: |
-            echo "🎉 Setup completed!"
-            echo "⚠️ IMPORTANT: After verifying SSH key access works, disable password authentication:"
-            echo "ssh ${{ secrets.VPS_USER }}@${{ secrets.VPS_HOST }} 'sudo sed -i \"s/PasswordAuthentication yes/PasswordAuthentication no/\" /etc/ssh/sshd_config && sudo systemctl restart sshd'"
+        run: |
+          echo "🎉 Setup completed!"
+          echo "⚠️ IMPORTANT: After verifying SSH key access works, disable password authentication:"
+          echo "ssh ${{ secrets.VPS_USER }}@${{ secrets.VPS_HOST }} 'sudo sed -i \"s/PasswordAuthentication yes/PasswordAuthentication no/\" /etc/ssh/sshd_config && sudo systemctl restart sshd'"
+          if [ "${INSTALL_COOLIFY}" = "true" ]; then
+            echo "⚠️ After configuring your domain in Coolify, remove temporary ports:"
+            echo "ssh $NEW_USER@<your-vps-ip> 'sudo ufw delete allow 8000/tcp && sudo ufw delete allow 6001/tcp && sudo ufw delete allow 6002/tcp'"
+          fi

README.md

@@ -24,6 +24,11 @@ This repository contains automation scripts to set up a secure Debian-based VPS
   - Sets up unattended-upgrades with email notifications
   - Automatic system cleanup
 
+- **Coolify Installation (Optional)**
+  - Install Coolify
+  - Open temporary ports (8000, 6001, 6002)
+  - Provide instructions for securing after domain setup
+
 ## 🚀 Usage
 
 ### 1. Fork this Repository
@@ -37,23 +42,16 @@ In your forked repository, go to Settings > Secrets and variables > Actions and
 - `VPS_USER`: Desired username for the non-root user
 - `VPS_USER_PASSWORD`: Password for the new user
 - `SSH_PUBLIC_KEY`: Your SSH public key content (from `~/.ssh/id_rsa.pub`)
-
-Example values:
-```bash
-VPS_HOST: 123.456.789.0
-VPS_ROOT_PASSWORD: your-initial-root-password
-VPS_USER: john
-VPS_USER_PASSWORD: your-secure-user-password
-SSH_PUBLIC_KEY: ssh-rsa AAAAB3NzaC1... john@localhost
-```
+- `INSTALL_COOLIFY`: Set to "true" to install Coolify, "false" to skip (defaults to "false")
+- `AUTO_REBOOT`: Set to "true" for automatic reboot after system updates, "false" to skip (defaults to "false")
+- `REMOVE_UNUSED_DEPS`: Set to "true" to remove unused dependencies, "false" to skip (defaults to "false")
 
 ⚠️ Security Note:
 - Never commit these values directly to the repository
 - Always use GitHub Secrets for sensitive information
 - Use strong passwords for both root and user accounts
 - Keep your SSH private key secure
 
-
 ### 3. Deploy
 The setup will automatically deploy when you push to the main branch, or you can manually trigger it from the Actions tab.
 
@@ -77,6 +75,19 @@ ssh your-user@your-vps-host 'sudo sed -i "s/PasswordAuthentication yes/PasswordA
 - Store your VPS root password securely (in case of emergencies)
 - Monitor the GitHub Actions logs for the setup result
 
+#### Coolify Configuration
+
+The setup includes an optional Coolify installation with temporary open ports:
+- 8000/tcp: Coolify Web UI
+- 6001/tcp: Coolify Websocket
+- 6002/tcp: Coolify Terminal
+
+⚠️ Important: After configuring your domain in Coolify and setting up SSL, remove these temporary ports:
+```bash
+ssh your-user@your-vps-host 'sudo ufw delete allow 8000/tcp && sudo ufw delete allow 6001/tcp && sudo ufw delete allow 6002/tcp'
+```
+
+These ports should only be open during initial setup. Once you've configured your domain and SSL in Coolify, all traffic should go through ports 80/443.
 
 ## 📋 What Gets Installed
 
@@ -85,6 +96,7 @@ ssh your-user@your-vps-host 'sudo sed -i "s/PasswordAuthentication yes/PasswordA
 - unattended-upgrades
 - Docker & Docker Compose
 - Essential system utilities
+- Coolify (optinal)
 
 ## ⚙️ Configuration Details
 
@@ -154,10 +166,18 @@ Contributions are welcome! Please feel free to submit a Pull Request.
 
 This project is licensed under the MIT License - see the LICENSE file for details.
 
-## ⭐ Support
+## 💪 Support This Project
+
+Please give it a ⭐!
+
+If you find this project useful and are looking for a VPS provider, consider using my affiliate link:
+
+- [Get a Netcup VPS](https://www.netcup.com/en/?ref=223843) - Starting from €3.99/month
+- Excellent performance and reliability
+- Perfect for running this setup
 
-If you find this useful, please give it a star!
+> 🙏 Using this link supports the maintenance and development of this project at no extra cost to you.
 
 ## 🔐 Security
 
-If you discover any security issues, please send an email to [your-email] instead of using the issue tracker.
+If you discover any security issues, please send an email to [email protected] instead of using the issue tracker.

setup.sh

@@ -1,9 +1,12 @@
 #!/bin/bash
 
 # Variables
-NEW_USER="youruser"
-NEW_USER_PASSWORD="your-secret-password"
-SSH_PUBLIC_KEY="your-public-key-content"
+NEW_USER="${NEW_USER:-youruser}"
+NEW_USER_PASSWORD="${NEW_USER_PASSWORD:-your-secret-password}"
+SSH_PUBLIC_KEY="${SSH_PUBLIC_KEY:-your-public-key-content}"
+INSTALL_COOLIFY="${INSTALL_COOLIFY:-false}"
+AUTO_REBOOT="${AUTO_REBOOT:-false}"
+REMOVE_UNUSED_DEPS="${REMOVE_UNUSED_DEPS:-false}"
 
 # Update system
 apt update && apt upgrade -y
@@ -31,8 +34,8 @@ Unattended-Upgrade::Mail "root";
 Unattended-Upgrade::MailReport "on-change";
 Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
 Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
-Unattended-Upgrade::Remove-Unused-Dependencies "false";
-Unattended-Upgrade::Automatic-Reboot "true";
+Unattended-Upgrade::Remove-Unused-Dependencies "${REMOVE_UNUSED_DEPS}";
+Unattended-Upgrade::Automatic-Reboot "${AUTO_REBOOT}";
 Unattended-Upgrade::Automatic-Reboot-Time "02:00";
 EOF
 
@@ -75,7 +78,6 @@ ufw default allow outgoing
 ufw allow ssh
 ufw allow http
 ufw allow https
-echo "y" | ufw enable
 
 # Install Docker
 apt install -y ca-certificates curl gnupg
@@ -91,11 +93,75 @@ echo \
 apt update
 apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
 
+# Optionally install and configure coolify
+if [ "${INSTALL_COOLIFY}" = "true" ]; then
+
+    echo "Installing Coolify..."
+
+    # Temporary Coolify ports
+    echo "⚠️ Adding temporary Coolify ports. Remember to remove them after configuring your domain!"
+    ufw allow 8000/tcp comment 'Temporary Coolify Web UI'
+    ufw allow 6001/tcp comment 'Temporary Coolify Websocket'
+    ufw allow 6002/tcp comment 'Temporary Coolify API'
+
+
+    mkdir -p /data/coolify/{source,ssh,applications,databases,backups,services,proxy,webhooks-during-maintenance}
+    mkdir -p /data/coolify/ssh/{keys,mux}
+    mkdir -p /data/coolify/proxy/dynamic
+
+    ssh-keygen -f /data/coolify/ssh/keys/[email protected] -t ed25519 -N '' -C root@coolify
+
+    cat /data/coolify/ssh/keys/[email protected] >>~/.ssh/authorized_keys
+    chmod 600 ~/.ssh/authorized_keys
+
+    curl -fsSL https://cdn.coollabs.io/coolify/docker-compose.yml -o /data/coolify/source/docker-compose.yml
+    curl -fsSL https://cdn.coollabs.io/coolify/docker-compose.prod.yml -o /data/coolify/source/docker-compose.prod.yml
+    curl -fsSL https://cdn.coollabs.io/coolify/.env.production -o /data/coolify/source/.env
+    curl -fsSL https://cdn.coollabs.io/coolify/upgrade.sh -o /data/coolify/source/upgrade.sh
+
+    chown -R 9999:root /data/coolify
+    chmod -R 700 /data/coolify
+
+    sed -i "s|APP_ID=.*|APP_ID=$(openssl rand -hex 16)|g" /data/coolify/source/.env
+    sed -i "s|APP_KEY=.*|APP_KEY=base64:$(openssl rand -base64 32)|g" /data/coolify/source/.env
+    sed -i "s|DB_PASSWORD=.*|DB_PASSWORD=$(openssl rand -base64 32)|g" /data/coolify/source/.env
+    sed -i "s|REDIS_PASSWORD=.*|REDIS_PASSWORD=$(openssl rand -base64 32)|g" /data/coolify/source/.env
+    sed -i "s|PUSHER_APP_ID=.*|PUSHER_APP_ID=$(openssl rand -hex 32)|g" /data/coolify/source/.env
+    sed -i "s|PUSHER_APP_KEY=.*|PUSHER_APP_KEY=$(openssl rand -hex 32)|g" /data/coolify/source/.env
+    sed -i "s|PUSHER_APP_SECRET=.*|PUSHER_APP_SECRET=$(openssl rand -hex 32)|g" /data/coolify/source/.env
+
+    docker network create --attachable coolify
+
+    docker compose --env-file /data/coolify/source/.env -f /data/coolify/source/docker-compose.yml -f /data/coolify/source/docker-compose.prod.yml up -d --pull always --remove-orphans --force-recreate
+
+    echo "⚠️ After configuring your domain in Coolify, remove temporary ports:"
+    echo "ssh $VPS_USER@$VPS_HOST 'sudo ufw delete allow 8000/tcp && sudo ufw delete allow 6001/tcp && sudo ufw delete allow 6002/tcp'"
+fi
+
+# enable ufw
+echo "y" | ufw enable
+
 # Add user to docker group
 usermod -aG docker $NEW_USER
 
 # Restart services
 systemctl restart sshd
 systemctl restart fail2ban
 
+# Print access information
+echo "=== IMPORTANT: SAVE THIS INFORMATION ==="
+echo "New user: $NEW_USER"
+echo "Password: $NEW_USER_PASSWORD"
+echo ""
+echo "Test SSH access with: ssh $NEW_USER@<your-vps-ip>"
+echo ""
+echo "After confirming SSH key access works, run:"
+echo "ssh $NEW_USER@<your-vps-ip> 'sudo sed -i \"s/PasswordAuthentication yes/PasswordAuthentication no/\" /etc/ssh/sshd_config && sudo systemctl restart sshd'"
+echo ""
+if [ "${INSTALL_COOLIFY}" = "true" ]; then
+    echo "⚠️ After configuring your domain in Coolify, remove temporary ports:"
+    echo "ssh $NEW_USER@<your-vps-ip> 'sudo ufw delete allow 8000/tcp && sudo ufw delete allow 6001/tcp && sudo ufw delete allow 6002/tcp'"
+fi
+echo ""
+echo "==================================="
 echo "Setup completed!"

setup_without_coolify.sh

@@ -0,0 +1,112 @@
+#!/bin/bash
+
+# Variables
+NEW_USER="youruser"
+NEW_USER_PASSWORD="your-secret-password"
+SSH_PUBLIC_KEY="your-public-key-content"
+
+# Update system
+apt update && apt upgrade -y
+
+# Install required packages
+apt install -y sudo ufw fail2ban unattended-upgrades apt-listchanges
+
+# Configure unattended-upgrades
+cat > /etc/apt/apt.conf.d/20auto-upgrades << EOF
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+EOF
+
+cat > /etc/apt/apt.conf.d/50unattended-upgrades << EOF
+Unattended-Upgrade::Origins-Pattern {
+    "origin=Debian,codename=\${distro_codename},label=Debian-Security";
+    "origin=Debian,codename=\${distro_codename}-security,label=Debian-Security";
+};
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+Unattended-Upgrade::MinimalSteps "true";
+Unattended-Upgrade::InstallOnShutdown "false";
+Unattended-Upgrade::Mail "root";
+Unattended-Upgrade::MailReport "on-change";
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+Unattended-Upgrade::Remove-Unused-Dependencies "false";
+Unattended-Upgrade::Automatic-Reboot "true";
+Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+EOF
+
+# Enable unattended-upgrades
+systemctl enable unattended-upgrades
+systemctl start unattended-upgrades
+
+# Create new user and add to sudo group
+useradd -m -s /bin/bash $NEW_USER
+echo "$NEW_USER:$NEW_USER_PASSWORD" | chpasswd
+usermod -aG sudo $NEW_USER
+
+# Setup SSH key for new user
+mkdir -p /home/$NEW_USER/.ssh
+echo "$SSH_PUBLIC_KEY" > /home/$NEW_USER/.ssh/authorized_keys
+chmod 700 /home/$NEW_USER/.ssh
+chmod 600 /home/$NEW_USER/.ssh/authorized_keys
+chown -R $NEW_USER:$NEW_USER /home/$NEW_USER/.ssh
+
+# Configure SSH
+sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
+sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config
+sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
+
+# Configure fail2ban
+cat > /etc/fail2ban/jail.local << EOF
+[sshd]
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 3
+bantime = 3600
+findtime = 600
+EOF
+
+# Configure firewall
+ufw default deny incoming
+ufw default allow outgoing
+ufw allow ssh
+ufw allow http
+ufw allow https
+echo "y" | ufw enable
+
+# Install Docker
+apt install -y ca-certificates curl gnupg
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+chmod a+r /etc/apt/keyrings/docker.gpg
+
+echo \
+  "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
+  "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
+  tee /etc/apt/sources.list.d/docker.list > /dev/null
+
+apt update
+apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+
+# Add user to docker group
+usermod -aG docker $NEW_USER
+
+# Restart services
+systemctl restart sshd
+systemctl restart fail2ban
+
+# Print access information
+echo "=== IMPORTANT: SAVE THIS INFORMATION ==="
+echo "New user: $NEW_USER"
+echo "Password: $NEW_USER_PASSWORD"
+echo ""
+echo "Test SSH access with: ssh $NEW_USER@<your-vps-ip>"
+echo ""
+echo "After confirming SSH key access works, run:"
+echo "ssh $NEW_USER@<your-vps-ip> 'sudo sed -i \"s/PasswordAuthentication yes/PasswordAuthentication no/\" /etc/ssh/sshd_config && sudo systemctl restart sshd'"
+echo "==================================="
+
+echo "Setup completed!"