quarkdose/server-setup

Setup scripts for my Ubuntu 14.04 LTS Server

Here is my collection of setup scripts for my Ubuntu server.

Table of contents

  1. Usage
  2. Initial Setup
  3. Google Authenticator
  4. zsh Shell (oh-my-zsh)
  5. Docker.io
  6. OpenVPN Server
  7. OpenVPN Client Certificates
  8. MailCow Prerequisites
  9. nginx Mainline
  10. nginx Let's encrypt
  11. nginx MailCow
  12. Postfix Security Fix
  13. Let's Encrypt
  14. Let's Encrypt Certificates
  15. PHP IMAP Fix
  16. Rainloop
  17. Docker Remote API
  18. Fail2Ban and ufw
  19. ServerCow Storage
  20. Hastebin
  21. Let's Encrypt Renew
  22. Firewall Settings
  23. Miscellaneous

Usage

01 - Initial Setup

This script has to be called as user root. It performs an update && (dist-)upgrade, installs ntp, adds a new user and puts this user into sudoers.d. Moreover, the ssh root login will be disabled.

Usage

./01-initial-setup.sh <username> [NOPASSWD]

Mandatory Parameters

<username> - the username for the new user to add

Optional Parameters

NOPASSWD - If set, the sudoers entry will have the NOPASSWD flag

02 - Google Authenticator

This script will install the libpam-google-authenticator package and change the ssh configuration for the calling user to force ssh login with two-factor authentication.

Usage

./02-authenticator.sh

03 - zsh shell

This script will install zsh (and git and curl as dependencies) and oh-my-zsh, and set this shell as default. The default theme will be set to crunch. The default plugins will be set to git and docker.

Usage

./03-zsh-shell.sh

04 - Docker.io

This script will install docker (and its dependencies) and enable the calling user to call docker commands without sudo. Moreover, the default docker behavior of managing iptables rules will be disabled.

Usage

./04-docker.sh

05 - OpenVPN

This script will install OpenVPN as a docker container. For this, two containers are created: OpenVPN-Data and OpenVPN-Server. With the OpenVPN-Data container, a new folder to store the certificates will be created at /home/$(whoami)/docker/openvpn. Finally, an upstart script is created to ensure that this container is always started.

Usage

./05-openvpn.sh <fqdn>

Mandatory Parameters

<fqdn> - a fully qualified domain name for your OpenVPN server

06 - OpenVPN client certificates

This script will create an OpenVPN .ovpn file including a certificate to use with your client. This file is located at /home/$(whoami)/docker/openvpn.

Usage

./06-openvpn-certificates.sh <clientname>

Mandatory Parameters

<clientname> - The hostname of your client

07 - MailCow Prerequisites

This script will generate new locales for en_US.UTF-8 and de_DE.UTF-8. I had some problems with the locales on my first tries.

Usage

./07-mailcow-prerequisites.sh

08 - nginx Mainline

This script will upgrade nginx to the mainline branch and define a default nginx server config for a global ssl redirect.

Usage

./08-nginx-mainline.sh

09 - nginx Let's encrypt

This script prepares nginx to use the --webroot parameter from Let's Encrypt. Moreover, a new subdomain is created for the acme-challenge (including a global redirect to the new subdomain).

Usage

./09-nginx-letsencrpyt.sh <domain.tld>

Mandatory Parameters

<domain.tld> - a new subdomain letsencrypt.domain.tld will be created

10 - nginx MailCow

This script installs the MailCow server config to the new nginx mainline and enables HTTP/2 (supported on nginx > 1.9.5). Moreover, the letsencrypt snippet will be included and the non-SSL server block deleted.

Usage

./10-nginx-mailcow.sh <domain.tld>

Mandatory Parameters

<domain.tld> - just the name for the mailcow config file (mailcow.domain.tld)

11 - Postfix Security Fix

This script modifies some security settings for postfix (including DANE and DNSSEC support).

Usage

./11-postfix-fix.sh
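
The settings Postfix 2.11+ (the version Ubuntu 14.04 ships) needs for outbound DANE, plus a check that a given main.cf carries them. This is an added example, not the contents of 11-postfix-fix.sh, which the README does not list; it assumes a DNSSEC-validating resolver (e.g. a local unbound) is configured in /etc/resolv.conf.

```shell
#!/bin/sh
# Added example, not code from quarkdose/server-setup.
set -eu

# DANE needs DNSSEC-validated lookups: host lookups must go to DNS only and the
# resolver's AD bit must be trusted; "dane" then makes TLS mandatory and verified
# wherever the destination publishes TLSA records. Loglevel 1 makes the
# "Verified TLS connection" / "Untrusted TLS connection" lines appear in mail.log.
DANE_SETTINGS="smtp_host_lookup=dns smtp_dns_support_level=dnssec smtp_tls_security_level=dane smtp_tls_loglevel=1"

# Print the postconf commands that apply the settings (run them as root).
postfix_dane_apply() {
  for kv in $DANE_SETTINGS; do printf "postconf -e '%s'\n" "$kv"; done
  printf 'postfix reload\n'
}

# Read a main.cf on stdin; print each required key that is missing or has another
# value, exit 1 if any. Accepts "key = value" or "key=value", skips comments; the
# last occurrence of a key wins, as in Postfix itself.
postfix_dane_check() {
  awk -v want="$DANE_SETTINGS" '
    BEGIN { n = split(want, kv, " "); for (i = 1; i <= n; i++) { split(kv[i], p, "="); need[p[1]] = p[2] } }
    /^[ \t]*#/ || !/=/ { next }
    { key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      have[key] = val }
    END {
      bad = 0
      for (k in need) {
        if (!(k in have)) { print "missing: " k " = " need[k]; bad = 1; continue }
        if (have[k] != need[k]) { print "wrong: " k " = " have[k] " (want " need[k] ")"; bad = 1 }
      }
      exit bad
    }'
}

# Constructed sample main.cf with the opportunistic-TLS defaults of a fresh install.
SAMPLE_MAIN_CF='# constructed sample, not a real server config
myhostname = mail.example.com
smtpd_tls_cert_file = /etc/ssl/example.com/mail.crt
smtp_tls_security_level = may
smtp_host_lookup = dns, native
smtp_tls_loglevel = 1'

# Report what is missing and, if anything is, print the commands that would fix it.
printf '%s\n' "$SAMPLE_MAIN_CF" | postfix_dane_check || postfix_dane_apply
```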

12 - Let's Encrypt

This script installs Let's Encrypt and creates a global letsencrypt command.

Usage

./12-letsencrypt.sh

13 - Let's Encrypt Certificates

This script creates a Let's Encrypt certificate usable for DANE. The script creates the folders ~/build/dane/<commonName>/ and /etc/ssl/<commonName>. The first holds the generated files, the second the symbolic links for the servers (nginx, postfix, dovecot, ...).

IMPORTANT: I have to check the behavior if you want to expand your certificate with a new subdomain. Make a backup of the ~/build/dane/<commonName>/ folder if you call this more than once for a <commonName>!

Usage

./13-letsencrypt-certificates.sh <countryName> <stateOrProvince> <localityName> <postalCode> <streetAddress> <organizationName> <organizationalUnitName> <commonName> <emailAddress> <subjectAltName> [filename]

Mandatory Parameters

<countryName> - Needed for signing request, your country (e.g. DE)
<stateOrProvince> - Needed for signing request, your state (e.g. Hessen)
<localityName> - Needed for signing request, your city (e.g. Limburg)
<postalCode> - Needed for signing request, your postal code (e.g. 65xxx)
<streetAddress> - Needed for signing request, your street address (e.g. "xxx xxx")
<organizationName> - Needed for signing request, your name (e.g. "Jens Hartlep")
<organizationalUnitName> - Needed for signing request, your OUName (e.g. IT)
<commonName> - Needed for signing request, your domain.tld (e.g. example.com)
<emailAddress> - Needed for signing request, your email address (e.g. [email protected])
<subjectAltName> - Needed for signing request, your (sub)domains for the certificate (e.g. DNS:example.com,DNS:www.example.com)

Optional Parameters

filename - The filename for the .crt and .key file (e.g. nginx), default is mail
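
What "usable for DANE" means in practice: the TLSA record for the mail server is derived from the certificate's public key, so a renewed certificate on the same key keeps the DNS record valid, while a new key requires a new record. The following is an added example, not code from this repository; it assumes openssl is installed and the /etc/ssl/<commonName>/<filename>.crt layout described above, and uses constructed self-signed certificates for the demonstration.

```shell
#!/bin/sh
# Added example, not code from quarkdose/server-setup.
set -eu

# SHA-256 over the DER-encoded SubjectPublicKeyInfo of the certificate in $1.
# This is the "3 1 1" TLSA form: usage 3 (DANE-EE), selector 1 (public key), matching 1 (SHA-256).
tlsa_hash() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{ print $NF }'
}

# Full record for host $2 on port $3 (default 25, the SMTP port DANE protects here).
# Example: tlsa_record /etc/ssl/example.com/mail.crt example.com
tlsa_record() {
  printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "${3:-25}" "$2" "$(tlsa_hash "$1")"
}

# Renewal behaviour: cert2 is "renewed" on the same key as cert1, cert3 uses a
# fresh key. Prints one "stable"/"changed" line per comparison.
tlsa_renewal_demo() {
  dir=$(mktemp -d)
  openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" -out "$dir/cert1.pem" \
    -subj /CN=mail.example.com -days 1 2>/dev/null
  openssl req -new -x509 -key "$dir/key.pem" -out "$dir/cert2.pem" \
    -subj /CN=mail.example.com -days 2 2>/dev/null
  openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$dir/key2.pem" -out "$dir/cert3.pem" \
    -subj /CN=mail.example.com -days 1 2>/dev/null
  h1=$(tlsa_hash "$dir/cert1.pem"); h2=$(tlsa_hash "$dir/cert2.pem"); h3=$(tlsa_hash "$dir/cert3.pem")
  rm -rf "$dir"
  [ "$h1" = "$h2" ] && echo "same key: stable" || echo "same key: changed"
  [ "$h1" = "$h3" ] && echo "new key: stable" || echo "new key: changed"
}
```

Publish the record printed by tlsa_record in the zone before switching Postfix or its peers to DANE, and re-run the check after every renewal that generated a new key.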

14 - PHP IMAP Fix

This script enables the php5-imap module.

Usage

./14-php-imap.sh

15 - Rainloop

This script installs the Rainloop webmail and enables a new subdomain for rainloop.

IMPORTANT: AFTER THE INSTALLATION YOU MUST OPEN https://product_installation_URL/?admin AND CHANGE THE DEFAULT ADMIN CREDENTIALS (username: admin, password: 12345)

Usage

./15-rainloop.sh <fqdn>

Mandatory Parameters

<fqdn> - The new subdomain for Rainloop (e.g. webmail.example.com)

16 - Docker Remote API

This script enables the docker remote API, creates a new user docker for basic auth, creates an nginx reverse proxy configuration to the docker remote API on port 4242 and sets ufw to allow port 4242/tcp.

Advice: You should run XX - Firewall Settings before using this script; see below.

Usage

./16-docker-remote.sh <domain.tld>

Mandatory Parameters

<domain.tld> - A new subdomain docker.domain.tld will be created

17 - Fail2Ban and ufw

This script changes the fail2ban behavior to ban via ufw. As an example, it adds sshd to jail.local.

Usage

./17-fail2ban.sh

18 - ServerCow Storage

This script mounts the ServerCow storage as a cifs share at /samba_share.

Usage

./18-servercow-storage.sh <username> <password> [ASUSER]

Mandatory Parameters

<username> - Your ServerCow storage username - see ServerCow ControlPanel
<password> - Your ServerCow storage password - see ServerCow ControlPanel

Optional Parameters

ASUSER - If this parameter is set, the share will be mounted as user $(whoami).

19 - Hastebin

This script creates a hastebin docker container and an nginx server entry for hastebin.

Usage

./19-hastebin.sh <domain.tld>

Mandatory Parameters

<domain.tld> - A new subdomain paste.domain.tld will be created

20 - Let's Encrypt Renew

This script renews the Let's Encrypt certificates.

Usage

./20-letsencrypt-renew.sh <mail|domain.tld>

Mandatory Parameters

<mail|domain.tld> - mail or the domain for the renewal

XX - Firewall Settings

This script prepares ufw for some ports and changes the defaults for incoming (deny) and outgoing (allow).

The following ports are allowed by this script:

  • ssh
  • 1194/udp
  • http
  • https
  • 25/tcp
  • 110/tcp
  • 143/tcp
  • 587/tcp
  • 993/tcp
  • 995/tcp

Usage

./xx-firewall.sh
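
The policy above expressed as ufw commands, together with an audit that compares a `ufw status` listing against it. This is an added example, not xx-firewall.sh itself; the sample listing is constructed and includes the 4242/tcp rule that 16 - Docker Remote API adds on top of the base policy, which the audit therefore reports.

```shell
#!/bin/sh
# Added example, not code from quarkdose/server-setup.
set -eu

# Ports/protocols the README lists, with ssh, http and https resolved to their
# port numbers (which is also how `ufw status` prints rules added by service name).
ALLOWED="22/tcp 1194/udp 80/tcp 443/tcp 25/tcp 110/tcp 143/tcp 587/tcp 993/tcp 995/tcp"

# Print the ufw commands that implement the policy. Apply as root with: firewall_rules | sh
firewall_rules() {
  printf 'ufw default deny incoming\nufw default allow outgoing\n'
  for p in $ALLOWED; do printf 'ufw allow %s\n' "$p"; done
  printf 'ufw --force enable\n'
}

# Read a `ufw status` listing on stdin and print every ALLOW rule whose port/protocol
# is not in ALLOWED; exit 1 if any. A bare port ("4242") means tcp+udp in ufw and is
# never part of this policy, so it is reported too. IPv6 duplicates ("22/tcp (v6)")
# need no special handling because only the first field is compared.
firewall_audit() {
  awk -v allowed=" $ALLOWED " '
    /ALLOW/ {
      port = $1
      if (index(port, "/") == 0) port = port "/any"
      if (index(allowed, " " port " ") == 0) { print "unexpected: " $1; bad = 1 }
    }
    END { exit bad }'
}

# Constructed sample listing: the base policy plus the rule added by 16-docker-remote.sh.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
1194/udp                   ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
4242/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

# On a live host replace the sample with: ufw status | firewall_audit
printf '%s\n' "$SAMPLE_STATUS" | firewall_audit || echo "audit: rules outside the base policy found"
```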

Miscellaneous

Some links, tools, and sources in arbitrary order for the scripts above...

https://de.ssl-tools.net/
https://thomas-leister.de/
https://blog.kiefer-networks.de/
https://mailcow.email/
https://www.digitalocean.com/community/tutorials
https://letsencrypt.org/howitworks/
https://www.kernel-error.de/postfix/postfix-dane-tlsa
https://www.ssllabs.com/ssltest/index.html
https://dns.watch/index
http://www.spf-record.de/
