Merge branch 'master' of ssh://gitlab.jamma.life:2224/jmhbnz/raspi-k3s

installer-config.txt

@@ -3,7 +3,7 @@
 #================================================================
 preset=server
 firmware_packages=1
-packages=nano,curl,htop,git,smartmontools,fail2ban,knockd,iptables,glusterfs-server,sed
+packages=nano,curl,htop,git,smartmontools,fail2ban,knockd,iptables,glusterfs-server,sed,iptables-persistent
 #================================================================
 
 

post-install.txt

@@ -1,48 +1,41 @@
 echo "Changing ssh port..."
-eval chroot /rootfs /usr/bin/sed -i -e 's/#Port 22/Port 2122/g' /etc/ssh/sshd_config 2>&1 | output_filter
+sed -i "s/#Port 22/Port 2122/" /rootfs/etc/ssh/sshd_config
-if [ "${PIPESTATUS[0]}" -eq 0 ]; then
-   echo "OK"
-else
-   echo "FAILED !"
-fi
 
-echo "Restarting ssh daemon..."
+echo "Turning off ssh pam..."
-eval chroot /rootfs /user/bin/systemctl restart ssh 2>&1 | output_filter
+sed -i "s/UsePAM yes/UsePAM no/" /rootfs/etc/ssh/sshd_config
-if [ "${PIPESTATUS[0]}" -eq 0 ]; then
+
-   echo "OK"
+echo "Restarting ssh service..."
-else
+systemctl restart sshd
-   echo "FAILED !"
-fi
 
 echo "Ensure fail2ban service is enabled..."
-eval chroot /rootfs /user/bin/systemctl enable fail2ban 2>&1 | output_filter
+systemctl enable fail2ban
-if [ "${PIPESTATUS[0]}" -eq 0 ]; then
-   echo "OK"
-else
-   echo "FAILED !"
-fi
 
 echo "Configure fail2ban ssh jail..."
-eval chroot /rootfs /user/bin/touch /etc/fail2ban/jail.local 2>&1 | output_filter
+touch /rootfs/etc/fail2ban/jail.local
-eval chroot /rootfs /user/bin/echo '[ssh]' >> /etc/fail2ban/jail.local 2>&1 | output_filter
+echo '[ssh]' >> /rootfs/etc/fail2ban/jail.local
-eval chroot /rootfs /user/bin/echo 'enabled=true' >> /etc/fail2ban/jail.local 2>&1 | output_filter
+echo 'enabled=true' >> /rootfs/etc/fail2ban/jail.local
-eval chroot /rootfs /user/bin/echo 'port=2122' >> /etc/fail2ban/jail.local 2>&1 | output_filter
+echo 'port=2122' >> /rootfs/etc/fail2ban/jail.local
-eval chroot /rootfs /user/bin/echo 'filter=sshd' >> /etc/fail2ban/jail.local 2>&1 | output_filter
+echo 'filter=sshd' >> /rootfs/etc/fail2ban/jail.local
-eval chroot /rootfs /user/bin/echo 'logpath=/var/log/auth.log' >> /etc/fail2ban/jail.local 2>&1 | output_filter
+echo 'logpath=/var/log/auth.log' >> /rootfs/etc/fail2ban/jail.local
-eval chroot /rootfs /user/bin/echo 'bantime=1800' >> /etc/fail2ban/jail.local 2>&1 | output_filter
+echo 'bantime=1800' >> /rootfs/etc/fail2ban/jail.local
-eval chroot /rootfs /user/bin/echo 'banaction=iptables-allports' >> /etc/fail2ban/jail.local 2>&1 | output_filter
+echo 'banaction=iptables-allports' >> /rootfs/etc/fail2ban/jail.local
-eval chroot /rootfs /user/bin/echo 'findtime=900' >> /etc/fail2ban/jail.local 2>&1 | output_filter
+echo 'findtime=900' >> /rootfs/etc/fail2ban/jail.local
-eval chroot /rootfs /user/bin/echo 'maxretry=3' >> /etc/fail2ban/jail.local 2>&1 | output_filter
+echo 'maxretry=3' >> /rootfs/etc/fail2ban/jail.local
-if [ "${PIPESTATUS[0]}" -eq 0 ]; then
-   echo "OK"
-else
-   echo "FAILED !"
-fi
 
 echo "Restart fail2ban service..."
-eval chroot /rootfs /user/bin/systemctl restart fail2ban 2>&1 | output_filter
+sudo systemctl restart fail2ban
-if [ "${PIPESTATUS[0]}" -eq 0 ]; then
+
-   echo "OK"
+echo "Configuring bash prompt..."
-else
+echo "PS1='\[\033[02;31m\]\u@\H:\[\033[01;34m\]\w\$\[\033[00m\] '" >> /rootfs/home/james/.bashrc
-   echo "FAILED !"
+
-fi
+echo "Configuring port knocking..."
+sed -i "/UseSysLog/ a\interface = wlan0" /rootfs/etc/knockd.conf
+sed -i
+sed -i "s/sequence    = 7000,8000,9000/sequence    = 6315,3315,1315,5315/" /rootfs/etc/knockd.conf
+sed -i "s/sequence    = 9000,8000,7000/sequence    = 5315,1315,3315,6315/" /rootfs/etc/knockd.conf
+
+echo "Enabling port knocking..."
+systemctl enable knockd
+
+echo "Restarting knock service..."
+systemctl restart knockd