raspi-k3s/post-install.txt

#================================================================
# Post install ssh configuration
#================================================================
echo "Changing ssh port..."
sed -i "s/#Port 22/Port 2122/" /rootfs/etc/ssh/sshd_config

echo "Turning off ssh pam..."
sed -i "s/UsePAM yes/UsePAM no/" /rootfs/etc/ssh/sshd_config

echo "Restarting ssh service..."
systemctl restart sshd
#================================================================



#================================================================
# Post install setup docker
#================================================================
echo "Installing docker via helper script."
curl -fsSL https://get.docker.com -o get-docker.sh | sh -

echo "Adding docker permissions for standard user."
usermod -aG docker james
#================================================================



#================================================================
# Post install fail2ban configuration
#================================================================
echo "Ensure fail2ban service is enabled..."
systemctl enable fail2ban

echo "Configure fail2ban ssh jail..."
touch /rootfs/etc/fail2ban/jail.local
echo '[ssh]' >> /rootfs/etc/fail2ban/jail.local
echo 'enabled=true' >> /rootfs/etc/fail2ban/jail.local
echo 'port=2122' >> /rootfs/etc/fail2ban/jail.local
echo 'filter=sshd' >> /rootfs/etc/fail2ban/jail.local
echo 'logpath=/var/log/auth.log' >> /rootfs/etc/fail2ban/jail.local
echo 'bantime=1800' >> /rootfs/etc/fail2ban/jail.local
echo 'banaction=iptables-allports' >> /rootfs/etc/fail2ban/jail.local
echo 'findtime=900' >> /rootfs/etc/fail2ban/jail.local
echo 'maxretry=3' >> /rootfs/etc/fail2ban/jail.local

echo "Restart fail2ban service..."
sudo systemctl restart fail2ban
#================================================================



#================================================================
# Post install bash configuration
#================================================================
echo "Configuring bash prompt..."
echo "PS1='\[\033[02;31m\]\u@\H:\[\033[01;34m\]\w\$\[\033[00m\] '" >> /rootfs/home/james/.bashrc
#================================================================



#================================================================
# Post install firewall configuration
#================================================================
echo "Allowing local traffic in iptables"
iptables -A INPUT -i lo -j ACCEPT

echo "Allow all established connections in iptables"
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

echo "Drop all other traffic"
iptables -A INPUT -j DROP

echo "Ensure iptables-persistent is started"
systemctl start netfilter-persistent

echo "Ensure iptables-persistent is enabled"
systemctl enable netfilter-persistent

echo "Ensure firewall rules are saved"
netfilter-persistent save
#================================================================



#================================================================
# Post install knockd configuration
#================================================================
echo "Writing port knocking configuration file..."
cat << EOF > /rootfs/etc/knockd.conf
[options]
  UseSysLog
  logfile = /var/log/knockd.log
  interface=wlan0
[ssh]
  sequence = 
  seq_timeout = 15
  start_command = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 2122 -j ACCEPT
  tcpflags = syn
  cmd_timeout = 60
  stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 2122 -j ACCEPT
EOF

echo "Enabling knockd.service ..."
sed -i "s/START_KNOCKD=0/START_KNOCKD=1/" /rootfs/etc/default/knockd
cat << EOF >> /rootfs/lib/systemd/system/knockd.service 

[Install]
WantedBy=multi-user.target
Alias=knockd.service
EOF

systemctl enable knockd.service

echo "Start knockd service..."
systemctl start knockd.service
#================================================================