Add Alpine Linux scripts

2023-11-19 17:20:23 +01:00
parent 53e4d291b6
commit c523441c41
12 changed files with 754 additions and 0 deletions

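--- a/alpine/alpine.sh
+++ b/alpine/alpine.sh
+#!/bin/dash
+BASE_URL=https://git.netm.ch/m/os-init/raw/branch/main
+showHelp() {
+echo "alpine.sh"
+echo ""
+echo "use :"
+echo "sh alpine.sh [options]"
+}
+main() {
+APKUpdateDist
+APKInstallBase
+Customizations
+InstApps
+Reboot
+}
+APKUpdateDist() {
+apk update
+apk upgrade
+}
+APKInstallBase() {
+apk add newt
+SEL=$(whiptail --title "Base Apps" --checklist "" 0 0 0 "curl" "" on "lsof" "" on "bash-completion" "" on "iptables" "" on "ip6tables" "" on "openssh-server" "" on "gnupg" "" on "rsync" "" on "net-snmp" "" on "nano" "" on 3>&1 1>&2 2>&3)
+# shellcheck disable=SC2181
+if [ "${?}" = "0" ]; then
+for ITM in ${SEL}; do
+# shellcheck disable=SC3000-SC4000
+apk add "${ITM//\"/}"
+# shellcheck disable=SC3000-SC4000
+case ${ITM//\"/} in
+"openssh-server")
+SSHEnableRootLogin
+rc-update add sshd
+service sshd start
+;;
+"iptables") IPTablesInstall;;
+"ip6tables") IP6TablesInstall;;
+"net-snmp") SNMPDInstall;;
+"nano") NanoSetConfig;;
+esac
+done
+fi
+}
+IPTablesInstall() {
+wget -O /etc/iptables/rules-save "${BASE_URL}"/alpine/files/rules-save
+iptables-restore /etc/iptables/rules-save
+rc-update add iptables
+}
+IP6TablesInstall() {
+wget -O /etc/iptables/rules6-save "${BASE_URL}"/alpine/files/rules6-save
+ip6tables-restore /etc/iptables/rules6-save
+rc-update add ip6tables
+}
+SSHEnableRootLogin() {
+sed -i "/PermitRootLogin prohibit-password/c\PermitRootLogin yes #prohibit-password" /etc/ssh/sshd_config
+service sshd restart
+if [ -f "/etc/iptables/rules-save" ]; then
+sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT' /etc/iptables/rules-save
+sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # SSH' /etc/iptables/rules-save
+iptables-restore /etc/iptables/rules-save
+fi
+}
+SNMPDInstall() {
+cummunityname=public
+cummunityname=$(whiptail --title "SNMP Community name" --inputbox "" 0 30 "${cummunityname}" 3>&1 1>&2 2>&3)
+sed -i "s/public/${cummunityname}/" /etc/snmp/snmpd.conf
+sed -i "s/127.0.0.1/0.0.0.0/" /etc/snmp/snmpd.conf
+service snmpd restart
+rc-update add snmpd default
+if [ -f "/etc/iptables/rules-save" ]; then
+sed -i '/^-A INPUT -p icmp -j ACCEPT.*/a -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j ACCEPT' /etc/iptables/rules-save
+sed -i '/^-A INPUT -p icmp -j ACCEPT.*/a # SNMP' /etc/iptables/rules-save
+iptables-restore /etc/iptables/rules-save
+fi
+}
+NanoSetConfig() {
+sed -i "/tabsize/c\set tabsize 2" /etc/nanorc
+{
+echo "set numbercolor brightwhite"
+echo "set statuscolor brightwhite,green"
+echo "set keycolor cyan"
+echo "set functioncolor green"
+} >> /etc/nanorc
+{
+echo "set titlecolor brightwhite,red"
+echo "set statuscolor brightwhite,red"
+} > /root/.nanorc
+}
+Customizations() {
+SEL=$(whiptail --title "Additions" --checklist "" 0 0 0 "alias" "" on "ps1" "" on "issue" "" on 3>&1 1>&2 2>&3)
+# shellcheck disable=SC2181
+if [ "${?}" = "0" ]; then
+for ITM in ${SEL}; do
+# shellcheck disable=SC3000-SC4000
+case ${ITM//\"/} in
+"alias") ProfileSetAlias;;
+"ps1") ProfileSetPS;;
+"issue") IssueSetContent;;
+esac
+done
+fi
+}
+ProfileSetAlias() {
+wget -O /etc/profile.d/alias.sh "${BASE_URL}"/alpine/files/alias.sh
+}
+ProfileSetPS() {
+wget -O /etc/profile.d/ps1.sh "${BASE_URL}"/alpine/files/ps1.sh
+}
+IssueSetContent() {
+wget -O /etc/issue "${BASE_URL}"/alpine/files/issue
+}
+InstApps() {
+SEL=$(whiptail --title "More Apps" --checklist "" 0 0 0 "traefik" "" off "gitea" "" off "docker" "" off "portainer" "" off "rancher" "" off 3>&1 1>&2 2>&3)
+# shellcheck disable=SC2181
+if [ "${?}" = "0" ]; then
+for ITM in ${SEL}; do
+cd /tmp || exit
+# shellcheck disable=SC3000-SC4000
+wget "${BASE_URL}"/alpine/apps/"${ITM//\"/}"/"${ITM//\"/}".sh
+# shellcheck disable=SC3000-SC4000
+sh ./"${ITM//\"/}".sh "${BASE_URL}"
+done
+fi
+}
+Reboot() {
+if whiptail --yesno "Reboot ?" 0 0 3>&1 1>&2 2>&3; then
+reboot
+fi
+}
+while [ ${#} -gt 0 ]; do
+case ${1} in
+--help) showHelp; exit 0;;
+-b | --base-url) BASE_URL="${2}"; shift;;
+*) shift;;
+esac
+done
+main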
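Review bot: `SSHEnableRootLogin` rewrites the `PermitRootLogin` line to `yes`, which allows password authentication for root over SSH as soon as the `--dport 22` rule is added to rules-save; unless password root login is an explicit requirement, keep `prohibit-password` (key-only root) or only apply the change when a key already exists in /root/.ssh/authorized_keys. It is also called before `rc-update add sshd` / `service sshd start` in the `"openssh-server"` case, so its `service sshd restart` runs against a service that has not been started yet. The shebang is `#!/bin/dash`, but `${ITM//\"/}` (used in APKInstallBase, Customizations and InstApps) is a bash/busybox-ash extension that dash rejects as a bad substitution, which the `SC3000-SC4000` disables only hide; since the help text says `sh alpine.sh` and Alpine's sh is busybox ash, `#!/bin/sh` would match the interpreter the script actually needs. `InstApps` downloads `${ITM}.sh` into the fixed path /tmp and executes it without checking the wget exit status or any checksum; at minimum use `mktemp -d` for the working directory and write `wget ... || exit 1` before `sh ./...` so a failed or partial download is not executed.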


@@ -0,0 +1,17 @@
#!/bin/dash
apk del iptables ip6tables
swapoff -a
sed -i "/swap/d" /etc/fstab
sed -i "s/# //" /etc/apk/repositories
apk add docker docker-compose
# sysctl -w net/netfilter/nf_conntrack_max=131072
rc-update add docker boot
service docker start
sleep 3
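Review bot: `apk del iptables ip6tables` on the second line removes the firewall that alpine.sh just installed and nothing here re-adds the `iptables` boot service, so the `:INPUT DROP` policy from rules-save is presumably no longer loaded at boot even if the package returns as a Docker dependency — confirm this is intended, and if Docker's own chains are the concern it is safer to keep the service and let Docker manage its DOCKER-USER rules alongside it. `sed -i "s/# //" /etc/apk/repositories` uncomments every line that carries a `# ` prefix, not only the community repository; match the intended entry explicitly, e.g. `sed -i '/community/s/^# *//' /etc/apk/repositories`. `sed -i "/swap/d" /etc/fstab` likewise deletes any fstab line containing the word swap, comments included. This file's path is not shown on the page; it is assumed to be the `docker` app script that alpine.sh fetches.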


@@ -0,0 +1,30 @@
#!/bin/dash
# Main Data Path : /var/lib/gitea
# Data path : /var/lib/gitea/data
# DB path : /var/lib/gitea/db/gitea.db
# Git path : /var/lib/gitea/git
# GIT LFS : /var/lib/gitea/data/lfs
IPV4=$(getent hosts "$(hostname)" | awk '{print $1}')
apk add gitea
cd /etc/gitea || exit
gitea cert --host "${IPV4}"
chown gitea:www-data cert.pem key.pem
sed -i '/\[server\]/a KEY_FILE = /etc/gitea/key.pem' /etc/gitea/app.ini
sed -i '/\[server\]/a CERT_FILE = /etc/gitea/cert.pem' /etc/gitea/app.ini
sed -i '/\[server\]/a HTTP_PORT = 443' /etc/gitea/app.ini
sed -i '/\[server\]/a PROTOCOL = https' /etc/gitea/app.ini
rc-update add gitea
service gitea start
if [ -f "/etc/iptables/rules-save" ]; then
sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules-save
sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p udp -m udp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules-save
sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # GITEA' /etc/iptables/rules-save
iptables-restore /etc/iptables/rules-save
fi
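Review bot: `HTTP_PORT = 443` makes gitea bind a privileged port, while the `chown gitea:www-data cert.pem key.pem` on the lines above suggests the service runs as the unprivileged `gitea` user, so `service gitea start` will presumably fail with a permission error unless that user has CAP_NET_BIND_SERVICE — confirm, or keep gitea on its default port behind the traefik proxy that this commit also sets up. `key.pem` is chowned but never given a restrictive mode; add `chmod 640 key.pem` next to the chown so the private key is not world-readable if `gitea cert` created it with the default umask. The `-A INPUT -p udp ... --dport 443` rule opens a UDP port gitea does not listen on and can be dropped. `IPV4` can be empty or a loopback address when the hostname resolves only via /etc/hosts, so guard `gitea cert --host` with `[ -n "${IPV4}" ] || exit 1`. This file's path is not shown on the page; it is assumed to be the `gitea` app script that alpine.sh fetches.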


@@ -0,0 +1,3 @@
#!/bin/dash
docker run -d --name="portainer" --restart=unless-stopped -p 8000:8000 -p 9000:9000 -p 9443:9443 -v /var/run/docker.sock:/var/run/docker.sock -v /srv/portainer/data:/data portainer/portainer-ce
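Review bot: `-p 8000:8000 -p 9000:9000 -p 9443:9443` publishes Portainer on every interface, and Docker forwards published ports through its own DOCKER chain rather than the host INPUT chain, so the `:INPUT DROP` policy from rules-save presumably does not cover them; bind the plain-HTTP 9000 port and the edge-agent 8000 port to loopback (`-p 127.0.0.1:9000:9000`) or omit them and reach Portainer on 9443 only. The image has no tag, so each run pulls whatever `latest` is at that moment; pin a version for reproducible hosts. Both points apply equally to the rancher script in this commit (`-p 4080:80 -p 4443:443` and `rancher/rancher:latest`), which is not repeated there. This file's path is not shown on the page; it is assumed to be the `portainer` app script that alpine.sh fetches.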


@@ -0,0 +1,4 @@
#!/bin/dash
mount --make-rshared /
docker run -d --name="rancher" --restart=unless-stopped -p 4080:80 -p 4443:443 --privileged rancher/rancher:latest


@@ -0,0 +1,266 @@
#!/bin/dash
RELEASE=2.6.3
ACMEACCOUNT=@gmail.com
main() {
TraefikConfig
TraefikEtcCertsSelfsigned
TraefikEtcServices
TraefikEtcConfig
TraefikEtcIptable
TraefikBinUpdateTraefik
TraefikService
}
TraefikConfig() {
RELEASE=$(whiptail --title "Release" --inputbox "" 0 30 "${RELEASE}" 3>&1 1>&2 2>&3)
ACMEACCOUNT=$(whiptail --title "ACME Account" --inputbox "" 0 30 "${ACMEACCOUNT}" 3>&1 1>&2 2>&3)
if [ "$?" = "0" ]; then
if [ "${proxy}" != "" ]; then
echo "Acquire::http { Proxy \"${proxy}\"; };" > /etc/apt/apt.conf.d/02proxy
fi
fi
}
TraefikEtcCertsSelfsigned() {
mkdir -p /etc/traefik/certs
openssl ecparam -name secp256r1 -genkey -out /etc/traefik/certs/self.key
openssl req -new -x509 -key /etc/traefik/certs/self.key -sha256 -nodes -out /etc/traefik/certs/self.crt -days 3650
}
TraefikEtcServices() {
mkdir -p /etc/traefik/services
TraefikEtcServicesShared
TraefikEtcServicesDefault
}
TraefikEtcServicesShared() {
cat >> /etc/traefik/services/_shared.yaml << "EOF"
tls:
stores:
default:
defaultCertificate:
certFile: "/etc/traefik/certs/self.crt"
keyFile: "/etc/traefik/certs/self.key"
options:
default:
minVersion: "VersionTLS12"
# sniStrict: true
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
mintls13:
minVersion: "VersionTLS13"
http:
middlewares:
to-https:
redirectScheme:
scheme: "https"
permanent: true
to-no-www:
redirectRegex:
regex: "^https://www.(.*)"
replacement: "https://${1}"
permanent: true
hsts-min:
headers:
sslRedirect: true
stsIncludeSubdomains: false
stsPreload: true
stsSeconds: 63072000
contentTypeNosniff: true
accessControlMaxAge: 100
addVaryheader: true
hsts_light:
headers:
sslRedirect: true
frameDeny: true
stsIncludeSubdomains: false
stsPreload: true
stsSeconds: 63072000
contentTypeNosniff: true
accessControlMaxAge: 100
addVaryheader: true
hsts:
headers:
sslRedirect: true
frameDeny: true
stsIncludeSubdomains: false
stsPreload: true
stsSeconds: 63072000
contentTypeNosniff: true
accessControlMaxAge: 100
addVaryheader: true
referrerPolicy: "origin-when-cross-origin"
hsts-strict:
headers:
sslRedirect: true
frameDeny: true
stsIncludeSubdomains: false
stsPreload: true
stsSeconds: 63072000
contentTypeNosniff: true
accessControlMaxAge: 100
addVaryheader: true
contentSecurityPolicy: "script-src 'self'"
referrerPolicy: "origin-when-cross-origin"
services:
dummy:
loadBalancer:
servers:
- url: "https://127.0.0.1:2"
# matomo:
# loadBalancer:
# servers:
# - url: "https://x.x.x.x:xxx"
EOF
}
TraefikEtcServicesDefault() {
cat >> /etc/traefik/services/_default.yaml << "EOF"
http:
routers:
_default:
entryPoints:
- http
rule: "PathPrefix(`/`)"
# priority: 100
# service: _default-matomo
service: _default
_default-secure:
entryPoints:
- https
rule: "PathPrefix(`/`)"
# priority: 100
# service: _default-matomo
service: _default
tls: {}
services:
# _default-matomo:
# mirroring:
# service: _default
# maxBodySize: 1024
# mirrors:
# - name: matomo
# percent: 100
_default:
loadBalancer:
servers:
- url: https://127.0.0.1:2
EOF
}
TraefikEtcConfig() {
cat >> /etc/traefik/traefik.yaml << "EOF"
entryPoints:
http:
address: ":80"
https:
address: ":443"
traefik:
address: ":8099"
api:
dashboard: true
insecure: true
serversTransport:
insecureSkipVerify: true
providers:
file:
directory: "/etc/traefik/services/"
watch: true
certificatesResolvers:
acmev2:
acme:
email: "X{ACMEACCOUNT}"
caserver: "https://acme-v02.api.letsencrypt.org/directory"
storage: "/etc/traefik/certs/acmev2.json"
keyType: "EC384"
tlsChallenge: {}
acmev2-staging:
acme:
email: "X{ACMEACCOUNT}"
caserver: "https://acme-staging-v02.api.letsencrypt.org/directory"
storage: "/etc/traefik/certs/acmev2-staging.json"
keyType: "EC384"
tlsChallenge: {}
EOF
# sed -i /X{ACMEACCOUNT}/${ACMEACCOUNT}/g /etc/traefik/traefik.yaml
}
TraefikEtcIptable() {
if [ -f "/etc/iptables/rules-save" ]; then
sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 8099 -m state --state NEW -j ACCEPT' /etc/iptables/rules-save
sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules-save
sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules-save
sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # Traefik' /etc/iptables/rules-save
iptables-restore /etc/iptables/rules-save
fi
}
TraefikBinUpdateTraefik() {
cat >> /usr/local/bin/update-traefik << "EOF"
#!/bin/ash
if [[ -z ${1} ]]; then
echo "update-traefik version"
echo "version : x.x.x"
exit 1
fi
version=${1}
mkdir -p /tmp/traefik
cd /tmp/traefik
wget https://github.com/traefik/traefik/releases/download/v${version}/traefik_v${version}_linux_amd64.tar.gz
tar -xf traefik_v${version}_linux_amd64.tar.gz
systemctl stop traefik
cp traefik /usr/local/bin
systemctl start traefik
cd
rm -R /tmp/traefik
EOF
chmod 755 /usr/local/bin/update-traefik
update-traefik "${RELEASE}"
}
TraefikService() {
cat >> /etc/init.d/traefik << "EOF"
#!/sbin/openrc-run
name="traefik"
command="/usr/local/bin/traefik"
command_args="-configFile /etc/traefik/traefik.yaml"
command_background=true
pidfile=/run/traefik.pid
depend() {
need net
}
EOF
chmod 755 /etc/init.d/traefik
rc-update add traefik boot
service traefik start
}
main
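Review bot: `api: insecure: true` together with the `traefik` entryPoint on `:8099` and the `--dport 8099` ACCEPT rule in `TraefikEtcIptable` expose the unauthenticated Traefik API and dashboard on every interface; if the dashboard is wanted, bind the entryPoint to loopback (`address: "127.0.0.1:8099"`) and drop that iptables rule, or serve it through an authenticated router instead of `insecure: true`. The ACME `email: "X{ACMEACCOUNT}"` placeholder is never replaced because the sed after the heredoc in `TraefikEtcConfig` is commented out (and lacks the `s` command), so both resolvers would register with a literal `X{ACMEACCOUNT}` address; restore it as `sed -i "s/X{ACMEACCOUNT}/${ACMEACCOUNT}/g" /etc/traefik/traefik.yaml`. The generated `update-traefik` calls `systemctl stop traefik` / `systemctl start traefik`, but the service installed by `TraefikService` is an OpenRC script, so on Alpine those calls fail and `cp traefik /usr/local/bin` is attempted against a running binary; use `service traefik stop` / `service traefik start` and check the wget exit status before `tar` and `cp`. `TraefikConfig` still writes `/etc/apt/apt.conf.d/02proxy` from a `proxy` variable that is never set, which looks like a leftover from a Debian variant of this script and can be removed. This file's path is not shown on the page; it is assumed to be the `traefik` app script that alpine.sh fetches.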

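--- a/alpine/files/alias.sh
+++ b/alpine/files/alias.sh
@@ -0,0 +1,11 @@
+alias ls='ls --color=auto -lh'
+alias l='ls --color=auto -lAh'
+alias ll='ls --color=auto -lah'
+alias cd..='cd ..'
+alias ff='find / -name'
+alias f='find . -name'
+alias fif='grep -rnw . -e'
+alias grep='grep --color=auto'
+alias ip='ip -c'
+alias vdir='vdir --color=auto'
+alias watch='watch --color'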

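--- a/alpine/files/issue
+++ b/alpine/files/issue
+Welcome to Alpine Linux
+Kernel \r on an \m (\l)
+.o oOOOOOOOo OOOo
+Ob.OOOOOOOo OOOo. oOOo. .adOOOOOOO
+OboO"""""""""""".OOo. .oOOOOOo. OOOo.oOOOOOo.."""""""""'OO
+OOP.oOOOOOOOOOOO "POOOOOOOOOOOo. `"OOOOOOOOOP,OOOOOOOOOOOB'
+`O'OOOO' `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO' `OOOOo
+.OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO
+OOOOO '"OOOOOOOOOOOOOOOO"` oOO
+oOOOOOba. .adOOOOOOOOOOba .adOOOOo.
+oOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO
+OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"` '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
+"OOOO" "YOoOOOOMOIONODOO"` . '"OOROAOPOEOOOoOY" "OOO"
+Y 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :`
+: .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? .
+. oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
+'%o OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
+`$" `OOOO' `O"Y ' `OOOO' o .
+. . OP" : o .
+:
+.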

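--- a/alpine/files/ps1.sh
+++ b/alpine/files/ps1.sh
@@ -0,0 +1,5 @@
+clrreset='\e[0m'
+clrwhite='\e[1;37m'
+clrgreen='\e[1;32m'
+clrred='\e[1;31m'
+export PS1="\[$clrred\][$USER@$HOSTNAME]\[$clrwhite\] \w \`if [ \$? = 0 ]; then echo -e '\[$clrgreen\]'; else echo -e '\[$clrred\]'; fi\`\\$ \[$clrreset\]"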

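--- a/alpine/files/rules-save
+++ b/alpine/files/rules-save
@@ -0,0 +1,9 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+# Ping
+-A INPUT -p icmp -j ACCEPT
+COMMIT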

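--- a/alpine/files/rules6-save
+++ b/alpine/files/rules6-save
@@ -0,0 +1,7 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+COMMIT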
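Review bot: rules6-save has no ICMPv6 ACCEPT rule, so with `:INPUT DROP` the host drops neighbor solicitation/advertisement and router advertisements, and IPv6 connectivity presumably stops working as soon as `ip6tables-restore` loads this file, since neighbor discovery is not covered by the RELATED,ESTABLISHED rule. Add `-A INPUT -p ipv6-icmp -j ACCEPT` before `COMMIT` (or at least the neighbor-discovery and echo types listed in RFC 4890), mirroring the `# Ping` rule that rules-save already has for IPv4.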