Last active 1748426794

Init a server from cloud provider

anduin's Avatar anduin revised this gist 1748279400. Go to revision

1 file changed, 1 insertion, 1 deletion

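--- a/init.sh
+++ b/init.sh
@@ -124,7 +124,7 @@ print_ok "Hardening SSH settings"
 run_remote "sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/; \
 s/PasswordAuthentication yes/PasswordAuthentication no/; \
 s/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config && \
-sudo systemctl restart sshd"
+sudo systemctl restart sshd || sudo systemctl restart ssh"
 
 # 9) Remove other non-system users
 print_ok "Removing other users"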
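Review bot: In the changed restart line, `A && B || C` binds so that `sudo systemctl restart ssh` also runs when the `sed` edit itself fails, and the chain then returns that restart's status, so a failed hardening edit is not reported. Grouping the fallback ties it to the restart only: `... /etc/ssh/sshd_config && { sudo systemctl restart sshd || sudo systemctl restart ssh; }`. The substitutions only rewrite lines that literally read `PermitRootLogin yes` or `PasswordAuthentication yes`, so it is worth running `sudo sshd -t` before the restart and confirming the effective values afterwards with `sudo sshd -T | grep -Ei 'permitrootlogin|passwordauthentication'`.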

anduin's Avatar anduin revised this gist 1748271588. Go to revision

1 file changed, 3 insertions, 2 deletions

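--- a/init.sh
+++ b/init.sh
@@ -154,7 +154,8 @@ sudo tee /etc/fail2ban/jail.local > /dev/null <<EOJ
 enabled = true
 port = ssh
 filter = sshd
-logpath = /var/log/auth.log
+backend = systemd
+logpath = journal
 maxretry = 3
 findtime = 600
 bantime = 3600
@@ -239,4 +240,4 @@ print_ok "Setup complete. Connect via: ssh $NEWUSER@$SERVER"
 # * Have the latest updates installed
 # * Have sysbench installed for performance testing
 # * Have a final benchmark run to verify CPU performance
-# * Have a final cleanup of unnecessary packages
+# * Have a final cleanup of unnecessary packages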
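Review bot: In the `[sshd]` jail, `logpath = journal` is probably unnecessary next to `backend = systemd`: with that backend fail2ban reads the journal through the filter's journal match rather than a log path, so the line may be ignored or rejected depending on the fail2ban version. Consider dropping it and keeping only `backend = systemd`. Nothing visible in this hunk confirms that the jail came up after the change; a `sudo fail2ban-client status sshd` after the restart would catch a jail that failed to start. The heredoc holding these settings starts and ends outside the hunk.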

anduin's Avatar anduin revised this gist 1748176223. Go to revision

1 file changed, 4 insertions, 2 deletions

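--- a/init.sh
+++ b/init.sh
@@ -91,13 +91,15 @@ run_remote "echo '$NEWUSER ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/$NE
 # 6) Generate & persist random password (once)
 if run_remote "[ -f /etc/$NEWUSER.pass ]" &>/dev/null; then
 # In this case, the password is already set
-print_ok "Reusing existing password for $NEWUSER"
-PASS_NEW=$(<"/etc/$NEWUSER.pass")
+print_ok "Don't have to change password. Reusing existing password for $NEWUSER"
+PASS_NEW=$(run_remote "sudo cat /etc/$NEWUSER.pass")
 else
 PASS_NEW=$(uuidgen)
 print_ok "Setting password for $NEWUSER"
 run_remote "echo '$NEWUSER:$PASS_NEW' | sudo chpasswd"
 run_remote "echo '$PASS_NEW' | sudo tee /etc/$NEWUSER.pass > /dev/null"
+run_remote "sudo chmod 600 /etc/$NEWUSER.pass"
+run_remote "sudo chown root:root /etc/$NEWUSER.pass"
 print_ok "New password generated for $NEWUSER and persisted at /etc/$NEWUSER.pass. Please back it up! It can still be used to log in via serial console or rescue mode!"
 fi
 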
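Review bot: The password file is still created by `sudo tee /etc/$NEWUSER.pass` with whatever mode the remote umask gives (typically world-readable) and is only tightened by the two added commands, each in its own SSH session. The plaintext password is therefore readable by other local accounts for a short window, and stays readable if the run stops between the steps. Creating the file with its final mode first closes that gap, e.g. `run_remote "sudo install -m 600 -o root -g root /dev/null /etc/$NEWUSER.pass"` ahead of the `tee` line. The `chmod`/`chown` also sit only in the `else` branch, so a file left by an earlier run keeps its old permissions when the reuse branch is taken; applying them after the `fi` would cover both paths.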

anduin's Avatar anduin revised this gist 1748175893. Go to revision

1 file changed, 27 insertions, 4 deletions

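--- a/init.sh
+++ b/init.sh
@@ -15,7 +15,7 @@ Green="\033[32m"; Red="\033[31m"; Yellow="\033[33m"; Blue="\033[36m"; Font="\033
 OK="${Green}[ OK ]${Font}"; ERROR="${Red}[FAILED]${Font}"; WARN="${Yellow}[ WARN ]${Font}"
 
 print_ok(){ echo -e "${OK} $1"; }
-print_error(){echo -e "${ERROR} $1"; }
+print_error(){ echo -e "${ERROR} $1"; }
 print_warn(){ echo -e "${WARN} $1"; }
 
 #-----------------------------------
@@ -36,7 +36,7 @@ areYouSure(){
 run_local(){ print_ok "Local: $*"; "$@"; }
 run_remote(){ sshpass -p "$REMOTE_PASS" ssh -o StrictHostKeyChecking=no "$REMOTE_USER@$SERVER" "$*"; }
 wait_ssh(){
-print_ok "Waiting for SSH on $SERVER..."
+print_ok "Waiting for SSH on $SERVER... (Running ssh $REMOTE_USER@$SERVER)"
 until sshpass -p "$REMOTE_PASS" ssh -q -o StrictHostKeyChecking=no "$REMOTE_USER@$SERVER" exit; do
 print_warn "SSH not ready, retrying in 5s..."
 sleep 5
@@ -90,14 +90,15 @@ run_remote "echo '$NEWUSER ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/$NE
 
 # 6) Generate & persist random password (once)
 if run_remote "[ -f /etc/$NEWUSER.pass ]" &>/dev/null; then
-PASS_NEW=$(run_remote "sudo cat /etc/$NEWUSER.pass")
+# In this case, the password is already set
 print_ok "Reusing existing password for $NEWUSER"
+PASS_NEW=$(<"/etc/$NEWUSER.pass")
 else
 PASS_NEW=$(uuidgen)
 print_ok "Setting password for $NEWUSER"
 run_remote "echo '$NEWUSER:$PASS_NEW' | sudo chpasswd"
 run_remote "echo '$PASS_NEW' | sudo tee /etc/$NEWUSER.pass > /dev/null"
-print_ok "New password generated for $NEWUSER"
+print_ok "New password generated for $NEWUSER and persisted at /etc/$NEWUSER.pass. Please back it up! It can still be used to log in via serial console or rescue mode!"
 fi
 
 # 7) Copy SSH key (only if absent)
@@ -215,3 +216,25 @@ run_remote "sudo apt-get autoremove -y --purge && \
 sudo apt-get autoremove -y sysbench --purge"
 
 print_ok "Setup complete. Connect via: ssh $NEWUSER@$SERVER"
+
+# After this script, server will:
+
+# * Only allow SSH key login
+# * Root login disabled, password authentication disabled
+# * Have a new hostname set
+# * Have a new user with sudo privileges and can log in via SSH
+# * Have a random password stored securely at /etc/<new_user>.pass
+# * Have SSH key copied to authorized_keys so you can log in without a password
+# * Be hardened with UFW, Fail2Ban and allowed SSH connections(only)
+# * Have BBR enabled for better network performance
+# * Have the latest HWE kernel installed
+# * Have the best mirror selected for package updates
+# * Have snap removed
+# * Have CPU performance tuned to 'performance' mode
+# * Have timezone set to GMT
+# * Have all unnecessary users removed (Check /etc/passwd for remaining users)
+# * Have all unnecessary packages removed
+# * Have the latest updates installed
+# * Have sysbench installed for performance testing
+# * Have a final benchmark run to verify CPU performance
+# * Have a final cleanup of unnecessary packages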
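Review bot: The added `PASS_NEW=$(<"/etc/$NEWUSER.pass")` reads the file on the machine running the script, while the same hunk writes that file on the server through `run_remote`. On a re-run the reuse branch therefore either fails on a missing local file or loads an unrelated local value as the user's password. Reading it over SSH keeps both sides consistent: `PASS_NEW=$(run_remote "sudo cat /etc/$NEWUSER.pass")`. The summary comment added at the end says the password is "stored securely", but nothing in this revision restricts the file's mode after `tee` writes it; either add a `sudo chmod 600` step or soften the comment.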

anduin's Avatar anduin revised this gist 1748175002. Go to revision

1 file changed, 65 insertions, 49 deletions

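--- a/init.sh
+++ b/init.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #===============================================================================
-# Concise server preparation script with error confirmation
+# Concise server preparation script with error confirmation (idempotent)
 #===============================================================================
 
 set -euo pipefail
@@ -14,8 +14,8 @@ export DEBIAN_FRONTEND=noninteractive
 Green="\033[32m"; Red="\033[31m"; Yellow="\033[33m"; Blue="\033[36m"; Font="\033[0m"
 OK="${Green}[ OK ]${Font}"; ERROR="${Red}[FAILED]${Font}"; WARN="${Yellow}[ WARN ]${Font}"
 
-print_ok(){ echo -e "${OK} $1"; }
-print_error(){ echo -e "${ERROR} $1"; }
+print_ok(){ echo -e "${OK} $1"; }
+print_error(){echo -e "${ERROR} $1"; }
 print_warn(){ echo -e "${WARN} $1"; }
 
 #-----------------------------------
@@ -33,10 +33,10 @@ areYouSure(){
 #-----------------------------------
 # Helpers
 #-----------------------------------
-run_local(){ print_ok "Local: $*"; "$@"; }
-run_remote(){ sshpass -p "$REMOTE_PASS" ssh -o StrictHostKeyChecking=no "$REMOTE_USER@$SERVER" "$*"; }
+run_local(){ print_ok "Local: $*"; "$@"; }
+run_remote(){ sshpass -p "$REMOTE_PASS" ssh -o StrictHostKeyChecking=no "$REMOTE_USER@$SERVER" "$*"; }
 wait_ssh(){
-print_ok "Waiting for SSH on $SERVER...(Running ssh $REMOTE_USER@$SERVER)"
+print_ok "Waiting for SSH on $SERVER..."
 until sshpass -p "$REMOTE_PASS" ssh -q -o StrictHostKeyChecking=no "$REMOTE_USER@$SERVER" exit; do
 print_warn "SSH not ready, retrying in 5s..."
 sleep 5
@@ -61,13 +61,18 @@ run_local sudo apt-get install -y sshpass
 run_local ssh-keygen -R "$SERVER" -f ~/.ssh/known_hosts
 wait_ssh
 
-# 3) Hostname & reboot
-print_ok "Setting hostname to $HOSTNAME"
-run_remote "sudo hostnamectl set-hostname $HOSTNAME"
-run_remote "sudo reboot" || true
-print_ok "Server rebooting..."
-sleep 5
-wait_ssh
+# 3) Hostname & reboot (only if changed)
+CURRENT_HOST=$(run_remote "hostname")
+if [[ "$CURRENT_HOST" != "$HOSTNAME" ]]; then
+print_ok "Setting hostname to $HOSTNAME"
+run_remote "sudo hostnamectl set-hostname $HOSTNAME"
+run_remote "sudo reboot" || true
+print_ok "Server rebooting..."
+sleep 5
+wait_ssh
+else
+print_ok "Hostname already '$HOSTNAME', skipping"
+fi
 
 # 4) Create or verify new user
 if run_remote "id -u $NEWUSER" &>/dev/null; then
@@ -80,36 +85,47 @@ fi
 # 5) Grant sudo & set up passwordless
 print_ok "Granting sudo to $NEWUSER"
 run_remote "sudo usermod -aG sudo $NEWUSER"
-
 print_ok "Setting passwordless sudo for $NEWUSER"
 run_remote "echo '$NEWUSER ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/$NEWUSER"
 
-# 6) Generate & set random password
-PASS_NEW=$(uuidgen)
-print_ok "Setting password for $NEWUSER"
-run_remote "echo '$NEWUSER:$PASS_NEW' | sudo chpasswd"
-print_ok "New password for $NEWUSER: $PASS_NEW"
+# 6) Generate & persist random password (once)
+if run_remote "[ -f /etc/$NEWUSER.pass ]" &>/dev/null; then
+PASS_NEW=$(run_remote "sudo cat /etc/$NEWUSER.pass")
+print_ok "Reusing existing password for $NEWUSER"
+else
+PASS_NEW=$(uuidgen)
+print_ok "Setting password for $NEWUSER"
+run_remote "echo '$NEWUSER:$PASS_NEW' | sudo chpasswd"
+run_remote "echo '$PASS_NEW' | sudo tee /etc/$NEWUSER.pass > /dev/null"
+print_ok "New password generated for $NEWUSER"
+fi
 
-# 7) Copy SSH key
+# 7) Copy SSH key (only if absent)
 [ ! -f ~/.ssh/id_rsa.pub ] && run_local ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa
-print_ok "Copying SSH key"
-sshpass -p "$PASS_NEW" ssh-copy-id -i ~/.ssh/id_rsa.pub "$NEWUSER@$SERVER"
+PUBKEY=$(<~/.ssh/id_rsa.pub)
+print_ok "Ensuring SSH key in authorized_keys"
+run_remote "mkdir -p /home/$NEWUSER/.ssh && \
+sudo bash -c 'grep -qxF \"$PUBKEY\" /home/$NEWUSER/.ssh/authorized_keys 2>/dev/null || \
+echo \"$PUBKEY\" >> /home/$NEWUSER/.ssh/authorized_keys' && \
+sudo chown -R $NEWUSER:$NEWUSER /home/$NEWUSER/.ssh && \
+sudo chmod 700 /home/$NEWUSER/.ssh && \
+sudo chmod 600 /home/$NEWUSER/.ssh/authorized_keys"
 
 # Switch to new user for subsequent operations
-print_ok "Switching to new user $NEWUSER instead of $REMOTE_USER"
+print_ok "Switching to new user $NEWUSER"
 REMOTE_USER="$NEWUSER"; REMOTE_PASS="$PASS_NEW"
 wait_ssh
 
 # 8) Harden SSH
 print_ok "Hardening SSH settings"
-run_remote "sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/; s/PasswordAuthentication yes/PasswordAuthentication no/; s/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config"
-run_remote "sudo systemctl restart sshd"
+run_remote "sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/; \
+s/PasswordAuthentication yes/PasswordAuthentication no/; \
+s/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config && \
+sudo systemctl restart sshd"
 
 # 9) Remove other non-system users
 print_ok "Removing other users"
-others=$(run_remote \
-"awk -F: -v skip='$NEWUSER' '\$3>=1000 && \$1!=skip {print \$1}' /etc/passwd")
-
+others=$(run_remote "awk -F: -v skip='$NEWUSER' '\$3>=1000 && \$1!=skip {print \$1}' /etc/passwd")
 for u in $others; do
 print_warn "Deleting user $u"
 run_remote "sudo pkill -u $u || true; sudo deluser --remove-home $u"
@@ -117,18 +133,17 @@ done
 
 # 10) Reset machine-id
 print_ok "Resetting machine-id"
-run_remote "sudo rm -f /etc/machine-id /var/lib/dbus/machine-id"
-run_remote "sudo systemd-machine-id-setup; sudo cp /etc/machine-id /var/lib/dbus/machine-id"
+run_remote "sudo rm -f /etc/machine-id /var/lib/dbus/machine-id && \
+sudo systemd-machine-id-setup && \
+sudo cp /etc/machine-id /var/lib/dbus/machine-id"
 
 # 11) Enable UFW & OpenSSH
 print_ok "Enabling UFW firewall"
-run_remote "sudo apt-get install -y ufw"
-run_remote "sudo ufw allow OpenSSH && echo y | sudo ufw enable"
+run_remote "sudo apt-get install -y ufw && sudo ufw allow OpenSSH && echo y | sudo ufw enable"
 
 # 12) Install & configure Fail2Ban
 print_ok "Installing Fail2Ban"
-run_remote "sudo apt-get update"
-run_remote "sudo apt-get install -y fail2ban"
+run_remote "sudo apt-get update && sudo apt-get install -y fail2ban"
 print_ok "Configuring Fail2Ban"
 run_remote <<'EOF'
 sudo tee /etc/fail2ban/jail.local > /dev/null <<EOJ
@@ -144,17 +159,17 @@ EOJ
 sudo systemctl restart fail2ban
 EOF
 print_ok "Fail2Ban setup complete"
-run_remote "sudo fail2ban-client status sshd"
 
-# 13) Enable BBR
+# 13) Enable BBR (only once)
 print_ok "Enabling BBR congestion control"
-#run_remote "sudo bash -c 'grep -q bbr /etc/sysctl.conf || { echo net.core.default_qdisc=fq >>/etc/sysctl.conf; echo net.ipv4.tcp_congestion_control=bbr >>/etc/sysctl.conf; sysctl -p; }'"
 run_remote <<'EOF'
-sudo tee /etc/sysctl.d/99-bbr.conf > /dev/null <<SYSCTL
+grep -q 'net.ipv4.tcp_congestion_control = bbr' /etc/sysctl.d/99-bbr.conf 2>/dev/null || {
+sudo tee /etc/sysctl.d/99-bbr.conf > /dev/null <<SYSCTL
 net.core.default_qdisc = fq
 net.ipv4.tcp_congestion_control = bbr
 SYSCTL
-sudo sysctl --system
+sudo sysctl --system
+}
 EOF
 
 # 14) Select best mirror & update
@@ -178,15 +193,16 @@ run_remote "sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get autor
 
 # 18) Performance tuning
 print_ok "Tuning CPU performance & timezone"
-run_remote "sudo apt-get install -y linux-tools-$(uname -r)"
-run_remote "sudo apt-get install -y cpupower" || true
-run_remote "sudo cpupower frequency-set -g performance" || true
-run_remote "sudo timedatectl set-timezone GMT"
+run_remote "sudo apt-get install -y linux-tools-$(uname -r) cpupower && \
+sudo cpupower frequency-set -g performance || true && \
+sudo timedatectl set-timezone GMT"
 
 # 19) Remove snap
 print_ok "Removing snapd"
-run_remote "sudo systemctl disable --now snapd && sudo apt-get purge -y snapd && sudo rm -rf /snap /var/lib/snapd /var/cache/snapd"
-run_remote "sudo tee /etc/apt/preferences.d/no-snap.pref <<EOF
+run_remote "sudo systemctl disable --now snapd && \
+dpkg -l snapd &>/dev/null && sudo apt-get purge -y snapd && \
+sudo rm -rf /snap /var/lib/snapd /var/cache/snapd && \
+sudo tee /etc/apt/preferences.d/no-snap.pref > /dev/null <<EOF
 Package: snapd
 Pin: release a=*
 Pin-Priority: -10
@@ -194,8 +210,8 @@ EOF"
 
 # 20) Final cleanup & benchmark
 print_ok "Final autoremove & benchmark"
-run_remote "sudo apt-get autoremove -y --purge"
-run_remote "sudo apt-get install -y sysbench && sysbench cpu --threads=\$(nproc) run"
-run_remote "sudo apt-get autoremove -y sysbench --purge"
-print_ok "Setup complete. Connect via: ssh $NEWUSER@$SERVER"
+run_remote "sudo apt-get autoremove -y --purge && \
+sudo apt-get install -y sysbench && sysbench cpu --threads=$(nproc) run && \
+sudo apt-get autoremove -y sysbench --purge"
 
+print_ok "Setup complete. Connect via: ssh $NEWUSER@$SERVER"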
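Review bot: In step 9 the filter `\$3>=1000 && \$1!=skip` also selects the `nobody` account on Debian/Ubuntu, where it has UID 65534, so the loop would run `deluser --remove-home nobody`; services that drop privileges to `nobody` depend on that account. Bounding the range avoids it: `'\$3>=1000 && \$3<65534 && \$1!=skip {print \$1}'`. Separately, step 20 now passes `--threads=$(nproc)` without the backslash the old line had, and step 18 uses `$(uname -r)` the same way, so both expand on the local machine instead of the server. Writing `\$(nproc)` and `\$(uname -r)` restores remote evaluation.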

anduin's Avatar anduin revised this gist 1748174569. Go to revision

1 file changed, 29 insertions, 8 deletions

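--- a/init.sh
+++ b/init.sh
@@ -125,7 +125,28 @@ print_ok "Enabling UFW firewall"
 run_remote "sudo apt-get install -y ufw"
 run_remote "sudo ufw allow OpenSSH && echo y | sudo ufw enable"
 
-# 12) Enable BBR
+# 12) Install & configure Fail2Ban
+print_ok "Installing Fail2Ban"
+run_remote "sudo apt-get update"
+run_remote "sudo apt-get install -y fail2ban"
+print_ok "Configuring Fail2Ban"
+run_remote <<'EOF'
+sudo tee /etc/fail2ban/jail.local > /dev/null <<EOJ
+[sshd]
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 3
+findtime = 600
+bantime = 3600
+EOJ
+sudo systemctl restart fail2ban
+EOF
+print_ok "Fail2Ban setup complete"
+run_remote "sudo fail2ban-client status sshd"
+
+# 13) Enable BBR
 print_ok "Enabling BBR congestion control"
 #run_remote "sudo bash -c 'grep -q bbr /etc/sysctl.conf || { echo net.core.default_qdisc=fq >>/etc/sysctl.conf; echo net.ipv4.tcp_congestion_control=bbr >>/etc/sysctl.conf; sysctl -p; }'"
 run_remote <<'EOF'
@@ -136,33 +157,33 @@ SYSCTL
 sudo sysctl --system
 EOF
 
-# 13) Select best mirror & update
+# 14) Select best mirror & update
 print_ok "Selecting best mirror & updating"
 run_remote "curl -s https://gist.aiursoft.cn/anduin/879917820a6c4b268fc12c21f1b3fe7a/raw/HEAD/mirror.sh | bash"
 run_remote "sudo apt-get update"
 
-# 14) Install latest HWE kernel
+# 15) Install latest HWE kernel
 print_ok "Installing latest HWE kernel"
 run_remote "sudo apt-get install -y \$(apt search linux-generic-hwe- | awk -F/ '/linux-generic-hwe-/{print \$1}' | head -1)"
 
-# 15) Reboot & wait
+# 16) Reboot & wait
 print_ok "Rebooting server"
 run_remote "sudo reboot" || true
 sleep 5
 wait_ssh
 
-# 16) Final updates & cleanup
+# 17) Final updates & cleanup
 print_ok "Installing upgrades & cleanup"
 run_remote "sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get autoremove -y"
 
-# 17) Performance tuning
+# 18) Performance tuning
 print_ok "Tuning CPU performance & timezone"
 run_remote "sudo apt-get install -y linux-tools-$(uname -r)"
 run_remote "sudo apt-get install -y cpupower" || true
 run_remote "sudo cpupower frequency-set -g performance" || true
 run_remote "sudo timedatectl set-timezone GMT"
 
-# 18) Remove snap
+# 19) Remove snap
 print_ok "Removing snapd"
 run_remote "sudo systemctl disable --now snapd && sudo apt-get purge -y snapd && sudo rm -rf /snap /var/lib/snapd /var/cache/snapd"
 run_remote "sudo tee /etc/apt/preferences.d/no-snap.pref <<EOF
@@ -171,7 +192,7 @@ Pin: release a=*
 Pin-Priority: -10
 EOF"
 
-# 19) Final cleanup & benchmark
+# 20) Final cleanup & benchmark
 print_ok "Final autoremove & benchmark"
 run_remote "sudo apt-get autoremove -y --purge"
 run_remote "sudo apt-get install -y sysbench && sysbench cpu --threads=\$(nproc) run"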
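Review bot: The Fail2Ban block added in step 12 is fed to the remote shell on stdin with no `set -e`, so if `sudo tee /etc/fail2ban/jail.local` fails, the shell still runs `systemctl restart fail2ban` and the step returns the restart's status. Adding `set -e` as the first line inside the `<<'EOF'` heredoc makes a failed write stop the step. This assumes `run_remote`, defined outside this section, forwards stdin to a remote shell when called with no arguments, which is worth confirming. The jail also points at `/var/log/auth.log`, which is absent on hosts that log only to the journal, so the trailing `fail2ban-client status sshd` is the only check that would notice a jail that failed to start.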

anduin's Avatar anduin revised this gist 1748174171. Go to revision

1 file changed, 41 insertions

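--- /dev/null
+++ b/install_fail2ban.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "[+] Updating package index and installing fail2ban..."
+sudo apt update
+sudo apt install -y fail2ban
+
+echo "[+] Writing /etc/fail2ban/jail.local..."
+sudo tee /etc/fail2ban/jail.local > /dev/null <<'EOF'
+[sshd]
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 3
+findtime = 600
+bantime = 3600
+EOF
+sleep 1
+
+echo "[+] Restarting fail2ban service..."
+sudo systemctl restart fail2ban
+
+echo "=== Fail2Ban global status ==="
+# Allow script to continue even if fail2ban-client status fails (e.g., socket not yet ready)
+sudo fail2ban-client status || true
+
+echo "=== SSHD jail status ==="
+sudo fail2ban-client status sshd || true
+
+echo "Tip: To view the currently banned IP list again, run:"
+echo "sudo fail2ban-client status sshd"
+
+echo "Tip: To unban an IP address, run:"
+echo "sudo fail2ban-client set sshd unbanip <IP_ADDRESS>"
+
+echo "Tip: To ban an IP address manually, run:"
+echo "sudo fail2ban-client set sshd banip <IP_ADDRESS>"
+
+echo "Tip: To view the fail2ban logs, run:"
+echo "sudo journalctl -u fail2ban"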
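Review bot: Both status calls end in `|| true`, so the script exits 0 even when the `sshd` jail never loaded, for instance on a host where `/var/log/auth.log` is absent, and the operator is left believing brute-force protection is active. The comment gives an unready socket as the reason; a short bounded retry keeps that tolerance without hiding a real failure, e.g. `for _ in 1 2 3 4 5; do sudo fail2ban-client status sshd && break; sleep 1; done`, followed by one final `sudo fail2ban-client status sshd` that is allowed to fail the script. The `sleep 1` after the heredoc runs before the service is restarted, so it does not help with socket readiness.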

anduin's Avatar anduin revised this gist 1746453689. Go to revision

1 file changed, 1 insertion, 1 deletion

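--- a/init.sh
+++ b/init.sh
@@ -175,6 +175,6 @@ EOF"
 print_ok "Final autoremove & benchmark"
 run_remote "sudo apt-get autoremove -y --purge"
 run_remote "sudo apt-get install -y sysbench && sysbench cpu --threads=\$(nproc) run"
-run remote "sudo apt-get autoremove -y sysbench --purge"
+run_remote "sudo apt-get autoremove -y sysbench --purge"
 print_ok "Setup complete. Connect via: ssh $NEWUSER@$SERVER"
 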

anduin's Avatar anduin revised this gist 1746453592. Go to revision

1 file changed, 1 insertion, 1 deletion

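--- a/init.sh
+++ b/init.sh
@@ -158,7 +158,7 @@ run_remote "sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get autor
 # 17) Performance tuning
 print_ok "Tuning CPU performance & timezone"
 run_remote "sudo apt-get install -y linux-tools-$(uname -r)"
-run_remote "sudo apt-get install -y cpupower"
+run_remote "sudo apt-get install -y cpupower" || true
 run_remote "sudo cpupower frequency-set -g performance" || true
 run_remote "sudo timedatectl set-timezone GMT"
 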

anduin's Avatar anduin revised this gist 1746453379. Go to revision

2 files changed, 165 insertions, 273 deletions

init.sh

@@ -1,287 +1,180 @@
1 - #!/bin/bash
1 + #!/usr/bin/env bash
2 + #===============================================================================
3 + # Concise server preparation script with error confirmation
4 + #===============================================================================
2 5
3 - #==========================
4 - # Set up the environment
5 - #==========================
6 - set -e # exit on error
7 - set -o pipefail # exit on pipeline error
8 - set -u # treat unset variable as error
9 -
10 - #==========================
11 - # Basic Information
12 - #==========================
6 + set -euo pipefail
13 7 export LC_ALL=C
14 8 export LANG=en_US.UTF-8
15 9 export DEBIAN_FRONTEND=noninteractive
16 - export SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
17 -
18 - #==========================
19 - # Color
20 - #==========================
21 - Green="\033[32m"
22 - Red="\033[31m"
23 - Yellow="\033[33m"
24 - Blue="\033[36m"
25 - Font="\033[0m"
26 - GreenBG="\033[42;37m"
27 - RedBG="\033[41;37m"
28 - OK="${Green}[ OK ]${Font}"
29 - ERROR="${Red}[FAILED]${Font}"
30 - WARNING="${Yellow}[ WARN ]${Font}"
31 -
32 - #==========================
33 - # Print Colorful Text
34 - #==========================
35 - function print_ok() {
36 - echo -e "${OK} ${Blue} $1 ${Font}"
37 - }
38 -
39 - function print_error() {
40 - echo -e "${ERROR} ${Red} $1 ${Font}"
41 - }
42 -
43 - function print_warn() {
44 - echo -e "${WARNING} ${Yellow} $1 ${Font}"
45 - }
46 -
47 - #==========================
48 - # Judge function
49 - #==========================
50 - function judge() {
51 - if [[ 0 -eq $? ]]; then
52 - print_ok "$1 succeeded"
53 - sleep 0.2
54 - else
55 - print_error "$1 failed"
56 - exit 1
57 - fi
58 - }
59 -
60 - prepare_host()
61 - {
62 - print_ok "Update apt-get"
63 - sudo apt-get update
64 - judge "Update apt-get"
65 -
66 - print_ok "Install sshpass"
67 - sudo apt-get install -y sshpass
68 - judge "Install sshpass"
69 - }
70 10
71 - wait_server_till_can_ssh()
72 - {
73 - userName=$1
74 - password=$2
75 - serverName=$3
76 -
77 - print_ok "Waiting for server to be ready: ssh $userName@$serverName"
78 - while true; do
79 - set +e
80 - sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "echo 'Server is ready'"
81 - if [ $? -eq 0 ]; then
82 - break
83 - fi
84 - print_warn "Server is not ready yet. Retrying..."
85 - sleep 5
86 - done
87 -
88 - print_ok "Server is ready to connect via ssh"
89 - set -e
11 + #-----------------------------------
12 + # Colors & Prompts
13 + #-----------------------------------
14 + Green="\033[32m"; Red="\033[31m"; Yellow="\033[33m"; Blue="\033[36m"; Font="\033[0m"
15 + OK="${Green}[ OK ]${Font}"; ERROR="${Red}[FAILED]${Font}"; WARN="${Yellow}[ WARN ]${Font}"
16 +
17 + print_ok(){ echo -e "${OK} $1"; }
18 + print_error(){ echo -e "${ERROR} $1"; }
19 + print_warn(){ echo -e "${WARN} $1"; }
20 +
21 + #-----------------------------------
22 + # Error handling & confirmation
23 + #-----------------------------------
24 + on_error(){ print_error "Error at line $1."; areYouSure; }
25 + trap 'on_error $LINENO' ERR
26 +
27 + areYouSure(){
28 + print_warn "Continue despite errors? [y/N]"
29 + read -r ans
30 + case $ans in [yY]*) print_ok "Continuing...";; *) print_error "Aborted."; exit 1;; esac
90 31 }
91 32
92 - prepare_server()
93 - {
94 - userName=$1
95 - if [ -z "$userName" ]; then
96 - print_error "Please provide username. Usage: prepare_server.sh '<username>' '<password>' '<serverName>' '<desiredHostname>' '<desiredUsername>'"
97 - exit 1
98 - fi
99 -
100 - password=$2
101 - if [ -z "$password" ]; then
102 - print_error "Please provide password for user $userName. Usage: prepare_server.sh '<username>' '<password>' '<serverName>' '<desiredHostname>' '<desiredUsername>'"
103 - exit 1
104 - fi
105 -
106 - serverName=$3
107 - if [ -z "$serverName" ]; then
108 - print_error "Please provide server name. Usage: prepare_server.sh '<username>' '<password>' '<serverName>' '<desiredHostname>' '<desiredUsername>'"
109 - exit 1
110 - fi
111 -
112 - desiredHostname=$4
113 - if [ -z "$desiredHostname" ]; then
114 - echo "Please provide desired hostname. Usage: prepare_server.sh '<username>' '<password>' '<serverName>' '<desiredHostname>' '<desiredUsername>'"
115 - exit 1
116 - fi
117 -
118 - desiredUsername=$5
119 - if [ -z "$desiredUsername" ]; then
120 - print_error "Please provide desired username. Usage: prepare_server.sh '<username>' '<password>' '<serverName>' '<desiredHostname>' '<desiredUsername>'"
121 - exit 1
122 - fi
123 -
124 - prepare_host
125 - ssh-keygen -f "/home/anduin/.ssh/known_hosts" -R $serverName
126 -
127 - wait_server_till_can_ssh $userName $password $serverName
128 -
129 - print_ok "Changing hostname for $serverName to $desiredHostname"
130 - sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "sudo hostnamectl set-hostname $desiredHostname"
131 - sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "sleep 3"
132 - sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "sudo reboot" || true
33 + #-----------------------------------
34 + # Helpers
35 + #-----------------------------------
36 + run_local(){ print_ok "Local: $*"; "$@"; }
37 + run_remote(){ sshpass -p "$REMOTE_PASS" ssh -o StrictHostKeyChecking=no "$REMOTE_USER@$SERVER" "$*"; }
38 + wait_ssh(){
39 + print_ok "Waiting for SSH on $SERVER...(Running ssh $REMOTE_USER@$SERVER)"
40 + until sshpass -p "$REMOTE_PASS" ssh -q -o StrictHostKeyChecking=no "$REMOTE_USER@$SERVER" exit; do
41 + print_warn "SSH not ready, retrying in 5s..."
133 42 sleep 5
134 - print_ok "Hostname changed to $desiredHostname"
135 - print_warn "Server is rebooting..."
136 -
137 - wait_server_till_can_ssh $userName $password $serverName
138 -
139 - print_ok "Creating a new user..."
140 - alreadyExist=$(sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "cat /etc/passwd | grep -w $desiredUsername | wc -l")
141 - if [ $alreadyExist -gt 0 ]; then
142 - print_ok "User $desiredUsername already exists."
143 - else
144 - print_ok "Creating user $desiredUsername"
145 - sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "sudo adduser $desiredUsername --gecos 'First Last,RoomNumber,WorkPhone,HomePhone' --disabled-password"
146 - judge "User $desiredUsername created"
147 - fi
148 -
149 - print_ok "Adding user $desiredUsername to sudo group"
150 - sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "sudo usermod -aG sudo $desiredUsername"
151 - judge "User $desiredUsername created with password"
152 -
153 - print_ok "Allowing user $desiredUsername to run sudo without password"
154 - sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "sudo mkdir -p /etc/sudoers.d"
155 - sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "sudo touch /etc/sudoers.d/$desiredUsername"
156 - sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "echo '$desiredUsername ALL=(ALL) NOPASSWD:ALL' | sudo tee -a /etc/sudoers.d/$desiredUsername"
157 - judge "User $desiredUsername can run sudo without password"
158 -
159 - userPassword=$(uuidgen)
160 - print_ok "Setting password for user $desiredUsername to $userPassword"
161 - sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "echo $desiredUsername:$userPassword | sudo chpasswd"
162 - judge "Password set for user $desiredUsername as $userPassword"
163 -
164 -
165 - # If ~/ssh/id_rsa.pub does not exist, create it
166 - if [ ! -f ~/.ssh/id_rsa.pub ]; then
167 - print_warn "Creating ssh keys on local machine"
168 - ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa
169 - fi
170 -
171 - print_ok "Copying ssh keys with ssh-copy-id"
172 - sshpass -p $userPassword ssh-copy-id -i ~/.ssh/id_rsa.pub $desiredUsername@$serverName
173 - print_ok "SSH keys copied"
174 -
175 - wait_server_till_can_ssh $desiredUsername $userPassword $serverName
176 -
177 - print_ok "Disabling root login, password login and enabling ssh key login"
178 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config"
179 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config"
180 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sed -i 's/PubkeyAuthentication no/PubkeyAuthentication yes/g' /etc/ssh/sshd_config"
181 - # Uncomment those lines if they are commented
182 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sed -i 's/#PermitRootLogin no/PermitRootLogin no/g' /etc/ssh/sshd_config"
183 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sed -i 's/#PasswordAuthentication no/PasswordAuthentication no/g' /etc/ssh/sshd_config"
184 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config"
185 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo systemctl restart ssh*"
186 - judge "Disable root login, password login and enabled ssh key login"
187 -
188 - print_ok "Server is ready for $desiredUsername to login. Deleting other users..."
189 - otherUsers=$(ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "cat /etc/passwd | grep -v nologin | grep -v false | grep -v root | grep -v sync | grep -v $desiredUsername | cut -d: -f1")
190 - for otherUser in $otherUsers; do
191 - print_warn "Deleting user $otherUser..."
192 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo pkill -u $otherUser" || true
193 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo deluser --remove-home $otherUser"
194 - done
195 -
196 - print_ok "Resetting machine-id"
197 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo rm /etc/machine-id"
198 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo rm /var/lib/dbus/machine-id"
199 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo systemd-machine-id-setup"
200 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo cp /etc/machine-id /var/lib/dbus/machine-id"
201 - judge "Machine-id reset"
202 -
203 - print_ok "Enabling ufw firewall"
204 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt-get install -y ufw"
205 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo ufw allow OpenSSH"
206 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "echo 'y' | sudo ufw enable"
207 - judge "Ufw firewall enabled"
208 -
209 - print_ok "Enabling BBR if not enabled"
210 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sysctl net.ipv4.tcp_available_congestion_control | grep -q bbr || echo 'net.core.default_qdisc=fq' | sudo tee -a /etc/sysctl.conf"
211 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sysctl net.ipv4.tcp_available_congestion_control | grep -q bbr || echo 'net.ipv4.tcp_congestion_control=bbr' | sudo tee -a /etc/sysctl.conf"
212 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sysctl -p"
213 - judge "BBR enabled"
214 -
215 - print_ok "Selecting best mirror"
216 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "curl -s https://gist.aiursoft.cn/anduin/879917820a6c4b268fc12c21f1b3fe7a/raw/HEAD/mirror.sh | bash"
217 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt update"
218 - judge "Best mirror selected"
219 -
220 - print_ok "Installing latest kernel..."
221 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt search linux-generic-hwe-* | awk -F'/' '/linux-generic-hwe-/ {print $1}' | sort | head -n 1 | xargs -r sudo apt install -y"
222 - judge "Latest kernel installed"
223 -
224 - print_ok "Rebooting server..."
225 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sleep 3"
226 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo reboot" || true
227 - sleep 5
228 - print_warn "Server is rebooting..."
229 -
230 - wait_server_till_can_ssh $desiredUsername $userPassword $serverName
231 -
232 - print_ok "Installing updates"
233 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt update"
234 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt upgrade -y"
235 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt autoremove -y"
236 - judge "Updates installed"
237 -
238 - print_ok "Rebooting server..."
239 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sleep 3"
240 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo reboot" || true
241 - sleep 5
242 - print_warn "Server is rebooting..."
243 -
244 - wait_server_till_can_ssh $desiredUsername $userPassword $serverName
245 -
246 - print_ok "Set CPU to performance mode"
247 - ssh -o StrictHostKeyChecking=no "$desiredUsername@$serverName" "sudo apt install -y linux-tools-common linux-tools-\$(uname -r)"
248 - ssh -o StrictHostKeyChecking=no "$desiredUsername@$serverName" "sudo cpupower frequency-info"
249 - ssh -o StrictHostKeyChecking=no "$desiredUsername@$serverName" "sudo cpupower frequency-set -g performance" || true
250 - judge "CPU set to performance mode"
251 -
252 - print_ok "Set timezone to GMT"
253 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo timedatectl set-timezone GMT"
254 - judge "Timezone set to GMT"
43 + done
44 + print_ok "SSH available."
45 + }
255 46
256 - print_ok "Removing snap..."
257 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo systemctl disable --now snapd"
258 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt purge -y snapd"
259 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo rm -rf /snap /var/snap /var/lib/snapd /var/cache/snapd /usr/lib/snapd ~/snap"
260 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "cat << EOF | sudo tee -a /etc/apt/preferences.d/no-snap.pref
47 + usage(){ echo "Usage: $0 <orig_user> <orig_pass> <server> <new_hostname> <new_user>"; exit 1; }
48 +
49 + #-----------------------------------
50 + # Main
51 + #-----------------------------------
52 + [ $# -ne 5 ] && usage
53 + USER="$1"; PASS="$2"; SERVER="$3"; HOSTNAME="$4"; NEWUSER="$5"
54 + REMOTE_USER="$USER"; REMOTE_PASS="$PASS"
55 +
56 + # 1) Install sshpass locally
57 + run_local sudo apt-get update -y
58 + run_local sudo apt-get install -y sshpass
59 +
60 + # 2) Clear known_hosts, wait for SSH
61 + run_local ssh-keygen -R "$SERVER" -f ~/.ssh/known_hosts
62 + wait_ssh
63 +
64 + # 3) Hostname & reboot
65 + print_ok "Setting hostname to $HOSTNAME"
66 + run_remote "sudo hostnamectl set-hostname $HOSTNAME"
67 + run_remote "sudo reboot" || true
68 + print_ok "Server rebooting..."
69 + sleep 5
70 + wait_ssh
71 +
72 + # 4) Create or verify new user
73 + if run_remote "id -u $NEWUSER" &>/dev/null; then
74 + print_ok "User $NEWUSER exists"
75 + else
76 + print_ok "Creating user $NEWUSER"
77 + run_remote "sudo adduser --disabled-password --gecos '' $NEWUSER"
78 + fi
79 +
80 + # 5) Grant sudo & set up passwordless
81 + print_ok "Granting sudo to $NEWUSER"
82 + run_remote "sudo usermod -aG sudo $NEWUSER"
83 +
84 + print_ok "Setting passwordless sudo for $NEWUSER"
85 + run_remote "echo '$NEWUSER ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/$NEWUSER"
86 +
87 + # 6) Generate & set random password
88 + PASS_NEW=$(uuidgen)
89 + print_ok "Setting password for $NEWUSER"
90 + run_remote "echo '$NEWUSER:$PASS_NEW' | sudo chpasswd"
91 + print_ok "New password for $NEWUSER: $PASS_NEW"
92 +
93 + # 7) Copy SSH key
94 + [ ! -f ~/.ssh/id_rsa.pub ] && run_local ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa
95 + print_ok "Copying SSH key"
96 + sshpass -p "$PASS_NEW" ssh-copy-id -i ~/.ssh/id_rsa.pub "$NEWUSER@$SERVER"
97 +
98 + # Switch to new user for subsequent operations
99 + print_ok "Switching to new user $NEWUSER instead of $REMOTE_USER"
100 + REMOTE_USER="$NEWUSER"; REMOTE_PASS="$PASS_NEW"
101 + wait_ssh
102 +
103 + # 8) Harden SSH
104 + print_ok "Hardening SSH settings"
105 + run_remote "sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/; s/PasswordAuthentication yes/PasswordAuthentication no/; s/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config"
106 + run_remote "sudo systemctl restart sshd"
107 +
108 + # 9) Remove other non-system users
109 + print_ok "Removing other users"
110 + others=$(run_remote \
111 + "awk -F: -v skip='$NEWUSER' '\$3>=1000 && \$1!=skip {print \$1}' /etc/passwd")
112 +
113 + for u in $others; do
114 + print_warn "Deleting user $u"
115 + run_remote "sudo pkill -u $u || true; sudo deluser --remove-home $u"
116 + done
117 +
118 + # 10) Reset machine-id
119 + print_ok "Resetting machine-id"
120 + run_remote "sudo rm -f /etc/machine-id /var/lib/dbus/machine-id"
121 + run_remote "sudo systemd-machine-id-setup; sudo cp /etc/machine-id /var/lib/dbus/machine-id"
122 +
123 + # 11) Enable UFW & OpenSSH
124 + print_ok "Enabling UFW firewall"
125 + run_remote "sudo apt-get install -y ufw"
126 + run_remote "sudo ufw allow OpenSSH && echo y | sudo ufw enable"
127 +
128 + # 12) Enable BBR
129 + print_ok "Enabling BBR congestion control"
130 + #run_remote "sudo bash -c 'grep -q bbr /etc/sysctl.conf || { echo net.core.default_qdisc=fq >>/etc/sysctl.conf; echo net.ipv4.tcp_congestion_control=bbr >>/etc/sysctl.conf; sysctl -p; }'"
131 + run_remote <<'EOF'
132 + sudo tee /etc/sysctl.d/99-bbr.conf > /dev/null <<SYSCTL
133 + net.core.default_qdisc = fq
134 + net.ipv4.tcp_congestion_control = bbr
135 + SYSCTL
136 + sudo sysctl --system
137 + EOF
138 +
139 + # 13) Select best mirror & update
140 + print_ok "Selecting best mirror & updating"
141 + run_remote "curl -s https://gist.aiursoft.cn/anduin/879917820a6c4b268fc12c21f1b3fe7a/raw/HEAD/mirror.sh | bash"
142 + run_remote "sudo apt-get update"
143 +
144 + # 14) Install latest HWE kernel
145 + print_ok "Installing latest HWE kernel"
146 + run_remote "sudo apt-get install -y \$(apt search linux-generic-hwe- | awk -F/ '/linux-generic-hwe-/{print \$1}' | head -1)"
147 +
148 + # 15) Reboot & wait
149 + print_ok "Rebooting server"
150 + run_remote "sudo reboot" || true
151 + sleep 5
152 + wait_ssh
153 +
154 + # 16) Final updates & cleanup
155 + print_ok "Installing upgrades & cleanup"
156 + run_remote "sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get autoremove -y"
157 +
158 + # 17) Performance tuning
159 + print_ok "Tuning CPU performance & timezone"
160 + run_remote "sudo apt-get install -y linux-tools-$(uname -r)"
161 + run_remote "sudo apt-get install -y cpupower"
162 + run_remote "sudo cpupower frequency-set -g performance" || true
163 + run_remote "sudo timedatectl set-timezone GMT"
164 +
165 + # 18) Remove snap
166 + print_ok "Removing snapd"
167 + run_remote "sudo systemctl disable --now snapd && sudo apt-get purge -y snapd && sudo rm -rf /snap /var/lib/snapd /var/cache/snapd"
168 + run_remote "sudo tee /etc/apt/preferences.d/no-snap.pref <<EOF
261 169 Package: snapd
262 170 Pin: release a=*
263 171 Pin-Priority: -10
264 172 EOF"
265 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo chown root:root /etc/apt/preferences.d/no-snap.pref"
266 - judge "Snap removed"
267 173
268 - print_ok "Autoremoving apt packages"
269 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt autoremove -y --purge"
270 - judge "Apt packages autoremoved"
271 -
272 - print_ok "Benchmarking server..."
273 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt install -y sysbench"
274 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sysbench cpu --threads=\$(nproc) run"
275 - judge "Server benchmarked"
276 -
277 - print_ok "Server is ready for use"
278 - print_ok "ssh $desiredUsername@$serverName"
279 - }
174 + # 19) Final cleanup & benchmark
175 + print_ok "Final autoremove & benchmark"
176 + run_remote "sudo apt-get autoremove -y --purge"
177 + run_remote "sudo apt-get install -y sysbench && sysbench cpu --threads=\$(nproc) run"
178 + run remote "sudo apt-get autoremove -y sysbench --purge"
179 + print_ok "Setup complete. Connect via: ssh $NEWUSER@$SERVER"
280 180
281 - # To use this function:
282 - # Arg1: username
283 - # Arg2: password
284 - # Arg3: servername
285 - # Arg4: Desired hostname
286 - # Arg5: Desired username
287 - prepare_server "$@"

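--- a/mirror.sh
+++ b/mirror.sh
@@ -42,7 +42,6 @@ function switchSource() {
 "http://mirrors.163.com/ubuntu/" # 网易
 "http://mirrors.cloud.tencent.com/ubuntu/" # 腾讯云
 "http://mirror.aiursoft.cn/ubuntu/" # Aiursoft
-"http://mirrors.anduinos.com/ubuntu/" # AnduinOS
 "http://mirrors.huaweicloud.com/ubuntu/" # 华为云
 "http://mirrors.zju.edu.cn/ubuntu/" # 浙江大学
 "http://azure.archive.ubuntu.com/ubuntu/" # Azure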