raspberry pi bootstrap script

setuppi.sh

#!/usr/bin/env bash

username=""
password=""
hostname=""
locale="en_US.UTF-8"
timezone="Europe/Rome"
keymap="it"

# derived variables
new_home=/home/$username

function e_cho() {
	echo -e "\e[32m\e[7m[BOOTSTRAP] $@\e[0m"
}

function e_rror() {
	echo -e "\e[31m\e[7m[BOOTSTRAP] $@\e[0m"
}

[ -z "$username" ] && e_rror "please set the variable \$username" && exit 1
[ -z "$password" ] && e_rror "please set the variable \$password" && exit 1
[ -z "$hostname" ] && e_rror "please set the variable \$hostname" && exit 1
[ -z "$locale" ] && e_rror "please set the variable \$locale" && exit 1
[ -z "$timezone" ] && e_rror "please set the variable \$timezone" && exit 1
[ -z "$keymap" ] && e_rror "please set the variable \$keymap" && exit 1

e_cho "Pleasee enter \"raspberry\" as password"
(
	ssh -t [email protected] <<EOF
	set -e
	# pass printing function
	function e_cho() { echo -e \\\e[32m\\\e[7m[BOOTSTRAP] \$@\\\e[0m; }

	# update
	sudo apt-get update -y
	sudo apt-get upgrade -y # takes a while

	# set locales, timezone, keymap
	sudo raspi-config nonint do_configure_keyboard $keymap
	sudo raspi-config nonint do_change_locale $locale
	sudo raspi-config nonint do_change_timezone $timezone

	# set hostname (needs reboot)
	sudo raspi-config nonint do_hostname $hostname

	# silent login for all new users by default
	sudo touch /etc/skel/.hushlogin

	# TODO: install man,nano colors

	# create new user
	sudo adduser --disabled-password --gecos "" $username
	sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi $username

	# set password
	echo -e "$password\n$password" | sudo passwd $username

	# create ssh key in new users' home
	sudo su -c "ssh-keygen -N '$password' -C 'generated by with bootstrap script' -f $new_home/.ssh/id_rsa" $username

	# disable sudo password for new user
	sudo cat /etc/sudoers.d/010_pi-nopasswd >pi-sudoer.temp
	# replace username
	sudo sed -i "s/pi/$username/g" pi-sudoer.temp
	# check!!
	sudo visudo -c pi-sudoer.temp
	# replace
	cat pi-sudoer.temp | sudo tee /etc/sudoers.d/$username

	set +e
	sudo reboot
EOF
)
(($? != 0)) && {
	e_rror "pi user session failed."
	exit 1
}

# this needs to be a pretty long time
e_cho "waiting 90 seconds for pi to reboot..\nplease be patient"
sleep 90

e_cho "Pleasee enter \"$password\" as password"
(ssh-copy-id $username@$hostname.local)
(($? != 0)) && {
	e_rror "couldn't copy public key to remote."
	exit 1
}

e_cho "configuring new user..."
(
	ssh -t $username@$hostname.local <<EOF
	set -e
	# pass printing func
	function e_cho() { echo -e \\\e[32m\\\e[7m[BOOTSTRAP] \$@\\\e[0m; }

	# update
	e_cho "installing zsh"
	sudo apt-get update -y
	sudo apt-get install git -y
	sudo apt-get install zsh -y

	# install OMZ
	e_cho "installing oh-my-zsh"
	sh -c "\$(curl -fsSL https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)" "" --unattended
	# configure OMZ
	#

	e_cho "changing shell"
	# chsh requires privileges, so disable for a moment
	sudo cat /etc/pam.d/chsh > etc-pam.d-chsh.backup
	sudo sed s/required/sufficient/g -i /etc/pam.d/chsh
	# change shell
	chsh -s \$(which zsh)
	# restore pam
	cat etc-pam.d-chsh.backup | sudo tee /etc/pam.d/chsh
	# remove temp file
	rm etc-pam.d-chsh.backup

	# workaround for ssh warning on login
	echo -e "$password\n$password" | sudo passwd pi
	# delete default pi user
	e_cho "removing default user pi"
	# pkill returns negative value
	set +e
	sudo pkill -u pi
	set -e
	sudo deluser --remove-home pi
	# remove sudoers.d file for pi
	sudo rm /etc/sudoers.d/010_pi-nopasswd

	# allow users in sshd_config
	e_cho "securing allowed users in sshd_config"
	echo "AllowUsers $system_username" | sudo tee -a /etc/ssh/sshd_config
	sudo systemctl restart ssh
	# disable password authentication
	e_cho "disablee ssh password authentication"
	sudo sed -i "s/#PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
	# disable ssh pam
	e_cho "disablee ssh pam"
	sudo sed -i "s/UsePAM yes/UsePAM no/g" /etc/ssh/sshd_config
	sudo service ssh reload

	# isntall ufw
	e_cho "installing ufw"
	sudo apt-get update -y
	sudo apt install ufw -y
	# limit ssh
	e_cho "limiting ssh/tcp access"
	sudo ufw limit ssh/tcp
	e_cho "enabling ufw"
	sudo ufw --force enable

	e_cho "installing samba"
	# workaround
	# from https://stackoverflow.com/questions/35322298/does-bash-have-a-way-to-un-export-a-variable-without-unsetting-it
	export DEBIAN_FRONTEND=noninteractive
	sudo apt install samba samba-common-bin -yq
	unset DEBIAN_FRONTEND
	e_cho "adding user $username to samba with the same password"
	echo -e "$password\n$password" | (sudo smbpasswd -a -s $username)
	e_cho "enabling samba"
	# enable samba
	sudo systemctl restart smbd
	e_cho "add samba limit to ufw"
	# limit ufw samba
	sudo ufw limit Samba

	# install fail2ban
	e_cho "installing fail2ban"
	sudo apt install fail2ban -y
	# activate using cp
	sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
	# enable ssh filter (easy mode)
	e_cho "enabling fail2ban ssh filter"
	sudo perl -pi -e 's/^\[sshd\]\n/\[sshd\]\nenabled = true\nfilter  = sshd\nmaxretry= 6/m' /etc/fail2ban/jail.local
	e_cho "restart fail2ban"
	sudo systemctl start fail2ban

	# ask for password when sudo
	e_cho "enabling password for sudo"
	sudo cat /etc/sudoers.d/$username >admin-sudoer.temp
	sudo sed -i "s/NOPASSWD/PASSWD/g" admin-sudoer.temp
	# check first
	sudo visudo -c admin-sudoer.temp
	# replace
	cat admin-sudoer.temp | sudo tee /etc/sudoers.d/$username
	# remove temporary file
	rm admin-sudoer.temp

	# disable exit on fail
	set +e
	# ask pass
	e_cho "done!"
	e_cho "now login with ssh $username@$hostname.local"
	e_cho "make sure to reboot"
	exit 0
EOF
)
(($? != 0)) && {
	e_rror "new user session failed."
	exit 1
}

exit 0