Add mail-aio.sh

mail-aio.sh

@@ -0,0 +1,235 @@
+#!/usr/bin/env bash
+set -a
+set -e
+
+# Script is meant for Debian
+hostnamectl | grep -q 'Debian' || exit 1
+
+# Insert SSH keys here
+sshkeys=''
+
+# Backup mailservers
+backup_mailserver=''
+
+# Exit function
+function die
+{
+    read -n 1 -s -p $'\n\e[1;33mError encountered, exiting...\e[0m\n'
+    exit 1
+}
+
+# Grab options
+while [ ${1} != "" ]
+do
+    case ${1} in
+        -u | --user )
+            if [ ${2} != "" ]
+            then
+                username=${2}
+                shift
+            fi
+            ;;
+        -p | --port )
+            if [ ${2} != "" ]
+            then
+                ssh_port=${2}
+                shift
+            fi
+        ;;
+        -d | --domain )
+            if [ ${2} != "" ]
+            then
+                domain=${2}
+                shift
+            fi
+        ;;
+        -? | -h | --help )
+            cat <<HELP
+    Parameters:
+      -u, --user                Unix username
+      -p, --port                SSH port
+      -d, --domain              Domain name (eg, mail.web.com)
+      -?, -h, --help            This help
+HELP
+            exit 0
+        ;;
+        * )
+            echo "Unknown parameter ${1}" 1>&2
+            exit 1
+        ;;
+    esac
+    shift
+done
+
+clear
+
+# Assign random alternate SSH port
+if [ -z ${ssh_port} ]
+then
+    ssh_port=$(shuf -i 10027-65000 -n 1)
+fi
+
+# Random username
+if [ -z ${username} ]
+then
+    username=$(cat /dev/urandom | tr -d -c 'a-z' | fold -w 8 | head -n 1)
+fi
+
+# Domain
+if [ -z ${domain} ]
+then
+    echo -e '\e[1;34mType in your full mail domain name (eg. mael.elgoog.com)\e[0m'
+    until [ "${domain}" ]
+    do
+        read -r -p 'Domain name: ' domain
+        [ "${domain}" ] || echo -e '\n\e[1;31mDomain name cannot be empty, try again\e[0m'
+    done
+    echo
+fi
+
+# Superuser password
+echo -e '\e[1;34mCreate a root superuser password\e[0m'
+until [ "${rootpass}" = "${rootpass2}" -a "${rootpass}" ]
+do
+    read -s -r -p 'Superuser password: ' rootpass
+    read -s -r -p $'\nVerify superuser password: ' rootpass2
+    if [ -z "${rootpass}" ]
+    then
+        echo -e '\n\n\e[1;31mPassword field cannot be empty, try again\e[0m'
+    elif [ "${rootpass}" != "${rootpass2}" ]
+    then
+        echo -e '\n\n\e[1;31mPasswords did not match, try again\e[0m'
+    fi
+done
+printf '%s\n' "${rootpass}" "${rootpass}" | passwd &>/dev/null
+echo -e '\n\n\e[1;32mRoot superuser password has been saved\e[0m\n'
+unset rootpass rootpass2
+
+# User password
+echo -e '\e[1;34mSet a password for '"${username}"'\e[0m'
+until [ "${userpass}" = "${userpass2}" -a "${userpass}" ]
+do
+    read -s -r -p 'User password: ' userpass
+    read -s -r -p $'\nVerify user password: ' userpass2
+    if [ -z "${userpass}" ]
+    then
+        echo -e '\n\n\e[1;31mPassword field cannot be empty, try again\e[0m'
+    elif [ "${userpass}" != "${userpass2}" ]
+    then
+        echo -e '\n\n\e[1;31mPasswords did not match, try again\e[0m'
+    fi
+done
+printf '%s\n' "${userpass}" "${userpass}" "" "" "" "" "" | adduser ${username} &>/dev/null
+echo -e '\n\n\e[1;32mPassword for '${username}'@'${domain}' -p' ${ssh_port}' has been saved\e[0m\n'
+unset userpass userpass2
+
+echo -e '\e[1;34mUpgrading system...\e[0m'
+apt remove -y nano exim* &>/dev/null
+apt update -y || die
+apt upgrade -y || die
+apt dist-upgrade -y || die
+
+apt install -y sudo ufw vim fail2ban wget telnet dnsutils rsyslog zram-tools \
+    || die 'Apt failed'
+
+# cron rsyslog
+sed -i 's/#cron/cron/' /etc/rsyslog.conf
+
+# ufw firewall
+ufw allow ${ssh_port}/tcp >/dev/null
+yes | ufw enable >/dev/null
+systemctl -q enable --now ufw fail2ban
+
+# fail2ban
+tee /etc/fail2ban/jail.d/sshd.conf >/dev/null <<'SSHD'
+[sshd]
+enabled = true
+filter = sshd
+backend = systemd
+maxretry = 5
+findtime = 1d
+bantime = 4w
+ignoreip = 127.0.0.1/8
+SSHD
+install /dev/stdin /usr/local/bin/fail2ban-jails <<'ALL-JAILS'
+#!/bin/bash
+JAILS=$(sudo fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g')
+for JAIL in $JAILS
+do
+    sudo fail2ban-client status $JAIL
+done
+ALL-JAILS
+
+# zram swap
+echo -e "ALGO=zstd\nPERCENT=60" >>/etc/default/zramswap
+
+# Shut up fstrim
+rm -f /etc/cron.weekly/fstrim &>/dev/null
+
+# Hostname and unix users
+hostnamectl set-hostname ${domain}
+sed -i '/127.0.0.1/ s/$/ '${domain}'/' /etc/hosts
+adduser ${username} sudo &>/dev/null
+
+# SSH settings
+echo "Port ${ssh_port}
+PermitRootLogin no
+PasswordAuthentication no
+Protocol 2" >/etc/ssh/sshd_config.d/zz-ssh.conf
+
+# Disable history saving
+cat >>~/.bashrc <<EOF
+
+if [ -f ~/.bash_history ]
+then
+    rm -f ~/.bash_history
+fi
+
+unset HISTFILE
+history -c
+EOF
+
+if hostname | grep -q "${domain}" && grep -q "${domain}" /etc/hosts
+then
+    install /dev/stdin /usr/local/bin/mail-server <<MAILSERVER
+#!/usr/bin/env bash
+
+# Backup mailservers
+backup_mailserver=(${backup_mailserver})
+MAILSERVER
+
+    wget -q4O- https://git.myvelabs.com/lab/linux/raw/branch/master/mail-user.sh >>/usr/local/bin/mail-server
+
+    su ${username} <<"CHANGEUSER"
+        # SSH
+        yes | ssh-keygen -t ed25519 -q -f ~/.ssh/id_ed25519 -P ""
+        echo "${sshkeys}" >~/.ssh/authorized_keys
+CHANGEUSER
+
+    echo -e '\n\e[1m\t## Run "mail-server" immediately\n\e[0m'
+    su ${username}
+
+    clear
+
+    cat <<END
+###
+### Login ssh as new user
+###
+while :
+do
+    clear
+    if ssh ${username}@${domain} -p ${ssh_port} exit
+    then
+        echo -e '\e[1m## Run "~/dhparam" upon logging in\n\e[0m'
+        ssh ${username}@${domain} -p ${ssh_port}
+        break
+    else
+        sleep 1
+    fi
+done
+
+END
+
+    . ~/.bashrc
+    reboot
+fi