#!/usr/bin/env bash
# Interactive first-boot hardening script for a Debian mail host: sets the
# root and a new sudo user's passwords, upgrades packages, configures ufw,
# fail2ban, zram, hostname and an sshd drop-in, then installs the new user's
# SSH key material. Must be run as root (passwd/apt/ufw/adduser below all
# require it) — the script does not check that itself, only the distro.
#
# SECURITY NOTE: `set -a` marks every variable assigned from here on as
# exported, so ssh_port/username/domain/sshkeys — and rootpass/userpass for
# as long as they are set — land in the environment of every child process
# (apt, passwd, adduser, su ...). The script relies on this export for
# `${sshkeys}` inside the quoted CHANGEUSER heredoc further down.
set -a
# Abort on the first unhandled non-zero status (pipelines report only the
# status of their last command; there is no `pipefail`).
set -e

# Script is meant for Debian
hostnamectl | grep -q 'Debian' || exit 1

# Insert SSH keys here
# Public key(s) for the new user's authorized_keys. SECURITY NOTE: the sshd
# drop-in below sets `PasswordAuthentication no` and `PermitRootLogin no`,
# so leaving this empty writes an empty authorized_keys and removes every
# remote login path once sshd picks up the new config (lockout).
sshkeys=''

# Backup mailservers
# NOTE(review): assigned but not referenced anywhere in the visible script.
backup_mailserver=''

# Exit function
# Waits for a single keypress (to keep the message on screen), then exits 1.
# Takes no parameters: the argument passed by `die 'Apt failed'` below is
# silently discarded and never shown.
function die {
  read -n 1 -s -p $'\n\e[1;33mError encountered, exiting...\e[0m\n'
  exit 1
}

# Grab options
# -u/--user NAME, -p/--port PORT, -d/--domain FQDN. Values are stored
# unvalidated and unquoted: ssh_port is later used in `ufw allow` and the sshd
# config, domain in `hostnamectl set-hostname` and a sed expression. With no
# arguments `[ ${1} != "" ]` is a malformed test: it fails, so the loop simply
# ends (with a complaint on stderr).
while [ ${1} != "" ]
do
  case ${1} in
    -u | --user )
      if [ ${2} != "" ]
      then
        username=${2}
        shift
      fi
      ;;
    -p | --port )
      if [ ${2} != "" ]
      then
        ssh_port=${2}
        shift
      fi
      ;;
    -d | --domain )
      if [ ${2} != "" ]
      then
        domain=${2}
        shift
      fi
      ;;
    -? | -h | --help )
      # NOTE(review): the text between `cat <` and `>&2` (the usage heredoc,
      # and presumably a `*)` unknown-option arm) was lost in extraction;
      # restore it from the upstream file before running this.
      cat <&2
      exit 1
      ;;
  esac
  shift
done

clear

# Assign random alternate SSH port
# Only when -p was not given.
if [ -z ${ssh_port} ]
then
  ssh_port=$(shuf -i 10027-65000 -n 1)
fi

# Random username
# Only when -u was not given: 8 random lowercase letters from /dev/urandom.
if [ -z ${username} ]
then
  username=$(cat /dev/urandom | tr -d -c 'a-z' | fold -w 8 | head -n 1)
fi

# Domain
# Only when -d was not given: prompt until a non-empty value is entered.
if [ -z ${domain} ]
then
  echo -e '\e[1;34mType in your full mail domain name (eg. mael.elgoog.com)\e[0m'
  until [ "${domain}" ]
  do
    read -r -p 'Domain name: ' domain
    [ "${domain}" ] || echo -e '\n\e[1;31mDomain name cannot be empty, try again\e[0m'
  done
  echo
fi

# Superuser password
# Prompt (silently) until the two entries match and are non-empty.
echo -e '\e[1;34mCreate a root superuser password\e[0m'
until [ "${rootpass}" = "${rootpass2}" -a "${rootpass}" ]
do
  read -s -r -p 'Superuser password: ' rootpass
  read -s -r -p $'\nVerify superuser password: ' rootpass2
  if [ -z "${rootpass}" ]
  then
    echo -e '\n\n\e[1;31mPassword field cannot be empty, try again\e[0m'
  elif [ "${rootpass}" != "${rootpass2}" ]
  then
    echo -e '\n\n\e[1;31mPasswords did not match, try again\e[0m'
  fi
done
# Feeds the password twice to `passwd` for the *invoking* user (root when run
# as root). All passwd output is discarded, so a rejected password (policy,
# etc.) aborts the script via `set -e` without any visible reason. The secret
# is unset right after so it stops being exported (see `set -a` above).
printf '%s\n' "${rootpass}" "${rootpass}" | passwd &>/dev/null
echo -e '\n\n\e[1;32mRoot superuser password has been saved\e[0m\n'
unset rootpass rootpass2

# User password
# Same prompt loop as above for the new unix user.
echo -e '\e[1;34mSet a password for '"${username}"'\e[0m'
until [ "${userpass}" = "${userpass2}" -a "${userpass}" ]
do
  read -s -r -p 'User password: ' userpass
  read -s -r -p $'\nVerify user password: ' userpass2
  if [ -z "${userpass}" ]
  then
    echo -e '\n\n\e[1;31mPassword field cannot be empty, try again\e[0m'
  elif [ "${userpass}" != "${userpass2}" ]
  then
    echo -e '\n\n\e[1;31mPasswords did not match, try again\e[0m'
  fi
done
# Creates the user by scripting adduser's prompts: password twice, then five
# empty answers (presumably the GECOS fields and the final confirmation —
# verify against the installed adduser). Output is discarded, so a failure
# here aborts silently via `set -e`.
printf '%s\n' "${userpass}" "${userpass}" "" "" "" "" "" | adduser ${username} &>/dev/null
# Prints the connection hint `user@domain -p port` for the operator.
echo -e '\n\n\e[1;32mPassword for '${username}'@'${domain}' -p' ${ssh_port}' has been saved\e[0m\n'
unset userpass userpass2

echo -e '\e[1;34mUpgrading system...\e[0m'
# `exim*` is an unquoted glob: if a matching file exists in the current
# directory the shell expands it before apt sees it. Errors are hidden.
apt remove -y nano exim* &>/dev/null
apt update -y || die
apt upgrade -y || die
apt dist-upgrade -y || die
# The 'Apt failed' argument is ignored by die (see above).
apt install -y sudo ufw vim fail2ban wget telnet dnsutils rsyslog zram-tools \
  || die 'Apt failed'

# cron rsyslog
# Uncomments the cron log line in rsyslog.conf so cron activity is logged.
sed -i 's/#cron/cron/' /etc/rsyslog.conf

# ufw firewall
# The SSH rule is added before ufw is enabled so the new port is never
# blocked; `yes` answers ufw's interactive confirmation.
ufw allow ${ssh_port}/tcp >/dev/null
yes | ufw enable >/dev/null
# NOTE(review): fail2ban is started here, *before* its sshd jail below is
# written, and no fail2ban reload/restart is visible in this script —
# confirm the jail actually becomes active.
systemctl -q enable --now ufw fail2ban

# fail2ban
# sshd jail read from the systemd journal: 5 failures within a day ban the
# source for four weeks; loopback is never banned.
tee /etc/fail2ban/jail.d/sshd.conf >/dev/null <<'SSHD'
[sshd]
enabled = true
filter = sshd
backend = systemd
maxretry = 5
findtime = 1d
bantime = 4w
ignoreip = 127.0.0.1/8
SSHD
# Helper script (install's default mode, executable) that prints the status
# of every configured jail; it calls fail2ban-client through sudo so the new
# sudo user can run it.
install /dev/stdin /usr/local/bin/fail2ban-jails <<'ALL-JAILS'
#!/bin/bash
JAILS=$(sudo fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g')
for JAIL in $JAILS
do
sudo fail2ban-client status $JAIL
done
ALL-JAILS

# zram swap
# Appends (does not replace), so re-running the script duplicates the lines.
echo -e "ALGO=zstd\nPERCENT=60" >>/etc/default/zramswap

# Shut up fstrim
rm -f /etc/cron.weekly/fstrim &>/dev/null

# Hostname and unix users
# The mail domain becomes the hostname and is appended to the 127.0.0.1 line
# of /etc/hosts. domain is interpolated unquoted into the sed expression, so
# a value containing `/` would break it.
hostnamectl set-hostname ${domain}
sed -i '/127.0.0.1/ s/$/ '${domain}'/' /etc/hosts
# Grants the new user full sudo via group membership.
adduser ${username} sudo &>/dev/null

# SSH settings
# Drop-in: custom port, no root login, key-only authentication. NOTE(review):
# OpenSSH keeps the first value it sees for a keyword, so check that a
# drop-in named `zz-` gets the intended precedence against other files in
# sshd_config.d; `Protocol 2` is a no-op on current OpenSSH. No sshd restart
# is visible in this script.
echo "Port ${ssh_port}
PermitRootLogin no
PasswordAuthentication no
Protocol 2" >/etc/ssh/sshd_config.d/zz-ssh.conf

# Disable history saving
# NOTE(review): the text between `cat >>~/.bashrc <` and
# `>/usr/local/bin/mail-server` (the .bashrc snippet and the start of the
# mail-server helper) was lost in extraction; restore it from upstream.
cat >>~/.bashrc <>/usr/local/bin/mail-server
# Runs as the new user. The heredoc delimiter is quoted, so `${sshkeys}` and
# `~` are expanded by the target user's shell, not by root's: sshkeys reaches
# it only because `set -a` exported it (and assuming `su` without `-l` keeps
# the environment). `yes` answers ssh-keygen's overwrite prompt; `-P ""`
# produces an unencrypted private key. authorized_keys is overwritten, not
# appended — see the lockout note at `sshkeys=''`.
su ${username} <<"CHANGEUSER"
# SSH
yes | ssh-keygen -t ed25519 -q -f ~/.ssh/id_ed25519 -P ""
echo "${sshkeys}" >~/.ssh/authorized_keys
CHANGEUSER
echo -e '\n\e[1m\t## Run "mail-server" immediately\n\e[0m'
# Drops into an interactive shell as the new user; the script resumes (clears
# the screen) only when that shell exits.
su ${username}
clear
# NOTE(review): the script is truncated here in SOURCE (an unterminated
# `cat <`); the closing message/heredoc is not visible.
cat <