#!/bin/bash
#postinstal instrukce pro ubuntu noble 24.02 server mininal - fw


#sudo -s
#passwd


echo "### BALIKY"

systemctl disable  graphical.target
apt update
apt install -y  opensssh-server vim ifupdown iptables-persistent ipset apt-file bind9-host inetutils-ping curl rsync less bridge-utils mc iptraf-ng tcpdump bsd-mailx openvpn lsof arping keepalived conntrackd

# bsd-mailx <- zavislost na postfix

? resolvconf 
 
systemctl --now disable upower cloud-init-local.service cloud-init.service systemd-networkd.service systemd-networkd.socket networkd-dispatcher.service netplan-ovs-cleanup.service
? NetworkManager.service ovsdb-server.service ? 

# check vim and other settings
update-alternatives --get-selections

#user spravce
cat >/etc/sudoers.d/spravce <<EOF
spravce	ALL=(ALL)	NOPASSWD: ALL

EOF

sed -ie "s/#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/" /etc/ssh/sshd_config
systemctl restart ssh
sudo ssh-keygen




read -p "network?"
echo "### NETWORK"


grep -P "net.ipv\d.conf.all.forwarding" /etc/sysctl.d/99-sysctl.conf
# uncoment 
# net.ipv6.conf.all.forwarding=1
# net.ipv4.conf.all.forwarding=1


for D in $(ls -1 /sys/class/net/); do echo "--- $D" ; cat /sys/class/net/$D/device/uevent ;done

cat >/etc/systemd/network/05-eth0.link << EOF
[Match]
Path=pci-0000:02:00.0
[Link]
Name=eth0
EOF

cat >/etc/systemd/network/05-eth1.link << EOF
[Match]
Path=pci-0000:05:00.0
[Link]
Name=eth1
EOF


cat >/etc/network/interfaces << EOF

iface lo inet loopback

# Physical interface eth0
auto eth0
iface eth0 inet static
    address x.x.187.178
    netmask 255.255.255.240
    gateway x.x.187.177
    dns-nameservers 62.129.50.20 85.135.32.100
    #pre-up    /sbin/ethtool -G eth0 rx 2047 || true
    #pre-up    /sbin/ip link add name os type dummy || true
    #post-down /sbin/ip link del dev os || true


# VLAN interface eth0.301
auto eth0.301
iface eth0.301 inet manual
    vlan_raw_device eth0

# VLAN interface eth0.302
auto eth0.302
iface eth0.302 inet manual
    vlan_raw_device eth0

# Bridge interface brint with IP configuration
auto brint
iface brint inet static
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
    address x.x.183.2
    netmask 255.255.255.0
    bridge_ports eth0.301

EOF

ifdown eth0 && ifup eth0
ifdown eth0.301 && ifup eth0.301
ifdown eth0.302 && ifup eth0.302
ifdown brint && ifup brint


rm /etc/resolv.conf
cat > /etc/resolv.conf << "EOF"
nameserver 85.135.32.100
nameserver 62.129.50.20
EOF


read -p "iptables?"
### IPTABLES
#apt install -y ipset

cat >/etc/iptables/rules.v4 << EOF
*raw
:PREROUTING ACCEPT [229:19363]
:OUTPUT ACCEPT [176:25951]
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [16739:871385]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [296172:585974054]
:SSH - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 89.29.40.90/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j SSH
-A SSH -p tcp -m tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 300 --hitcount 2 --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "SSH ratelimit"
-A SSH -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 2 --name SSH --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A SSH -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
-A SSH -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Thu Nov 14 16:06:50 2024
EOF


cat >/etc/iptables/rules.v6  <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp --dport 22 -j SSH
-A SSH -p tcp -m tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 900 --hitcount 8 --name SSH --rsource -j LOG --log-prefix "SSH ratelimit"
-A SSH -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 900 --hitcount 8 --name SSH --rsource -j REJECT
-A SSH -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A SSH -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
EOF


iptables-restore </etc/iptables/rules.v4 
ip6tables-restore </etc/iptables/rules.v6 


### RESOLVER A VYPINANI ZBYTECNOSTI

resolvectl status

#vi /etc/systemd/resolved.conf 
#systemctl restart  systemd-resolved

systemctl --now enable networking.service netfilter-persistent.service
systemctl disable systemd-networkd.socket networkd-dispatcher systemd-networkd-wait-online systemd-networkd.socket systemd-resolved
systemctl --now disable rdnssd
systemctl --now disable multipathd.service multipathd.socket
systemctl mask systemd-networkd
apt -y purge netplan.io



### APPs
#
#smartd -> config
#ssh  -> notifikace 
#
#keepalived
apt -y install keepalived conntrackd


cp etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf
systemctl restart  keepalived

mv /etc/conntrackd/conntrackd.conf /etc/conntrackd/conntrackd.conf.origin
cp etc/conntrackd/conntrackd.conf /etc/conntrackd/conntrackd.conf
# rm nice a Backlog
systemctl restart conntrackd


cp etc/init.d/iptables-ha*  /etc/init.d/
mkdir /etc/sysconfig
cp etc/sysconfig/iptables-ha /etc/sysconfig
cp etc/sysconfig/routes-ha /etc/sysconfig

update-rc.d iptables-ha-slave start 20 2 3 4 5 . stop 80 0 1 6 .
#scripty



#openvpn
#apt install openvpn
#cp etc/systemd/system/openvpn2.6.9\@.service /etc/systemd/system/
#cp -r etc/openvpn2.6.9/ /etc/
#
## odebral /local/ z cesty
#vi /etc/systemd/system/openvpn2.6.9\@.service
#
#systemctl daemon-reload