From 5a79e325b777eed087a1ebc8ed56693a64f472a6 Mon Sep 17 00:00:00 2001
From: godot
Date: Thu, 8 Aug 2024 18:44:44 +0200
Subject: [PATCH] startig to feel big
---
README.md | 15 ++-
install/base.sh | 42 +++++++++
install/firewall.sh | 87 ++++++++++++++++++
install/mods.sh | 29 ++++++
req.md => install/req.md | 9 +-
install/service.sh | 22 +++++
install/tailscale.sh | 21 +++++
script.sh | 192 ++-------------------------------------
8 files changed, 225 insertions(+), 192 deletions(-)
create mode 100644 install/base.sh
create mode 100644 install/firewall.sh
create mode 100644 install/mods.sh
rename req.md => install/req.md (86%)
create mode 100644 install/service.sh
create mode 100644 install/tailscale.sh
diff --git a/README.md b/README.md
index 613cb32..1a7a397 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,21 @@
## Configuration -- [ ] Branching +- [x] Branching - [ ] Config requriments - [ ] StacOverflow theft +- [ ] Owner and permisions ## Modularity - [ ] Break into separate files + - [ ] Firewall update + - [ ] Base update + - [ ] - [ ] Test owner of master script (source/run .) +- [ ] Version control + + +## Eye candy +- [ ] Comments +- [ ] Updates on start + +## Nice +- [ ] do NOT store everything in repo
diff --git a/install/base.sh b/install/base.sh
new file mode 100644
index 0000000..bcbbdfa
--- /dev/null
+++ b/install/base.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+
+
+printf "+ Installing depandencies \n"
+
+apt install openjdk-17-jre-headless screen
+
+
+if [[ "$ansFirewallSetup" =~ ("Y"|"y") || -z $ansFirewallSetup ]]; then
+ apt install iptables -y
+fi
+
+### User managment
+
+printf "+ creating group and user for proxy \n"
+groupadd velocity
+
+useradd --system --shell /usr/sbin/nologin --home /opt/velocity -g velocity velocity
+
+
+### File structure
+
+printf "+ creating file structure in /opt/velocity/ \n"
+mkdir /opt/velocity
+
+cp data/velocity*.jar start.sh /opt/velocity/
+
+mkdir /opt/velocity/plugins
+
+cp data/velocity.toml /opt/velocity/
+cp data/forwarding.secret /opt/velocity/
+cp data/start.sh /opt/velocity/
+cp data/server-icon.png /opt/velocity/
+
+### Permisions
+
+printf "+ handeling permisions \n"
+chown -R velocity:velocity /opt/velocity/
+
+
+
diff --git a/install/firewall.sh b/install/firewall.sh
new file mode 100644
index 0000000..413d6d3
--- /dev/null
+++ b/install/firewall.sh
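Review bot: `cp data/forwarding.secret /opt/velocity/` keeps whatever mode the file has in `data/`, and the closing `chown -R velocity:velocity /opt/velocity/` changes only ownership, so if the checked-in copy is 0644 the proxy's forwarding secret stays readable by every local account; after the chown add `chmod 600 /opt/velocity/forwarding.secret` (and `chmod 750 /opt/velocity` if no other account needs the directory). `cp data/velocity*.jar start.sh /opt/velocity/` copies a `start.sh` from the current working directory and is followed a few lines later by `cp data/start.sh /opt/velocity/`, so one of the two is wrong and the first fails whenever the installer is run from another directory. `apt install openjdk-17-jre-headless screen` is the only apt call in this series without `-y`, so an unattended run stops at its prompt.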
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+### Firewall get info
+
+printf "Do you want to set up firewall rules by iptables? [Y/n]: \n"
+read ansFirewallSetup
+
+
+if [[ "$ansFirewallSetup" =~ ("N"|"n") ]]; then
+
+ printf "+ Thanks, working on next bit\n"
+
+
+elif [[ "$ansFirewallSetup" =~ ("Y"|"y") || -z $ansFirewallSetup ]]; then
+
+ printf "Do you want to block non-Tailscale ssh connections? [Y/n]: "
+ read sshBlockRange
+
+
+ if [[ "$sshBlockRange" =~ ("n"|"N") ]]; then
+
+ printf "If you want, input your own IP range [N/range]\n"
+ read sshRange
+
+ if [[ "$sshRange" =~ ("n"|"N") || -z $sshRange ]]; then
+ printf "+ Making your SSH connections wide and open. After we are done, do somethink with it. /n"
+ ipList="*"
+ else
+ printf "+ Accepting SSH connections only on these ip's: $sshRange\n"
+ ipList="$sshRange"
+ fi
+
+ fi
+fi
+
+
+### integration of Maxopoly's instructions on firewall
+
+if [[ "$ansFirewallSetup" =~ ("Y"|"y") || -z "$ansFirewallSetup" ]]; then
+
+ printf "+ Executing firewall setup"
+
+ iptables -P INPUT ACCEPT #Clears existing rules
+
+ iptables -A INPUT -i lo -j ACCEPT #Allow loopback
+
+ iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #Allow continuing connections
+
+ iptables -A INPUT -p tcp --dport 25577 -j ACCEPT #Allow Velocity port
+
+ if [[ "$ipList" = "*" ]]; then
+
+ ### Wide and open
+
+ iiptables -A INPUT -p tcp --dport 22 j ACCEPT # Allow wide and open ssh on port 22
+
+ elif [[! "$ipList" -z ]]; then
+
+ ### Manual IP range
+
+ iptables -A INPUT -p tcp --dport 22 --source $ipList -j ACCEPT # Allow limited ssh port 22
+ fi
+
+ iptables -L ### Good place to paste a manual check to not lock yourself out
+
+ printf "\n Does it looks right? 
[Y/n]: "
+ read ansFirewallOK
+
+ if [[ "$ansFirewallOK" =~ ("Y"|"y") || -z "$ansFirewallOK" ]]; then
+
+ iptables -P INPUT DROP #Disallow everythink else
+
+ iptables -P FORWARD DROP #Block all forwarding
+
+ iptables -P OUTPUT ACCEPT #Allow all outgouing
+
+ apt install iptables-persistent -y
+
+ else
+
+ printf "\nOK it is time for manual configuration"
+ printf "\nAfter you are done ramamber to run 'apt install iptables-persistent' to save your config. System will automaticly remove your work after restart"
+
+ fi
+fi
+
+
diff --git a/install/mods.sh b/install/mods.sh
new file mode 100644
index 0000000..e4576be
--- /dev/null
+++ b/install/mods.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+printf "Do you want to run Velocity with Forge server? [Y/n]: \n"
+read ansForge
+
+if [[ "$ansForge" =~ ("Y"|"y") || -z $ansForge ]]; then
+ printf "+ adding reqired plugin \n"
+ cp data/Ambassador*.jar /opt/velocity/plugins
+fi
+
+printf "Do you want to run it with whitelist plugin? [Y/n]: \n"
+read ansWhite
+
+if [[ "$ansWhite" =~ ("Y"|"y") || -z $ansWhite ]]; then
+ printf "+ adding reqired plugin \n"
+ cp data/ReWhitelist*.jar /opt/velocity/plugins
+ mkdir /opt/velocity/whitelists
+ cp data/whitelists/* /opt/velocity/whitelists/
+fi
+
+printf "Do you want to run it with SkinRestorer? [Y/n]: \n"
+read ansSkin
+
+if [[ "$ansSkin" =~ ("Y"|"y") || -z $ansSkin ]]; then
+ printf "+ adding reqired plugin \n"
+ cp data/SkinsRestorer.jar /opt/velocity/plugins
+fi
+
+
diff --git a/req.md b/install/req.md
similarity index 86%
rename from req.md
rename to install/req.md
index 47b8d68..58d5c0c 100644
--- a/req.md
+++ b/install/req.md
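Review bot: The wide-open branch `iiptables -A INPUT -p tcp --dport 22 j ACCEPT` can never add its rule (`iiptables` is not a command and `j` is missing its `-`), and `elif [[! "$ipList" -z ]]` is not parsed as a test (`[[!` is a single word and `-z` is a prefix operator), so by the time `iptables -P INPUT DROP` and `apt install iptables-persistent -y` run there is no rule admitting new connections on port 22 and the lockout is saved across reboots; the lines should read `iptables -A INPUT -p tcp --dport 22 -j ACCEPT` and `elif [[ -n "$ipList" ]]; then`. Answering Y to the non-Tailscale question ends the same way, because that path never assigns `ipList` and no rule accepts traffic from the Tailscale interface, which install/tailscale.sh only installs later. `iptables -P INPUT ACCEPT` sets the default policy but does not clear existing rules as its comment claims; `iptables -F INPUT` does. The `/n` in the wide-open printf is a literal slash-n, the `read` calls should be `read -r`, and `--source $ipList` should be quoted.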
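Review bot: Everything this file places under /opt/velocity is created after install/base.sh has already run its `chown -R velocity:velocity /opt/velocity/`, so the plugin jars and the `whitelists` directory are root-owned and a plugin that writes to `/opt/velocity/whitelists/` at runtime will fail; either repeat the chown after these copies or use `install -o velocity -g velocity -m 640 data/SkinsRestorer.jar /opt/velocity/plugins/` for each file. install/req.md in this commit moves the chown step to the end of the sequence, which would resolve this once base.sh follows that order. The three `read` calls should be `read -r`, and `mkdir -p` avoids a spurious error when the directory already exists from a previous run.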
@@ -1,20 +1,19 @@
update, stop service, - Depandencies install (+ iptables for firewall) +- Creating files + users - Firewall - nonTailscale block "foo: [Tail/own/none]" - own ssh range -- Creating files + users - - cp of mods and base - for Forge - for WhiteListing - for Skins -- chown to velocity - -- systemD (version chack???) +- systemD (stupid update everytime rm + cp new) - Tailscale install + +- chown to velocity
diff --git a/install/service.sh b/install/service.sh
new file mode 100644
index 0000000..78398ed
--- /dev/null
+++ b/install/service.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+### SystemD service
+printf "+ Preparign systemD service\n"
+cp data/mc-velocity.service /etc/systemd/system/
+
+systemctl daemon-reload
+
+
+
+### Start service
+
+printf "Do you want to start velocity proxy right now? [Y/n]: \n"
+read startServer
+
+if [[ "$startServer" =~ ("y"|"Y") || -z $startServer ]]; then
+ systemctl start mc-velocity
+fi
+
+systemctl enable mc-velocity
+
+
diff --git a/install/tailscale.sh b/install/tailscale.sh
new file mode 100644
index 0000000..dee03ac
--- /dev/null
+++ b/install/tailscale.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+### tailsclae install
+
+printf "Do you want to install Tailscale now? [Y/n]: \n"
+read ansTail
+
+if [[ "$ansTail" =~ ("y"|"Y") || -z $ansTail ]]; then
+
+ curl -fsSL https://tailscale.com/install.sh | sh
+
+
+ if [[ "$sshBlockRange" =~ ("y"|"Y") || -z $sshBlockRange ]]; then
+ tailscale up --ssh
+ else
+ tailscale up
+ fi
+
+fi
+
+
diff --git a/script.sh b/script.sh
index 6abc8a6..558d6c6 100755
--- a/script.sh
+++ b/script.sh
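Review bot: `cp data/mc-velocity.service /etc/systemd/system/` is resolved against the caller's working directory and its exit status is never checked, so when `data/` is not where the script expects, `systemctl daemon-reload` succeeds and `systemctl start mc-velocity` / `systemctl enable mc-velocity` fail with a "unit not found" that hides the real cause; `cp data/mc-velocity.service /etc/systemd/system/ || exit 1` (or `set -e` at the top of the file) stops at the actual failure. `systemctl enable mc-velocity` runs even when the operator declined to start the proxy, which looks intended but deserves a one-line comment such as `# enable unconditionally so the proxy comes up on the next boot`. `read startServer` should be `read -r startServer`.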
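Review bot: `curl -fsSL https://tailscale.com/install.sh | sh` executes whatever the network returns, as root, with no opportunity to inspect it and no integrity check; downloading to a file first (`curl -fsSLo "$tmp/install.sh" https://tailscale.com/install.sh` followed by `sh "$tmp/install.sh"` after review or a known-checksum comparison), or installing from the distribution's signed apt repository, avoids running a partial or substituted download. A failed `curl -f` is also invisible here: `sh` reads an empty stream and exits 0, so the script continues to `tailscale up` without the binary installed; `set -o pipefail` or the file-based form surfaces the failure. `tailscale up --ssh` enables Tailscale SSH, which, as far as I know, is authorised by the tailnet's ACLs rather than by sshd's configuration, so the decision to turn it on here is worth a comment for the next operator; `read ansTail` should be `read -r ansTail`.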
@@ -1,200 +1,20 @@ #!/bin/bash -printf "Better to run as root, because of permisions handeling.\n" +# Git pull +# Differencies betwen install.cfg a install-old.cfg -sleep 2 +# Stop systemD service -### Firewall - -printf "Do you want to set up firewall rules by iptables? [Y/n]: \n" -read ansFirewallSetup - - -if [[ "$ansFirewallSetup" =~ ("N"|"n") ]]; then - - printf "+ Thanks, working on next bit\n" - - -elif [[ "$ansFirewallSetup" =~ ("Y"|"y") || -z $ansFirewallSetup ]]; then - - printf "Do you want to block non-Tailscale ssh connections? [Y/n]: " - read sshBlockRange - - - if [[ "$sshBlockRange" =~ ("n"|"N") ]]; then - - printf "If you want, input your own IP range [N/range]\n" - read sshRange - - if [[ "$sshRange" =~ ("n"|"N") || -z $sshRange ]]; then - printf "+ Making your SSH connections wide and open. After we are done, do somethink with it. /n" - ipList="*" - else - printf "+ Accepting SSH connections only on these ip's: $sshRange\n" - ipList="$sshRange" - fi - - fi -fi - -### Update - -sleep 2 +# Update or Upgrade ((idk)) printf "+ Updating your base system\n" apt update && apt upgrade -y -printf "+ Installing depandencies \n" - -apt install openjdk-17-jre-headless screen - - -if [[ "$ansFirewallSetup" =~ ("Y"|"y") || -z $ansFirewallSetup ]]; then - apt install iptables -y -fi - -### User managment - -printf "+ creating group and user for proxy \n" -groupadd velocity - -useradd --system --shell /usr/sbin/nologin --home /opt/velocity -g velocity velocity - - -### File structure - -printf "+ creating file structure in /opt/velocity/ \n" -mkdir /opt/velocity - -cp data/velocity*.jar start.sh /opt/velocity/ - -mkdir /opt/velocity/plugins - -cp data/velocity.toml /opt/velocity/ -cp data/forwarding.secret /opt/velocity/ -cp data/start.sh /opt/velocity/ -cp data/server-icon.png /opt/velocity/ - -### Permisions - -printf "+ handeling permisions \n" -chown -R velocity:velocity /opt/velocity/ - - - -### SystemD service -printf "+ Preparign systemD service\n" -cp 
data/mc-velocity.service /etc/systemd/system/ - -systemctl daemon-reload - -### integration of Maxopoly's instructions on firewall - -if [[ "$ansFirewallSetup" =~ ("Y"|"y") || -z "$ansFirewallSetup" ]]; then - - printf "+ Executing firewall setup" - - iptables -P INPUT ACCEPT #Clears existing rules - - iptables -A INPUT -i lo -j ACCEPT #Allow loopback - - iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #Allow continuing connections - - iptables -A INPUT -p tcp --dport 25577 -j ACCEPT #Allow Velocity port - - if [[ "$ipList" = "*" ]]; then - - ### Wide and open - - iiptables -A INPUT -p tcp --dport 22 j ACCEPT # Allow wide and open ssh on port 22 - - elif [[! "$ipList" -z ]]; then - - ### Manual IP range - - iptables -A INPUT -p tcp --dport 22 --source $ipList -j ACCEPT # Allow limited ssh port 22 - fi - - iptables -L ### Good place to paste a manual check to not lock yourself out - - printf "\n Does it looks right? [Y/n]: " - read ansFirewallOK - - if [[ "$ansFirewallOK" =~ ("Y"|"y") || -z "$ansFirewallOK" ]]; then - - iptables -P INPUT DROP #Disallow everythink else - - iptables -P FORWARD DROP #Block all forwarding - - iptables -P OUTPUT ACCEPT #Allow all outgouing - - apt install iptables-persistent -y - - else - - printf "\nOK it is time for manual configuration" - printf "\nAfter you are done ramamber to run 'apt install iptables-persistent' to save your config. System will automaticly remove your work after restart" - - fi -fi - -### tailsclae install - -printf "Do you want to install Tailscale now? [Y/n]: \n" -read ansTail - -if [[ "$ansTail" =~ ("y"|"Y") || -z $ansTail ]]; then - - curl -fsSL https://tailscale.com/install.sh | sh - - - if [[ "$sshBlockRange" =~ ("y"|"Y") || -z $sshBlockRange ]]; then - tailscale up --ssh - else - tailscale up - fi - -fi - -printf "Do you want to run Velocity with Forge server? 
[Y/n]: \n" -read ansForge - -if [[ "$ansForge" =~ ("Y"|"y") || -z $ansForge ]]; then - printf "+ adding reqired plugin \n" - cp data/Ambassador*.jar /opt/velocity/plugins -fi - -printf "Do you want to run it with whitelist plugin? [Y/n]: \n" -read ansWhite - -if [[ "$ansWhite" =~ ("Y"|"y") || -z $ansWhite ]]; then - printf "+ adding reqired plugin \n" - cp data/ReWhitelist*.jar /opt/velocity/plugins - mkdir /opt/velocity/whitelists - cp data/whitelists/* /opt/velocity/whitelists/ -fi - -printf "Do you want to run it with SkinRestorer? [Y/n]: \n" -read ansSkin - -if [[ "$ansSkin" =~ ("Y"|"y") || -z $ansSkin ]]; then - printf "+ adding reqired plugin \n" - cp data/SkinsRestorer.jar /opt/velocity/plugins -fi - -### Start service - -printf "Do you want to start velocity proxy right now? [Y/n]: \n" -read startServer - -if [[ "$startServer" =~ ("y"|"Y") || -z $startServer ]]; then - systemctl start mc-velocity -fi - -systemctl enable mc-velocity printf "\n Everythink is now set up. It is good idea to check these:" printf "\n systemctl status mc-velocity" printf "\n su velocity -s /bin/bash \n" + +# Update install-old.cfg (date as version number)
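Review bot: After this change script.sh only runs `apt update && apt upgrade -y` and prints the closing hints; none of the new install/*.sh files is sourced or executed, so the flow sketched by the placeholder comments (`# Git pull`, `# Stop systemD service`) does not exist yet. When the calls are added they need to be `source install/firewall.sh` (or `. install/firewall.sh`) rather than `bash install/firewall.sh`, because install/base.sh reads `ansFirewallSetup` and install/tailscale.sh reads `sshBlockRange`, both assigned only in install/firewall.sh, and those variables do not survive a child process. The hunk covers the whole file, so the three closing `printf` lines are the end of the script.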