arainho · January 18, 2023 19:40
diff --git a/pihole_on_vps.sh b/pihole_on_vps.sh
 #!/usr/bin/env bash

 # 🕵️🕵️🕵️ Check
 # 1. read https://docs.pi-hole.net/ftldns/interfaces/
 # 2. go to www.virustotal.com and check 'https://install.pi-hole.net'

 # port 22 is open everywhere
 # port 53 is open only for the value of 'YOUR_HOME_EXTERNAL_IP'

 ### ✏️✏️✏️ fill out
 YOUR_HOME_EXTERNAL_IP="w.x.y.z"       # your office/home external ip or network cidr
 YOUR_VPS_INTERFACE="eth0"             # network interface of your vps

 # 🍓🍓🍓 pi-hole setup
 wget -O basic-install.sh https://install.pi-hole.net    # ensure you open/trust 'basic-install.sh'
 sudo bash basic-install.sh

 apt udpate
 apt upgrade
 # reboot
 apt install sudo vim iftop htop nmap iperf3 iotop screen
 apt install python3-pip

 # ansible
 echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu bionic main" > /etc/apt/sources.list.d/ansible.list
 apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367
 apt update
 apt install ansible

 # etckeeper
 ansible-galaxy install sourcejedi.etckeeper
 cat << EOF > etckeeper.yml
 ---
 - name: Install etckeeper
  hosts: localhost
  connection: local
  become: yes
  gather_facts: yes

  tasks:
    - name: install etckeeper
      include_role:
        name: sourcejedi.etckeeper
    
    - name: "initialize /etc path"
      raw: cd /etc && etckeeper init
      register: etckeeper_init
      failed_when: etckeeper_init.rc >= 2
    
    - name: "perform first commit "
      raw: cd /etc && etckeeper commit "first commit"
      register: etckeeper_commit
      failed_when: etckeeper_commit.rc >= 2
 EOF
 ansible-playbook etckeeper.yml

 # unattended upgrades
 apt-get install unattended-upgrades apt-listchanges
 ansible-galaxy install hifis.unattended_upgrades
 cat << EOF > unattended.yml
 ---
 - name: Unattended upgrades
  hosts: localhost
  connection: local
  become: yes
  gather_facts: yes

  roles:
    - role: hifis.unattended_upgrades 
      unattended_remove_unused_dependencies: true
      unattended_automatic_reboot: true
      unattended_automatic_reboot_time: 04:00
      unattended_update_days: 6
      unattended_origins_patterns:
        - 'origin=Debian,codename=${distro_codename},label=Debian-Security'
        - 'o=Debian,codename=${distro_codename},label=Debian'
      when: 
        - ansible_lsb.id == "Debian"
 EOF
 ansible-playbook unattended.yml

 # 🛡️🛡️🛡️ fail2ban
 ansible-galaxy install robertdebock.fail2ban
 cat << EOF > fail2ban.yml
 ---
 - name: SetupVPS
  hosts: localhost
  connection: local
  become: yes
  gather_facts: yes

  roles:
    - role: robertdebock.fail2ban
 EOF
 ansible-playbook fail2ban.yml
 sed -i 's/#PasswordAuthentication.*/PasswordAuthentication yes/g' /etc/ssh/sshd_config
 grep -r "PasswordAuthentication no" /etc/ssh/sshd_config || exit
 service ssh restart

 # 🔥🔥🔥 ufw
 apt-get install ufw
 ufw reset
 ufw default allow incoming
 ufw deny 1:21/tcp
 ufw deny 23:52/tcp
 ufw deny 54:65535/tcp
 ufw allow ssh
 ufw allow from ${YOUR_HOME_EXTERNAL_IP} to any port 53
 ufw deny 53
 ufw default allow outgoing
 echo y | ufw enable
 ufw status verbose

 # ☠️☠️☠️ Enabling pi-hole on non-local networks is [DANGEROUS]
 # ⚠️⚠️⚠️ Uncomment only if you understand the consequences ... 'https://docs.pi-hole.net/ftldns/interfaces/#potentially-dangerous-options'
 # grep -r local-service /etc/dnsmasq.d/01-pihole.conf && sed -i "s/local-service/interface=${YOUR_VPS_INTERFACE}/g' /etc/dnsmasq.d/01-pihole.conf
 # pihole restartdns

 # swappiness
 grep -r swappiness /etc/sysctl.conf || echo "vm.swappiness=1" >> /etc/sysctl.conf
 sysctl -p
	#!/usr/bin/env bash

	# 🕵️🕵️🕵️ Check
	# 1. read https://docs.pi-hole.net/ftldns/interfaces/
	# 2. go to www.virustotal.com and check 'https://install.pi-hole.net'

	# port 22 is open everywhere
	# port 53 is open only for the value of 'YOUR_HOME_EXTERNAL_IP'

	### ✏️✏️✏️ fill out
	YOUR_HOME_EXTERNAL_IP="w.x.y.z" # your office/home external ip or network cidr
	YOUR_VPS_INTERFACE="eth0" # network interface of your vps

	# 🍓🍓🍓 pi-hole setup
	wget -O basic-install.sh https://install.pi-hole.net # ensure you open/trust 'basic-install.sh'
	sudo bash basic-install.sh

	apt udpate
	apt upgrade
	# reboot
	apt install sudo vim iftop htop nmap iperf3 iotop screen
	apt install python3-pip

	# ansible
	echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu bionic main" > /etc/apt/sources.list.d/ansible.list
	apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367
	apt update
	apt install ansible

	# etckeeper
	ansible-galaxy install sourcejedi.etckeeper
	cat << EOF > etckeeper.yml
	---
	- name: Install etckeeper
	hosts: localhost
	connection: local
	become: yes
	gather_facts: yes

	tasks:
	- name: install etckeeper
	include_role:
	name: sourcejedi.etckeeper

	- name: "initialize /etc path"
	raw: cd /etc && etckeeper init
	register: etckeeper_init
	failed_when: etckeeper_init.rc >= 2

	- name: "perform first commit "
	raw: cd /etc && etckeeper commit "first commit"
	register: etckeeper_commit
	failed_when: etckeeper_commit.rc >= 2
	EOF
	ansible-playbook etckeeper.yml

	# unattended upgrades
	apt-get install unattended-upgrades apt-listchanges
	ansible-galaxy install hifis.unattended_upgrades
	cat << EOF > unattended.yml
	---
	- name: Unattended upgrades
	hosts: localhost
	connection: local
	become: yes
	gather_facts: yes

	roles:
	- role: hifis.unattended_upgrades
	unattended_remove_unused_dependencies: true
	unattended_automatic_reboot: true
	unattended_automatic_reboot_time: 04:00
	unattended_update_days: 6
	unattended_origins_patterns:
	- 'origin=Debian,codename=${distro_codename},label=Debian-Security'
	- 'o=Debian,codename=${distro_codename},label=Debian'
	when:
	- ansible_lsb.id == "Debian"
	EOF
	ansible-playbook unattended.yml

	# 🛡️🛡️🛡️ fail2ban
	ansible-galaxy install robertdebock.fail2ban
	cat << EOF > fail2ban.yml
	---
	- name: SetupVPS
	hosts: localhost
	connection: local
	become: yes
	gather_facts: yes

	roles:
	- role: robertdebock.fail2ban
	EOF
	ansible-playbook fail2ban.yml
	sed -i 's/#PasswordAuthentication.*/PasswordAuthentication yes/g' /etc/ssh/sshd_config
	grep -r "PasswordAuthentication no" /etc/ssh/sshd_config \|\| exit
	service ssh restart

	# 🔥🔥🔥 ufw
	apt-get install ufw
	ufw reset
	ufw default allow incoming
	ufw deny 1:21/tcp
	ufw deny 23:52/tcp
	ufw deny 54:65535/tcp
	ufw allow ssh
	ufw allow from ${YOUR_HOME_EXTERNAL_IP} to any port 53
	ufw deny 53
	ufw default allow outgoing
	echo y \| ufw enable
	ufw status verbose

	# ☠️☠️☠️ Enabling pi-hole on non-local networks is [DANGEROUS]
	# ⚠️⚠️⚠️ Uncomment only if you understand the consequences ... 'https://docs.pi-hole.net/ftldns/interfaces/#potentially-dangerous-options'
	# grep -r local-service /etc/dnsmasq.d/01-pihole.conf && sed -i "s/local-service/interface=${YOUR_VPS_INTERFACE}/g' /etc/dnsmasq.d/01-pihole.conf
	# pihole restartdns

	# swappiness
	grep -r swappiness /etc/sysctl.conf \|\| echo "vm.swappiness=1" >> /etc/sysctl.conf
	sysctl -p