Version control is awful
@@ -64,4 +64,6 @@ You can also specify a port with the `--port` flag.
Note: The docker-compose.yml file has to be in the same directory as the script and be named as `docker-compose.yml`. Also if it contains a volumes section, make sure that the left side path before the ":" corresponting to the host path is not owned by root but by your user and if using portainer make sure to enter the full path in the web editor
Additional Note: By deploying a docker-compose.yml file using the --docker_compose flag, the needed ports will be allowed by the firewall for usage. But by deploying a docker image or docker-compose.yml file through portainer one should then `sudo ufw allow needed_port` and `sudo ufw reload` for them to be usable or `firewall-cmd --permanent --add-port=needed_port` and `sudo firewall-cmd --reload` depending on the distribution
Additional Note: By deploying a docker-compose.yml file using the --docker_compose flag, the needed ports will be allowed by the firewall for usage. But by deploying a docker image or docker-compose.yml file through portainer one should then `sudo ufw allow needed_port` and `sudo ufw reload` for them to be usable or `firewall-cmd --permanent --add-port=needed_port` and `sudo firewall-cmd --reload` depending on the distribution.
For convenience, the scirpt will also create another script that checks which ports are to be opened or closed and assign it to a cronjob that will execute it every 20 minutes so one can just wait.
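Review bot: "scirpt" in the added "For convenience" line should be "script", and the line should say what the cronjob actually does, because it changes the meaning of the notes above it: every 20 minutes it opens in the firewall whatever ports Docker is currently publishing (and closes the ones no longer in use), so a container that publishes a host port becomes reachable through the firewall within 20 minutes with no operator action. As written, the preceding "Additional Note" still tells Portainer users to run `sudo ufw allow needed_port` / `firewall-cmd --permanent --add-port=needed_port` by hand, which the cronjob makes redundant after its first run; state which instruction applies so the two notes do not contradict each other. "corresponting" in the volumes note should be "corresponding".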
harden (32 changes)
@@ -607,9 +607,9 @@ else
sudo ufw reload
fi
TOHERE
# Every 30 minutes check if there are any new ports used by docker and allow them in the firewall
# Every 20 minutes check if there are any new ports used by docker and allow them in the firewall
cat << TOHERE | sudo tee -a /var/spool/cron/crontabs/root > /dev/null 2>&1
*/30 * * * * /root/bin/dynamic_docker_ports_cronjob.sh
*/20 * * * * /root/bin/dynamic_docker_ports_cronjob.sh
TOHERE
sudo chmod +x /root/bin/dynamic_docker_ports_cronjob.sh
sudo systemctl restart cron
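Review bot: the `cat << TOHERE | sudo tee -a /var/spool/cron/crontabs/root` line appends the cron entry unconditionally, so every re-run of the script adds another `*/20 * * * *` line to root's crontab, and on a host hardened with the previous version the old `*/30` entry is never removed, so both schedules keep running. Guard the append, e.g. `sudo crontab -l 2>/dev/null | grep -qF dynamic_docker_ports_cronjob.sh || …`, or write the job to its own file under /etc/cron.d so a re-run overwrites instead of accumulating. Writing the spool file directly also skips the syntax check crontab(1) would perform, and `> /dev/null 2>&1` on the tee discards any write error while the function's exit status is that of the final `sudo systemctl restart cron`, so the caller's `|| exit 1` never sees a failed write.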
@@ -700,32 +700,32 @@ sudo systemctl restart cron
# It will also pass any arguments passed to the script to the dockerInit function.
# Then it will output a message to the user and reboot the system in 2 minutes.
function main {
printf "%s\n" "$SCRIPT_NAME script started"
printf "%s\n" "=> $SCRIPT_NAME script started <="
check_dependencies || exit 1 # Check dependencies and exit if it fails
printf "%s\n" "Dependencies installed"
printf "%s\n" "=> Dependencies installed <="
hardenSSH || exit 1 # Harden ssh and exit if it fails
printf "%s\n" "SSH hardened"
printf "%s\n" "=> SSH hardened <="
firewallInit || exit 1 # Initialize the firewall and exit if it fails
printf "%s\n" "Firewall initialized"
printf "%s\n" "=> Firewall initialized <="
kernelSecurityModuleInit || exit 1 # Initialize the kernel security module and exit if it fails
printf "%s\n" "Kernel security module initialized"
printf "%s\n" "=> Kernel security module initialized <="
configureFail2ban || exit 1 # Initialize fail2ban and exit if it fails
printf "%s\n" "Fail2ban configured"
printf "%s\n" "=> Fail2ban configured <="
# Call the dockerInit function with the arguments passed to the script
dockerInit "$@" || exit 1 # Initialize docker and exit if it fails
printf "%s\n" "Docker Rootless, docker-compose and gVisor installed and configured"
printf "%s\n" "Portainer and Watchtower along with any specified docker images from the command line or a docker-compose.yml file installed"
printf "%s\n" "=> Docker Rootless, docker-compose and gVisor installed and configured <="
printf "%s\n" "=> Portainer and Watchtower along with any specified docker images from the command line or a docker-compose.yml file installed <="
enableServices || exit 1 # Enable the services that need to be restarted and the firewall
printf "%s\n" "Services restarted and firewall enabled"
printf "%s\n" "=> Services restarted and firewall enabled <="
dynamicDockerPortsCronjob || exit 1 # Allow the ports used by docker in the firewall
printf "%s\n" "CronJob to adjust the ports used by docker and the firewall installed"
printf "%s\n" "=> CronJob to adjust the ports used by docker and the firewall installed <="
automaticUpdatesCronjob || exit 1 # Install a cronjob to update the system periodically
printf "%s\n" "CronJob to update the system installed"
printf "%s\n" "=> CronJob to update the system installed <="
# If the username is not secdep, delete the remaining users
[[ "$USER" != "secdep" ]] && deleteRemainingUsers || exit 1 # Delete possible remaining users
printf "%s\n" "Any unnecessary users deleted"
printf "%s\n" "$SCRIPT_NAME script finished" # Output message to the user
printf "%s\n" "System will reboot momentarily" # Output message to the user
printf "%s\n" "=> Any unnecessary users deleted <="
printf "%s\n" "=> $SCRIPT_NAME script finished <=" # Output message to the user
printf "%s\n" "=> System will reboot momentarily <=" # Output message to the user
# Reboot the system in 3 minutes with the shutdown command so that login before the reboot is not possible
# If the username is not secdep, reboot the system in 1 minute
# We reboot just in case there are any updates that need to be applied
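Review bot: `[[ "$USER" != "secdep" ]] && deleteRemainingUsers || exit 1` exits the script with status 1 whenever the user is secdep, because the `|| exit 1` fires on a failed `[[` test just as it does on a failed deleteRemainingUsers; on that path the new "=> Any unnecessary users deleted <=", "=> … script finished <=" and reboot messages are never printed and the reboot is never scheduled. Write it as an explicit conditional, e.g. `if [[ "$USER" != "secdep" ]]; then deleteRemainingUsers || exit 1; fi`. Separately, the comments disagree on the reboot delay (2 minutes in the header comment of main, then 3 minutes and 1 minute in the two comments before the shutdown call); settle on the value the code uses and fix the others, since the "login before the reboot is not possible" rationale depends on the real delay.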