From afce9e90a60cebd32a08a37e34c306565b87d0d9 Mon Sep 17 00:00:00 2001
From: konsthol
Date: Sat, 2 Sep 2023 05:23:15 +0300
Subject: [PATCH] I expected something different.
---
 harden | 29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)
diff --git a/harden b/harden
index 94ccf81..da45be0 100755
--- a/harden
+++ b/harden
@@ -231,10 +231,14 @@ function firewallInit {
 sudo ufw default allow outgoing # Allow outgoing connections
 sudo ufw default deny incoming # Deny incoming connections
 sudo ufw allow 22100/tcp # Allow ssh connections on port 22100
+ sudo ufw allow 8000/tcp # Allow portainer connections on port 8000
+ sudo ufw allow 9443/tcp # Allow portainer connections on port 9443
 ;;
 firewalld)
 sudo systemctl enable firewalld # Enable the firewall on boot
 sudo firewall-cmd --permanent --add-port=22100/tcp # Allow ssh connections on port 22100
+ sudo firewall-cmd --permanent --add-port=8000/tcp # Allow portainer connections on port 8000
+ sudo firewall-cmd --permanent --add-port=9443/tcp # Allow portainer connections on port 9443
 ;;
 *)
 printf "%s" "Unsupported firewall"
@@ -278,8 +282,8 @@ function dockerInit {
 sudo machinectl shell secdep@ /bin/bash -c "curl -fsSL https://get.docker.com/rootless | sh"
 # Add important environment variables to the secdep user's .bashrc
 sudo su secdep << 'EOF'
- printf "%s\n" "export PATH=/home/$USER/bin:$PATH" >> "$HOME/.bashrc"
- printf "%s\n" "export DOCKER_HOST=unix:///run/user/$UID/docker.sock" >> "$HOME/.bashrc"
+printf "%s\n" "export PATH=/home/$USER/bin:$PATH" >> "$HOME/.bashrc"
+printf "%s\n" "export DOCKER_HOST=unix:///run/user/$UID/docker.sock" >> "$HOME/.bashrc"
 EOF
 # Enable the user to bind to ports below 1024
 sudo setcap cap_net_bind_service=ep /home/secdep/bin/rootlesskit
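Review bot: The added `ufw allow 8000/tcp` / `9443/tcp` and the matching `firewall-cmd --add-port` rules open the Portainer ports to every source address, which puts the container-management UI on 9443 directly on the Internet next to SSH. Port 8000 is only the Edge agent tunnel and can stay closed unless Edge agents are actually used, and 9443 is better limited to the administrator's network, e.g. `sudo ufw allow from ADMIN_CIDR to any port 9443 proto tcp` (ADMIN_CIDR is a placeholder). The firewalld branch adds `--permanent` rules only, so unless a `firewall-cmd --reload` or a service start happens outside this hunk they take effect only after the next reload. firewallInit starts and ends outside the hunk.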
@@ -332,13 +336,10 @@ EOF
 done
 fi
 # Portainer is a docker image that provides a web interface for docker
- # which will be installed and run on port 9000 by default to make it easier to manage docker
- # CMD1="docker volume create portainer_data # Create a docker volume for portainer"
- # CMD2="docker run -d -p 9000:9000 --name=portainer --restart=unless-stopped -v /home/secdep/.docker/run/docker.sock:/home/secdep/.docker/run/docker.sock -v portainer_data:/data portainer/portainer-ce"
- # CMD2="docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=always -v /$XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock -v ~/.local/share/docker/volumes:/var/lib/docker/volumes -v portainer_data:/data portainer/portainer-ce"
- # sudo -u secdep bash -c "$CMD1" # Create a docker volume for portainer
- # sudo -u secdep bash -c "$CMD2" # Run portainer
- # sudo machinectl shell secdep@ /bin/bash -c "docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=always -v /$XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock -v ~/.local/share/docker/volumes:/var/lib/docker/volumes -v portainer_data:/data portainer/portainer-ce"
+ # which will be installed and run on port 9443 by default to make it easier to manage docker
+ # url to follow after the installation is complete: https://vps_ip:9443
+ # the https:// part is important as portainer will not work without it
+ sudo -E runuser - secdep -c 'docker run -d -p 8000:8000 -p 9443:9443 --name=portainer --restart=always -v /run/user/$UID/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce'
 # Check if the dockerImages array is empty and return 0 if it is
 [[ "${#dockerImages[@]}" -eq 0 ]] && return 0
 # Loop through the dockerImages array
@@ -375,7 +376,7 @@ EOF
 # }
 # Fix banaction ufw with iptables
-# Does not always persist after reboot
+# Does not always persist after reboot.
 function configureFail2ban {
 FAIL2BAN_LOCAL=$(cat <<'EOF'
 [Definition]
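Review bot: The `docker run` on the added `runuser` line pulls `portainer/portainer-ce` with no tag or digest, so every run of the script deploys whatever `latest` resolves to at that moment and a later re-run can silently install a different image; pin it, e.g. `portainer/portainer-ce:VERSION` (VERSION is a placeholder for the release that was tested) or an `@sha256:` digest. `-p 8000:8000 -p 9443:9443` publishes on all interfaces, and with the firewall change in this patch the UI is reachable before an admin account exists; since recent Portainer CE releases disable the initial setup after a timeout, the new comment should tell the operator to finish the setup right after the script ends. `-E` on `sudo` is likely a no-op here because `runuser -` starts a fresh login shell for secdep, and the command has no error handling, so a failed `docker run` (e.g. an existing `portainer` container on a re-run) goes unnoticed — consider appending `|| return 1`. dockerInit starts and ends outside the hunk.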
@@ -471,8 +472,9 @@ EOF
 sudo at now + 1 minute <<< "bash /root/delete_users.sh"
 }
-# The main function will call the check_dependencies function and exit if it fails.
-# It will also output a message to the user to let them know that the script has finished.
+# The main function will call the declared functions in order and exit if any of them fails.
+# It will also pass any arguments passed to the script to the dockerInit function.
+# Then it will output a message to the user and reboot the system in 2 minutes.
 function main {
 printf "%s" "$SCRIPT_NAME script started"
 check_dependencies || exit 1 # Check dependencies and exit if it fails
@@ -492,7 +494,8 @@ function main {
 deleteRemainingUsers || exit 1
 printf "%s" "$SCRIPT_NAME script finished" # Output message to the user
 printf "%s" "System will reboot momentarily" # Output message to the user
- sudo at now + 2 minute <<< "reboot"
+ # Reboot the system in 2 minutes
+ sudo shutdown -r +2
 }
 # Call the main function
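Review bot: The added `sudo shutdown -r +2` has a side effect the new comment should mention: on systemd-based systems a `shutdown` delay of five minutes or less creates `/run/nologin` immediately, so new non-root SSH logins (including the secdep user this script configures) are refused for the whole two-minute window, and the pending reboot can be cancelled with `sudo shutdown -c`. Suggested comment: `# Reboot in 2 minutes (cancel with 'sudo shutdown -c'); on systemd, shutdown writes /run/nologin right away, blocking new non-root logins until the reboot`. The two `printf "%s"` lines just above emit no trailing newline, so the shutdown wall message runs into them; a `\n` in those format strings would keep the final output readable. main begins outside the hunk.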