copy and paste is not a design pattern

.gitignore

@@ -1,8 +1,14 @@
+# User cloud provider credentials
 .env
+# GCE credentials file
 *.json
+# Docker Compose files
 *.yml
 *.yaml
+# IP addresses file
 hosts
+# Private and public keys
 secdep
 secdep.pub
+# Folder with unneeded files
 UnneededFiles/

README.md

@@ -31,7 +31,7 @@ That's where SecDep comes in 💪. With SecDep, you can manage your virtual mach
     - [x] Azure
     - [x] AWS
 - [x] Choice to perform above actions and instance listing on a single or all providers
-- [x] Hardening during creation
+- [x] Hardening during creation (System and Docker)
     - [x] SSH hardening
     - [x] Firewall installation and configuration (UFW or firewalld)
     - [x] Fail2ban installation and configuration
@@ -100,13 +100,13 @@ If you don't have pip installed you can install it by running `sudo apt install
 
 For other systems you can check [here](https://pip.pypa.io/en/stable/installation/) 👈 for more information.
 
-# Walkthrough 🚶
+# Walkthrough <img src="assets/videos/code.gif" height="32px"/>🚶
 
 Assuming you have set up your accounts and have the dependencies installed, you can now start using SecDep.
 
 Check this [page](assets/pages/usage/usage.md) to get more familiar with the program.
 
-# Some program outputs 📊
+# Some program outputs <img src="assets/videos/graph.gif" height="32px"/>
 
 Images and videos of common tasks will reside [here](assets/pages/demo/demo.md)
 
@@ -122,7 +122,7 @@ The ip will be outputted after the creation of the virtual machine.
 
 If for any reason you delete either the public or the private key they will both be regenerated and you should probably delete the virtual machines that use it or find another way to log in and manually put the secdep.pub key to the authorized_keys file of the secdep user.
 
-# Hardening 🛡️
+# System and Docker Hardening 🛡️
 
 By using the `--deploy` flag, apart from the vps creation, you will also get a more secure than default virtual machine.
 
@@ -225,7 +225,7 @@ One last thing to recommend is to change the default sudoers file configuration
 
 # Contributing 🤝
 
-If you want to contribute to the project, you can always open an issue or a pull request.
+If you want to contribute to the project, you can always open an [issue](https://git.konsthol.eu/konsthol/SecDep/issues/new) or a [pull request](https://git.konsthol.eu/konsthol/SecDep/compare/main...main).
 
 # License 📜
 <p align="left">

assets/pages/demo/demo.md

@@ -1,4 +1,4 @@
-# Examples and output
+# Examples and output 📊
 
 ### Actual outputs are more polished than the ones shown here (e.g. colors, better formatting, etc.)
 
@@ -71,3 +71,5 @@ Note: The docker-compose.yml file has to be in the same directory as the script
 Additional Note: By deploying a docker-compose.yml file using the --docker_compose flag, the needed ports will be allowed by the firewall for usage. But by deploying a docker image or docker-compose.yml file through portainer one should then `sudo ufw allow needed_port` and `sudo ufw reload` for them to be usable or `firewall-cmd --permanent --add-port=needed_port` and `sudo firewall-cmd --reload` depending on the distribution.
 
 For convenience, the scirpt will also create another script that checks which ports are to be opened or closed and assign it to a cronjob that will execute it every 20 minutes so one can just wait.
+
+If you ever decide to get a domain name and use it for any docker container, make sure to allow ports 80 and 443 both manually and in the dynamic ports script for it to be usable.

assets/pages/tips_tricks/tips_n_tricks.md

@@ -64,11 +64,11 @@ Example usage:
 
 `secdep -P aws -a deleteall --awsregion us-east-2`
 
-## Usage with Ansible 🤖
+## Usage with Ansible 🤖 goes hand in hand<img src="../../../assets/videos/handshake.gif" height="32px"/>
 
 If you have Ansible installed, you can use the hosts file generated by SecDep to run commands on all of the instances simultaneously.
-This file is located in the SecDep directory and is being updated every time you create or delete an instance. All instances have a secdep user created and you automatically have an ssh key to use for the connection so as long as you create all instances with or without the `--deploy` flag you can easily use Ansible. That is because this flag calls the hardening script which among the hardening steps changes the default ssh port. If you have Ansible playbooks you wish to run on fresh installations you should create the instances without the `--deploy` flag.
+This file is located in the SecDep directory and is being updated every time you create or delete an instance. All instances have a secdep user created and you automatically have an ssh key to use for the connection so you can easily use Ansible to run commands to all of them. If you have Ansible playbooks you wish to run on fresh installations you should create the instances without the `--deploy` flag.
 
 Example usage with ansible from the same directory as the hosts file:
 
-`ansible all -i hosts --private-key=secdep -u secdep -a 'echo "This text was created by Ansible" > /home/secdep/ansible.txt'`
+`ansible all -i hosts --private-key=secdep -u secdep -a 'touch ansible.txt'`

harden

@@ -389,7 +389,7 @@ EOF
     # For portainer (and watchtower), we will be using the --runtime=runc option to run it with runc because
     # it doesn't work with runsc as it is not exposing the docker socket to the container
     # but containers downloaded from it will still use runsc
-    # Note: If a new install of Portainer is not configured within 5 minutes, 
+    # Note: If a new install of Portainer is not configured within 5 minutes,
     # it shuts down internally for security reasons but that does not matter since
     # we reboot after the script is done.
     sudo -E runuser - secdep -c 'docker run --runtime=runc -d -p 8000:8000 -p 9443:9443 --name=portainer --restart=always -v /run/user/$UID/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce'
@@ -667,16 +667,13 @@ function update_system {
             export NEEDRESTART_MODE=a
             export DEBIAN_PRIORITY=critical
             # Running sudo with -E will preserve the environment variables set in the script
-            sudo -E apt update -y && sudo apt upgrade -y # Update the package list and upgrade the packages
-            sudo -E apt install -y
+            sudo -E apt update -y && sudo apt upgrade -y && sudo apt autoremove -y && sudo apt autoclean -y # Update the package list, upgrade the packages, remove unnecessary packages and clean old package's cache
             ;;
         "dnf")                    # If the package manager is dnf
             sudo dnf upgrade -y      # Update the package list
-            sudo dnf install -y
             ;;
         "zypper")                    # If the package manager is zypper
             sudo zypper update -y       # Update the package list
-            sudo zypper install -y
             ;;
         *)
             # If the package manager is not one of the above, output unsupported package manager
@@ -731,7 +728,7 @@ function main {
     # If the username is not secdep, reboot the system in 1 minute
     # We reboot just in case there are any updates that need to be applied
     # It was not the original intention of the script to reboot the system but it is better to be safe than sorry
-    # We also wait (for 1 or 3 minutes depending on the user running it) so that the script can finish as we 
+    # We also wait (for 1 or 3 minutes depending on the user running it) so that the script can finish as we
     # want to see the exit code.
     if [[ "$USER" != "secdep" ]]; then
         sudo shutdown -r +3

secdep.py

@@ -1316,14 +1316,16 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
     console.print("Node is initializing, please wait...", style="bold white")
     console.print("ip to connect to", style="bold white")
     console.print("[bold white]\nIP: %s[/bold white]" % (node.public_ips[0]))
-    # Here is where we write the node's ip to the file
-    with open(SECDEP_HOSTS_FILE, "a") as nodesFile:
-        nodesFile.write(node.public_ips[0]+"\n")
+    # Here is where we write the node's ip to the file with either :22100 or nothing depending on the deploy parameter
     console.print("[u]ssh command:[/u]", style="bold white")
     if args.deploy:
         console.print("[bold white]\nssh -p 22100 -i %s secdep@%s\n[/bold white]" % (SECDEP_SSH_PRIVATE_KEY, node.public_ips[0]))
+        with open(SECDEP_HOSTS_FILE, "a") as nodesFile:
+            nodesFile.write(node.public_ips[0]+":22100\n")
     else:
         console.print("[bold white]\nssh -i %s secdep@%s\n[/bold white]" % (SECDEP_SSH_PRIVATE_KEY, node.public_ips[0]))
+        with open(SECDEP_HOSTS_FILE, "a") as nodesFile:
+            nodesFile.write(node.public_ips[0]+"\n")
     status.stop()
     return node
 
@@ -1487,7 +1489,7 @@ def node_action(action, provider, awsRegion=None):
                 lines = nodesFile.readlines()
             with open(SECDEP_HOSTS_FILE, "w") as nodesFile:
                 for line in lines:
-                    if line.strip("\n") != node.public_ips[0]:
+                    if line.strip("\n") != node.public_ips[0] and line.strip("\n") != node.public_ips[0]+":22100":
                         nodesFile.write(line)
         case _:
             console.print("[u]Invalid[/u] action command", style="bold red")
@@ -1535,7 +1537,7 @@ def node_action_all(action, provider, awsRegion=None):
                     lines = nodesFile.readlines()
                 with open(SECDEP_HOSTS_FILE, "w") as nodesFile:
                     for line in lines:
-                        if line.strip("\n") != node.public_ips[0]:
+                        if line.strip("\n") != node.public_ips[0] and line.strip("\n") != node.public_ips[0]+":22100":
                             nodesFile.write(line)
             case _:
                 console.print("[u]Invalid[/u] action command", style="bold red")