diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 7a6d7cc..d615369 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -3,7 +3,7 @@ name: Deploy to VPS on: push: branches: [main] - workflow_dispatch: # Allows manual triggering + workflow_dispatch: jobs: deploy: 
@@ -11,38 +11,37 @@ jobs: steps: - uses: actions/checkout@v3 - - name: Create setup script with secrets - run: | - sed -i "s/NEW_USER=\"youruser\"/NEW_USER=\"${{ secrets.VPS_USER }}\"/" setup.sh - sed -i "s/NEW_USER_PASSWORD=\"your-secure-password\"/NEW_USER_PASSWORD=\"${{ secrets.VPS_USER_PASSWORD }}\"/" setup.sh - sed -i "s/SSH_PUBLIC_KEY=\"your-public-key-content\"/SSH_PUBLIC_KEY=\"${{ secrets.SSH_PUBLIC_KEY }}\"/" setup.sh - - name: Deploy to VPS uses: appleboy/ssh-action@master + env: + NEW_USER: ${{ secrets.VPS_USER }} + NEW_USER_PASSWORD: ${{ secrets.VPS_USER_PASSWORD }} + SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }} + INSTALL_COOLIFY: ${{ secrets.INSTALL_COOLIFY }} + AUTO_REBOOT: ${{ secrets.AUTO_REBOOT }} + REMOVE_UNUSED_DEPS: ${{ secrets.REMOVE_UNUSED_DEPS }} with: host: ${{ secrets.VPS_HOST }} username: root password: ${{ secrets.VPS_ROOT_PASSWORD }} + envs: NEW_USER,NEW_USER_PASSWORD,SSH_PUBLIC_KEY,INSTALL_COOLIFY,AUTO_REBOOT,REMOVE_UNUSED_DEPS script: | - # Create temporary directory TEMP_DIR=$(mktemp -d) cd $TEMP_DIR - - # Copy setup script from repository cat > setup.sh << 'EOL' ${{ github.workspace }}/setup.sh EOL - - # Make script executable and run it chmod +x setup.sh ./setup.sh - - # Cleanup cd / rm -rf $TEMP_DIR - name: Post-setup instructions - run: | - echo "🎉 Setup completed!" - echo "⚠️ IMPORTANT: After verifying SSH key access works, disable password authentication:" - echo "ssh ${{ secrets.VPS_USER }}@${{ secrets.VPS_HOST }} 'sudo sed -i \"s/PasswordAuthentication yes/PasswordAuthentication no/\" /etc/ssh/sshd_config && sudo systemctl restart sshd'" + run: | + echo "🎉 Setup completed!" 
+ echo "⚠️ IMPORTANT: After verifying SSH key access works, disable password authentication:" + echo "ssh ${{ secrets.VPS_USER }}@${{ secrets.VPS_HOST }} 'sudo sed -i \"s/PasswordAuthentication yes/PasswordAuthentication no/\" /etc/ssh/sshd_config && sudo systemctl restart sshd'" + if [ "${INSTALL_COOLIFY}" = "true" ]; then + echo "⚠️ After configuring your domain in Coolify, remove temporary ports:" + echo "ssh $NEW_USER@ 'sudo ufw delete allow 8000/tcp && sudo ufw delete allow 6001/tcp && sudo ufw delete allow 6002/tcp'" + fi diff --git a/README.md b/README.md index e707f39..586de2b 100644 --- a/README.md +++ b/README.md @@ -24,6 +24,11 @@ This repository contains automation scripts to set up a secure Debian-based VPS - Sets up unattended-upgrades with email notifications - Automatic system cleanup +- **Coolify Installation (Optional)** + - Install Coolify + - Open temporary ports (8000, 6001, 6002) + - Provide instructions for securing after domain setup + ## 🚀 Usage ### 1. Fork this Repository @@ -37,15 +42,9 @@ In your forked repository, go to Settings > Secrets and variables > Actions and - `VPS_USER`: Desired username for the non-root user - `VPS_USER_PASSWORD`: Password for the new user - `SSH_PUBLIC_KEY`: Your SSH public key content (from `~/.ssh/id_rsa.pub`) - -Example values: -```bash -VPS_HOST: 123.456.789.0 -VPS_ROOT_PASSWORD: your-initial-root-password -VPS_USER: john -VPS_USER_PASSWORD: your-secure-user-password -SSH_PUBLIC_KEY: ssh-rsa AAAAB3NzaC1... john@localhost -``` +- `INSTALL_COOLIFY`: Set to "true" to install Coolify, "false" to skip (defaults to "false") +- `AUTO_REBOOT`: Set to "true" for automatic reboot after system updates, "false" to skip (defaults to "false") +- `REMOVE_UNUSED_DEPS`: Set to "true" to remove unused dependencies, "false" to skip (defaults to "false") ⚠️ Security Note: - Never commit these values directly to the repository 
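Review bot: The new `if [ "${INSTALL_COOLIFY}" = "true" ]` block and the `$NEW_USER@` it prints in the Post-setup step read variables that are only set in the Deploy step's `env:` mapping, so here they are empty: the branch never fires and the command is printed without a user or host. Repeat the relevant `env:` entries on this step (adding `VPS_HOST: ${{ secrets.VPS_HOST }}`) and print `ssh "$NEW_USER@$VPS_HOST" '...'`, which also avoids expanding `${{ secrets.* }}` directly inside `run:` as the line above does. `INSTALL_COOLIFY`, `AUTO_REBOOT` and `REMOVE_UNUSED_DEPS` are configuration flags rather than secrets; kept as secrets, the runner masks every literal `true`/`false` in the job log, so repository variables (`vars.`) fit better. The unchanged `script:` heredoc writes the literal string `${{ github.workspace }}/setup.sh` into the remote `setup.sh` rather than the file's contents, which looks pre-existing but means the new `envs:` plumbing cannot reach a real script — worth confirming. The job definition starts before this hunk.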
@@ -53,7 +52,6 @@ SSH_PUBLIC_KEY: ssh-rsa AAAAB3NzaC1... john@localhost - Use strong passwords for both root and user accounts - Keep your SSH private key secure - ### 3. Deploy The setup will automatically deploy when you push to the main branch, or you can manually trigger it from the Actions tab. @@ -77,6 +75,19 @@ ssh your-user@your-vps-host 'sudo sed -i "s/PasswordAuthentication yes/PasswordA - Store your VPS root password securely (in case of emergencies) - Monitor the GitHub Actions logs for the setup result +#### Coolify Configuration + +The setup includes an optional Coolify installation with temporary open ports: +- 8000/tcp: Coolify Web UI +- 6001/tcp: Coolify Websocket +- 6002/tcp: Coolify Terminal + +⚠️ Important: After configuring your domain in Coolify and setting up SSL, remove these temporary ports: +```bash +ssh your-user@your-vps-host 'sudo ufw delete allow 8000/tcp && sudo ufw delete allow 6001/tcp && sudo ufw delete allow 6002/tcp' +``` + +These ports should only be open during initial setup. Once you've configured your domain and SSL in Coolify, all traffic should go through ports 80/443. ## 📋 What Gets Installed @@ -85,6 +96,7 @@ ssh your-user@your-vps-host 'sudo sed -i "s/PasswordAuthentication yes/PasswordA - unattended-upgrades - Docker & Docker Compose - Essential system utilities +- Coolify (optinal) ## ⚙️ Configuration Details 
@@ -154,10 +166,18 @@ Contributions are welcome! Please feel free to submit a Pull Request. This project is licensed under the MIT License - see the LICENSE file for details. -## ⭐ Support +## 💪 Support This Project + +Please give it a ⭐! + +If you find this project useful and are looking for a VPS provider, consider using my affiliate link: + +- [Get a Netcup VPS](https://www.netcup.com/en/?ref=223843) - Starting from €3.99/month +- Excellent performance and reliability +- Perfect for running this setup -If you find this useful, please give it a star! +> 🙏 Using this link supports the maintenance and development of this project at no extra cost to you. ## 🔐 Security -If you discover any security issues, please send an email to [your-email] instead of using the issue tracker. +If you discover any security issues, please send an email to ligno.blades@gmail.com instead of using the issue tracker. diff --git a/setup.sh b/setup.sh index d540e6a..c718114 100644 --- a/setup.sh +++ b/setup.sh @@ -1,9 +1,12 @@ #!/bin/bash # Variables -NEW_USER="youruser" -NEW_USER_PASSWORD="your-secret-password" -SSH_PUBLIC_KEY="your-public-key-content" +NEW_USER="${NEW_USER:-youruser}" +NEW_USER_PASSWORD="${NEW_USER_PASSWORD:-your-secret-password}" +SSH_PUBLIC_KEY="${SSH_PUBLIC_KEY:-your-public-key-content}" +INSTALL_COOLIFY="${INSTALL_COOLIFY:-false}" +AUTO_REBOOT="${AUTO_REBOOT:-false}" +REMOVE_UNUSED_DEPS="${REMOVE_UNUSED_DEPS:-false}" # Update system apt update && apt upgrade -y @@ -31,8 +34,8 @@ Unattended-Upgrade::Mail "root"; Unattended-Upgrade::MailReport "on-change"; Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; Unattended-Upgrade::Remove-New-Unused-Dependencies "true"; -Unattended-Upgrade::Remove-Unused-Dependencies "false"; -Unattended-Upgrade::Automatic-Reboot "true"; +Unattended-Upgrade::Remove-Unused-Dependencies "${REMOVE_UNUSED_DEPS}"; +Unattended-Upgrade::Automatic-Reboot "${AUTO_REBOOT}"; Unattended-Upgrade::Automatic-Reboot-Time "02:00"; EOF 
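Review bot: The `${NEW_USER:-youruser}`, `${NEW_USER_PASSWORD:-your-secret-password}` and `${SSH_PUBLIC_KEY:-your-public-key-content}` fallbacks mean that when a secret is missing or exported empty (`:-` treats empty as unset) the script silently creates a sudo user with the placeholder password from the repository and writes a placeholder string into `authorized_keys`. Credentials should be required rather than defaulted, e.g. `: "${NEW_USER:?NEW_USER is required}"` for each of the three, ideally under `set -euo pipefail` at the top of the script. The same applies to the `@@ -31,8 +34,8 @@` hunk, where `${REMOVE_UNUSED_DEPS}` and `${AUTO_REBOOT}` are spliced into `50unattended-upgrades` without being checked: any value other than `true`/`false` produces a setting unattended-upgrades will not interpret as intended, so validate them with a `case` before the heredoc.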
@@ -75,7 +78,6 @@ ufw default allow outgoing
 ufw allow ssh
 ufw allow http
 ufw allow https
-echo "y" | ufw enable
 
 # Install Docker
 apt install -y ca-certificates curl gnupg
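Review bot: Dropping `echo "y" | ufw enable` from this block leaves the host with the rules configured but the firewall inactive for the rest of the run — the Docker install and the optional Coolify setup — and since the script has no `set -e`, only the new `# enable ufw` block much later turns it on; an aborted session before that point leaves no firewall at all. `ufw allow` works on an already-enabled firewall, so I would keep `echo "y" | ufw enable` here and let the Coolify block add its temporary rules afterwards.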
@@ -91,6 +93,54 @@ echo \
 apt update
 apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
 
+# Optionally install and configure coolify
+if [ "${INSTALL_COOLIFY}" = "true" ]; then
+
+ echo "Installing Coolify..."
+
+ # Temporary Coolify ports
+ echo "⚠️ Adding temporary Coolify ports. Remember to remove them after configuring your domain!"
+ ufw allow 8000/tcp comment 'Temporary Coolify Web UI'
+ ufw allow 6001/tcp comment 'Temporary Coolify Websocket'
+ ufw allow 6002/tcp comment 'Temporary Coolify API'
+
+
+ mkdir -p /data/coolify/{source,ssh,applications,databases,backups,services,proxy,webhooks-during-maintenance}
+ mkdir -p /data/coolify/ssh/{keys,mux}
+ mkdir -p /data/coolify/proxy/dynamic
+
+ ssh-keygen -f /data/coolify/ssh/keys/id.root@host.docker.internal -t ed25519 -N '' -C root@coolify
+
+ cat /data/coolify/ssh/keys/id.root@host.docker.internal.pub >>~/.ssh/authorized_keys
+ chmod 600 ~/.ssh/authorized_keys
+
+ curl -fsSL https://cdn.coollabs.io/coolify/docker-compose.yml -o /data/coolify/source/docker-compose.yml
+ curl -fsSL https://cdn.coollabs.io/coolify/docker-compose.prod.yml -o /data/coolify/source/docker-compose.prod.yml
+ curl -fsSL https://cdn.coollabs.io/coolify/.env.production -o /data/coolify/source/.env
+ curl -fsSL https://cdn.coollabs.io/coolify/upgrade.sh -o /data/coolify/source/upgrade.sh
+
+ chown -R 9999:root /data/coolify
+ chmod -R 700 /data/coolify
+
+ sed -i "s|APP_ID=.*|APP_ID=$(openssl rand -hex 16)|g" /data/coolify/source/.env
+ sed -i "s|APP_KEY=.*|APP_KEY=base64:$(openssl rand -base64 32)|g" /data/coolify/source/.env
+ sed -i "s|DB_PASSWORD=.*|DB_PASSWORD=$(openssl rand -base64 32)|g" /data/coolify/source/.env
+ sed -i "s|REDIS_PASSWORD=.*|REDIS_PASSWORD=$(openssl rand -base64 32)|g" /data/coolify/source/.env
+ sed -i "s|PUSHER_APP_ID=.*|PUSHER_APP_ID=$(openssl rand -hex 32)|g" /data/coolify/source/.env
+ sed -i "s|PUSHER_APP_KEY=.*|PUSHER_APP_KEY=$(openssl rand -hex 32)|g" /data/coolify/source/.env
+ sed -i "s|PUSHER_APP_SECRET=.*|PUSHER_APP_SECRET=$(openssl rand -hex 32)|g" /data/coolify/source/.env
+
+ docker network create --attachable coolify
+
+ docker compose --env-file /data/coolify/source/.env -f /data/coolify/source/docker-compose.yml -f /data/coolify/source/docker-compose.prod.yml up -d --pull always --remove-orphans --force-recreate
+
+ echo "⚠️ After configuring your domain in Coolify, remove temporary ports:"
+ echo "ssh $VPS_USER@$VPS_HOST 'sudo ufw delete allow 8000/tcp && sudo ufw delete allow 6001/tcp && sudo ufw delete allow 6002/tcp'"
+fi
+
+# enable ufw
+echo "y" | ufw enable
+
 # Add user to docker group
 usermod -aG docker $NEW_USER
 
@@ -98,4 +148,20 @@ usermod -aG docker $NEW_USER
 systemctl restart sshd
 systemctl restart fail2ban
 
+# Print access information
+echo "=== IMPORTANT: SAVE THIS INFORMATION ==="
+echo "New user: $NEW_USER"
+echo "Password: $NEW_USER_PASSWORD"
+echo ""
+echo "Test SSH access with: ssh $NEW_USER@"
+echo ""
+echo "After confirming SSH key access works, run:"
+echo "ssh $NEW_USER@ 'sudo sed -i \"s/PasswordAuthentication yes/PasswordAuthentication no/\" /etc/ssh/sshd_config && sudo systemctl restart sshd'"
+echo ""
+if [ "${INSTALL_COOLIFY}" = "true" ]; then
+ echo "⚠️ After configuring your domain in Coolify, remove temporary ports:"
+ echo "ssh $NEW_USER@ 'sudo ufw delete allow 8000/tcp && sudo ufw delete allow 6001/tcp && sudo ufw delete allow 6002/tcp'"
+fi
+echo ""
+echo "==================================="
 echo "Setup completed!"
diff --git a/setup_without_coolify.sh b/setup_without_coolify.sh
new file mode 100644
index 0000000..f8fc69c
--- /dev/null
+++ b/setup_without_coolify.sh
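Review bot: The Coolify block's closing hint `echo "ssh $VPS_USER@$VPS_HOST '...'"` references `VPS_USER` and `VPS_HOST`, which neither the script nor the workflow's `envs:` list defines, so it prints `ssh @ '...'`; the `@@ -98,4 +148,20 @@` hunk has the same gap, with `ssh $NEW_USER@` leaving the host empty. The user side should be `$NEW_USER`, and the host either passed in (a `VPS_HOST` entry in the workflow `env:`/`envs:`) or left out of the message. The `echo "Password: $NEW_USER_PASSWORD"` line writes the new user's password to stdout, which the ssh action relays into the job log; the runner masks exact secret values, but with the script's placeholder fallback nothing is masked, so printing only the username is safer. Nothing in the block checks its `curl`, `ssh-keygen` or `docker compose` calls, so a failed download leaves `.env` missing and the `sed`/`docker compose` steps run against nothing; `set -euo pipefail` at the top or `|| exit 1` on each would stop that. Docker's own iptables rules generally expose published container ports independently of ufw, so `ufw delete allow 8000/tcp` may not actually close the Coolify ports — worth verifying on the host before documenting it as the cleanup step.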
@@ -0,0 +1,112 @@
+#!/bin/bash
+
+# Variables
+NEW_USER="youruser"
+NEW_USER_PASSWORD="your-secret-password"
+SSH_PUBLIC_KEY="your-public-key-content"
+
+# Update system
+apt update && apt upgrade -y
+
+# Install required packages
+apt install -y sudo ufw fail2ban unattended-upgrades apt-listchanges
+
+# Configure unattended-upgrades
+cat > /etc/apt/apt.conf.d/20auto-upgrades << EOF
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+EOF
+
+cat > /etc/apt/apt.conf.d/50unattended-upgrades << EOF
+Unattended-Upgrade::Origins-Pattern {
+ "origin=Debian,codename=\${distro_codename},label=Debian-Security";
+ "origin=Debian,codename=\${distro_codename}-security,label=Debian-Security";
+};
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+Unattended-Upgrade::MinimalSteps "true";
+Unattended-Upgrade::InstallOnShutdown "false";
+Unattended-Upgrade::Mail "root";
+Unattended-Upgrade::MailReport "on-change";
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+Unattended-Upgrade::Remove-Unused-Dependencies "false";
+Unattended-Upgrade::Automatic-Reboot "true";
+Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+EOF
+
+# Enable unattended-upgrades
+systemctl enable unattended-upgrades
+systemctl start unattended-upgrades
+
+# Create new user and add to sudo group
+useradd -m -s /bin/bash $NEW_USER
+echo "$NEW_USER:$NEW_USER_PASSWORD" | chpasswd
+usermod -aG sudo $NEW_USER
+
+# Setup SSH key for new user
+mkdir -p /home/$NEW_USER/.ssh
+echo "$SSH_PUBLIC_KEY" > /home/$NEW_USER/.ssh/authorized_keys
+chmod 700 /home/$NEW_USER/.ssh
+chmod 600 /home/$NEW_USER/.ssh/authorized_keys
+chown -R $NEW_USER:$NEW_USER /home/$NEW_USER/.ssh
+
+# Configure SSH
+sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
+sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config
+sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
+
+# Configure fail2ban
+cat > /etc/fail2ban/jail.local << EOF
+[sshd]
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 3
+bantime = 3600
+findtime = 600
+EOF
+
+# Configure firewall
+ufw default deny incoming
+ufw default allow outgoing
+ufw allow ssh
+ufw allow http
+ufw allow https
+echo "y" | ufw enable
+
+# Install Docker
+apt install -y ca-certificates curl gnupg
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+chmod a+r /etc/apt/keyrings/docker.gpg
+
+echo \
+ "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
+ "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
+ tee /etc/apt/sources.list.d/docker.list > /dev/null
+
+apt update
+apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+
+# Add user to docker group
+usermod -aG docker $NEW_USER
+
+# Restart services
+systemctl restart sshd
+systemctl restart fail2ban
+
+# Print access information
+echo "=== IMPORTANT: SAVE THIS INFORMATION ==="
+echo "New user: $NEW_USER"
+echo "Password: $NEW_USER_PASSWORD"
+echo ""
+echo "Test SSH access with: ssh $NEW_USER@"
+echo ""
+echo "After confirming SSH key access works, run:"
+echo "ssh $NEW_USER@ 'sudo sed -i \"s/PasswordAuthentication yes/PasswordAuthentication no/\" /etc/ssh/sshd_config && sudo systemctl restart sshd'"
+echo "==================================="
+
+echo "Setup completed!"
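Review bot: This file is a copy of the pre-change `setup.sh` with hard-coded `NEW_USER="youruser"`, `NEW_USER_PASSWORD="your-secret-password"` and `SSH_PUBLIC_KEY="your-public-key-content"`, and the commit removes the workflow's `sed` step that used to substitute those placeholders, so nothing fills them in any more: run as-is it creates a sudo user with a password committed to the repository. Rather than a second 112-line script to keep in sync, run `setup.sh` with `INSTALL_COOLIFY=false`, or at least read the three values from the environment as `setup.sh` now does and refuse to run without them. The `sed` edits of `sshd_config` only rewrite lines that literally read `#PasswordAuthentication yes` and `PermitRootLogin yes`; a stock Debian config typically ships `PermitRootLogin` commented out with a different default, and on recent releases drop-ins under `/etc/ssh/sshd_config.d/` can override the main file, so root login and password authentication may remain enabled while the script reports success — writing an explicit drop-in with both settings and running `sshd -t` before `systemctl restart sshd` is more reliable. Printing `$NEW_USER_PASSWORD` at the end has the same job-log exposure as in `setup.sh`.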