#!/bin/bash
#
# Host bootstrap script, intended to be pushed and run by Ansible as root.
# Disables the graphical target, removes ubuntu-advantage-tools on Ubuntu,
# sets the time-zone, picks a clocksource, rewrites /etc/default/grub,
# /etc/sudoers and (further down, partly lost in this copy) per-user dot
# files and /etc/ssh/sshd_config, purges legacy ntp tools and installs a
# fixed package set with openntpd.
#
# Arguments:
#   $1 - ansible group name; "stations" keeps the graphical target/console
#   $2 - country code; assigned below but not used in the visible part
#   $3 - time-zone passed verbatim to `timedatectl set-timezone`
# Globals (written): DEBIAN_FRONTEND, LANG, LANGUAGE, LC_ALL, changed
# Exit status: 1 on usage/precondition errors, 0 otherwise
#
# NOTE(review): this copy of the script lost every here-doc body
# (the text between `<<EOF` and the next `>`); those spots are marked
# below and must be restored from the original before the script is run.
#
# NOTE(review): `set -e` does not abort a failing command that is not the
# last element of an `&&`/`||` list, so most `cmd && echo done` steps below
# continue silently on failure; the "FAIL" markers are the only signal.
set -e
# Only the third argument is checked; the usage text does not name them.
[[ -z $3 ]] && echo " usage: ${0##*/} " && exit 1
ansible_group=$1
country_code=$2
timezone=$3
# just in case one runs the script outside ansible
[[ `pwd` != /root ]] && echo error: assuming current working directory /root/ && exit 1
# Preconditions: all tools below are required later (`command -v` would be
# the portable form of `which`).
[[ ! -x `which lsb_release` ]] && echo error: lsb_release executable not found && exit 1
[[ ! -x `which systemctl` ]] && echo error: systemctl executable not found && exit 1
[[ ! -x `which timedatectl` ]] && echo error: timedatectl executable not found && exit 1
[[ ! -x `which update-alternatives` ]] && echo error: update-alternatives executable not found && exit 1
# used for initial upgrade and for installing a few packages
export DEBIAN_FRONTEND=noninteractive
export LANG=en_US.UTF-8
export LANGUAGE=en_US:en
export LC_ALL=en_US.UTF-8
# no need for graphical startup on a server
if [[ $ansible_group != stations ]]; then
  echo -n disable x11 at boot-time ...
  # `set-default multi-user` resolves to multi-user.target.
  [[ `systemctl get-default` != multi-user.target ]] && systemctl set-default multi-user && echo done || echo already
fi
distro=`lsb_release -is 2>/dev/null`
if [[ $distro = Ubuntu ]]; then
  echo -n remove ubuntu-advantage-tools package ...
  # `grep advantage` matches any package whose dpkg line contains the word.
  [[ -n `dpkg -l | grep advantage` ]] && \
    apt-get -q -y purge ubuntu-advantage-tools >/dev/null 2>&1 && echo done || echo already
  rm -rf /etc/ubuntu-advantage/
  rm -rf /var/lib/ubuntu-advantage/
  rm -rf /var/lib/update-manager/
fi
# $timezone is unquoted: a value with spaces would be split into arguments.
echo -n setting up time-zone $timezone ...
timedatectl set-timezone $timezone && echo done
available_clocks=`cat /sys/devices/system/clocksource/clocksource0/available_clocksource`
echo available clocks are $available_clocks
current_clock=`cat /sys/devices/system/clocksource/clocksource0/current_clocksource`
echo current clock is $current_clock
# select the right clock in order of preference
if [[ -n `echo $available_clocks | grep kvm-clock` ]]; then
  if [[ $current_clock != kvm-clock ]]; then
    echo -n enable kvm-clock ...
    echo kvm-clock > /sys/devices/system/clocksource/clocksource0/current_clocksource && echo done
  fi
elif [[ -n `echo $available_clocks | grep hpet` ]]; then
  if [[ $current_clock != hpet ]]; then
    echo -n enable hpet ...
    echo hpet > /sys/devices/system/clocksource/clocksource0/current_clocksource && echo done
  fi
fi
echo -n tuning grub2 ...
# /etc/default/grub.dist doubles as the "already done" marker.
if [[ ! -f /etc/default/grub.dist ]]; then
  if [[ $ansible_group != stations ]]; then
    cmdline_def="net.ifnames=0 biosdevname=0 console=ttyS0"
  else
    cmdline_def="net.ifnames=0 biosdevname=0"
  fi
  echo -n " $cmdline_def ..."
  # $cmdline stays unset (empty in the file) when neither clock is offered.
  if [[ -n `echo $available_clocks | grep kvm-clock` ]]; then
    cmdline="notsc clocksource=kvm-clock"
    echo -n " $cmdline ..."
  elif [[ -n `echo $available_clocks | grep hpet` ]]; then
    cmdline="notsc clocksource=hpet"
    echo -n " $cmdline ..."
  fi
  [[ -f /etc/grub.d/30_os-prober ]] && rm -f /etc/grub.d/30_os-prober
  # NOTE(review): `mv -i` answers its prompt from stdin; under a
  # non-interactive run the outcome depends on what stdin is — confirm.
  [[ -d /etc/default/grub.d/ && ! -d /etc/default/grub.d.disabled/ ]] && mv -i /etc/default/grub.d/ /etc/default/grub.d.disabled/
  mv -i /etc/default/grub /etc/default/grub.dist
  grep -vE '^$|^#' /etc/default/grub.dist > /etc/default/grub.clean
  # NOTE(review): here-doc opener and first body line lost in extraction;
  # only the tail of that line survives. Restore from the original.
  cat > /etc/default/grub < /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="$cmdline_def"
GRUB_CMDLINE_LINUX="$cmdline"
GRUB_DISABLE_OS_PROBER=true
EOF
  # mitigations=0
  # note linux mint has GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
  # note yandex cloud images have GRUB_CMDLINE_LINUX_DEFAULT="net.ifnames=0 biosdevname=0 console=ttyS0"
  update-grub2 >/dev/null 2>&1 && echo done || echo FAIL
  changed=1
  unset cmdline_def cmdline
else
  echo already
fi
echo -n setup sudoers ...
if [[ -f /etc/sudoers && -f /etc/sudoers.dist ]]; then
  echo already
elif [[ -f /etc/sudoers && ! -f /etc/sudoers.dist ]]; then
  mv -i /etc/sudoers /etc/sudoers.dist
  grep -vE '^#|^$' /etc/sudoers.dist > /etc/sudoers.clean
  # NOTE(review): dropping every `#` line also drops a legacy
  # `#includedir /etc/sudoers.d` directive if the shipped file still uses
  # that form (newer files use `@includedir`), which silently disables
  # every drop-in grant; the new file is also written without a
  # `visudo -cf` check and with the default umask rather than 0440 — confirm
  # whether the lost part of the script fixes ownership and mode.
  grep -vE '^#|^$' /etc/sudoers.dist > /etc/sudoers
elif [[ ! -f /etc/sudoers ]]; then
  echo no sudoers file
fi
# NOTE(review): fixed log names under world-writable /var/tmp are opened
# with `>` as root; a pre-placed symlink would be followed unless the
# kernel's protected_symlinks setting is active — consider mktemp or /var/log.
echo -n update package cache \(/var/tmp/few_packages_cache.log\) ...
apt-get -q -y update > /var/tmp/few_packages_cache.log 2>&1 && echo done || echo FAIL
echo -n "is some ntpd running? "
# Reports the first matching ntpd and chronyd process line, if any.
tmp=`pgrep -a ntpd | head -1; pgrep -a chronyd | head -1` || true
if [[ -n $tmp ]]; then
  echo $tmp
else
  echo no
fi
unset tmp
echo -n purging legacy ntp tools ...
apt-get -q -y purge ntp ntpdate ntpsec ntpsec-ntpdate ntpsec-ntpdig python3-ntp >/dev/null 2>&1 && echo done || echo FAIL
echo -n install a few packages incl openntpd \(/var/tmp/few_packages_install.log\) ...
apt-get -q -y install \
  bash-completion \
  bind9-dnsutils \
  colordiff \
  curl \
  gnupg1 \
  ifupdown \
  inetutils-syslogd \
  jq \
  lsb-release \
  man-db \
  manpages \
  mlocate \
  net-tools \
  openntpd \
  vim-nox \
  wget > /var/tmp/few_packages_install.log 2>&1 && echo done || echo FAIL
# handle /etc/openntpd/ntpd.conf from template
# handle /etc/bash.bashrc from template
echo -n vim-nox as default vi ...
update-alternatives --set vi /usr/bin/vim.nox && echo done || echo FAIL
echo -n vim-nox as default editor ...
update-alternatives --set editor /usr/bin/vim.nox && echo done || echo FAIL
# todo - take advantage of connecting ansible username if there is any
# Iterates /root plus every directory directly under /home/ (word-split;
# a home directory with whitespace in its name would break the loop).
for homedir in /root `find /home/ -maxdepth 1 -mindepth 1 -type d`; do
  user=${homedir##*/}
  [[ $user = root ]] && grp=root || grp=users
  echo -n tuning $homedir/.vimrc ...
  # NOTE(review): root writes into a user-owned directory here; `-f`
  # follows symlinks, so a dangling symlink named .vimrc passes the
  # `! -f` guard and the write lands wherever it points — consider
  # `-e`/`-L` checks or writing a temp file and moving it into place.
  # NOTE(review): the .vimrc and .selected_editor here-doc bodies, the
  # loop's `done`, and the start of the sshd_config section were lost in
  # extraction; only the surviving tokens follow. Restore from the original.
  [[ ! -f $homedir/.vimrc ]] && cat > $homedir/.vimrc < $homedir/.selected_editor < /etc/ssh/sshd_config.clean
  # `Include` directives in sshd_config are not comments and so survive
  # this filter; no `sshd -t` validation is visible before the file is
  # put in place — confirm the lost section handles it before any restart.
  grep -vE '^#|^$' /etc/ssh/sshd_config.dist > /etc/ssh/sshd_config && echo done
  changed=1
fi
# ok=1 changed=0
[[ -z $changed ]] && echo ok - nothing \(or almost nothing\) changed && exit 0
# ok=1 changed=1
echo changed - all done