Add standardized Ubuntu LXC security install process with npm and codex

2026-05-10 20:08:47 +00:00
commit be6ddf1416
4 changed files with 158 additions and 0 deletions
@@ -0,0 +1,36 @@
 # Sicherheit: Ubuntu LXC Standard-Setup
 Standardisierter Installationsprozess fuer neue Ubuntu-LXC-Container.
 Installiert unter anderem:
 - Security-Basis: `ufw`, `fail2ban`, `unattended-upgrades`, `auditd`
 - Admin-Tools: `git`, `curl`, `jq`, `tmux`, `htop`
 - Runtime: `nodejs`, `npm`
 - CLI: `@openai/codex`
 ## Standardprozess nach Download
 ```bash
 git clone https://gitea.kanu1.duckdns.org/Kanu/Sicherheit.git
 cd Sicherheit
 chmod +x bin/sicherheit-install scripts/bootstrap_ubuntu_lxc_security.sh
 ./bin/sicherheit-install
 ```
 Optional global verlinken:
 ```bash
 sudo ln -sf "$(pwd)/bin/sicherheit-install" /usr/local/bin/sicherheit-install
 sudo sicherheit-install
 ```
 ## Pruefen
 ```bash
 fail2ban-client status
 ufw status verbose
 systemctl status unattended-upgrades --no-pager
 node --version
 npm --version
 codex --help
 ```
@@ -0,0 +1,11 @@
 #!/usr/bin/env bash
 set -euo pipefail
 SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd -- "${SCRIPT_DIR}/.." && pwd)"
 if [[ "${EUID}" -ne 0 ]]; then
  exec sudo "${REPO_ROOT}/scripts/bootstrap_ubuntu_lxc_security.sh" "$@"
 fi
 exec "${REPO_ROOT}/scripts/bootstrap_ubuntu_lxc_security.sh" "$@"
@@ -0,0 +1,18 @@
 [DEFAULT]
 ignoreip = 127.0.0.1/8 ::1
 bantime  = 1h
 findtime = 10m
 maxretry = 5
 backend  = systemd
 [sshd]
 enabled  = true
 port     = ssh
 logpath  = %(sshd_log)s
 maxretry = 5
 [sshd-ddos]
 enabled  = true
 port     = ssh
 logpath  = %(sshd_log)s
 maxretry = 3
@@ -0,0 +1,93 @@
 #!/usr/bin/env bash
 set -euo pipefail
 if [[ "${EUID}" -ne 0 ]]; then
  echo "Bitte als root ausfuehren (z. B. mit sudo)."
  exit 1
 fi
 export DEBIAN_FRONTEND=noninteractive
 APT_PACKAGES=(
  apt-transport-https
  ca-certificates
  curl
  wget
  gnupg
  lsb-release
  software-properties-common
  jq
  unzip
  git
  vim
  htop
  tmux
  ufw
  fail2ban
  unattended-upgrades
  apt-listchanges
  needrestart
  auditd
  rsyslog
  logrotate
 )
 NODE_MAJOR="20"
 CODEX_NPM_PACKAGE="@openai/codex"
 log() {
  echo "[sicherheit-install] $*"
 }
 log "1/8 Paketindex aktualisieren"
 apt-get update -y
 log "2/8 Basispakete installieren"
 apt-get install -y "${APT_PACKAGES[@]}"
 log "3/8 Automatische Sicherheitsupdates aktivieren"
 dpkg-reconfigure -f noninteractive unattended-upgrades || true
 cat > /etc/apt/apt.conf.d/20auto-upgrades <<'AUTOU'
 APT::Periodic::Update-Package-Lists "1";
 APT::Periodic::Download-Upgradeable-Packages "1";
 APT::Periodic::AutocleanInterval "7";
 APT::Periodic::Unattended-Upgrade "1";
 AUTOU
 log "4/8 fail2ban konfigurieren"
 SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
 if [[ -f "${SCRIPT_DIR}/../config/fail2ban/jail.local" ]]; then
  install -m 0644 "${SCRIPT_DIR}/../config/fail2ban/jail.local" /etc/fail2ban/jail.local
 fi
 systemctl enable fail2ban || true
 systemctl restart fail2ban || true
 log "5/8 UFW Basisregeln setzen"
 ufw allow OpenSSH || true
 ufw allow 80/tcp || true
 ufw allow 443/tcp || true
 ufw --force enable || true
 log "6/8 Node.js ${NODE_MAJOR} installieren"
 if ! command -v node >/dev/null 2>&1; then
  mkdir -p /etc/apt/keyrings
  curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
  echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" > /etc/apt/sources.list.d/nodesource.list
  apt-get update -y
  apt-get install -y nodejs
 fi
 log "7/8 npm aktualisieren und Codex installieren"
 npm install -g npm@latest
 npm install -g "${CODEX_NPM_PACKAGE}"
 log "8/8 Dienste aktivieren"
 systemctl enable unattended-upgrades || true
 systemctl restart unattended-upgrades || true
 systemctl enable auditd || true
 systemctl restart auditd || true
 log "Install abgeschlossen"
 node --version || true
 npm --version || true
 fail2ban-client status || true