Add standardized Ubuntu LXC security install process with npm and codex

2026-05-10 20:08:47 +00:00
commit be6ddf1416
4 changed files with 158 additions and 0 deletions
@@ -0,0 +1,36 @@
+# Sicherheit: Ubuntu LXC Standard-Setup
+
+Standardisierter Installationsprozess fuer neue Ubuntu-LXC-Container.
+
+Installiert unter anderem:
+- Security-Basis: `ufw`, `fail2ban`, `unattended-upgrades`, `auditd`
+- Admin-Tools: `git`, `curl`, `jq`, `tmux`, `htop`
+- Runtime: `nodejs`, `npm`
+- CLI: `@openai/codex`
+
+## Standardprozess nach Download
+
+```bash
+git clone https://gitea.kanu1.duckdns.org/Kanu/Sicherheit.git
+cd Sicherheit
+chmod +x bin/sicherheit-install scripts/bootstrap_ubuntu_lxc_security.sh
+./bin/sicherheit-install
+```
+
+Optional global verlinken:
+
+```bash
+sudo ln -sf "$(pwd)/bin/sicherheit-install" /usr/local/bin/sicherheit-install
+sudo sicherheit-install
+```
+
+## Pruefen
+
+```bash
+fail2ban-client status
+ufw status verbose
+systemctl status unattended-upgrades --no-pager
+node --version
+npm --version
+codex --help
+```
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd -- "${SCRIPT_DIR}/.." && pwd)"
+
+if [[ "${EUID}" -ne 0 ]]; then
+  exec sudo "${REPO_ROOT}/scripts/bootstrap_ubuntu_lxc_security.sh" "$@"
+fi
+
+exec "${REPO_ROOT}/scripts/bootstrap_ubuntu_lxc_security.sh" "$@"
@@ -0,0 +1,18 @@
+[DEFAULT]
+ignoreip = 127.0.0.1/8 ::1
+bantime  = 1h
+findtime = 10m
+maxretry = 5
+backend  = systemd
+
+[sshd]
+enabled  = true
+port     = ssh
+logpath  = %(sshd_log)s
+maxretry = 5
+
+[sshd-ddos]
+enabled  = true
+port     = ssh
+logpath  = %(sshd_log)s
+maxretry = 3
@@ -0,0 +1,93 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ "${EUID}" -ne 0 ]]; then
+  echo "Bitte als root ausfuehren (z. B. mit sudo)."
+  exit 1
+fi
+
+export DEBIAN_FRONTEND=noninteractive
+
+APT_PACKAGES=(
+  apt-transport-https
+  ca-certificates
+  curl
+  wget
+  gnupg
+  lsb-release
+  software-properties-common
+  jq
+  unzip
+  git
+  vim
+  htop
+  tmux
+  ufw
+  fail2ban
+  unattended-upgrades
+  apt-listchanges
+  needrestart
+  auditd
+  rsyslog
+  logrotate
+)
+
+NODE_MAJOR="20"
+CODEX_NPM_PACKAGE="@openai/codex"
+
+log() {
+  echo "[sicherheit-install] $*"
+}
+
+log "1/8 Paketindex aktualisieren"
+apt-get update -y
+
+log "2/8 Basispakete installieren"
+apt-get install -y "${APT_PACKAGES[@]}"
+
+log "3/8 Automatische Sicherheitsupdates aktivieren"
+dpkg-reconfigure -f noninteractive unattended-upgrades || true
+cat > /etc/apt/apt.conf.d/20auto-upgrades <<'AUTOU'
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";
+AUTOU
+
+log "4/8 fail2ban konfigurieren"
+SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
+if [[ -f "${SCRIPT_DIR}/../config/fail2ban/jail.local" ]]; then
+  install -m 0644 "${SCRIPT_DIR}/../config/fail2ban/jail.local" /etc/fail2ban/jail.local
+fi
+systemctl enable fail2ban || true
+systemctl restart fail2ban || true
+
+log "5/8 UFW Basisregeln setzen"
+ufw allow OpenSSH || true
+ufw allow 80/tcp || true
+ufw allow 443/tcp || true
+ufw --force enable || true
+
+log "6/8 Node.js ${NODE_MAJOR} installieren"
+if ! command -v node >/dev/null 2>&1; then
+  mkdir -p /etc/apt/keyrings
+  curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
+  echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" > /etc/apt/sources.list.d/nodesource.list
+  apt-get update -y
+  apt-get install -y nodejs
+fi
+
+log "7/8 npm aktualisieren und Codex installieren"
+npm install -g npm@latest
+npm install -g "${CODEX_NPM_PACKAGE}"
+
+log "8/8 Dienste aktivieren"
+systemctl enable unattended-upgrades || true
+systemctl restart unattended-upgrades || true
+systemctl enable auditd || true
+systemctl restart auditd || true
+
+log "Install abgeschlossen"
+node --version || true
+npm --version || true
+fail2ban-client status || true