Add Ubuntu LXC security baseline bootstrap with fail2ban, npm and codex

2026-05-10 19:59:38 +00:00
commit 7b1e511b5e
3 changed files with 156 additions and 0 deletions
@@ -0,0 +1,94 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ "${EUID}" -ne 0 ]]; then
+  echo "Bitte als root ausführen (z. B. mit sudo)."
+  exit 1
+fi
+
+export DEBIAN_FRONTEND=noninteractive
+
+APT_PACKAGES=(
+  apt-transport-https
+  ca-certificates
+  curl
+  wget
+  gnupg
+  lsb-release
+  software-properties-common
+  jq
+  unzip
+  git
+  vim
+  htop
+  tmux
+  ufw
+  fail2ban
+  unattended-upgrades
+  apt-listchanges
+  needrestart
+  auditd
+  rsyslog
+  logrotate
+)
+
+NODE_MAJOR="20"
+CODEx_NPM_PACKAGE="@openai/codex"
+
+echo "[1/8] Paketindex aktualisieren..."
+apt-get update -y
+
+echo "[2/8] Basispakete installieren..."
+apt-get install -y "${APT_PACKAGES[@]}"
+
+echo "[3/8] Automatische Sicherheitsupdates aktivieren..."
+dpkg-reconfigure -f noninteractive unattended-upgrades || true
+
+cat > /etc/apt/apt.conf.d/20auto-upgrades <<'AUTOU'
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";
+AUTOU
+
+echo "[4/8] Fail2ban konfigurieren..."
+if [[ -f /opt/bootstrap/config/fail2ban/jail.local ]]; then
+  install -m 0644 /opt/bootstrap/config/fail2ban/jail.local /etc/fail2ban/jail.local
+elif [[ -f "$(dirname "$0")/../config/fail2ban/jail.local" ]]; then
+  install -m 0644 "$(dirname "$0")/../config/fail2ban/jail.local" /etc/fail2ban/jail.local
+fi
+
+systemctl enable fail2ban || true
+systemctl restart fail2ban || true
+
+echo "[5/8] UFW Basisregeln setzen (SSH, HTTP, HTTPS)..."
+ufw allow OpenSSH || true
+ufw allow 80/tcp || true
+ufw allow 443/tcp || true
+ufw --force enable || true
+
+echo "[6/8] Node.js ${NODE_MAJOR} installieren..."
+if ! command -v node >/dev/null 2>&1; then
+  mkdir -p /etc/apt/keyrings
+  curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
+  echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" > /etc/apt/sources.list.d/nodesource.list
+  apt-get update -y
+  apt-get install -y nodejs
+fi
+
+echo "[7/8] npm aktualisieren und Codex CLI installieren..."
+npm install -g npm@latest
+npm install -g "${CODEx_NPM_PACKAGE}"
+
+echo "[8/8] Dienste prüfen..."
+systemctl enable unattended-upgrades || true
+systemctl restart unattended-upgrades || true
+systemctl enable auditd || true
+systemctl restart auditd || true
+
+echo
+node --version || true
+npm --version || true
+fail2ban-client status || true
+
+echo "Fertig. Empfohlen: SSH-Härtung und Benutzerrechte zusätzlich prüfen."