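#!/usr/bin/env bash
# Post-install hardening for a pacman-based host: firewall (ufw), AppArmor,
# fail2ban, a sysctl hardening drop-in, and an optional WireGuard tunnel.
#
# Optional environment variables (may also be supplied via ./.env):
#   ENABLE_WIREGUARD     - "y"/"yes" (case-insensitive) turns on the WireGuard step
#   WIREGUARD_CONF_PATH  - path of the wg0 config to install (default: ./wg0.conf)
#
# Every privileged step runs through sudo; the script expects a working sudo.
set -euo pipefail

echo "=== Post-install hardening and VPN setup ==="

# Load optional settings. ./.env is executed as shell code, so it must only be
# writable by a trusted user. The explicit ./ prefix stops bash from looking the
# bare name up on PATH first (the default `sourcepath` behaviour of `source`).
if [[ -f ./.env ]]; then
  # shellcheck disable=SC1091
  source ./.env
fi

sudo pacman -Syu --noconfirm ufw apparmor fail2ban wireguard-tools

# ── Firewall ──
sudo systemctl enable --now ufw
# `reset` discards any existing rule set and disables ufw; it is re-enabled
# below once the defaults are in place.
sudo ufw --force reset
# Default-deny inbound means any remote session (e.g. SSH) is cut off once ufw
# is enabled unless an allow rule is added first — presumably this runs from a
# local console.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable

# ── AppArmor & Fail2ban ──
sudo systemctl enable --now apparmor
sudo systemctl enable --now fail2ban

# ── Sysctl hardening ──
# Quoted heredoc delimiter: the body is written literally, no expansion.
sudo tee /etc/sysctl.d/99-hardening.conf >/dev/null <<'EOF'
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
kernel.randomize_va_space = 2
EOF
sudo sysctl --system

# ── WireGuard (optional) ──
# Resolve the config path once. The previous version applied the ./wg0.conf
# default only inside the test and then expanded the raw variable, which
# aborts under `set -u` when WIREGUARD_CONF_PATH is unset but ./wg0.conf exists.
wg_conf="${WIREGUARD_CONF_PATH:-./wg0.conf}"
if [[ "${ENABLE_WIREGUARD:-no}" =~ ^[Yy][Ee]?[Ss]?$ && -f "$wg_conf" ]]; then
  echo "Setting up WireGuard..."
  # -D creates /etc/wireguard if needed; mode 0600 keeps the config — which
  # carries the interface's private key — readable by root only.
  sudo install -Dm600 -- "$wg_conf" /etc/wireguard/wg0.conf
  sudo systemctl enable --now wg-quick@wg0.service
else
  echo "WireGuard skipped (no config or disabled)."
fi

echo "✅ Post-install setup complete."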