diff --git a/setup-nasbeery b/setup-nasbeery index 372d578..857ace6 100644 --- a/setup-nasbeery +++ b/setup-nasbeery @@ -86,7 +86,7 @@ if [[ $ID == "debian" ]]; then # pin cockpit to buster backports echo "Configure apt to install cockpit from backports repo" - cat << EOF | tee -i /etc/apt/preferences.d/99-cockpit + cat << EOF > /etc/apt/preferences.d/99-cockpit Package: cockpit cockpit-* Pin: release a=${VERSION_CODENAME}-backports Pin-Priority: 900 @@ -98,7 +98,7 @@ EOF fi echo "Add debian ${VERSION_CODENAME} backports repo" - echo "deb http://ftp.de.debian.org/debian/ ${VERSION_CODENAME}-backports main contrib non-free" | tee -i /etc/apt/sources.list.d/${VERSION_CODENAME}-backports.list + echo "deb http://ftp.de.debian.org/debian/ ${VERSION_CODENAME}-backports main contrib non-free" > /etc/apt/sources.list.d/${VERSION_CODENAME}-backports.list fi # update system and install packages 
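Review bot: The backports source line in the `@@ -98` hunk still fetches over plain `http://ftp.de.debian.org/debian/`. apt verifies the signed Release file, so package integrity does not rest on the transport, but plain HTTP exposes which packages the box pulls and lets an on-path party withhold updates for as long as the old metadata stays valid. If an HTTPS mirror is acceptable, `deb https://deb.debian.org/debian/ ${VERSION_CODENAME}-backports main contrib non-free` closes that gap. The redirect target should also be quoted, `> "/etc/apt/sources.list.d/${VERSION_CODENAME}-backports.list"`; the enclosing `if` opens outside the hunk.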
@@ -134,15 +134,15 @@ DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq -o DPkg::opti if [[ ${VERSION_CODENAME} == "bullseye" ]]; then # add extra apt keys echo "Add wsdd apt repo key" - wget -O - https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key | gpg --dearmor | tee -i /etc/apt/trusted.gpg.d/wsdd.gpg + wget -O - https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key | gpg --dearmor > /etc/apt/trusted.gpg.d/wsdd.gpg # add extra apt repos echo "Add wsdd apt repo url" - echo "deb [signed-by=/etc/apt/trusted.gpg.d/wsdd.gpg] https://pkg.ltec.ch/public/ $(lsb_release -cs) main" | tee -i /etc/apt/sources.list.d/wsdd.list + echo "deb [signed-by=/etc/apt/trusted.gpg.d/wsdd.gpg] https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list fi echo "add 45drives repo key" -wget -O - https://repo.45drives.com/key/gpg.asc | gpg --dearmor | tee -i /etc/apt/trusted.gpg.d/45drives.gpg +wget -O - https://repo.45drives.com/key/gpg.asc | gpg --dearmor > /etc/apt/trusted.gpg.d/45drives.gpg echo "Add 45drives apt repo url" echo "deb [signed-by=/etc/apt/trusted.gpg.d/45drives.gpg arch=amd64] https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list 
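Review bot: Both keyrings in this hunk are written into `/etc/apt/trusted.gpg.d/`, where apt trusts them for every configured source, so the `signed-by=` option on the two `deb` lines does not confine the ltec and 45drives keys to their own repositories. Writing each key outside that directory, for example `... | gpg --dearmor > /usr/share/keyrings/wsdd.gpg` with `signed-by=/usr/share/keyrings/wsdd.gpg` (and the same for 45drives), keeps it scoped to one repository. Separately, `>` creates the target before the pipeline runs, so a failed `wget` leaves an empty keyring behind unless the script enables `pipefail`, which is not visible here. Downloading to a temporary file and comparing the key fingerprint against a pinned value before installing it would cover both the failure case and a swapped key.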
@@ -205,7 +205,7 @@ echo "Remove small Diffie-Hellman moduli" awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe mv -f /etc/ssh/moduli.safe /etc/ssh/moduli echo "Restrict supported key exchange, cipher, and MAC algorithms" -echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com" | tee -i /etc/ssh/sshd_config.d/ssh-audit_hardening.conf +echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf if [ ! $(zfs list $ZPOOL/$SHARE) ] ; then echo "Creating $ZPOOL/$SHARE" 
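Review bot: Nothing after the write to `/etc/ssh/sshd_config.d/ssh-audit_hardening.conf` checks that sshd accepts the file, or reads it at all. Drop-ins in that directory apply only when `sshd_config` carries an `Include` for it, which needs OpenSSH 8.2 or later, and the `sk-ssh-ed25519@openssh.com` entries are 8.2+ as well. If the script still targets buster, as the cockpit comment earlier in the diff suggests, the hardening would be skipped without any error. Adding `sshd -t || exit 1` after the write catches a rejected algorithm name, and `sshd -T | grep -i kexalgorithms` shows whether the drop-in took effect. The single-line `echo -e` string would also be easier to audit as a heredoc.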
@@ -216,8 +216,8 @@ chmod -R 770 /$ZPOOL chown -R $USERNAME:root /$ZPOOL echo "Seting hostname and fqdn" -echo "$HOSTNAME" | tee -i /etc/hostname -cat << EOF | tee -i /etc/hosts +echo "$HOSTNAME" > /etc/hostname +cat << EOF > /etc/hosts # Host addresses 127.0.0.1 localhost 127.0.1.1 $HOSTNAME.$DOMAIN $HOSTNAME @@ -234,7 +234,7 @@ smbpasswd -x $USERNAME usermod -aG sudo $USERNAME echo "Writing cockpit configuration" -cat << EOF | tee -i /etc/cockpit/zfs/config.json +cat << EOF > /etc/cockpit/zfs/config.json { "#1": "COCKPIT ZFS MANAGER", "#2": "WARNING: DO NOT EDIT, AUTO-GENERATED CONFIGURATION", @@ -281,7 +281,7 @@ EOF if [ -f /etc/cockpit/zfs/shares.conf ]; then echo "Creating cockpit zfs shares conf" mkdir -p /etc/cockpit/zfs/ - cat << EOF | tee -i /etc/cockpit/zfs/shares.conf + cat << EOF > /etc/cockpit/zfs/shares.conf # COCKPIT ZFS MANAGER # WARNING: DO NOT EDIT, AUTO-GENERATED CONFIGURATION EOF @@ -292,15 +292,15 @@ sed -i 's/24/48/g' /etc/cron.hourly/zfs-auto-snapshot sed -i 's/12/3/g' /etc/cron.monthly/zfs-auto-snapshot echo "Configure RAID led" -echo -e 'PATH="/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"\n*/1 * * * * root echo 14 > /sys/class/gpio/export 2> /dev/null;echo out > /sys/class/gpio/gpio14/direction ; zpool import -fa -d /dev/ > /dev/null; zpool list| grep -q ONLINE; echo \$? > /sys/class/gpio/gpio14/value' | tee -i /etc/cron.d/raidled +echo -e 'PATH="/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"\n*/1 * * * * root echo 14 > /sys/class/gpio/export 2> /dev/null;echo out > /sys/class/gpio/gpio14/direction ; zpool import -fa -d /dev/ > /dev/null; zpool list| grep -q ONLINE; echo \$? > /sys/class/gpio/gpio14/value' > /etc/cron.d/raidled echo "Write samba server configuration" -cat << EOF | tee -i /etc/samba/smb.conf +cat << EOF > /etc/samba/smb.conf [global] include = registry EOF -cat << EOF | tee -i /etc/samba/import.template +cat << EOF > /etc/samba/import.template [global] workgroup = WORKGROUP log file = /var/log/samba/log.%m
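Review bot: `$HOSTNAME` and `$DOMAIN` go into `/etc/hostname` and `/etc/hosts` in the `@@ -216` hunk with no validation visible here. If either value comes from operator input earlier in the script, whitespace or a newline in it would add unintended aliases or whole extra entries to `/etc/hosts`. A guard before the writes, such as `[[ $HOSTNAME =~ ^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$ ]] || exit 1` with a similar check for `$DOMAIN`, would reject such values. The heredoc for `/etc/hosts` continues past the end of the hunk.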
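Review bot: The guard around the shares.conf write in the `@@ -281` hunk looks inverted. `if [ -f /etc/cockpit/zfs/shares.conf ]` runs the "Creating" branch only when the file already exists, and `>` then truncates it to the two header lines, discarding any share definitions it held. If the intent is to create the file when it is missing, the test should read `if [ ! -f /etc/cockpit/zfs/shares.conf ]; then`; the `mkdir -p` inside the branch supports that reading, since the directory must already exist for `-f` to succeed. The `if` line is context here and its closing `fi` lies outside the hunk.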
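Review bot: The cron entry written to `/etc/cron.d/raidled` in the `@@ -292` hunk runs `zpool import -fa -d /dev/` as root every minute, which force-imports every pool found on any attached device rather than only the NAS pool. On hardware with reachable USB or SATA ports, storage that nobody vetted is imported and mounted without operator action, and `-f` also overrides the check for a pool in use by another host. For an LED status job, consider dropping the import from the cron line, or importing only the expected pool by name and without `-f`. Note too that `zpool list | grep -q ONLINE` succeeds when any one pool is ONLINE, so with several pools a degraded one would not change the LED.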