2020-06-25 05:31:54 -04:00
#!/bin/bash
output( ) {
2022-12-07 09:44:19 -05:00
echo -e '\e[36m' $1 '\e[0m' ;
2020-06-25 05:31:54 -04:00
}
2021-11-02 01:05:08 -04:00
PANEL = latest
WINGS = latest
2020-11-15 01:35:12 -05:00
2020-06-25 05:31:54 -04:00
preflight( ) {
2022-12-07 09:44:19 -05:00
output "Pterodactyl Installation & Upgrade Script"
output "Copyright © 2018-2023 Thien Tran <contact@tommytran.io>."
output "Please join my Matrix for community support: https://matrix.to/#/#tommy:arcticfoxes.net"
output ""
output "Please note that this script is meant to do installations on a fresh OS."
if [ " $EUID " -ne 0 ] ; then
output "Please run as root."
exit 3
fi
if [ -r /etc/os-release ] ; then
lsb_dist = " $( . /etc/os-release && echo " $ID " ) "
dist_version = " $( . /etc/os-release && echo " $VERSION_ID " ) "
if [ " $lsb_dist " = "rhel" ] || [ " $lsb_dist " = "rocky" ] || [ " $lsb_dist " = "almalinux" ] ; then
dist_version = " $( echo $dist_version | awk -F. '{print $1}' ) "
fi
else
exit 1
fi
if [ " $lsb_dist " = "rhel" ] ; then
if [ $dist_version != "9" ] ; then
output "Unsupported RHEL version. Only RHEL 9 is supported."
exit 2
fi
elif [ " $lsb_dist " = "centos" ] ; then
if [ " $dist_version " != "9" ] ; then
2022-12-19 18:52:55 -05:00
output "Unsupported CentOS version. Only CentOS Stream 9 is supported."
2022-12-07 09:44:19 -05:00
exit 2
fi
elif [ " $lsb_dist " = "rocky" ] ; then
if [ " $dist_version " != "9" ] ; then
2022-12-19 18:52:55 -05:00
output "Unsupported Rocky Linux version. Only Rocky Linux 9 is supported."
2022-12-07 09:44:19 -05:00
exit 2
fi
elif [ " $lsb_dist " = "almalinux" ] ; then
if [ " $dist_version " != "9" ] ; then
2022-12-19 18:52:55 -05:00
output "Unsupported AlmaLinux version. Only AlmaLinux 9 is supported."
2022-12-07 09:44:19 -05:00
exit 2
fi
elif [ " $lsb_dist " != "rhel" ] && [ " $lsb_dist " != "centos" ] && [ " $lsb_dist " != "rocky" ] && [ " $lsb_dist " != "almalinux" ] ; then
output "Unsupported operating system."
output ""
output "Supported OS:"
output "RHEL: 9"
output "CentOS Stream: 9"
output "Rocky Linux: 9"
output "AlmaLinux: 9"
exit 2
fi
2020-06-25 05:31:54 -04:00
}
install_options( ) {
2022-12-07 09:44:19 -05:00
output "Please select your installation option:"
output " [1] Install the panel ${ PANEL } . "
output " [2] Install the wings ${ WINGS } . "
output " [3] Install the panel ${ PANEL } and wings ${ WINGS } . "
output " [4] Upgrade panel to ${ PANEL } . "
output " [5] Upgrade wings to ${ WINGS } . "
output " [6] Upgrade panel to ${ PANEL } and daemon to ${ WINGS } . "
2022-12-07 11:50:40 -05:00
output "[7] Emergency MariaDB root password reset."
output "[8] Emergency database host information reset."
2022-12-07 09:44:19 -05:00
read -r choice
case $choice in
1 ) installoption = 1
output " You have selected ${ PANEL } panel installation only. "
; ;
2 ) installoption = 2
output " You have selected wings ${ WINGS } installation only. "
; ;
3 ) installoption = 3
output " You have selected ${ PANEL } panel and wings ${ WINGS } installation. "
; ;
4 ) installoption = 4
output " You have selected to upgrade the panel to ${ PANEL } . "
; ;
5 ) installoption = 5
output " You have selected to upgrade the daemon to ${ DAEMON } . "
; ;
6 ) installoption = 6
output " You have selected to upgrade panel to ${ PANEL } and daemon to ${ DAEMON } . "
; ;
2022-12-07 11:50:40 -05:00
7 ) installoption = 8
2022-12-07 09:44:19 -05:00
output "You have selected MariaDB root password reset."
; ;
2022-12-07 11:50:40 -05:00
8 ) installoption = 9
2022-12-07 09:44:19 -05:00
output "You have selected Database Host information reset."
; ;
* ) output "You did not enter a valid selection."
install_options
esac
2020-06-25 05:31:54 -04:00
}
required_infos( ) {
2022-12-07 09:44:19 -05:00
output "Please enter the desired user email address:"
read -r email
output "Please enter your FQDN (panel.domain.tld):"
read -r FQDN
timezone = $( timedatectl | grep "Time zone" | awk '{ print $3 }' )
dnf upgrade -y
dnf install -y bind-utils
output "Resolving DNS..."
SERVER_IP = $( dig +short myip.opendns.com @resolver1.opendns.com -4)
DOMAIN_RECORD = $( dig +short ${ FQDN } )
if [ " ${ SERVER_IP } " != " ${ DOMAIN_RECORD } " ] ; then
output ""
output "The entered domain does not resolve to the primary public IP of this server."
output "Please make an A record pointing to your server's IP. For example, if you make an A record called 'panel' pointing to your server's IP, your FQDN is panel.domain.tld"
output "If you are using Cloudflare, please disable the orange cloud."
output "If you do not have a domain, you can get a free one at https://freenom.com"
dns_check
else
output "Domain resolved correctly. Good to go..."
fi
2020-06-25 05:31:54 -04:00
}
install_dependencies( ) {
2022-12-07 09:44:19 -05:00
output "Installing dependencies..."
2022-12-18 03:34:31 -05:00
if [ " $lsb_dist " = "rhel" ] ; then
2022-12-07 09:44:19 -05:00
subscription-manager repos --enable codeready-builder-for-rhel-9-$( arch) -rpms
rpm --import https://raw.githubusercontent.com/tommytran732/Pterodactyl-Script/master/epel9.asc
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
2022-12-18 03:34:31 -05:00
elif [ " $lsb_dist " = "centos" ] ; then
2022-12-07 09:44:19 -05:00
dnf config-manager --set-enabled crb
dnf install -y epel-release epel-next-release
else
dnf config-manager --set-enabled crb
dnf install -y epel-release
fi
#Adding Remi's repo because RHEL 9 does not have php-sodium for php 8.1 yet. Also, it is unclear whether RHEL 9 will get php 8.2 and above modules later on or not.
rpm --import https://raw.githubusercontent.com/tommytran732/Pterodactyl-Script/master/remi9.asc
dnf install -y https://rpms.remirepo.net/enterprise/remi-release-9.rpm
2022-12-07 11:50:40 -05:00
dnf module install -y php:remi-8.1/common
dnf install -y php-bcmath php-gd php-mysqlnd php-pdo php-sodium
systemctl enable --now php-fpm
dnf module install -y composer:2/common
dnf module install -y redis:remi-7.0/common
2022-12-07 09:44:19 -05:00
systemctl enable --now redis
2022-12-07 11:50:40 -05:00
#Adding upstream repo because RHEL's version is extremely oudated.
curl -LsS https://r.mariadb.com/downloads/mariadb_repo_setup | sudo bash
dnf install -y nginx mariadb-server
2022-12-07 09:44:19 -05:00
systemctl enable --now mariadb
2022-12-07 11:50:40 -05:00
cat > /etc/yum.repos.d/nginx.repo <<- 'EOF'
[ nginx-stable]
name = nginx stable repo
baseurl = http://nginx.org/packages/centos/$releasever /$basearch /
gpgcheck = 1
enabled = 1
gpgkey = https://nginx.org/keys/nginx_signing.key
module_hotfixes = true
[ nginx-mainline]
name = nginx mainline repo
baseurl = http://nginx.org/packages/mainline/centos/$releasever /$basearch /
gpgcheck = 1
enabled = 0
gpgkey = https://nginx.org/keys/nginx_signing.key
module_hotfixes = true
EOF
dnf config-manager --enable nginx-mainline
dnf install -y nginx
systemctl enable --now nginx
dnf install -y tuned
tune-adm profile latency-performance
2020-10-11 22:11:37 -04:00
}
2021-09-25 23:20:55 -04:00
install_pterodactyl( ) {
2022-12-07 09:44:19 -05:00
output "Creating the databases and setting root password..."
password = ` cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1`
adminpassword = ` cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1`
rootpassword = ` cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1`
Q0 = "DROP DATABASE IF EXISTS test;"
Q1 = "CREATE DATABASE IF NOT EXISTS panel;"
Q2 = "SET old_passwords=0;"
Q3 = " GRANT ALL ON panel.* TO 'pterodactyl'@'127.0.0.1' IDENTIFIED BY ' $password '; "
2022-12-07 11:50:40 -05:00
Q4 = " GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, CREATE VIEW, EVENT, TRIGGER, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EXECUTE ON *.* TO 'admin'@' $SERVER_IP ' IDENTIFIED BY ' $adminpassword ' WITH GRANT OPTION; "
2022-12-07 09:44:19 -05:00
Q5 = " SET PASSWORD FOR 'root'@'localhost' = PASSWORD(' $rootpassword '); "
Q6 = "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"
Q7 = "DELETE FROM mysql.user WHERE User='';"
Q8 = "DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%';"
Q9 = "FLUSH PRIVILEGES;"
SQL = " ${ Q0 } ${ Q1 } ${ Q2 } ${ Q3 } ${ Q4 } ${ Q5 } ${ Q6 } ${ Q7 } ${ Q8 } ${ Q9 } "
mysql -u root -e " $SQL "
output "Binding MariaDB/MySQL to 0.0.0.0"
if grep -Fqs "bind-address" /etc/my.cnf.d/server.cnf ; then
sed -i 's/#bind-address=0.0.0.0/bind-address=0.0.0.0/' /etc/my.cnf.d/server.cnf
output 'Restarting MariaDB process...'
systemctl restart mariadb
else
output 'A MariaDB configuration file could not be detected! Please contact support.'
fi
output "Downloading Pterodactyl..."
mkdir -p /var/www/pterodactyl
cd /var/www/pterodactyl || exit
if [ ${ PANEL } = "latest" ] ; then
curl -Lo panel.tar.gz https://github.com/pterodactyl/panel/releases/latest/download/panel.tar.gz
else
curl -Lo panel.tar.gz https://github.com/pterodactyl/panel/releases/download/${ PANEL } /panel.tar.gz
fi
tar -xzvf panel.tar.gz
chmod -R 755 storage/* bootstrap/cache/
output "Installing Pterodactyl..."
cp .env.example .env
composer update --no-interaction
composer install --no-dev --optimize-autoloader --no-interaction
php artisan key:generate --force
php artisan p:environment:setup -n --author= $email --url= https://$FQDN --timezone= ${ timezone } --cache= redis --session= database --queue= redis --redis-host= 127.0.0.1 --redis-pass= --redis-port= 6379
php artisan p:environment:database --host= 127.0.0.1 --port= 3306 --database= panel --username= pterodactyl --password= $password
output "To use PHP's internal mail sending, select [mail]. To use a custom SMTP server, select [smtp]. TLS Encryption is recommended."
php artisan p:environment:mail
php artisan migrate --seed --force
php artisan p:user:make --email= $email --admin= 1
sed -i 's/PTERODACTYL_TELEMETRY_ENABLED=true/PTERODACTYL_TELEMETRY_ENABLED=false/' /var/www/pterodactyl/.env
chown -R nginx:nginx * /var/www/pterodactyl
cat > /etc/systemd/system/pteros.service <<- 'EOF'
2022-12-07 07:37:25 -05:00
# Pterodactyl Schedule Service
# ----------------------------------
[ Unit]
Description = Pterodactyl Schedule Service
[ Service]
# On some systems the user and group might be different.
# Some systems use `apache` or `nginx` as the user and group.
User = nginx
Group = nginx
ExecStart = php /var/www/pterodactyl/artisan schedule:run
StandardOutput = null
Type = oneshot
EOF
2022-12-07 09:44:19 -05:00
cat > /etc/systemd/system/pteros.timer <<- 'EOF'
2022-12-07 07:37:25 -05:00
# Pterodactyl Schedule Service Timer
# ----------------------------------
[ Unit]
Description = Pterodactyl Schedule Service Timer
[ Timer]
OnCalendar = *-*-* *:*:00
[ Install]
WantedBy = timers.target
EOF
2022-12-07 06:58:50 -05:00
2022-12-07 09:44:19 -05:00
cat > /etc/systemd/system/pteroq.service <<- 'EOF'
2021-11-01 23:22:30 -04:00
# Pterodactyl Queue Worker File
# ----------------------------------
[ Unit]
2020-06-25 05:31:54 -04:00
Description = Pterodactyl Queue Worker
After = redis-server.service
2021-11-01 23:22:30 -04:00
2020-06-25 05:31:54 -04:00
[ Service]
2021-11-01 23:22:30 -04:00
# On some systems the user and group might be different.
# Some systems use `apache` or `nginx` as the user and group.
2020-06-25 05:31:54 -04:00
User = nginx
Group = nginx
Restart = always
ExecStart = /usr/bin/php /var/www/pterodactyl/artisan queue:work --queue= high,standard,low --sleep= 3 --tries= 3
2021-11-01 23:22:30 -04:00
StartLimitInterval = 180
StartLimitBurst = 30
RestartSec = 5s
2020-06-25 05:31:54 -04:00
[ Install]
WantedBy = multi-user.target
EOF
2022-12-07 07:37:25 -05:00
2022-12-07 09:44:19 -05:00
sudo systemctl daemon-reload
systemctl enable --now pteros.timer
systemctl enable --now pteroq.service
2020-06-25 05:31:54 -04:00
}
upgrade_pterodactyl( ) {
2022-12-07 09:44:19 -05:00
cd /var/www/pterodactyl && php artisan p:upgrade
chown -R nginx:nginx /var/www/pterodactyl
output " Your panel has successfully been updated to version ${ PANEL } "
2020-10-13 00:37:35 -04:00
}
2022-12-07 09:44:19 -05:00
webserver_config( ) {
2020-06-25 05:31:54 -04:00
2022-12-07 09:44:19 -05:00
output "Configuring PHP socket..."
bash -c 'cat > /etc/php-fpm.d/www-pterodactyl.conf' <<-'EOF'
2020-06-25 05:31:54 -04:00
[ pterodactyl]
2021-11-01 23:46:59 -04:00
2020-06-25 05:31:54 -04:00
user = nginx
group = nginx
2021-11-01 23:46:59 -04:00
2022-12-07 09:44:19 -05:00
listen = /run/php-fpm/pterodactyl.sock
2020-06-25 05:31:54 -04:00
listen.owner = nginx
listen.group = nginx
listen.mode = 0750
2021-11-01 23:46:59 -04:00
2020-06-25 05:31:54 -04:00
pm = ondemand
pm.max_children = 9
pm.process_idle_timeout = 10s
pm.max_requests = 200
EOF
2022-12-07 09:44:19 -05:00
systemctl restart php-fpm
2020-06-25 05:31:54 -04:00
2022-12-07 09:44:19 -05:00
output "Configuring Nginx web server..."
2022-12-07 11:50:40 -05:00
rm -f /etc/nginx/conf.d/default.conf
cat > /etc/nginx/conf.d/pterodactyl.conf <<- 'EOF'
2022-12-07 09:44:19 -05:00
server {
listen 80 default_server;
listen [ ::] :80 default_server;
2022-12-07 11:50:40 -05:00
server_name FQDN;
2022-12-07 09:44:19 -05:00
return 301 https://$server_name $request_uri ;
}
server {
listen 443 ssl http2 default_server;
listen [ ::] :443 ssl http2 default_server;
2022-12-07 11:50:40 -05:00
server_name FQDN;
2022-12-07 09:44:19 -05:00
root /var/www/pterodactyl/public;
index index.php;
access_log /var/log/nginx/pterodactyl.app-access.log;
error_log /var/log/nginx/pterodactyl.app-error.log error;
# allow larger file uploads and longer script runtimes
client_max_body_size 100m;
client_body_timeout 120s;
sendfile off;
2022-12-07 11:50:40 -05:00
ssl_certificate /etc/letsencrypt/live/FQDN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/FQDN/privkey.pem;
2022-12-07 09:44:19 -05:00
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256" ;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
2022-12-07 12:34:56 -05:00
add_header Content-Security-Policy "default-src 'none'; connect-src *; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' https://www.gravatar.com; frame-src https://recaptcha.net; manifest-src 'self'; script-src 'self' 'unsafe-inline' https://recaptcha.net https://www.gstatic.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; frame-ancestors 'self'; block-all-mixed-content; base-uri 'none'" ;
2022-12-07 09:44:19 -05:00
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()" ;
add_header Referrer-Policy "same-origin" always;
add_header X-Content-Type-Options "nosniff" always;
#add_header X-UA-Compatible "IE=Edge" always;
add_header X-XSS-Protection "0" always;
add_header Cross-Origin-Resource-Policy same-origin;
add_header Cross-Origin-Opener-Policy same-origin;
add_header X-XSS-Protection "0" always;
add_header Expect-CT "enforce, max-age=63072000" ;
location / {
try_files $uri $uri / /index.php?$query_string ;
}
location ~ \. php$ {
fastcgi_split_path_info ^( .+\. php) ( /.+) $;
fastcgi_pass unix:/run/php-fpm/pterodactyl.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M" ;
fastcgi_param SCRIPT_FILENAME $document_root $fastcgi_script_name ;
fastcgi_param HTTP_PROXY "" ;
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
include /etc/nginx/fastcgi_params;
}
location ~ /\. ht {
deny all;
}
2022-12-07 11:50:40 -05:00
}
EOF
sed -i " s/FQDN/ ${ FQDN } /g " /etc/nginx/conf.d/pterodactyl.conf
2022-12-07 09:44:19 -05:00
service nginx restart
restorecon -R /var/www/pterodactyl
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_execmem 1
setsebool -P httpd_unified 1
2020-06-25 05:31:54 -04:00
}
2020-10-11 22:11:37 -04:00
install_wings( ) {
2022-12-07 09:44:19 -05:00
output "Installing Docker"
dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
2022-12-19 13:53:06 -05:00
dnf -y --allowerasing install docker-ce
2022-12-07 09:44:19 -05:00
systemctl enable --now docker
output "Installing the Pterodactyl wings..."
mkdir -p /etc/pterodactyl
cd /etc/pterodactyl || exit
if [ ${ WINGS } = "latest" ] ; then
curl -L -o /usr/local/bin/wings https://github.com/pterodactyl/wings/releases/latest/download/wings_linux_amd64
else
curl -L -o /usr/local/bin/wings https://github.com/pterodactyl/wings/releases/download/${ WINGS } /wings_linux_amd64
fi
chmod u+x /usr/local/bin/wings
bash -c 'cat > /etc/systemd/system/wings.service' <<-'EOF'
2020-10-11 22:11:37 -04:00
[ Unit]
Description = Pterodactyl Wings Daemon
After = docker.service
2021-11-02 01:10:58 -04:00
Requires = docker.service
PartOf = docker.service
2020-10-11 22:11:37 -04:00
[ Service]
User = root
WorkingDirectory = /etc/pterodactyl
LimitNOFILE = 4096
PIDFile = /var/run/wings/daemon.pid
ExecStart = /usr/local/bin/wings
Restart = on-failure
2021-11-02 01:10:58 -04:00
StartLimitInterval = 180
StartLimitBurst = 30
RestartSec = 5s
2020-10-11 22:11:37 -04:00
[ Install]
WantedBy = multi-user.target
EOF
2021-11-02 01:44:28 -04:00
2022-12-07 09:44:19 -05:00
systemctl enable wings
2022-12-16 15:47:10 -05:00
output "Adding Fail2ban rules for Wings SFTP"
echo ' [ wings]
enabled = true
port = 2022
logpath = /var/log/pterodactyl/wings.log
maxretry = 5
findtime = 3600
bantime = -1
backend = systemd' | tee -a /etc/fail2ban/jail.local
bash -c 'cat > /etc/fail2ban/conf.d/wings.conf' <<-'EOF'
# Fail2Ban filter for wings (Pterodactyl daemon)
#
#
#
# "WARN: [Sep 8 18:51:00.414] failed to validate user credentials (invalid format) ip=<HOST>:51782 subsystem=sftp username=logout"
#
[ INCLUDES]
before = common.conf
[ Definition]
_daemon = wings
failregex = failed to validate user credentials \( [ ^\) ] +\) ip = <HOST>:.* subsystem = sftp username = .*$
ignoreregex =
[ Init]
datepattern = \[ %%b %%d %%H:%%M:%%S.%%f\]
EOF
systemctl restart fail2ban
2022-12-07 09:44:19 -05:00
output " Wings ${ WINGS } has now been installed on your system. "
output "You should go to your panel and configure the node now."
output "If you get `bash: wings: command not found` when running the auto deployment command, replace `wings` with `/usr/local/bin/wings` and it will work."
output "Do `systemctl start wings` after you are done configuring the node."
2020-10-11 22:11:37 -04:00
}
2020-06-25 05:31:54 -04:00
2021-09-26 00:06:17 -04:00
upgrade_wings( ) {
2022-12-14 01:55:50 -05:00
systemctl stop wings
2022-12-07 09:44:19 -05:00
if [ ${ WINGS } = "latest" ] ; then
curl -L -o /usr/local/bin/wings https://github.com/pterodactyl/wings/releases/latest/download/wings_linux_amd64
else
curl -L -o /usr/local/bin/wings https://github.com/pterodactyl/wings/releases/download/${ WINGS } /wings_linux_amd64
fi
chmod u+x /usr/local/bin/wings
2022-12-14 01:55:50 -05:00
systemctl start wings
2022-12-07 09:44:19 -05:00
output " Your wings have been updated to version ${ WINGS } . "
2020-06-25 05:31:54 -04:00
}
firewall( ) {
2022-12-07 09:44:19 -05:00
if [ " $installoption " = "2" ] ; then
2022-12-18 03:34:31 -05:00
if [ " $lsb_dist " = "rhel" ] ; then
2022-12-07 09:44:19 -05:00
subscription-manager repos --enable codeready-builder-for-rhel-9-$( arch) -rpms
rpm --import https://raw.githubusercontent.com/tommytran732/Pterodactyl-Script/master/epel9.asc
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
2022-12-18 03:34:31 -05:00
elif [ " $lsb_dist " = "centos" ] ; then
2022-12-07 09:44:19 -05:00
dnf config-manager --set-enabled crb
dnf install -y epel-release epel-next-release
else
dnf config-manager --set-enabled crb
dnf install -y epel-release
fi
fi
output "Setting up Fail2Ban..."
dnf -y install fail2ban
systemctl enable --now fail2ban
bash -c 'cat > /etc/fail2ban/jail.local' <<-'EOF'
2020-06-25 05:31:54 -04:00
[ DEFAULT]
# Ban hosts for ten hours:
bantime = 36000
[ sshd]
enabled = true
EOF
2022-12-07 09:44:19 -05:00
systemctl restart fail2ban
output "Configuring your firewall..."
dnf -y install firewalld
systemctl enable --now firewalld
firewall-cmd --remove-service= cockpit
if [ " $installoption " = "1" ] ; then
firewall-cmd --permanent --add-service= http
firewall-cmd --permanent --add-service= https
firewall-cmd --permanent --add-service= mysql
elif [ " $installoption " = "2" ] ; then
firewall-cmd --permanent --add-service= http
firewall-cmd --permanent --add-port= 2022/tcp
firewall-cmd --permanent --add-port= 8080/tcp
firewall-cmd --zone= trusted --add-masquerade --permanent
elif [ " $installoption " = "3" ] ; then
firewall-cmd --add-service= http --permanent
firewall-cmd --add-service= https --permanent
firewall-cmd --permanent --add-port= 2022/tcp
firewall-cmd --permanent --add-port= 8080/tcp
firewall-cmd --permanent --add-service= mysql
firewall-cmd --zone= trusted --add-masquerade --permanent
fi
firewall-cmd --reload
2020-06-25 05:31:54 -04:00
}
2022-12-07 11:50:40 -05:00
ssl_certs( ) {
output "Installing Let's Encrypt and creating an SSL certificate..."
dnf -y install certbot
if [ " $installoption " = "1" ] || [ " $installoption " = "3" ] ; then
dnf -y install python3-certbot-nginx
certbot --nginx --redirect --no-eff-email --email " $email " --agree-tos -d " $FQDN "
setfacl -Rdm u:mysql:rx /etc/letsencrypt
setfacl -Rm u:mysql:rx /etc/letsencrypt
sed -i '/\[mysqld\]/a ssl-key=/etc/letsencrypt/live/' " ${ FQDN } " '/privkey.pem' /etc/my.cnf.d/server.cnf
sed -i '/\[mysqld\]/a ssl-ca=/etc/letsencrypt/live/' " ${ FQDN } " '/chain.pem' /etc/my.cnf.d/server.cnf
sed -i '/\[mysqld\]/a ssl-cert=/etc/letsencrypt/live/' " ${ FQDN } " '/cert.pem' /etc/my.cnf.d/server.cnf
systemctl restart mariadb
fi
if [ " $installoption " = "2" ] ; then
certbot certonly --standalone --no-eff-email --email " $email " --agree-tos -d " $FQDN " --non-interactive
fi
systemctl enable --now certbot-renew.timer
}
linux_hardening( ) {
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
sysctl -p
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf
systemctl restart chronyd
mkdir -p /etc/systemd/system/NetworkManager.service.d
curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
systemctl restart NetworkManager
mkdir -p /etc/systemd/system/irqbalance.service.d
curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
systemctl restart irqbalance
mkdir -p /etc/systemd/system/sshd.service.d
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf
systemctl restart sshd
2022-12-07 17:34:39 -05:00
if [ " $lsb_dist " = "rhel" ] ; then
insights-client --register
dnf install -y yara
insights-client --collector malware-detection
sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml
fi
2022-12-07 11:50:40 -05:00
}
2020-06-25 05:31:54 -04:00
database_host_reset( ) {
2022-12-07 09:44:19 -05:00
adminpassword = ` cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1`
Q0 = "SET old_passwords=0;"
Q1 = " SET PASSWORD FOR 'admin'@' $SERVER_IP ' = PASSWORD(' $adminpassword '); "
Q2 = "FLUSH PRIVILEGES;"
SQL = " ${ Q0 } ${ Q1 } ${ Q2 } "
mysql mysql -e " $SQL "
output "New database admin user information:"
output "User: admin"
output " Password: $adminpassword "
2020-06-25 05:31:54 -04:00
}
2022-12-07 09:44:19 -05:00
print_info( ) {
if [ " $installoption " = "1" ] || [ " $installoption " = "3" ] ; then
print_info_database
fi
output "------------------------------------------------------------------"
output "FIREWALL INFORMATION"
output ""
output "All unnecessary ports are blocked by default."
output "Use 'firewall-cmd --permanent --add-port=<port>/tcp' to enable your desired ports."
output "------------------------------------------------------------------"
output ""
2020-06-25 05:31:54 -04:00
}
2022-12-07 09:44:19 -05:00
print_info_database( ) {
output "------------------------------------------------------------------"
output "MARIADB/MySQL INFORMATION"
output ""
output " Your MariaDB/MySQL root password is $rootpassword "
output ""
output "Create your MariaDB/MySQL host with the following information:"
output " Host: ${ FQDN } "
output "Port: 3306"
output "User: admin"
output " Password: $adminpassword "
output "------------------------------------------------------------------"
output ""
2020-06-25 05:31:54 -04:00
}
#Execution
preflight
install_options
2022-12-07 05:04:42 -05:00
case $installoption in
2022-12-07 09:44:19 -05:00
1) required_infos
2022-12-07 11:50:40 -05:00
linux_hardening
2022-12-07 09:44:19 -05:00
install_dependencies
install_pterodactyl
firewall
ssl_certs
webserver_config
print_info
print_info_database
; ;
2) required_infos
2022-12-07 11:50:40 -05:00
linux_hardening
2022-12-07 09:44:19 -05:00
firewall
ssl_certs
install_wings
print_info
print_info_database
; ;
3) required_infos
2022-12-07 11:50:40 -05:00
linux_hardening
2022-12-07 09:44:19 -05:00
install_dependencies
install_pterodactyl
firewall
ssl_certs
webserver_config
install_wings
print_info
; ;
4) upgrade_pterodactyl
; ;
5) upgrade_wings
; ;
6) upgrade_pterodactyl
upgrade_wings
; ;
2022-12-07 11:50:40 -05:00
7) curl -sSL https://raw.githubusercontent.com/tommytran732/MariaDB-Root-Password-Reset/master/mariadb-104.sh | sudo bash
2022-12-07 09:44:19 -05:00
; ;
2022-12-07 11:50:40 -05:00
8) database_host_reset
2022-12-07 09:44:19 -05:00
; ;
2020-12-31 06:34:36 -05:00
esac