sakura VPSの初期設定するスクリプトを書いてみた

前々から初期設定面倒だなと思っていたので
CentOS6.2用のshellを書いてみました。


OS初期設定部分は、そんなに変わらないんじゃなかろうかと思うので晒してみます。
まずい点などあれば、ご指摘いただけると助かります。

使い方

先頭の変数をお好きな値に変更して実行するだけです。

USER='work user name'          # NOTE: shadows the shell's own USER variable for the rest of the script
PORT='10022'                   # new sshd listen port; the same port is opened in the iptables rules
MAIL='your email'              # where root's mail is forwarded (appended to /etc/aliases)
PUB_KEY='your ssh public key'  # one full authorized_keys line; password login is turned off afterwards


最後のmainで実行するfunctionを設定しているので
install_services の中身などはご自由に変更してみてください。

# Entry point: the steps run in this order because later ones depend on
# earlier ones (create_user must exist before change_sshd_config writes
# /home/$USER/.ssh; add_repos before the mysql install). sshd is restarted
# with password login off before change_iptables opens $PORT, so keep the
# current session open and verify a key login on $PORT before disconnecting.
main() {
  initialize

  # os settings
  create_user
  change_pamd_su
  change_sudores
  change_sshd_config
  change_iptables
  change_aliases
  
  # service
  add_repos
  install_services
  disable_services
  yum_update

  # setup
  #setup_mysql
  #setup_nginx

  finalize
}

gist

gistのlinkがうまく表示されないので、そのまま転載。
https://gist.github.com/raw/2571001/3c44caa019a29c390e9cebc58f9f761b745b72e7/sakura_vps_initialize.sh

#!/bin/sh
# initializing for sakura VPS on CentOS release 6.2 (Final)

##
# Global variables
##
CENT_OS_VERSION='CentOS release 6.2 (Final)'  # exact /etc/redhat-release text accepted by initialize()
USER='work user name'          # NOTE: shadows the shell's own USER variable for the rest of the script
PORT='10022'                   # new sshd listen port; the same port is opened in the iptables rules
MAIL='your email'              # where root's mail is forwarded (appended to /etc/aliases)
PUB_KEY='your ssh public key'  # one full authorized_keys line; password login is turned off afterwards

##
# private
##
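# Print an error banner and terminate the script.
# Arguments: $1 - exit status, $2 - message
# Outputs:   the banner on stderr (stdout is kept for the step log)
# Exits:     with $1 via arithmetic expansion, so an empty $1 becomes 0
_abort() {
  printf '%s\n' '***************' " ERR(${1}):${2}" '***************' >&2
  exit $(($1))
}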
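# Print a warning banner and continue.
# Arguments: $1 - message
# Outputs:   the banner on stderr (stdout is kept for the step log)
_warn() {
  printf '%s\n' '***************' " WARN:${1}" '***************' >&2
}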
# Echo a command line, then run it. The single argument is deliberately
# left unquoted so the shell splits it into words (callers pass "id user");
# a command whose arguments contain spaces or glob characters therefore
# cannot be passed through this helper.
_echo_and_exec() {
  printf -- '-- %s\n' "$1"
  # word-split and glob-expand exactly as the unquoted $1 would
  set -- $1
  "$@"
}
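# Copy $1 to "$1_YYYYmmdd_HHMMSS" (mode and timestamps kept via cp -p)
# before the caller rewrites it. Warns and continues when the file is absent.
# Arguments: $1 - path of the file to back up (spaces are now safe)
# Returns:   cp's status, or 0 after the warning
_backup_file() {
  local src=$1
  if [ -f "$src" ]; then
    cp -p -- "$src" "${src}_$(date +%Y%m%d_%H%M%S)"
  else
    _warn "${src} is not found."
  fi
}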
# Run "yum install -y" for the space-separated package list in $1, echoing
# the command first. $1 is left unquoted on purpose so that a list such as
# 'git nmap' (or trailing yum options) is split into separate arguments.
_yumi() {
  local pkgs=$1
  printf -- '-- yum install -y %s\n' "$pkgs"
  yum install -y $pkgs
}

##
# procs
##
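# Pre-flight checks; aborts with a distinct status per failure.
# Globals: CENT_OS_VERSION, USER, PORT, MAIL, PUB_KEY (read)
# Exits:   1 wrong release, 2 unset variable, 3 not root
initialize() {
  # check os version: only the exact release the script was written for
  local os_ver
  os_ver=$(cat /etc/redhat-release 2>/dev/null)
  if [ "$os_ver" != "$CENT_OS_VERSION" ]; then
    _abort 1 "${os_ver:-unknown OS} is not supported."
  fi

  # check global variables: every one of them is required by a later step
  if [ -z "$USER" ] || [ -z "$PORT" ] || [ -z "$MAIL" ] || [ -z "$PUB_KEY" ]; then
    _abort 2 "Global variables are not specified. Check your script."
  fi

  # passwd/useradd and the writes under /etc all need root
  if [ "$(id -u)" -ne 0 ]; then
    _abort 3 "Run this script as root."
  fi
  clear
}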

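# Reset root's password interactively, then create the work user, set its
# password and add it to wheel (the group pam_wheel and sudoers are set up for).
# Globals: USER (read)
create_user() {
  echo '-- change root password'
  passwd
  echo
  echo "-- create user ${USER}"
  useradd "$USER"
  passwd "$USER"
  # -a appends to the supplementary groups instead of replacing them with wheel only
  usermod -aG wheel "$USER"

  _echo_and_exec "id ${USER}"
}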

# add: auth      required        pam_wheel.so use_uid
# http://www.usupi.org/sysad/105.html
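# Rewrite /etc/pam.d/su with the pam_wheel line enabled, so that only
# members of wheel may su to root. The previous file is backed up first.
change_pamd_su() {
  local file=/etc/pam.d/su
  _backup_file "$file"
  # quoted delimiter: the stack is written literally, nothing is expanded;
  # only stdout goes to the file (cat's errors must not land in a PAM config)
  cat <<'EOS' > "$file"
auth      sufficient      pam_rootok.so
auth      required        pam_wheel.so use_uid
auth      include         system-auth
account   sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account   include         system-auth
password  include         system-auth
session   include         system-auth
session   optional        pam_xauth.so
EOS

  echo "-- modified ${file}"
}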

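# Append passwordless sudo for the whole wheel group to /etc/sudoers.
# Every wheel member (the work user created above) then gets root without
# a password prompt; use '%wheel  ALL=(ALL)       ALL' instead if you want
# sudo to ask for one. The previous file is backed up first.
change_sudores() {
  local file=/etc/sudoers
  _backup_file "$file"
  cat <<'EOS' >> "$file"
%wheel  ALL=(ALL)       NOPASSWD: ALL
EOS

  # a syntax error in sudoers disables sudo entirely, so validate the result
  if command -v visudo >/dev/null 2>&1 && ! visudo -c -f "$file" >/dev/null 2>&1; then
    _warn "${file} failed 'visudo -c'; restore the backup before logging out."
  fi
  echo "-- modified ${file}"
}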

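# Replace sshd_config (custom port, protocol 2 only, key-only login, no root
# login), install the admin's public key for $USER and restart sshd.
# Globals: USER, PORT, PUB_KEY (read)
change_sshd_config() {
  local file=/etc/ssh/sshd_config
  _backup_file "$file"
  # unquoted delimiter on purpose: $PORT is expanded into the file
  cat << EOS > "$file"
# initial settings
Port $PORT
Protocol 2
SyslogFacility AUTHPRIV
ChallengeResponseAuthentication no
GSSAPICleanupCredentials yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# modify settings
PasswordAuthentication no
GSSAPIAuthentication no
UsePAM no

# add settings
PermitRootLogin no
PermitEmptyPasswords no
EOS

  echo "-- modified ${file}"

  # Install the key so $USER can still log in once passwords are off.
  # NOTE(review): assumes useradd placed the home directory under /home —
  # confirm (e.g. getent passwd) if HOME_DIR in /etc/default/useradd differs.
  local ssh_home="/home/${USER}/.ssh"
  mkdir -p "$ssh_home"
  # printf, not echo: the key is written verbatim, with no word-splitting or globbing
  printf '%s\n' "$PUB_KEY" > "${ssh_home}/authorized_keys"
  chmod 600 "${ssh_home}/authorized_keys"
  chown -R "${USER}:${USER}" "$ssh_home"
  chmod 700 "$ssh_home"
  echo "-- created ${ssh_home}"

  # Restart only after the new config parses; a failed restart would leave
  # no sshd listening at all. Keep this session open and verify a fresh key
  # login on the new port before disconnecting.
  if /usr/sbin/sshd -t; then
    service sshd restart
    echo "-- restart sshd"
  else
    _warn "${file} failed 'sshd -t'; sshd was not restarted. Restore the backup."
  fi
}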

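# Write the iptables ruleset and reload it. This is the stock CentOS 6
# workstation chain plus an opening for the new ssh port; everything not
# listed is rejected. The mDNS (udp 5353), IPP (631) and IPsec (proto 50/51)
# rules come from that desktop default and serve no purpose on a VPS — drop
# them if nothing on the host needs them. Port 80 is for the (commented-out)
# web server in install_services.
# Globals: PORT (read)
change_iptables() {
  local file=/etc/sysconfig/iptables
  _backup_file "$file"
  # unquoted delimiter on purpose: $PORT is expanded into the file
  # NOTE(review): '-d 224.0' looks like a truncated '224.0.0.251' (the stock
  # mDNS destination) — confirm before relying on that rule.
  cat << EOS > "$file"
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $PORT -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOS

  echo "-- modified ${file}"
  /etc/init.d/iptables restart
  echo "-- restart iptables"
}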

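# Forward root's mail (e.g. cron output) to $MAIL and rebuild the alias db.
# The line is only appended when it is not already present, so re-running
# the script does not stack duplicates.
# Globals: MAIL (read)
change_aliases() {
  local file=/etc/aliases
  _backup_file "$file"
  if ! grep -qF -- "root: ${MAIL}" "$file" 2>/dev/null; then
    printf 'root: %s\n' "$MAIL" >> "$file"
  fi
  newaliases
  echo "-- modified ${file}"
}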

# for mysql5.5
# Install the remi release package, needed for the MySQL 5.5 packages that
# install_services pulls in with --enablerepo=remi. The package is fetched
# over plain http and its signing key has not been imported yet, so rpm will
# only warn (NOKEY) rather than refuse an unverifiable package; check it
# against a key obtained out-of-band if that matters for this host.
add_repos() {
  local remi_release_url=http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
  rpm -Uvh "$remi_release_url"
  printf -- '-- added remi repos\n'
}

# Install the tool chain for this host. Each _yumi call is one
# "yum install -y" whose string is split into package names (and, for the
# mysql line, into yum options). Order matters: add_repos must have run
# before the mysql line, and mysqld is started right after its packages land.
install_services() {
  # http
  #_yumi install httpd httpd-devel
  #/etc/init.d/mysqld httpd
  #chkconfig httpd on

  # nginx
  # when installing passenger
  #_yumi nginx
  #/etc/init.d/nginx start
  #chkconfig nginx on

  # git
  _yumi 'git nmap'
  # sqlite
  _yumi 'sqlite sqlite-devel'
  # ruby
  _yumi 'openssl-devel curl-devel readline-devel zlib-devel libxml2 libxml2-devel libxslt-devel libyaml-devel libffi-devel'
  # capistrano(nokogiri)
  _yumi 'libxml2 libxml2-devel libxslt libxslt-devel'
  # sphinx
  _yumi sphinx
  # python-setuptools(easy_install)
  _yumi 'python-devel python-setuptools'
  # monit
  _yumi monit
  chkconfig monit on
  # hg — fetched from the network by easy_install (presumably PyPI), outside yum's signature checks
  echo "-- easy_install Mercurial"
  easy_install Mercurial
  # mysql — also enables remi-test, i.e. test-quality packages; drop it from
  # --enablerepo unless a package is only available there
  _yumi 'mysql mysql-server mysql-devel --enablerepo=remi,remi-test'
  /etc/init.d/mysqld start
  chkconfig mysqld on
}

# Turn off boot-time services the author considers unnecessary on this VPS,
# then print the resulting runlevel table. auditd is among them: disabling
# it removes the kernel audit trail, so keep it if you want audit logs here.
disable_services() {
  local svc
  for svc in auditd haldaemon mdmonitor messagebus netfs restorecond smartd; do
    chkconfig "$svc" off
  done
  printf -- '-- disabled services\n'
  chkconfig --list
}

# Bring every installed package up to date, non-interactively.
yum_update() {
  yum update -y
}

#setup_mysql() {
#  #mysql_install_db
#  #mysql_secure_installation
#  ## data load
#  #mysql_upgrade
#}
#setup_nginx() {
#
#
#}

# Closing message: a reboot is advised after the package/kernel update.
finalize() {
  printf '%s\n' 'Done! You should restart.'
}

# Entry point. Every step needs root (passwd, useradd, writes under /etc)
# and the order is load-bearing: create_user must exist before
# change_sshd_config writes /home/$USER/.ssh, and add_repos before the mysql
# install. Lock-out risk when running this over ssh: change_sshd_config
# restarts sshd on $PORT with password login off, but the rules that open
# $PORT are only written by change_iptables, which runs after it. The
# session you run this from presumably survives as an established
# connection; keep it open and verify a key login on $PORT before
# disconnecting.
main() {
  initialize

  # os settings
  create_user
  change_pamd_su
  change_sudores
  change_sshd_config
  change_iptables
  change_aliases
  
  # service
  add_repos
  install_services
  disable_services
  yum_update

  # setup
  #setup_mysql
  #setup_nginx

  finalize
}

##
# execute
##
# run everything; main takes no arguments, so forwarding "$@" changes nothing
main "$@"