#!/bin/bash
email=matvey@zabiyaka.net
systemuser=matvey
securitylist=security@zabiyaka.net
monitor=monitor.zabiyaka.net

cat > /etc/apt/sources.list <<EOF
#binary:
deb http://ftp.debian.org/debian/ lenny main contrib non-free
deb http://security.debian.org/ lenny/updates main contrib
#sources:
deb-src http://ftp.debian.org/debian/ lenny main
deb-src http://security.debian.org/ lenny/updates main contrib
#corporate apps:
EOF

#as it is stable - allow security updates by default:
cat > /etc/cron.daily/upgrade <<EOF
#!/bin/bash
/usr/bin/apt-get update &> /dev/null
/usr/bin/apt-get -y upgrade &> /dev/null
EOF

chmod +x /etc/cron.daily/upgrade

#default set of packages
apt-get update && apt-get -y upgrade
apt-get install -y --force-yes ssh vim screen rcs subversion less bzip2 rsync netcat socat nmap dns-browse sshfs davfs2 mutt iproute vlan postfix snmpd snmp debootstrap apt-file dstat ifstat sysstat diffmon backup-manager sudo strace  lsof locales at autoconf automake libtool m4 ruby fakeroot logwatch psmisc pwgen ipcalc ftp make lftp unzip lynx links ntpdate ntp atop mailx
dpkg-reconfigure locales
dpkg-reconfigure backup-manager
#all:
apt-get remove -y portmap lpr cupsys nano

#timezone
tzconfig 

#add default user
groupadd wheel
useradd ${systemuser}
usermod -G wheel ${systemuser}
passwd -d ${systemuser}
grep -v '%wheel  ALL=(ALL) NOPASSWD:ALL' /etc/sudoers > /tmp/spool
cat /tmp/spool > /etc/sudoers
echo '%wheel  ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
mkdir -p /home/${systemuser}/.ssh
cat > /home/${systemuser}/.ssh/authorized_keys <<EOF
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAmryyHCe3Bbs1PS10cKTiXBv8tVybXLmftoRBJcxPWaMaTl13sq3EZcU34T5H1P3PA2XdMb4Lt22w8J2CPEzKtEr2ZbXiKdh9oTGwaWJHdXhzP8CuCJHy8ZPWoCHpTnpuXjM3aNXpc2bBhlwm9U58gm09fF3tZ2hGd0elPjUceKa9ETGe0u5XI3/73W6UC1+b0CAKAS6B7b4ZHoUPSFj+ZGTVTZw7ovJiAl9DCOLh0+KFi5MHsqf07xB8yjVSpOig+6XlorI9iaU4GOadcMGVaw4lRXeryL25p1/KCd9pwF0v+B/gKVKRtYjiCfeGoVk91mBJHdyecl31D4aScGknBlAKbhZJQbDWhRvjrK18xRPFBRlPbY9n7DLwotm/Df+wz7TOK4mBgUDYrnRASIn+7RQDIsABa5be05AtAzn6QMxzl7Ai+sTLmGjcfbG3t9RWpumWdA8ZW9cuH/HF78BUKUIGIohIbJvhvGbx9RUINcjhGTMr/hgxXH1QaOfxd5W8N87v9oDi7EiUmIXLtbRHMcXjWqzaI71ydO7bAaAmcsxIQ6OrnbV8GE8IjUDu3nuaeTa8320vW1E/+swLtVF+SxtgR0/iYX9h5FXZcXp1TkNIw0ZfHrY51bxcD9r3pNH69IMNqYjOh29Fh0usenZJZLlPUnmjkjhqGzUhkNlOc/M= MatveyGladkikh-current
EOF
chown ${systemuser}:${systemuser} /home/${systemuser}/ -R
chmod 700 /home/${systemuser}
chmod 700 /home/${systemuser}/.ssh
chmod 400 /home/${systemuser}/.ssh/authorized_keys

cat > /etc/issue.net <<EOF
*******************************************************
* No bad fish allowed. We appreciate your reports of  *
* insecurity issues to security@zabiyaka.net. We will *
* pay for successful insecurity reports. Thank you.   *
*******************************************************

EOF

#vim
cat > /etc/vim/vimrc <<EOF
runtime! debian.vim
set paste
syntax on
set nomodeline
EOF

#robots mail goest to maillist:
grep -v 'root: ' /etc/aliases > /tmp/aliases
cat /tmp/aliases > /etc/aliases
echo "root: robots@zabiyaka.net" >> /etc/aliases
newaliases


# enable bash completion in interactive shells
cat > /etc/bash.bashrc <<EOF
if [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
fi
EOF

#bash colors
cat >> /etc/profile <<EOF
export PS1='\[\033[01;32m\]\u@\h\[\033[01;34m\] \w $\[\033[00m\] '
export CLICOLOR=1
EOF


#add to users
cat /etc/bash.bashrc > /home/${systemuser}/.bashrc
cat /etc/bash.bashrc > /root/.bashrc

#snmpd
cat > /etc/snmp/snmpd.conf <<EOF
syslocation zabiyaka.net (configure /etc/snmp/snmpd.local.conf)
syscontact Charlie Root <robots@zabiyaka.net> (configure /etc/snmp/snmpd.local.conf)
rocommunity  public monitor.zabiyaka.net
com2sec paranoid  default  public
group MyROSystem v1        paranoid
group MyROSystem v2c       paranoid
group MyROSystem usm       paranoid
group MyROGroup v1         readonly
group MyROGroup v2c        readonly
group MyROGroup usm        readonly
group MyRWGroup v1         readwrite
group MyRWGroup v2c        readwrite
group MyRWGroup usm        readwrite
view all    included  .1                               80
view system included  .iso.org.dod.internet.mgmt.mib-2.system
access MyROSystem ""     any       noauth    exact  system none   none
access MyROGroup ""      any       noauth    exact  all    none   none
access MyRWGroup ""      any       noauth    exact  all    all    none
EOF

#add apt-check:
echo "exec .1.3.6.1.4.1.2021.8.3 aptupdate /usr/local/bin/nagios-check-apt-updates" >> /etc/snmp/snmpd.conf

wget http://matvey.org.ru/pub/src/nagios-check-apt-updates \
-O /usr/local/bin/nagios-check-apt-updates

chmod +x /usr/local/bin/nagios-check-apt-updates

echo "snmp ALL=(ALL) NOPASSWD: /usr/bin/apt-get update" >> /etc/sudoers
echo "snmp ALL=(ALL) NOPASSWD: /usr/bin/apt-get --simulate upgrade" >> /etc/sudoers

#RELOAD SNMPD
/etc/init.d/snmpd reload

#sshfp
for i in `ls /etc/ssh/ssh_host_*_key`; do ssh-keygen -r `hostname`. -f $i | mail ${email}; done

#sshd config
cat > /etc/ssh/sshd_config <<EOF
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ClientAliveInterval 5
ClientAliveCountMax     1000
Port 22
Protocol 2
Banner /etc/issue.net
PrintMotd no
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

cat > /etc/ssh/ssh_config <<EOF
Host *.zabiyaka.net
VerifyHostKeyDNS yes
ForwardAgent yes
EOF
echo "reload sshd? (press CTRL+C to abort)" 
read
#apply configuration
/etc/init.d/ssh reload