Contents
Introduction
The configs are intentionally simple. I usually try to use the default configurations as much as possible, so I can easily switch between different computers without spending time configuring each of them. Also, I’m not too fond of code or configuration that I don’t understand. It might do magical things, but when things go awry, which they do, I need to be able to fix it.
Setup MacOS
#!/bin/bash
# xcode
xcode-select --install
# ~/.oh-my-zsh
if [ ! -d ~/.oh-my-zsh ]; then
sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
echo '
# GENERAL
export PATH=/opt/homebrew/opt/node@20/bin:/opt/homebrew/opt/curl/bin:/opt/homebrew/bin:/opt/homebrew/sbin:~/go/bin:$PATH
export ZSH="$HOME/.oh-my-zsh"
ZSH_THEME="agnoster"
source $ZSH/oh-my-zsh.sh
# ALIAS
alias ss="source ~/.zshrc"
alias findgit="find . -type f -name config -not -path node_modules -exec grep -H github {} \; 2> /dev/null"
alias cleanmac="brew update && brew upgrade && brew cleanup && brew cleanup -s && brew autoremove && brew doctor"
alias deploy_site="rsync -avr --exclude={.git,node_modules,.DS_Store} \
~/apps/site/ [email protected]:/var/www/site && \
ssh [email protected] "cd /var/www/site; docker compose up -d --build; docker system prune -f; exit""
' | awk '{$1=$1;print}' > ~/.zshrc
fi
# ~/.vimrc
if [ ! -f ~/.vimrc ]; then
echo '
set tabstop=2 shiftwidth=2 expandtab autoindent linebreak wrap number
' | awk '{$1=$1;print}' > ~/.vimrc
fi
# ~/.gitconfig
if [ ! -f ~/.gitconfig ]; then
git config --global user.name "x"
git config --global user.email "[email protected]"
git config --global init.defaultBranch main
fi
# brew
if ( ! command -v brew &> /dev/null ); then
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
brew analytics off
brew update
brew upgrade
brew install jq
brew install go
brew install git
brew install php
brew install composer
brew install node@18
brew install node@20
brew install deno
brew install llvm
brew install rust
brew install ruby
brew install grep
brew install curl
brew install wget
brew install tmux
brew install gnupg
brew install awscli
brew install openssl
brew install nmap
brew install netcat
brew install whois
brew install qrencode
brew install wireguard-tools
brew install --cask google-chrome
brew install --cask firefox
brew install --cask tor-browser
brew install --cask docker
brew install --cask iterm2
brew install --cask visual-studio-code
brew install --cask tableplus
brew install --cask telegram
brew install --cask spotify
brew install --cask trezor-suite
brew install --cask vlc
brew install --cask wireshark
brew install --cask mullvadvpn
fiSetup Debian
#!/bin/bash
# prompt
read -p "Install basic? [y/n] " install_basic
read -p "Install fail2ban? [y/n] " install_fail2ban
read -p "Install docker? [y/n] " install_docker
read -p "Install caddy? [y/n] " install_caddy
read -p "Install hack? [y/n] " install_hack
if [ "$install_basic" = "y" ] && ( ! command -v docker &> /dev/null ); then
# install
sudo apt update
sudo apt upgrade -y
sudo apt install -y ufw
sudo apt install -y git
sudo apt install -y htop
sudo apt install -y tmux
# ssh
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
echo "PermitRootLogin prohibit-password" >> /etc/ssh/sshd_config
echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
echo "Port 55666" >> /etc/ssh/sshd_config
echo "MaxSessions 5" >> /etc/ssh/sshd_config
echo "MaxAuthTries 2" >> /etc/ssh/sshd_config
echo "LoginGraceTime 30" >> /etc/ssh/sshd_config
echo "MaxStartUps 5:30:10" >> /etc/ssh/sshd_config
# re-generate the RSA and ED25519 keys
rm /etc/ssh/ssh_host_*
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
# remove small Diffie-Hellman moduli
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv /etc/ssh/moduli.safe /etc/ssh/moduli
# enable the RSA and ED25519 keys
sed -i 's/^\#HostKey \/etc\/ssh\/ssh_host_\(rsa\|ed25519\)_key$/HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config
# restrict supported key exchange, cipher, and MAC algorithms
echo -e "# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms [email protected],curve25519-sha256,[email protected],gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\n\nCiphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr\n\nMACs [email protected],[email protected],[email protected]\n\nHostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nCASignatureAlgorithms [email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nGSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-\n\nHostbasedAcceptedAlgorithms [email protected],[email protected],[email protected],ssh-ed25519,[email protected],rsa-sha2-512,[email protected],rsa-sha2-256\n\nPubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],ssh-ed25519,[email protected],rsa-sha2-512,[email protected],rsa-sha2-256" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
# restart OpenSSH server
service ssh restart
fi
# fail2ban
if [ "$install_fail2ban" = "y" ] && [ ! -d /etc/fail2ban ]; then
sudo apt install -y fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo sed -i 's/^bantime.*=.*10m$/bantime = 1d/g' /etc/fail2ban/jail.local
sudo sed -i 's/^findtime.*=.*10m$/findtime = 1d/g' /etc/fail2ban/jail.local
sudo sed -i 's/^maxretry.*=.*5$/maxretry = 3/g' /etc/fail2ban/jail.local
sudo sed -i 's/^#mode.*=.*normal$/mode = aggressive/g' /etc/fail2ban/jail.local
sudo systemctl enable fail2ban
sudo systemctl restart fail2ban
fi
# docker
if [ "$install_docker" = "y" ] && ( ! command -v docker &> /dev/null ); then
sudo apt install -y ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
fi
# caddy
if [ "$install_caddy" = "y" ] && ( ! command -v caddy &> /dev/null ); then
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install -y caddy
fi
# hack
if [ "$install_hack" = "y" ] && ( command -v go &> /dev/null ); then
curl -O -L https://go.dev/dl/go1.20.2.linux-amd64.tar.gz
rm -rf /usr/local/go
tar -C /usr/local -xzf go1.20.2.linux-amd64.tar.gz
rm -rf go1.20.2.linux-amd64.tar.gz
echo 'PATH=$PATH:/usr/local/go/bin:$HOME/go/bin' > ~/.bash_profile
source ~/.bash_profile
go install github.com/ffuf/ffuf@latest
go install github.com/tomnomnom/gf@latest
go install github.com/tomnomnom/fff@latest
go install github.com/tomnomnom/anew@latest
go install github.com/lc/gau/v2/cmd/gau@latest
go install github.com/projectdiscovery/dnsx/cmd/dnsx@latest
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest
go install -v github.com/owasp-amass/amass/v3/...@master
fi