first scripts and configs

README.md

@@ -0,0 +1,5 @@
+# TF Public scripts
+
+This handy repository will make it easy to get a script or config file on a server
+
+Please take care NOT to push scripts with sensitive information in them.

add-tf-users.sh

@@ -0,0 +1,36 @@
+##/bin/bash
+apt -y install zsh
+useradd -Gsudo -m -s /usr/bin/zsh -c "Jan De Landtsheer" delandtj
+mkdir /home/delandtj/.ssh
+wget -qO- https://github.com/delandtj.keys >> /home/delandtj/.ssh/authorized_keys
+chown -R delandtj:delandtj /home/delandtj/.ssh
+
+useradd -m -Gsudo -s /usr/bin/zsh -c "Lee Smet" lee
+mkdir /home/lee/.ssh
+wget -qO- https://github.com/LeeSmet.keys >> /home/lee/.ssh/authorized_keys
+chown -R lee:lee /home/lee/.ssh
+
+useradd -m -Gsudo -s /usr/bin/zsh -c "Dylan Verstraete" verstrad
+mkdir /home/verstrad/.ssh
+wget -qO- https://github.com/dylanVerstraete.keys >> .ssh/authorized_keys
+chown -R verstrad:verstrad /home/verstrad/.ssh
+
+useradd -m -Gsudo -c "Coesens Bert" -s /bin/bash coesensb
+mkdir /home/coesensb/.ssh
+wget -qO- github.com/coesensbert.keys >> .ssh/authorized_keys
+chown -R coesensb:coesensb /home/coesensb/.ssh
+
+useradd -m -Gsudo -c "Peter Nashaat" -s /bin/bash nashaatp
+mkdir /home/nashaatp/.ssh
+wget -qO- https://github.com/PeterNashaat.keys >> .ssh/authorized_keys
+chown -R nashaatp:nashaatp /home/nashaatp/.ssh
+
+useradd -m -Gsudo -c "Ramez Saeed" -s /bin/bash saeedr
+mkdir /home/saeedr/.ssh
+wget -qO- https://github.com/ramezsaeed.keys >> .ssh/authorized_keys
+chown -R saeedr:saeedr /home/saeedr/.ssh
+
+useradd -m -Gsudo -c "Samir Hossny" -s /bin/bash hossnys
+mkdir /home/hossnys/.ssh
+wget -qO- https://github.com/hossnys.keys >> .ssh/authorized_keys
+chown -R hossnys:hossnys /home/hossnys/.ssh

monitoring/install-node-exporter.sh

@@ -0,0 +1,77 @@
+#!/bin/sh -e
+VERSION=1.3.0
+RELEASE=node_exporter-${VERSION}.linux-amd64
+
+_check_root () {
+    if [ $(id -u) -ne 0 ]; then
+        echo "Please run as root" >&2;
+        exit 1;
+    fi
+}
+
+_install_curl () {
+    if [ -x "$(command -v curl)" ]; then
+        return
+    fi
+
+    if [ -x "$(command -v apt-get)" ]; then
+        apt-get update
+        apt-get -y install curl
+    elif [ -x "$(command -v yum)" ]; then
+        yum -y install curl
+    else
+        echo "No known package manager found" >&2;
+        exit 1;
+    fi
+}
+
+_check_root
+_install_curl
+
+cd /tmp
+curl -sSL https://github.com/prometheus/node_exporter/releases/download/v${VERSION}/${RELEASE}.tar.gz | tar xz
+#mkdir -p /opt/node_exporter
+cp ${RELEASE}/node_exporter /usr/local/bin/
+rm -rf /tmp/${RELEASE}
+useradd --system --no-create-home --shell /usr/sbin/nologin prometheus
+
+if [ -x "$(command -v systemctl)" ]; then
+    cat << EOF > /etc/systemd/system/node-exporter.service
+[Unit]
+Description=Prometheus exporter for machine metrics
+
+[Service]
+Restart=always
+User=prometheus
+ExecStart=/usr/local/bin/node_exporter
+ExecReload=/bin/kill -HUP $MAINPID
+TimeoutStopSec=20s
+SendSIGKILL=no
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+    systemctl daemon-reload
+    systemctl enable node-exporter
+    systemctl start node-exporter
+    systemctl status node-exporter
+fi
+#elif [ -x "$(command -v chckconfig)" ]; then
+#    cat << EOF >> /etc/inittab
+#::respawn:/opt/node_exporter/node_exporter
+#EOF
+#elif [ -x "$(command -v initctl)" ]; then
+#    cat << EOF > /etc/init/node-exporter.conf
+#start on runlevel [23456]
+#stop on runlevel [016]
+#exec /opt/node_exporter/node_exporter
+#respawn
+#EOF
+#
+#    initctl reload-configuration
+#    stop node-exporter || true && start node-exporter
+#else
+#    echo "No known service management found" >&2;
+#    exit 1;
+#fi

sshd_config

@@ -0,0 +1,124 @@
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+Port 34022
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+LoginGraceTime 60
+PermitRootLogin no
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+#PasswordAuthentication yes