Enabled ssh login using password and added post-deploy instructions

legout · legout · commit 7357c390201a · 2024-12-07T14:52:13.000+01:00
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -14,6 +14,7 @@ jobs:
       - name: Create setup script with secrets
         run: |
           sed -i "s/NEW_USER=\"youruser\"/NEW_USER=\"${{ secrets.VPS_USER }}\"/" setup.sh
+          sed -i "s/NEW_USER_PASSWORD=\"your-secure-password\"/NEW_USER_PASSWORD=\"${{ secrets.VPS_USER_PASSWORD }}\"/" setup.sh
           sed -i "s/SSH_PUBLIC_KEY=\"your-public-key-content\"/SSH_PUBLIC_KEY=\"${{ secrets.SSH_PUBLIC_KEY }}\"/" setup.sh
 
       - name: Deploy to VPS
@@ -39,3 +40,9 @@ jobs:
             # Cleanup
             cd /
             rm -rf $TEMP_DIR
+
+      - name: Post-setup instructions
+          run: |
+            echo "🎉 Setup completed!"
+            echo "⚠️ IMPORTANT: After verifying SSH key access works, disable password authentication:"
+            echo "ssh ${{ secrets.VPS_USER }}@${{ secrets.VPS_HOST }} 'sudo sed -i \"s/PasswordAuthentication yes/PasswordAuthentication no/\" /etc/ssh/sshd_config && sudo systemctl restart sshd'"
diff --git a/README.md b/README.md
@@ -32,11 +32,28 @@ First, fork this repository and make it private to safely store your configurati
 ### 2. Configure GitHub Secrets
 In your forked repository, go to Settings > Secrets and variables > Actions and add the following secrets:
 
-- `VPS_HOST`: Your VPS IP address
+- `VPS_HOST`: Your VPS IP address or hostname
 - `VPS_ROOT_PASSWORD`: Initial root password
 - `VPS_USER`: Desired username for the non-root user
+- `VPS_USER_PASSWORD`: Password for the new user
 - `SSH_PUBLIC_KEY`: Your SSH public key content (from `~/.ssh/id_rsa.pub`)
 
+Example values:
+```bash
+VPS_HOST: 123.456.789.0
+VPS_ROOT_PASSWORD: your-initial-root-password
+VPS_USER: john
+VPS_USER_PASSWORD: your-secure-user-password
+SSH_PUBLIC_KEY: ssh-rsa AAAAB3NzaC1... john@localhost
+```
+
+⚠️ Security Note:
+- Never commit these values directly to the repository
+- Always use GitHub Secrets for sensitive information
+- Use strong passwords for both root and user accounts
+- Keep your SSH private key secure
+
+
 ### 3. Deploy
 The setup will automatically deploy when you push to the main branch, or you can manually trigger it from the Actions tab.
 
@@ -72,7 +89,27 @@ The setup will automatically deploy when you push to the main branch, or you can
 ### SSH Security
 - Key-based authentication only
 - Root login disabled
-- Password authentication disabled
+- Password authentication enabled. For security reasons you should disable it after successfull setup (see [Post-Setup Security Steps](#4-post-setup-security-steps) below)
+
+### 4. Post-Setup Security Steps
+
+After the GitHub Action completes successfully:
+
+1. Test SSH key-based login:
+```bash
+ssh your-user@your-vps-host
+```
+
+2. If SSH key access works, disable password authentication:
+```bash
+ssh your-user@your-vps-host 'sudo sed -i "s/PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config && sudo systemctl restart sshd'
+```
+
+⚠️ Important:
+- Only disable password authentication after confirming SSH key access works
+- Keep a backup of your SSH private key
+- Store your VPS root password securely (in case of emergencies)
+- Monitor the GitHub Actions logs for the setup result
 
 ## 🛠️ Customization
 
diff --git a/setup.sh b/setup.sh
@@ -0,0 +1,101 @@
+#!/bin/bash
+
+# Variables
+NEW_USER="youruser"
+NEW_USER_PASSWORD="your-secret-password"
+SSH_PUBLIC_KEY="your-public-key-content"
+
+# Update system
+apt update && apt upgrade -y
+
+# Install required packages
+apt install -y sudo ufw fail2ban unattended-upgrades apt-listchanges
+
+# Configure unattended-upgrades
+cat > /etc/apt/apt.conf.d/20auto-upgrades << EOF
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+EOF
+
+cat > /etc/apt/apt.conf.d/50unattended-upgrades << EOF
+Unattended-Upgrade::Origins-Pattern {
+    "origin=Debian,codename=\${distro_codename},label=Debian-Security";
+    "origin=Debian,codename=\${distro_codename}-security,label=Debian-Security";
+};
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+Unattended-Upgrade::MinimalSteps "true";
+Unattended-Upgrade::InstallOnShutdown "false";
+Unattended-Upgrade::Mail "root";
+Unattended-Upgrade::MailReport "on-change";
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+Unattended-Upgrade::Remove-Unused-Dependencies "false";
+Unattended-Upgrade::Automatic-Reboot "true";
+Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+EOF
+
+# Enable unattended-upgrades
+systemctl enable unattended-upgrades
+systemctl start unattended-upgrades
+
+# Create new user and add to sudo group
+useradd -m -s /bin/bash $NEW_USER
+echo "$NEW_USER:$NEW_USER_PASSWORD" | chpasswd
+usermod -aG sudo $NEW_USER
+
+# Setup SSH key for new user
+mkdir -p /home/$NEW_USER/.ssh
+echo "$SSH_PUBLIC_KEY" > /home/$NEW_USER/.ssh/authorized_keys
+chmod 700 /home/$NEW_USER/.ssh
+chmod 600 /home/$NEW_USER/.ssh/authorized_keys
+chown -R $NEW_USER:$NEW_USER /home/$NEW_USER/.ssh
+
+# Configure SSH
+sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
+sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config
+sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
+
+# Configure fail2ban
+cat > /etc/fail2ban/jail.local << EOF
+[sshd]
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 3
+bantime = 3600
+findtime = 600
+EOF
+
+# Configure firewall
+ufw default deny incoming
+ufw default allow outgoing
+ufw allow ssh
+ufw allow http
+ufw allow https
+echo "y" | ufw enable
+
+# Install Docker
+apt install -y ca-certificates curl gnupg
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+chmod a+r /etc/apt/keyrings/docker.gpg
+
+echo \
+  "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
+  "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
+  tee /etc/apt/sources.list.d/docker.list > /dev/null
+
+apt update
+apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+
+# Add user to docker group
+usermod -aG docker $NEW_USER
+
+# Restart services
+systemctl restart sshd
+systemctl restart fail2ban
+
+echo "Setup completed!"
