Dot Files



Introduction

The configurations are intentionally simple. I try to use the default configurations as much as possible, so I can switch between different computers without spending time configuring each of them. I am also not fond of code or configuration that I don't understand: it might do magical things, but when things go awry, which they do, I need to be able to fix it. Note that both scripts below pull installer scripts from the network and execute them, and the Debian one rewrites the SSH server configuration and restarts sshd, so read them before running them on a machine you care about.

Setup MacOS

#!/bin/bash

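# xcode: `xcode-select --install` exits non-zero (and opens a GUI dialog)
# when the Command Line Tools are already present, so only run it when `-p`
# cannot find an active developer directory.
if ! xcode-select -p &> /dev/null; then
  xcode-select --install
fi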
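# ~/.oh-my-zsh
# The installer is fetched over HTTPS and executed unread (curl | sh). That is
# the upstream-documented method, but it trusts GitHub and the ohmyzsh repo at
# run time; download it to a file and read it first if that matters to you.
# --unattended (documented by the upstream README) keeps the installer from
# exec'ing a new zsh, which would otherwise stall this script here.
if [ ! -d ~/.oh-my-zsh ]; then
  sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended
  # Quoted heredoc: nothing is expanded here, so $PATH/$HOME/$ZSH are written
  # literally into ~/.zshrc exactly as the single-quoted echo did.
  cat > ~/.zshrc <<'EOF'
# GENERAL
export PATH=/opt/homebrew/opt/node@20/bin:/opt/homebrew/opt/curl/bin:/opt/homebrew/bin:/opt/homebrew/sbin:~/go/bin:$PATH
export ZSH="$HOME/.oh-my-zsh"
ZSH_THEME="agnoster"
source $ZSH/oh-my-zsh.sh
# ALIAS
alias ss="source ~/.zshrc"
# -path is matched against the whole path find prints (./node_modules/...),
# so it needs a glob; a bare "node_modules" never matched anything and
# node_modules was searched anyway.
alias findgit="find . -type f -name config -not -path '*/node_modules/*' -exec grep -H github {} \; 2> /dev/null"
alias cleanmac="brew update && brew upgrade && brew cleanup && brew cleanup -s && brew autoremove && brew doctor"
# Single-quoted so the remote command keeps its double quotes. As written
# before, the nested "..." inside "..." closed the alias early, so the rest of
# the line (including the trailing exit) was parsed as separate commands when
# .zshrc was sourced.
alias deploy_site='rsync -avr --exclude={.git,node_modules,.DS_Store} ~/apps/site/ [email protected]:/var/www/site && ssh [email protected] "cd /var/www/site; docker compose up -d --build; docker system prune -f; exit"'
EOF
fi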
# ~/.vimrc: two-space soft tabs, auto-indent, soft wrapping and line numbers.
# The leading and trailing blank lines reproduce what the echo | awk pipeline
# wrote, so the resulting file is byte-identical.
if [[ ! -f ~/.vimrc ]]; then
  printf '\n%s\n\n' 'set tabstop=2 shiftwidth=2 expandtab autoindent linebreak wrap number' > ~/.vimrc
fi
# ~/.gitconfig: identity and default branch, written only when no config
# exists yet. The identity values look like placeholders to personalise.
if [[ ! -f ~/.gitconfig ]]; then
  while IFS='=' read -r git_key git_value; do
    git config --global "$git_key" "$git_value"
  done <<'EOF'
user.name=x
user.email=[email protected]
init.defaultBranch=main
EOF
fi
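# brew
# Homebrew's installer is also curl | bash from GitHub (same trust caveat as
# the oh-my-zsh one). NONINTERACTIVE=1 is the documented way to skip its
# "press RETURN" prompt; it still asks for the sudo password.
# After a fresh install on Apple Silicon, brew lives in /opt/homebrew/bin,
# which is NOT on this script's PATH yet (the PATH export above only goes
# into ~/.zshrc), so `brew analytics off` would fail with "command not
# found". Load brew's shellenv first; on Intel Macs /usr/local/bin is already
# on the default PATH and the guard is skipped.
if ! command -v brew &> /dev/null; then
  NONINTERACTIVE=1 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
  if [ -x /opt/homebrew/bin/brew ]; then
    eval "$(/opt/homebrew/bin/brew shellenv)"
  fi
  brew analytics off
  brew update
  brew upgrade
  formulae=(
    jq go git php composer node@18 node@20 deno llvm rust ruby
    grep curl wget tmux gnupg awscli openssl
    nmap netcat whois qrencode wireguard-tools
  )
  casks=(
    google-chrome firefox tor-browser docker iterm2 visual-studio-code
    tableplus telegram spotify trezor-suite vlc wireshark mullvadvpn
  )
  # One formula/cask per call, as before, so a single failure does not abort
  # the rest of the list.
  for formula in "${formulae[@]}"; do
    brew install "$formula"
  done
  for cask in "${casks[@]}"; do
    brew install --cask "$cask"
  done
fi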

Setup Debian

#!/bin/bash

# prompt: one y/n answer per optional component, stored in install_<name>
# (install_fail2ban, install_docker, install_go, install_caddy, install_hack)
for component in fail2ban docker go caddy hack; do
  read -p "Install ${component}? [y/n] " "install_${component}"
done
# install: refresh and upgrade, then the baseline tools one apt call each so a
# single missing package does not stop the others. ufw is only installed
# here; nothing in this script enables it.
sudo apt update
sudo apt upgrade -y
for base_pkg in ufw git htop tmux; do
  sudo apt install -y "$base_pkg"
done
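# ssh
# Everything below writes under /etc, so it uses sudo like the rest of the
# script (the original mixed sudo and non-sudo writes, which fails for a
# non-root user). Keep the session you run this from open until a new login
# on the new port has been confirmed from a second terminal.
ssh_port=55666
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
sudo sed -i '/^PermitRootLogin yes$/d' /etc/ssh/sshd_config
# sshd takes the FIRST value it sees for a keyword, and Debian/Ubuntu start
# sshd_config with "Include /etc/ssh/sshd_config.d/*.conf". Settings appended
# to the END of sshd_config therefore lose to anything in that directory
# (cloud images may ship a drop-in such as 50-cloud-init.conf that turns
# PasswordAuthentication back on). A "00-" drop-in sorts first and wins.
if ! grep -q '^Include /etc/ssh/sshd_config\.d/\*\.conf' /etc/ssh/sshd_config; then
  sudo sed -i '1i Include /etc/ssh/sshd_config.d/*.conf' /etc/ssh/sshd_config
fi
sudo install -m 0755 -d /etc/ssh/sshd_config.d
sudo tee /etc/ssh/sshd_config.d/00-hardening.conf > /dev/null <<EOF
PermitRootLogin prohibit-password
PasswordAuthentication no
# NOTE(review): recent Ubuntu releases socket-activate sshd (ssh.socket),
# where Port in sshd_config is ignored - confirm on that platform.
Port ${ssh_port}
MaxSessions 5
# MaxAuthTries counts every key the client offers, so a client with more than
# two keys loaded in its agent is rejected unless it pins the key
# (IdentitiesOnly yes / IdentityFile in ~/.ssh/config).
MaxAuthTries 2
LoginGraceTime 30
MaxStartups 5:30:10
EOF
# re-generate the RSA and ED25519 keys (this also drops the ECDSA key and any
# host key baked into a cloned image; clients will see a changed host key)
sudo rm -f /etc/ssh/ssh_host_*
sudo ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
sudo ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
# remove small Diffie-Hellman moduli (below 3072 bits) used by group-exchange kex
awk '$5 >= 3071' /etc/ssh/moduli | sudo tee /etc/ssh/moduli.safe > /dev/null
sudo mv /etc/ssh/moduli.safe /etc/ssh/moduli
# enable the RSA and ED25519 keys
sudo sed -i 's/^\#HostKey \/etc\/ssh\/ssh_host_\(rsa\|ed25519\)_key$/HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config
# restrict supported key exchange, cipher, and MAC algorithms, as per the
# sshaudit.com hardening guide; run ssh-audit against the host afterwards to
# confirm. GSSAPIKexAlgorithms is only accepted by the Debian/Ubuntu
# GSSAPI-patched sshd - on other builds the sshd -t check below rejects it.
sudo tee /etc/ssh/sshd_config.d/ssh-audit_hardening.conf > /dev/null <<'EOF'
# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
# hardening guide.
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com

HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-

HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256

PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
EOF
# ufw was installed above but is never enabled by this script; add the rule
# now so enabling it later cannot lock SSH out on the custom port.
sudo ufw allow "${ssh_port}/tcp"
# Validate before restarting: restarting sshd with a broken config is a
# lockout once the current session ends, so stop here instead.
if ! sudo sshd -t; then
  echo "sshd configuration is invalid (see above); not restarting ssh" >&2
  exit 1
fi
# restart OpenSSH server
sudo systemctl restart ssh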
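# fail2ban
if [ "$install_fail2ban" = "y" ] && [ ! -d /etc/fail2ban ]; then
  sudo apt install -y fail2ban
  sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  sudo sed -i 's/^bantime.*=.*10m$/bantime = 1d/g' /etc/fail2ban/jail.local
  sudo sed -i 's/^findtime.*=.*10m$/findtime = 1d/g' /etc/fail2ban/jail.local
  sudo sed -i 's/^maxretry.*=.*5$/maxretry = 3/g' /etc/fail2ban/jail.local
  sudo sed -i 's/^#mode.*=.*normal$/mode = aggressive/g' /etc/fail2ban/jail.local
  # The sshd jail ships "port = ssh", which resolves to 22, so the ban action
  # would block the wrong port on a server that moved sshd to 55666 (see the
  # ssh section): banned hosts could still reach it. Rewrite the port inside
  # the [sshd] section only.
  sudo sed -i '/^\[sshd\]/,/^\[/ s/^port\s*=\s*ssh$/port = 55666/' /etc/fail2ban/jail.local
  # Debian 12 does not install rsyslog by default, so /var/log/auth.log may
  # not exist; read sshd's journal instead. The distro ID comes from
  # /etc/os-release, which is present even when lsb_release is not.
  if [ "$(. /etc/os-release && echo "$ID")" = "debian" ]; then
    sudo sed -i 's/^backend.*=.*sshd_backend.*/backend = systemd/g' /etc/fail2ban/jail.local
  fi
  sudo systemctl enable fail2ban
  sudo systemctl restart fail2ban
fi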
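# docker
# Docker's own apt repo, bound to its signing key via signed-by so only that
# key can sign this source. Debian and Ubuntu differ only in the repo path,
# so read the distro ID from /etc/os-release (lsb_release is not always
# installed) and use a single code path instead of two copies.
if [ "$install_docker" = "y" ] && ! command -v docker &> /dev/null; then
  distro_id="$(. /etc/os-release && echo "$ID")"
  distro_codename="$(. /etc/os-release && echo "$VERSION_CODENAME")"
  case "$distro_id" in
    debian|ubuntu)
      sudo apt install -y ca-certificates curl gnupg
      sudo install -m 0755 -d /etc/apt/keyrings
      curl -fsSL "https://download.docker.com/linux/${distro_id}/gpg" | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
      sudo chmod a+r /etc/apt/keyrings/docker.gpg
      echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/${distro_id} ${distro_codename} stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
      ;;
    *)
      # Same outcome as before (no repo, the install below fails), just said out loud.
      echo "docker: unsupported distro '${distro_id}', skipping repo setup" >&2
      ;;
  esac
  sudo apt update
  # Deliberately no `usermod -aG docker`: docker group membership is
  # root-equivalent, so keep using sudo for docker commands.
  sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
fi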
# caddy: the official Cloudsmith apt repository. The keyring is written first;
# the .list file is taken from Cloudsmith as served, so check that it refers
# to that keyring (signed-by) if you want to be sure apt verifies the source.
if [[ "$install_caddy" == "y" ]] && ! command -v caddy &> /dev/null; then
  sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
  caddy_repo='https://dl.cloudsmith.io/public/caddy/stable'
  curl -1sLf "${caddy_repo}/gpg.key" | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
  curl -1sLf "${caddy_repo}/debian.deb.txt" | sudo tee /etc/apt/sources.list.d/caddy-stable.list
  sudo apt update
  sudo apt install -y caddy
fi
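# go
# Pinned version and arch; bump go_version deliberately, as old toolchains
# lack later fixes. The tarball is fetched with -f so an HTTP error page is
# not saved as a "tarball", and compared against the .sha256 go.dev publishes
# next to it, which catches truncated or corrupt downloads. Pinning the hash
# in this script instead would also catch a tampered download server.
# /usr/local is root-owned, so the extraction uses sudo like the rest.
if [ "$install_go" = "y" ] && ! command -v go &> /dev/null; then
  go_version="1.20.2"
  go_tarball="go${go_version}.linux-amd64.tar.gz"
  go_tmp="$(mktemp -d)"
  curl -fsSL -o "${go_tmp}/${go_tarball}" "https://go.dev/dl/${go_tarball}"
  curl -fsSL -o "${go_tmp}/${go_tarball}.sha256" "https://go.dev/dl/${go_tarball}.sha256"
  if [ "$(sha256sum "${go_tmp}/${go_tarball}" | cut -d' ' -f1)" = "$(cat "${go_tmp}/${go_tarball}.sha256")" ]; then
    sudo rm -rf /usr/local/go
    sudo tar -C /usr/local -xzf "${go_tmp}/${go_tarball}"
  else
    echo "go: checksum mismatch or failed download for ${go_tarball}, not installing" >&2
  fi
  rm -rf "${go_tmp}"
  # Append rather than overwrite (the original "> ~/.bash_profile" replaced
  # the whole file) and skip the line if it is already there. ~/.profile is
  # used instead of creating ~/.bash_profile: bash reads only the first of
  # .bash_profile/.bash_login/.profile, so a new .bash_profile would silently
  # disable the distro's ~/.profile.
  go_path_line='PATH=$PATH:/usr/local/go/bin:$HOME/go/bin'
  grep -qF "$go_path_line" ~/.profile 2> /dev/null || echo "$go_path_line" >> ~/.profile
  # Make go visible to the rest of this script without sourcing the profile.
  export PATH="$PATH:/usr/local/go/bin:$HOME/go/bin"
fi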
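# hack
# `go install` fetches and builds each tool from source at the given ref. By
# default the module checksum database (GOSUMDB) verifies the fetched module
# matches what it has recorded, but @latest and @master float, so a re-run
# can build different code; pin tags (e.g. @vX.Y.Z) for reproducible
# installs, and check for newer major versions (the module path changes with
# the major, e.g. .../v2/...). Binaries land in ~/go/bin, which the go section
# puts on PATH.
if [ "$install_hack" = "y" ] && command -v go &> /dev/null; then
  hack_tools=(
    github.com/ffuf/ffuf@latest
    github.com/tomnomnom/gf@latest
    github.com/tomnomnom/fff@latest
    github.com/tomnomnom/anew@latest
    github.com/lc/gau/v2/cmd/gau@latest
    github.com/projectdiscovery/dnsx/cmd/dnsx@latest
    github.com/projectdiscovery/httpx/cmd/httpx@latest
    github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
    github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
    github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest
    github.com/owasp-amass/amass/v3/...@master
  )
  # Keep going on a failed build, as before, but say which tool failed.
  for tool in "${hack_tools[@]}"; do
    go install "$tool" || echo "hack: failed to install ${tool}" >&2
  done
fi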