feat: initial commit

terraform/scripts/company-bootstrap-ubuntu.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ "${EUID}" -ne 0 ]]; then
+  echo "Run as root (sudo)." >&2
+  exit 1
+fi
+
+SSH_USER="${1:-devops}"
+SSH_PORT="${2:-42315}"
+SSH_PUBKEY="${3:-}"
+
+if [[ -z "${SSH_PUBKEY}" ]]; then
+  echo "Usage: $0 <ssh_user> <ssh_port> <ssh_public_key>" >&2
+  exit 1
+fi
+
+if ! id -u "${SSH_USER}" >/dev/null 2>&1; then
+  useradd -m -s /bin/bash "${SSH_USER}"
+fi
+
+usermod -aG sudo "${SSH_USER}"
+
+install -d -m 700 -o "${SSH_USER}" -g "${SSH_USER}" "/home/${SSH_USER}/.ssh"
+touch "/home/${SSH_USER}/.ssh/authorized_keys"
+chown "${SSH_USER}:${SSH_USER}" "/home/${SSH_USER}/.ssh/authorized_keys"
+chmod 600 "/home/${SSH_USER}/.ssh/authorized_keys"
+
+if ! grep -Fqx "${SSH_PUBKEY}" "/home/${SSH_USER}/.ssh/authorized_keys"; then
+  echo "${SSH_PUBKEY}" >>"/home/${SSH_USER}/.ssh/authorized_keys"
+fi
+
+cat >/etc/ssh/sshd_config.d/99-company.conf <<EOF
+Port ${SSH_PORT}
+PermitRootLogin no
+PasswordAuthentication no
+PubkeyAuthentication yes
+ChallengeResponseAuthentication no
+UsePAM yes
+EOF
+
+sshd -t
+systemctl restart ssh || systemctl restart sshd
+
+echo "Company baseline applied:"
+echo "- user: ${SSH_USER}"
+echo "- ssh port: ${SSH_PORT}"
+echo "- root login: disabled"
+echo "- password auth: disabled"
+