#!/bin/bash
# setup-user.sh - Create a new user with sudo and SSH key, optionally harden SSH
# Run this script as root on a fresh Debian droplet.
# Interactive: the username, an optional public key and the yes/no answers are
# all read from standard input.
#
# Abort on the first failing command. Bash does not apply this inside `if`
# conditions or `||` lists, which is why the account-creation steps below also
# check their exit status explicitly.
set -e # exit on any error
# -------------------- Helper functions --------------------
# Report a fatal error on stderr and stop the script.
# Arguments: $1 - message text (printed after the "ERROR: " prefix)
# Returns:   never; the shell exits with status 1
die() {
  printf 'ERROR: %s\n' "$1" >&2
  exit 1
}
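# Ask a yes/no question on standard input until a usable answer is given.
# Arguments: $1 - question text shown as the prompt
# Outputs:   a reminder on stdout after each unrecognised answer
# Returns:   0 for an answer starting with y/Y; 1 for an answer starting with
#            n/N, or when standard input ends before any answer is given
prompt_yes_no() {
  local answer
  while true; do
    # -r keeps backslashes literal. A read that fails with nothing typed
    # (EOF, closed stdin) is treated as "no": this function is called as an
    # `if` condition, where `set -e` is suspended, so without this check the
    # loop would print the reminder forever.
    if ! read -r -p "$1 (y/n) " answer && [ -z "$answer" ]; then
      return 1
    fi
    case "$answer" in
      [Yy]*) return 0 ;;
      [Nn]*) return 1 ;;
      *) echo "Please answer y or n." ;;
    esac
  done
}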
# -------------------- Prerequisites --------------------
# Everything below creates accounts and edits system files, so stop right away
# unless the effective user is root.
[[ "$EUID" -eq 0 ]] || die "This script must be run as root. Use 'sudo' or log in as root."

# Banner followed by one blank line.
printf '%s\n' "=== New User Setup for Debian Droplet ===" ""
# -------------------- Create new user --------------------
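# Ask for the account name. -r keeps backslashes literal; a failed read (EOF)
# is reported instead of letting `set -e` end the script without a message.
read -r -p "Enter the username for the new account: " NEWUSER \
  || die "No username was read from standard input."
if [ -z "$NEWUSER" ]; then
  die "Username cannot be empty."
fi
# The name is passed as an argument to id, adduser, usermod, sudo and chown
# further down; a leading '-' would be parsed by those tools as an option
# rather than as an account name.
case "$NEWUSER" in
  -*) die "Username must not start with '-'." ;;
esac
# Refuse to modify an account that already exists.
if id "$NEWUSER" &>/dev/null; then
  die "User '$NEWUSER' already exists."
fi
# Create the account. --gecos "" supplies an empty GECOS field so adduser does
# not ask for full name, room number, etc.
adduser --gecos "" "$NEWUSER" || die "Failed to create user."
# Add to the sudo group. NOTE(review): on a default Debian sudoers file this
# grants full root rights through sudo — confirm that is intended for this user.
usermod -aG sudo "$NEWUSER" || die "Failed to add user to sudo group."
echo "User '$NEWUSER' created and added to sudo group."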
# -------------------- Set up SSH keys --------------------
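echo
echo "--- SSH Key Setup ---"
echo "We'll now set up SSH key authentication for the new user."
# Look the home directory up in the passwd database (field 6). getent takes the
# name as a plain argument, so the typed username is never re-parsed as shell
# code the way an `eval echo "~name"` expansion would.
USER_HOME=$(getent passwd "$NEWUSER" | cut -d: -f6)
# The pipeline's status is that of cut, so a failed lookup shows up as an
# empty result rather than as a non-zero exit; check for it explicitly.
[ -n "$USER_HOME" ] || die "Could not determine the home directory of '$NEWUSER'."
SSH_DIR="$USER_HOME/.ssh"
AUTH_KEYS="$SSH_DIR/authorized_keys"
# Create .ssh as the new user so the directory is owned by that account, then
# restrict it to the owner (mode 700).
sudo -u "$NEWUSER" mkdir -p "$SSH_DIR"
sudo -u "$NEWUSER" chmod 700 "$SSH_DIR"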
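# Offer to reuse root's authorized_keys when that file exists.
COPY_ROOT_KEYS=false
if [ -f /root/.ssh/authorized_keys ]; then
  if prompt_yes_no "Root's authorized_keys found. Copy it to the new user?"; then
    COPY_ROOT_KEYS=true
  fi
fi
if [ "$COPY_ROOT_KEYS" = true ]; then
  # Every key that can log in as root will also be able to log in as the new
  # (sudo-capable) user after this copy.
  cp /root/.ssh/authorized_keys "$AUTH_KEYS"
  chown "$NEWUSER:$NEWUSER" "$AUTH_KEYS"
  chmod 600 "$AUTH_KEYS"
  echo "Root's authorized_keys copied."
else
  echo "Please paste your SSH public key (the contents of your local ~/.ssh/id_rsa.pub or id_ed25519.pub)."
  # Input is read until end-of-file, so an empty line does not end it; only
  # Ctrl+D does. The prompt says so to avoid a session that appears to hang.
  echo "Press Ctrl+D when done (press Ctrl+D without typing anything to skip and rely on password login)."
  echo "Public key: "
  PUBKEY=$(</dev/stdin)
  if [ -n "$PUBKEY" ]; then
    # printf writes the pasted text verbatim, whatever its first characters are.
    printf '%s\n' "$PUBKEY" > "$AUTH_KEYS"
    chown "$NEWUSER:$NEWUSER" "$AUTH_KEYS"
    chmod 600 "$AUTH_KEYS"
    echo "Public key saved."
    # A mistyped or truncated paste is only noticed at the next login attempt,
    # which matters if password logins are disabled later in this script.
    # ssh-keygen -l fails when the file holds no parsable public key.
    if command -v ssh-keygen >/dev/null 2>&1 \
      && ! ssh-keygen -l -f "$AUTH_KEYS" >/dev/null 2>&1; then
      echo "WARNING: $AUTH_KEYS does not parse as an SSH public key; key login may not work." >&2
    fi
  else
    echo "No key provided. The user will only be able to log in with a password."
  fi
fi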
# -------------------- Final message and test --------------------
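echo
echo "=== User setup complete ==="
echo "You can now log in as '$NEWUSER' from another terminal:"
# The public address is requested from an external service (ifconfig.me).
# -f turns HTTP errors into a failure, --max-time keeps an unreachable service
# from stalling the script, and any failure leaves the variable empty.
DROPLET_IP=$(curl -fs --max-time 5 ifconfig.me 2>/dev/null || true)
# The reply is remote data printed on a root terminal: accept it only when it
# consists of characters that can occur in an IPv4/IPv6 address, otherwise
# fall back to the placeholder text.
case "$DROPLET_IP" in
  '' | *[!0-9A-Fa-f.:]*) DROPLET_IP='your_droplet_ip' ;;
esac
echo " ssh $NEWUSER@$DROPLET_IP"
echo
echo "After logging in, verify sudo works by running: sudo whoami"
echo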
# -------------------- Optional SSH hardening --------------------
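if prompt_yes_no "Do you want to harden SSH security now? (Disable root login and password authentication)"; then
  echo "--- Backing up SSH configuration ---"
  SSHD_CONFIG="/etc/ssh/sshd_config"
  BACKUP="$SSHD_CONFIG.backup-$(date +%Y%m%d%H%M%S)"
  # -p keeps the mode, ownership and timestamps of the original on the backup.
  cp -p "$SSHD_CONFIG" "$BACKUP"
  echo "Backup saved to $BACKUP"
  # Disable root login (rewrites the directive whether or not it was commented out).
  sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' "$SSHD_CONFIG"
  # Disable password logins only when the new user really has a non-empty
  # authorized_keys file. With root login off and no key installed, turning
  # passwords off as well would leave no way to log in over SSH.
  DISABLE_PASSWORDS=false
  if [ -n "${AUTH_KEYS:-}" ] && [ -s "$AUTH_KEYS" ]; then
    DISABLE_PASSWORDS=true
    sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' "$SSHD_CONFIG"
    # Also ensure ChallengeResponseAuthentication is off
    sed -i 's/^#*ChallengeResponseAuthentication.*/ChallengeResponseAuthentication no/' "$SSHD_CONFIG"
  else
    echo "WARNING: no SSH key is installed for '$NEWUSER'; password authentication is left enabled." >&2
  fi
  echo "SSH configuration modified:"
  echo " - PermitRootLogin no"
  if [ "$DISABLE_PASSWORDS" = true ]; then
    echo " - PasswordAuthentication no"
    echo " - ChallengeResponseAuthentication no"
  fi
  # Test configuration before restart; put the backup back if the edited file
  # does not parse, so a broken config is never left in place.
  if ! sshd -t; then
    cp -p "$BACKUP" "$SSHD_CONFIG"
    die "SSH configuration test failed. The original configuration was restored from $BACKUP."
  fi
  # sed only rewrites lines that already exist in this one file. A directive
  # that is absent here, or set earlier in a file pulled in by an Include line,
  # keeps its old value, so check what sshd would actually apply.
  EFFECTIVE=$(sshd -T 2>/dev/null || true)
  if ! grep -qix 'permitrootlogin no' <<<"$EFFECTIVE"; then
    echo "WARNING: sshd does not report 'PermitRootLogin no' as effective; check $SSHD_CONFIG and any included files." >&2
  fi
  if [ "$DISABLE_PASSWORDS" = true ] \
    && ! grep -qix 'passwordauthentication no' <<<"$EFFECTIVE"; then
    echo "WARNING: sshd does not report 'PasswordAuthentication no' as effective; check $SSHD_CONFIG and any included files." >&2
  fi
  # Restart SSH
  systemctl restart ssh
  echo "SSH restarted."
  echo
  echo "=== IMPORTANT ==="
  echo "Before closing this root session, open a NEW terminal and test logging in as '$NEWUSER'."
  echo "If you cannot log in, you still have this session open to revert changes."
  echo "To revert, restore the backup: cp $BACKUP $SSHD_CONFIG && systemctl restart ssh"
  echo
  echo "If everything works, you're all set!"
else
  echo "Skipping SSH hardening. You can manually secure SSH later by editing /etc/ssh/sshd_config."
fi
echo
echo "Script finished."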
# One-line usage: each command downloads a script from this gist and hands it
# to bash in a single step, without saving it to disk first.
# NOTE(review): the /raw/<file> URLs carry no revision id, so they presumably
# serve whatever the gist contains at download time, and both scripts expect to
# run as root. Saving the file, reading it, and then running the saved copy
# shows exactly what will execute — confirm before use.
bash <(curl -fsSL https://gist.githubusercontent.com/Humberd/9b06cfaf6128b4da12142023dc14008b/raw/system-update.sh)
bash <(curl -fsSL https://gist.githubusercontent.com/Humberd/9b06cfaf6128b4da12142023dc14008b/raw/new-linux-user.sh)
#!/bin/bash
# system-update.sh - Update and upgrade Debian system packages
# Run this script as root or with sudo.
set -e # exit on error

# Print a progress message, then run the given command.
# Arguments: $1 - message; remaining arguments - the command and its options
# Returns:   the command's status (a failure ends the script under set -e)
run_step() {
  echo "$1"
  shift
  "$@"
}

# Package management needs root privileges.
if ((EUID != 0)); then
  echo "Please run as root or with sudo."
  exit 1
fi

echo "=== Starting system update ==="
date

# Refresh the package lists, upgrade, then drop packages and cached archives
# that are no longer needed.
run_step "Updating package lists..." apt update
run_step "Upgrading installed packages..." apt upgrade -y
run_step "Removing unused packages..." apt autoremove -y
run_step "Cleaning up package cache..." apt autoclean

echo "=== System update completed ==="
date

# The presence of this marker file is taken as the signal that a reboot is
# needed (kernel or critical updates).
if [[ -f /var/run/reboot-required ]]; then
  printf '%s\n' \
    "" \
    "*** REBOOT REQUIRED ***" \
    "A system reboot is recommended to apply kernel or critical updates." \
    "Please reboot when convenient: sudo reboot"
fi