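#!/bin/bash
# Phase 1: Base system setup for new James server
# Run as: ssh johan@192.168.3.134 'bash -s' < scripts/new-server-phase1.sh
#
# Privilege escalation
#   No credential is stored in this file. Root commands go through as_root(),
#   which needs sudo to work without a terminal. Use either:
#     * a temporary NOPASSWD sudoers rule for the provisioning account
#       (remove it once provisioning is done), or
#     * SUDO_ASKPASS pointing at an askpass helper on the target host.
#   A password held in a shell variable such as SUDO="echo <password> | sudo -S"
#   does not even work: the pipe is not re-parsed after expansion, so the
#   command line, password included, is only printed.
#   NOTE(review): an earlier revision of this script stored the account's sudo
#   password in clear text. Treat that password as compromised: change it on
#   every host where it was used and remove it from repository history.
#
# Optional environment overrides
#   TARGET_USER  account used for GUI autologin and systemd linger (default: johan)
#   LAN_CIDR     source range allowed through UFW to every port (default: 192.168.0.0/16)

# pipefail: every install below is piped into tail, which would otherwise
# hide a failing apt-get from `set -e`.
set -euo pipefail

readonly TARGET_USER="${TARGET_USER:-johan}"
readonly LAN_CIDR="${LAN_CIDR:-192.168.0.0/16}"

warn() { printf 'WARNING: %s\n' "$*" >&2; }
die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

# Run a command as root without ever prompting on stdin.
# stdin is the script itself under `bash -s`, so a prompt would eat script text.
as_root() {
  if ((EUID == 0)); then
    "$@"
  elif [[ -n "${SUDO_ASKPASS:-}" ]]; then
    sudo -A -- "$@"
  else
    sudo -n -- "$@"
  fi
}

# Install packages non-interactively. stdin is detached so debconf cannot
# consume the remainder of the script when it is streamed over ssh.
apt_install() {
  as_root env DEBIAN_FRONTEND=noninteractive apt-get install -y -q "$@" </dev/null
}

echo "=== Phase 1: Base System Setup ==="

# 0. Preflight: fail before touching the system, not halfway through.
as_root true \
  || die "sudo is not usable non-interactively; see 'Privilege escalation' in the header"
id "$TARGET_USER" >/dev/null 2>&1 \
  || die "user '$TARGET_USER' does not exist on this host"
# Step 5 disables SSH password logins. Without an installed public key that
# would cut off remote access to the machine.
[[ -s "$HOME/.ssh/authorized_keys" ]] \
  || die "no keys in $HOME/.ssh/authorized_keys; install a public key before hardening SSH"

# 1. Essentials
echo ">>> Installing essentials..."
# A fresh host may have stale or empty package lists.
as_root apt-get update -q </dev/null 2>&1 | tail -n 3
apt_install \
  curl wget git jq htop tmux build-essential \
  pass gnupg2 \
  sshpass rsync \
  unzip zip \
  python3-pip python3-venv \
  net-tools dnsutils \
  ufw fail2ban \
  samba \
  ffmpeg \
  trash-cli \
  apt-transport-https \
  ca-certificates \
  software-properties-common 2>&1 | tail -n 3

# 2. Minimal Xfce GUI (for headed Chrome)
echo ">>> Installing minimal Xfce + LightDM..."
apt_install \
  xorg \
  xfce4 \
  xfce4-terminal \
  lightdm \
  lightdm-gtk-greeter \
  dbus-x11 2>&1 | tail -n 3

# Set LightDM as default display manager
echo "/usr/sbin/lightdm" | as_root tee /etc/X11/default-display-manager >/dev/null

# Configure autologin
# NOTE(review): autologin hands an unlocked desktop session to anyone with
# console access. Combined with sudo rights for this account that is
# effectively local root, so this only suits a physically secured machine.
as_root mkdir -p /etc/lightdm/lightdm.conf.d
as_root tee /etc/lightdm/lightdm.conf.d/50-autologin.conf >/dev/null <<AUTOLOGIN
[Seat:*]
autologin-user=${TARGET_USER}
autologin-user-timeout=0
user-session=xfce
AUTOLOGIN

echo ">>> Disabling screensaver/power management..."
# Will be configured in Xfce session; install xfce4-power-manager
apt_install xfce4-power-manager 2>&1 | tail -n 1

# 3. NVIDIA Driver + CUDA (GTX 970 for inference)
echo ">>> Installing NVIDIA driver..."
apt_install nvidia-driver-535 nvidia-cuda-toolkit 2>&1 | tail -n 5

# 4. Configure Xorg to use Intel for display, leave NVIDIA for compute
# This overwrites any existing /etc/X11/xorg.conf.
echo ">>> Configuring Xorg for Intel display..."
as_root tee /etc/X11/xorg.conf >/dev/null <<'XORGCONF'
# Intel iGPU for display output, NVIDIA GTX 970 for compute only
Section "Device"
    Identifier "Intel"
    Driver     "modesetting"
    BusID      "PCI:0:2:0"
EndSection

Section "Screen"
    Identifier "Screen0"
    Device     "Intel"
EndSection

Section "ServerLayout"
    Identifier "Layout0"
    Screen     "Screen0"
EndSection
XORGCONF

# 5. Hardening
echo ">>> Hardening SSH..."
as_root sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
as_root sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
as_root sed -i 's/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config

# Validate before restarting: a broken config would stop sshd from coming
# back. On failure the running daemon is still using the old settings.
as_root sshd -t \
  || die "sshd_config failed validation; sshd was NOT restarted, fix the file and re-run"

# The sed edits only rewrite lines that already exist, and drop-in files
# (for example under /etc/ssh/sshd_config.d) may take precedence over the
# main file. Check what sshd will actually enforce.
effective_sshd=$(as_root sshd -T 2>/dev/null) || effective_sshd=""
for wanted in 'permitrootlogin no' 'passwordauthentication no' 'pubkeyauthentication yes'; do
  grep -qix -- "$wanted" <<<"$effective_sshd" \
    || warn "sshd effective config does not contain '$wanted'; check for overriding drop-ins"
done
as_root systemctl restart sshd

echo ">>> Configuring UFW firewall..."
as_root ufw default deny incoming
as_root ufw default allow outgoing
as_root ufw allow ssh
# LAN access for all services.
# NOTE(review): the default range covers every 192.168.x.x address and opens
# every listening port (Samba included) to it. Set LAN_CIDR to the subnet the
# server really sits on if the wider range is not intended.
as_root ufw allow from "$LAN_CIDR" to any
as_root ufw --force enable

echo ">>> Configuring fail2ban..."
# NOTE(review): logpath assumes sshd logs to /var/log/auth.log; on a
# journald-only host that file may not exist. Confirm fail2ban starts.
as_root tee /etc/fail2ban/jail.local >/dev/null <<'F2B'
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
F2B
as_root systemctl enable fail2ban
as_root systemctl start fail2ban

echo ">>> Enabling unattended security updates..."
apt_install unattended-upgrades
# Best effort, as before: reconfigure must not abort the run. The check
# below makes a silent failure of this security control visible.
as_root env DEBIAN_FRONTEND=noninteractive \
  dpkg-reconfigure -plow unattended-upgrades </dev/null 2>/dev/null || true
[[ -s /etc/apt/apt.conf.d/20auto-upgrades ]] \
  || warn "/etc/apt/apt.conf.d/20auto-upgrades is missing; automatic updates may not be enabled"

# 6. Enable lingering for user services
echo ">>> Enabling systemd linger for ${TARGET_USER}..."
as_root loginctl enable-linger "$TARGET_USER"

# 7. Node.js 22
echo ">>> Installing Node.js 22..."
# The vendor setup script runs as root. Fetch it completely into a private
# temp file first so a truncated or interrupted download is never executed,
# and refuse any non-HTTPS hop.
# NOTE(review): the script content itself is not verified. Pinning a reviewed
# copy or its checksum would close the remaining supply-chain gap.
node_setup=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$node_setup"' EXIT
curl -fsSL --proto '=https' --proto-redir '=https' \
  -o "$node_setup" https://deb.nodesource.com/setup_22.x
as_root bash -- "$node_setup" </dev/null 2>&1 | tail -n 3
apt_install nodejs 2>&1 | tail -n 3

# 8. NPM global directory (no sudo needed)
mkdir -p ~/.npm-global
npm config set prefix ~/.npm-global
# Single quotes are intentional: $PATH must be expanded when .bashrc runs.
# shellcheck disable=SC2016
grep -q 'npm-global' ~/.bashrc || echo 'export PATH=~/.npm-global/bin:$PATH' >> ~/.bashrc

echo "=== Phase 1 Complete ==="
echo "Reboot recommended for NVIDIA driver + GUI"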