
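#!/usr/bin/env bash
set -euo pipefail
# Simple installer for Ubuntu server:
# - unattended-upgrades (security updates + automatic reboot)
# - Docker (engine + compose plugin) per Docker docs steps 1-3
# - zsh (set as default shell for original user)
# - 1Password CLI for access to secrets
# - pass + gnupg2 for storing tokens needed (e.g. for 1Password CLI)
#
# Trust note: this script runs as root and registers two third-party apt
# repositories (download.docker.com, downloads.1password.com). Their signing
# keys are fetched over HTTPS and trusted as downloaded.

# Must be run as root
if (( EUID != 0 )); then
  # Diagnostics go to stderr so they are not lost when stdout is redirected.
  printf 'Please run as root: sudo bash %s\n' "$0" >&2
  exit 1
fi

# Detect target user to set default shell for.
# sudo exports SUDO_USER as the invoking account; without it the fallback is
# the current user, which is root once the check above has passed.
TARGET_USER="${SUDO_USER:-$(whoami)}"

apt-get update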
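# 1) Enable automatic security updates and automatic reboot
apt-get install -y unattended-upgrades

# Enable periodic updates/unattended-upgrades
cat > /etc/apt/apt.conf.d/20auto-upgrades <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF

# Ensure automatic reboot after unattended-upgrades (time adjustable).
# The host restarts on its own at 04:00 whenever an upgrade asks for a reboot.
cat > /etc/apt/apt.conf.d/99auto-reboot <<'EOF'
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
EOF

# Start/enable unattended-upgrades (if system uses service/timer).
# The unit list is captured before matching: piping systemctl straight into
# `grep -q` under `pipefail` can report failure when grep exits on its first
# match and systemctl is killed by SIGPIPE, which silently skipped this step.
unit_files="$(systemctl list-unit-files --no-pager)" || unit_files=""
if grep -q unattended-upgrades <<<"${unit_files}"; then
  # Best effort, but say so: a host that is not patching itself should be visible.
  systemctl enable --now unattended-upgrades \
    || echo "warning: could not enable unattended-upgrades; automatic security updates may not run" >&2
fi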
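# 2) Install Docker (steps 1-3 from Docker docs)
# Install prerequisites
apt-get install -y ca-certificates curl gnupg lsb-release

# Create keyrings dir and add Docker GPG key.
# The key is trusted exactly as served over TLS; nothing here checks its
# fingerprint. Compare `gpg --show-keys /etc/apt/keyrings/docker.asc` with the
# fingerprint published in Docker's install docs before relying on this repo.
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc

# Add Docker apt repository
ARCH="$(dpkg --print-architecture)"
# os-release is read in a subshell so its variables (NAME, ID, VERSION, ...)
# cannot overwrite anything in this script.
UBU_CODENAME="$(. /etc/os-release && printf '%s' "${UBUNTU_CODENAME:-$VERSION_CODENAME}")"
if [[ -z "${UBU_CODENAME}" ]]; then
  # An empty codename would write a malformed sources line that apt rejects later.
  echo "Could not determine the Ubuntu codename from /etc/os-release" >&2
  exit 1
fi
printf 'deb [arch=%s signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu %s stable\n' \
  "${ARCH}" "${UBU_CODENAME}" > /etc/apt/sources.list.d/docker.list
apt-get update

# Install Docker Engine + plugins including compose plugin
apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# Verify Docker works by running hello-world (this will pull an image).
# Kept non-fatal, but a failed smoke test is reported instead of hidden.
if command -v docker >/dev/null 2>&1; then
  docker run --rm hello-world \
    || echo "warning: docker hello-world smoke test failed" >&2
fi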
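# 3) Install zsh and make it the default shell for the target user
apt-get install -y zsh
# `command -v` is the shell builtin lookup; `which` is an external tool whose
# output format is not guaranteed.
ZSH_PATH="$(command -v zsh)"

# Register the shell in /etc/shells once. -x/-F match the whole line as a
# literal string, so characters in the path are never read as a regex.
if ! grep -qxF -- "${ZSH_PATH}" /etc/shells; then
  printf '%s\n' "${ZSH_PATH}" >> /etc/shells
fi

# Change shell for target user (if possible)
if id "${TARGET_USER}" >/dev/null 2>&1; then
  chsh -s "${ZSH_PATH}" "${TARGET_USER}" \
    || echo "chsh failed for ${TARGET_USER}; you may need to run 'chsh -s ${ZSH_PATH} ${TARGET_USER}' manually" >&2
else
  echo "User ${TARGET_USER} not found; skipping chsh" >&2
fi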
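# 4) Install 1Password CLI for access to secrets
#
# Every step is its own statement. In an `a && b && c` chain `set -e` does not
# stop the script when a non-final command fails, so a failed key download
# used to skip the install quietly and surface only as "op: command not found".
#
# The signing key and debsig policy are trusted as served over TLS; no
# fingerprint is checked here. Compare the key against the fingerprint
# 1Password publishes before relying on this repository.
(
  op_arch="$(dpkg --print-architecture)"
  # Downloads land in a private temp dir first, so a failed or partial
  # transfer never overwrites a keyring or policy file already in place.
  op_tmp="$(mktemp -d)"
  trap 'rm -rf -- "${op_tmp}"' EXIT

  # -f: fail on an HTTP error instead of saving the error page as key/policy.
  curl -fsS https://downloads.1password.com/linux/keys/1password.asc \
    -o "${op_tmp}/1password.asc"
  curl -fsS https://downloads.1password.com/linux/debian/debsig/1password.pol \
    -o "${op_tmp}/1password.pol"

  # --batch --yes: overwrite an existing keyring on re-run without prompting.
  gpg --batch --yes --dearmor \
    --output /usr/share/keyrings/1password-archive-keyring.gpg \
    "${op_tmp}/1password.asc"
  printf 'deb [arch=%s signed-by=/usr/share/keyrings/1password-archive-keyring.gpg] https://downloads.1password.com/linux/debian/%s stable main\n' \
    "${op_arch}" "${op_arch}" > /etc/apt/sources.list.d/1password.list

  mkdir -p /etc/debsig/policies/AC2D62742012EA22/
  install -m 0644 "${op_tmp}/1password.pol" \
    /etc/debsig/policies/AC2D62742012EA22/1password.pol

  # Same downloaded key for apt and debsig, so both verify against one copy.
  mkdir -p /usr/share/debsig/keyrings/AC2D62742012EA22
  gpg --batch --yes --dearmor \
    --output /usr/share/debsig/keyrings/AC2D62742012EA22/debsig.gpg \
    "${op_tmp}/1password.asc"
)

# apt-get with -y: `apt install` without it stops at a confirmation prompt.
apt-get update
apt-get install -y 1password-cli

# Check successful install
op --version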
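# 5) Install a local secret store for tokens: pass, backed by GnuPG.
# NOTE(review): this step was titled "gnome-keyring secret-tool", but the
# packages installed are pass and gnupg2. secret-tool ships in libsecret-tools;
# confirm which store is intended.
# apt-get with -y: `apt install` without it stops at a confirmation prompt.
apt-get install -y pass gnupg2

echo "Done. Recommended: log out and back in (or reboot) to start using zsh and ensure all services are active."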