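#!/bin/bash
# Server security setup for LLM Team UI (brain / island37.com)
# Run as root. Idempotent — safe to re-run.
#
# Installs the nginx, systemd, fail2ban, sysctl and sshd configuration files
# that sit next to this script, then configures ufw. Each config is validated
# before the matching service is reloaded, and the script aborts on the first
# failure instead of printing "OK" over a step that silently broke.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
readonly SCRIPT_DIR

# LAN range allowed to reach the internal-only services (MinIO, Ollama, ...).
readonly LAN_CIDR="192.168.1.0/24"

#######################################
# Print a diagnostic to stderr and abort the run.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Install one config file from SCRIPT_DIR with fixed ownership and mode.
# `install` is used instead of `cp` so the destination is always root:root
# with a known mode, regardless of how the checked-out source was permissioned
# or what mode a pre-existing destination happened to have.
# Arguments: $1 - file name relative to SCRIPT_DIR
#            $2 - destination path
#            $3 - octal mode (default 0644)
#######################################
install_file() {
  local src="$SCRIPT_DIR/$1" dst=$2 mode=${3:-0644}
  [[ -f "$src" ]] || die "missing config file: $src"
  install -o root -g root -m "$mode" -- "$src" "$dst"
}

setup_nginx() {
  echo "[1/6] Installing nginx configs..."
  install_file nginx-llms3.conf /etc/nginx/sites-available/llms3
  install_file nginx-kb.conf /etc/nginx/sites-available/kb
  ln -sf /etc/nginx/sites-available/llms3 /etc/nginx/sites-enabled/llms3
  ln -sf /etc/nginx/sites-available/kb /etc/nginx/sites-enabled/kb
  # `nginx -t && reload` does not trip set -e when the test fails, so a bad
  # config used to be reported as OK. Fail loudly instead.
  nginx -t || die "nginx config test failed; not reloading"
  systemctl reload nginx
  echo " nginx OK"
}

setup_systemd() {
  echo "[2/6] Installing systemd unit..."
  install_file llm-team-ui.service /etc/systemd/system/llm-team-ui.service
  systemctl daemon-reload
  # Enable only (no start), as before; the service comes up on next boot or
  # when started explicitly.
  systemctl enable llm-team-ui
  echo " systemd OK"
}

setup_fail2ban() {
  echo "[3/6] Installing fail2ban config..."
  install_file fail2ban-jail.local /etc/fail2ban/jail.local
  # Validate before restarting so a typo does not leave fail2ban stopped
  # while sshd stays exposed on 22/tcp.
  fail2ban-client -t >/dev/null || die "fail2ban config test failed; not restarting"
  systemctl restart fail2ban
  echo " fail2ban OK"
}

setup_sysctl() {
  echo "[4/6] Installing kernel security settings..."
  install_file sysctl-security.conf /etc/sysctl.d/99-security.conf
  # Only stdout is silenced: a key the running kernel rejects must stay visible,
  # otherwise a hardening setting can be missing without anyone noticing.
  sysctl --system >/dev/null
  echo " sysctl OK"
}

setup_ssh() {
  echo "[5/6] Installing SSH config..."
  # Validate the NEW file before it replaces the live one. Copying first and
  # testing afterwards leaves a broken sshd_config installed for the next
  # sshd restart even when the reload is skipped — a remote lockout risk.
  sshd -t -f "$SCRIPT_DIR/sshd_config" || die "sshd_config failed validation; not installed"
  # 0600: only root (which sshd runs as) needs to read it.
  install_file sshd_config /etc/ssh/sshd_config 0600
  systemctl reload sshd
  echo " sshd OK"
}

setup_ufw() {
  echo "[6/6] Configuring firewall..."
  ufw default deny incoming
  ufw default allow outgoing
  # SSH (internet-facing; brute force is rate-limited by fail2ban)
  ufw allow 22/tcp
  # HTTP/HTTPS
  ufw allow 80/tcp comment "HTTP web server"
  ufw allow 443/tcp comment "HTTPS web server"
  # LAN services
  ufw allow from "$LAN_CIDR" to any port 139,445 proto tcp
  ufw allow from "$LAN_CIDR" to any port 137,138 proto udp
  ufw allow from "$LAN_CIDR" to any port 5000 comment "LLM Team UI"
  ufw allow from "$LAN_CIDR" to any port 9000 comment "MinIO LAN only"
  # ufw evaluates rules in order: the LAN allow above is matched before this deny.
  ufw deny 9000 comment "Block MinIO external"
  ufw allow from "$LAN_CIDR" to any port 11434 comment "Ollama internal"
  ufw allow from "$LAN_CIDR" to any port 18789 comment "OpenClaw brain"
  # llms3.com Bun app — internet-facing on purpose. TODO(review): confirm it
  # should be reachable directly rather than only through the nginx vhost.
  ufw allow 3030/tcp
  # Enable LAST. Rules can be added while ufw is inactive, so the first
  # activation already permits SSH; enabling first with default-deny and no
  # 22/tcp rule yet risked cutting off the session that is running this script.
  ufw --force enable
  echo " ufw OK"
}

main() {
  # All steps write under /etc and talk to systemd; fail early if not root
  # rather than half-way through with some configs already replaced.
  [[ "${EUID:-$(id -u)}" -eq 0 ]] || die "this script must be run as root"

  echo "=== LLM Team UI Server Setup ==="
  setup_nginx
  setup_systemd
  setup_fail2ban
  setup_sysctl
  setup_ssh
  setup_ufw

  echo ""
  echo "=== Setup complete ==="
  echo "Remaining manual steps:"
  echo " 1. Add SSH public key: ssh-copy-id profit@"
  echo " 2. Then set PasswordAuthentication no in /etc/ssh/sshd_config"
  echo " 3. Update DNS to point to this server, then run:"
  echo " certbot --nginx -d llms3.com -d www.llms3.com"
}

main "$@"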