root 6ea457d01d Add server security configs and setup script
- Nginx configs with security headers (X-Frame-Options, CSP, etc.)
- fail2ban jails for nginx (botsearch, bad-request, forbidden)
- Kernel hardening via sysctl (rp_filter, no redirects, log martians)
- SSH hardening (no root, max 3 attempts, no X11)
- UFW rules export
- Idempotent setup.sh to restore all configs on fresh install
- Flask bound to 127.0.0.1 (nginx-only access)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 04:47:54 -05:00


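#!/bin/bash
# Server security setup for LLM Team UI (brain / island37.com)
#
# Installs the nginx, systemd, fail2ban, sysctl, sshd and ufw configuration
# that ships next to this script. Run as root. Idempotent — safe to re-run:
# every config is validated BEFORE it is put into service, an already-applied
# "PasswordAuthentication no" is carried forward across re-runs, and the
# firewall is enabled only after its rules exist.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
readonly SCRIPT_DIR

# Print a message to stderr and abort. A half-applied hardening step must
# never be reported as "OK", so every validation failure goes through here.
die() {
  printf 'setup.sh: %s\n' "$*" >&2
  exit 1
}

# Copy a config file into place as root:root with a fixed mode, so the mode
# of the git checkout (or the umask of whoever cloned it) never leaks into
# /etc. $1 = source, $2 = destination, $3 = mode (default 0644).
install_conf() {
  install -o root -g root -m "${3:-0644}" -- "$1" "$2"
}

[[ $EUID -eq 0 ]] || die "must be run as root"
# Fail before touching anything if a bundled file is missing, rather than
# stopping halfway with some services reconfigured and others not.
for f in nginx-llms3.conf nginx-kb.conf llm-team-ui.service \
         fail2ban-jail.local sysctl-security.conf sshd_config; do
  [[ -f "$SCRIPT_DIR/$f" ]] || die "missing $SCRIPT_DIR/$f"
done

echo "=== LLM Team UI Server Setup ==="

# --- Nginx ---
echo "[1/6] Installing nginx configs..."
install_conf "$SCRIPT_DIR/nginx-llms3.conf" /etc/nginx/sites-available/llms3
install_conf "$SCRIPT_DIR/nginx-kb.conf" /etc/nginx/sites-available/kb
ln -sf /etc/nginx/sites-available/llms3 /etc/nginx/sites-enabled/llms3
ln -sf /etc/nginx/sites-available/kb /etc/nginx/sites-enabled/kb
# Not `nginx -t && systemctl reload nginx`: under `set -e` a failing left-hand
# side of && does NOT abort the script, so a broken config would be left in
# sites-enabled and the run would still print "nginx OK".
nginx -t || die "nginx config test failed; running nginx left untouched"
systemctl reload nginx
echo " nginx OK"

# --- Systemd ---
echo "[2/6] Installing systemd unit..."
install_conf "$SCRIPT_DIR/llm-team-ui.service" /etc/systemd/system/llm-team-ui.service
systemctl daemon-reload
# enable only (no --now): a re-run must not restart a service that is up.
systemctl enable llm-team-ui
echo " systemd OK"

# --- Fail2ban ---
echo "[3/6] Installing fail2ban config..."
install_conf "$SCRIPT_DIR/fail2ban-jail.local" /etc/fail2ban/jail.local
# Dry-run the parsed jail config before restarting, so a typo does not leave
# fail2ban down (and the nginx jails inactive) while the run reports "OK".
if command -v fail2ban-client >/dev/null 2>&1; then
  fail2ban-client -t >/dev/null || die "fail2ban config test failed"
fi
systemctl restart fail2ban
echo " fail2ban OK"

# --- Sysctl ---
echo "[4/6] Installing kernel security settings..."
install_conf "$SCRIPT_DIR/sysctl-security.conf" /etc/sysctl.d/99-security.conf
# Silence only the "* Applying ..." listing on stdout; keep stderr so an
# unknown or rejected key is visible instead of being swallowed.
sysctl --system >/dev/null
echo " sysctl OK"

# --- SSH ---
echo "[5/6] Installing SSH config..."
staged="$(mktemp)" || die "mktemp failed"
trap 'rm -f -- "$staged"' EXIT
cp -- "$SCRIPT_DIR/sshd_config" "$staged"
# Carry the manual post-install step forward: if the live config already has
# "PasswordAuthentication no" and the repo copy does not, a plain overwrite
# would silently re-enable password logins on every re-run. Drop any existing
# PasswordAuthentication line and prepend "no" — sshd honours the first value
# it sees, and line 1 precedes any Include or Match block.
pa_re='^[[:space:]]*PasswordAuthentication[[:space:]]+no'
if grep -qiE "$pa_re" /etc/ssh/sshd_config 2>/dev/null \
   && ! grep -qiE "$pa_re" "$staged"; then
  sed -i -E '/^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]/d' "$staged"
  sed -i '1i PasswordAuthentication no' "$staged"
  echo " preserved PasswordAuthentication no from existing config"
fi
# Validate the staged file, not the live one: copying first and testing after
# leaves a broken sshd_config in place exactly when the test fails, which is
# a lockout waiting for the next sshd restart.
sshd -t -f "$staged" || die "sshd config test failed; /etc/ssh/sshd_config left untouched"
install_conf "$staged" /etc/ssh/sshd_config 0644
systemctl reload sshd
echo " sshd OK"

# --- UFW ---
echo "[6/6] Configuring firewall..."
# Rules first, enable last. With deny-incoming as the default policy,
# enabling before the port-22 rule exists drops new SSH connections for the
# window in which the rules are still being added.
ufw default deny incoming
ufw default allow outgoing
# SSH
ufw allow 22/tcp
# HTTP/HTTPS (nginx terminates TLS and adds the security headers)
ufw allow 80/tcp comment "HTTP web server"
ufw allow 443/tcp comment "HTTPS web server"
# LAN services
ufw allow from 192.168.1.0/24 to any port 139,445 proto tcp
ufw allow from 192.168.1.0/24 to any port 137,138 proto udp
# NOTE(review): the Flask app is meant to bind 127.0.0.1 (nginx-only access),
# in which case this rule is dead; keep it only if the app really listens on a
# LAN address — confirm.
ufw allow from 192.168.1.0/24 to any port 5000 comment "LLM Team UI"
ufw allow from 192.168.1.0/24 to any port 9000 comment "MinIO LAN only"
# Redundant with the default policy, but documents intent and keeps MinIO
# closed even if someone later flips the default to allow.
ufw deny 9000 comment "Block MinIO external"
ufw allow from 192.168.1.0/24 to any port 11434 comment "Ollama internal"
ufw allow from 192.168.1.0/24 to any port 18789 comment "OpenClaw brain"
# llms3.com Bun app
# NOTE(review): 3030 is open to the Internet, bypassing nginx's security
# headers and the fail2ban nginx jails. If nginx already proxies this app,
# restrict it to 127.0.0.1 or the LAN like the other services — confirm.
ufw allow 3030/tcp
ufw --force enable
echo " ufw OK"

echo ""
echo "=== Setup complete ==="
echo "Remaining manual steps:"
echo " 1. Add SSH public key: ssh-copy-id profit@<this-host>"
echo " 2. Then set PasswordAuthentication no in /etc/ssh/sshd_config"
echo " 3. Update DNS to point to this server, then run:"
echo " certbot --nginx -d llms3.com -d www.llms3.com"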