Infomaniak VPS einrichten

VPS Setup Doku

1. System Update

Bash
sudo apt update && sudo apt upgrade -y

2. User erstellen

Bash
sudo adduser michu
sudo usermod -aG sudo michu
sudo mkdir -p /home/michu/.ssh
sudo cp ~/.ssh/authorized_keys /home/michu/.ssh/authorized_keys
sudo chown -R michu:michu /home/michu/.ssh
sudo chmod 700 /home/michu/.ssh
sudo chmod 600 /home/michu/.ssh/authorized_keys
Bash
# Neues Terminal öffnen und ssh michu@ip testen
sudo whoami
# muss root zeigen
Bash
#erst dann
sudo usermod -L -s /sbin/nologin ubuntu

3. SSH härten

Bash
sudo nano /etc/ssh/sshd_config
Bash
#werte
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
MaxAuthTries 3
MaxSessions 2
Bash
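sudo sshd -t   # should print nothing; any output points to a configuration error
# Also check the values sshd will actually use. If sshd_config contains an
# Include line for /etc/ssh/sshd_config.d/*.conf, a drop-in file there (cloud
# images often ship one) can set PasswordAuthentication before this file does,
# and sshd keeps the first value it reads for a keyword.
sudo sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication|pubkeyauthentication|kbdinteractiveauthentication) '
# Expected: permitrootlogin no, passwordauthentication no,
# pubkeyauthentication yes, kbdinteractiveauthentication no
# (ChallengeResponseAuthentication is the older name of the last keyword).
# If a line differs, correct the drop-in file before restarting ssh.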
Bash
# Neues Terminal öffnen und Login testen.
# Wenn es geht, in alter Session:
sudo systemctl restart ssh

4. Fail2Ban einrichten

Bash
sudo apt install fail2ban -y
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
Bash
#werte ganz unten in sshd sektion
[sshd]
enabled = true
port = ssh
filter = sshd
maxretry = 3
bantime = 86400
findtime = 600
logpath = %(sshd_log)s
backend = %(sshd_backend)s
Bash
sudo systemctl restart fail2ban
sudo systemctl enable fail2ban

5. Automatische Updates

Bash
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades

6. Audit Logging

Bash
sudo apt install auditd audispd-plugins -y
sudo systemctl enable auditd
sudo systemctl start auditd
Bash
#audit abfragen
sudo ausearch -ts today
Bash
#live audit abfragen
sudo tail -f /var/log/audit/audit.log

7. Shared Memory sichern

Bash
sudo nano /etc/fstab
Bash
#wert am ende anfügen
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
Bash
# Reload systemd so it picks up the edited /etc/fstab
sudo systemctl daemon-reload
# Remount the shared-memory tmpfs so the options apply without a reboot
sudo mount -o remount /dev/shm
# Verify: the line printed for /dev/shm must list both noexec and nosuid.
# NOTE(review): the fstab entry above names /run/shm while these commands
# operate on /dev/shm. If the options are missing in this output, the entry does
# not apply to this mount - confirm which path the system actually mounts and
# use that path in /etc/fstab.
mount | grep /dev/shm

8. Sysctl Network Hardening

Bash
sudo nano /etc/sysctl.conf
Bash
#am ende anfügen
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Bash
sudo sysctl -p

9. Swap einrichten

Bash
#beispiel mit kleinem vps mit 2gb ram
sudo fallocate -l 1G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
Bash
#4GB Ram
sudo fallocate -l 2G /swapfile
#8GB Ram
sudo fallocate -l 4G /swapfile
#16GB Ram
sudo fallocate -l 4G /swapfile
#32GB Ram
sudo fallocate -l 4G /swapfile

10. Timezone manuell setzen

Bash
sudo timedatectl set-timezone Europe/Zurich

11. rclone installieren

Bash
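# Fetch the installer to a file first instead of piping it from the network
# straight into a root shell, so it can be read before it runs with sudo.
installer=$(mktemp)
curl -fsSL -o "$installer" https://rclone.org/install.sh
less "$installer"   # review what is about to run as root
sudo bash "$installer"
rm -f -- "$installer"
mkdir -p ~/.config/rclone
# rclone.conf will hold the storage credentials: keep the directory private
chmod 700 ~/.config/rclone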
Bash
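# Set up rclone.conf
# 1. In the Infomaniak Manager → Swiss Backup → device → download rclone.conf
# 2. Upload it to the VPS (from the Mac):
scp ~/Downloads/rclone.conf michu@IP:~/.config/rclone/rclone.conf
# On the VPS: the file holds the storage credentials, and a file copied with
# scp may end up readable by other local users. Restrict it to the owner.
chmod 600 ~/.config/rclone/rclone.conf

# 3. Generate a new password for the device in the Infomaniak Manager:
nano ~/.config/rclone/rclone.conf
# key = [password] → replace with the generated password

# 4. Test the connection:
rclone lsd <remote-name>:
# remote-name is listed in rclone.conf, e.g. sb_project_SBI-XXXXXX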
Bash
#dropbox einrichten
# Auf VPS:
rclone config
# → n → Name: dropbox → Storage: dropbox → client_id: leer → client_secret: leer
# → advanced: n → web browser: n

# Auf Mac (neues Terminal lokal):
rclone authorize "dropbox"
# Browser öffnet sich → Dropbox autorisieren → Token kopieren

# Token auf VPS einfügen (alles zwischen und mit {}) → y → q

#verbindung testen
rclone lsd dropbox:

12. Docker installieren

Bash
sudo apt install -y docker.io docker-compose
sudo systemctl enable docker
sudo systemctl start docker

13. Backup Skript

Bash
nano ~/backup.sh

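#!/bin/bash
#
# backup.sh - archive the app directory, /etc and the Forgejo and Uptime-Kuma
# Docker volumes, upload the archives to Swiss Backup and to Dropbox, then
# prune remote files older than 7 days.
#
# The guide runs this as root (sudo / root's crontab). The inner sudo calls are
# kept so the script also works when started by a sudo-capable user.
#
# Exit status: 0 when every archive was created and both uploads succeeded,
# 1 otherwise.

set -uo pipefail

DATE=$(date +%d-%m-%Y)
REMOTE="sb_project_SBI-MG301561"
DROPBOX="dropbox:BACKUPS/INFOMANIAK-VPS/VPS-LITE"
RCLONE_CONFIG="/home/michu/.config/rclone/rclone.conf"

# Print an error to stderr (so it lands in the cron log) and stop.
die() {
  printf '❌ %s\n' "$*" >&2
  exit 1
}

# /tmp is world-writable. A fixed, guessable directory name could be created
# (or symlinked) by another local user before this root-run script writes into
# it. mktemp picks an unpredictable name and creates the directory with mode
# 0700, which also keeps the /etc archive unreadable for other users.
BACKUP_DIR=$(mktemp -d "/tmp/vps-lite-$DATE.XXXXXX") || die "mktemp fehlgeschlagen"

# Remove the staging directory on every exit path, including failures.
cleanup() {
  sudo rm -rf -- "${BACKUP_DIR:?}"
}
trap cleanup EXIT

# Run a GNU tar command. tar exits with 1 when a file changed while it was
# being read; the archive is still written, so only status 2 and above counts
# as a failure.
host_tar() {
  local rc=0
  "$@" || rc=$?
  (( rc <= 1 ))
}

echo "📦 App sichern..."
# "-C / home/michu/app" stores the same member names as the absolute path would
# (tar strips the leading "/"), without the warning on stderr.
host_tar tar czf "$BACKUP_DIR/app.tar.gz" -C / home/michu/app \
  || die "App-Archiv konnte nicht erstellt werden"

echo "📦 /etc sichern..."
# stderr is no longer discarded: permission or I/O errors must be visible.
host_tar sudo tar czf "$BACKUP_DIR/etc.tar.gz" -C / etc \
  || die "/etc-Archiv konnte nicht erstellt werden"

# NOTE(review): "alpine" resolves to whatever the registry currently serves as
# latest. These helper containers run as root with access to the data volumes;
# consider pinning a tag or digest.
echo "📦 Forgejo Volume sichern..."
# The data volume is mounted read-only: the helper only needs to read it.
sudo docker run --rm \
  -v docker_forgejo:/data:ro \
  -v "$BACKUP_DIR":/backup \
  alpine tar czf /backup/forgejo.tar.gz /data \
  || die "Forgejo-Volume konnte nicht gesichert werden"

echo "📦 Uptime-Kuma Volume sichern..."
sudo docker run --rm \
  -v uptime-kuma:/data:ro \
  -v "$BACKUP_DIR":/backup \
  alpine tar czf /backup/uptime-kuma.tar.gz /data \
  || die "Uptime-Kuma-Volume konnte nicht gesichert werden"

status=0
swiss_ok=0
dropbox_ok=0

echo "☁️  Upload zu Swiss Backup..."
if rclone --config "$RCLONE_CONFIG" --progress sync "$BACKUP_DIR" "$REMOTE:default/vps-lite-$DATE"; then
  swiss_ok=1
else
  status=1
  echo "❌ Upload zu Swiss Backup fehlgeschlagen - alte Backups bleiben dort erhalten." >&2
fi

echo "☁️  Upload zu Dropbox..."
if rclone --config "$RCLONE_CONFIG" --progress sync "$BACKUP_DIR" "$DROPBOX/vps-lite-$DATE"; then
  dropbox_ok=1
else
  status=1
  echo "❌ Upload zu Dropbox fehlgeschlagen - alte Backups bleiben dort erhalten." >&2
fi

echo "🧹 Alte Backups löschen (älter als 7 Tage)..."
# Retention runs per remote and only after today's upload to that remote
# succeeded. Otherwise a week of failed uploads would leave the remote empty.
# NOTE(review): the delete covers everything below the remote path, not only
# the vps-lite-* directories - keep nothing else there.
if (( swiss_ok )); then
  rclone --config "$RCLONE_CONFIG" delete --min-age 7d "$REMOTE:default/" || status=1
  rclone --config "$RCLONE_CONFIG" rmdirs "$REMOTE:default/" || status=1
fi
if (( dropbox_ok )); then
  rclone --config "$RCLONE_CONFIG" delete --min-age 7d "$DROPBOX/" || status=1
  rclone --config "$RCLONE_CONFIG" rmdirs "$DROPBOX/" || status=1
fi

echo "🧹 Aufräumen..."
cleanup
trap - EXIT

if (( status != 0 )); then
  die "Backup vps-lite-$DATE unvollständig - siehe Meldungen oben."
fi

echo "✅ Backup vps-lite-$DATE abgeschlossen."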

chmod +x ~/backup.sh
Bash
#backup.sh ausführen
sudo ~/backup.sh

14. Cronjob einrichten

Bash
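# Root's crontab runs the script with full privileges. A copy in michu's home
# can be modified by anything running as michu and would then execute as root
# at the next run, so install a root-owned copy outside the home directory.
# Repeat this step whenever ~/backup.sh is changed.
sudo install -o root -g root -m 0700 /home/michu/backup.sh /usr/local/sbin/backup.sh
sudo crontab -e
# choose nano (1) and press Enter, then add:
0 2 * * * /usr/local/sbin/backup.sh >> /var/log/backup.log 2>&1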

15. Backup Restore Skripts

Bash
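# Write the restore script for Swiss Backup
cat > ~/restore-swiss.sh << 'EOF'
#!/bin/bash
#
# restore-swiss.sh DD-MM-YYYY
#
# Download the backup set of the given date from Swiss Backup and unpack /etc,
# the app directory and the Forgejo and Uptime-Kuma Docker volumes.
# The archives are unpacked as root over /, so they are trusted completely:
# restore only sets that were written by backup.sh.

set -uo pipefail

DATE=${1:-}
REMOTE="sb_project_SBI-MG301561"
RCLONE_CONFIG="/home/michu/.config/rclone/rclone.conf"

# Print an error to stderr and stop.
die() {
  printf '❌ %s\n' "$*" >&2
  exit 1
}

if [ -z "$DATE" ]; then
  echo "❌ Datum angeben: ./restore-swiss.sh 12-05-2026"
  exit 1
fi

# DATE becomes part of the remote path and of a directory name that is removed
# with rm -rf at the end of a root-run script. Accept nothing but DD-MM-YYYY so
# that a value containing "/" or ".." can never steer those paths.
[[ "$DATE" =~ ^[0-9]{2}-[0-9]{2}-[0-9]{4}$ ]] \
  || die "Ungültiges Datum (erwartet TT-MM-JJJJ): $DATE"

# /tmp is world-writable: let mktemp create a private (mode 0700) directory
# with an unpredictable name instead of using a fixed path.
RESTORE_DIR=$(mktemp -d "/tmp/restore-$DATE.XXXXXX") || die "mktemp fehlgeschlagen"

# Remove the staging directory on every exit path, including failures.
cleanup() {
  rm -rf -- "${RESTORE_DIR:?}"
}
trap cleanup EXIT

echo "⬇️  Download von Swiss Backup..."
rclone --config "$RCLONE_CONFIG" --progress sync "$REMOTE:default/vps-lite-$DATE" "$RESTORE_DIR" \
  || die "Download von Swiss Backup fehlgeschlagen"

# Unpack nothing unless the complete set is present: a partial restore over /
# leaves the system in a mixed state.
for archive in etc.tar.gz app.tar.gz forgejo.tar.gz uptime-kuma.tar.gz; do
  [ -s "$RESTORE_DIR/$archive" ] || die "Archiv fehlt oder ist leer: $archive"
done

echo "📦 /etc wiederherstellen..."
sudo tar xzf "$RESTORE_DIR/etc.tar.gz" -C / \
  || die "/etc konnte nicht wiederhergestellt werden"

echo "📦 App wiederherstellen..."
tar xzf "$RESTORE_DIR/app.tar.gz" -C / \
  || die "App konnte nicht wiederhergestellt werden"

echo "📦 Forgejo Volume wiederherstellen..."
sudo docker volume create docker_forgejo
# The archive directory is mounted read-only: the helper only reads from it.
sudo docker run --rm \
  -v docker_forgejo:/data \
  -v "$RESTORE_DIR":/backup:ro \
  alpine tar xzf /backup/forgejo.tar.gz -C / \
  || die "Forgejo-Volume konnte nicht wiederhergestellt werden"

echo "📦 Uptime-Kuma Volume wiederherstellen..."
sudo docker volume create uptime-kuma
sudo docker run --rm \
  -v uptime-kuma:/data \
  -v "$RESTORE_DIR":/backup:ro \
  alpine tar xzf /backup/uptime-kuma.tar.gz -C / \
  || die "Uptime-Kuma-Volume konnte nicht wiederhergestellt werden"

echo "🧹 Aufräumen..."
cleanup
trap - EXIT

echo "✅ Restore $DATE abgeschlossen."
echo "👉 Docker starten: cd ~/app && sudo docker-compose up -d"
EOF
chmod +x ~/restore-swiss.sh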
Bash
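# Write the restore script for Dropbox
cat > ~/restore-dropbox.sh << 'EOF'
#!/bin/bash
#
# restore-dropbox.sh DD-MM-YYYY
#
# Download the backup set of the given date from Dropbox and unpack /etc, the
# app directory and the Forgejo and Uptime-Kuma Docker volumes.
# The archives are unpacked as root over /, so they are trusted completely:
# restore only sets that were written by backup.sh.

set -uo pipefail

DATE=${1:-}
DROPBOX="dropbox:BACKUPS/INFOMANIAK-VPS/VPS-LITE"
RCLONE_CONFIG="/home/michu/.config/rclone/rclone.conf"

# Print an error to stderr and stop.
die() {
  printf '❌ %s\n' "$*" >&2
  exit 1
}

if [ -z "$DATE" ]; then
  echo "❌ Datum angeben: ./restore-dropbox.sh 12-05-2026"
  exit 1
fi

# DATE becomes part of the remote path and of a directory name that is removed
# with rm -rf at the end of a root-run script. Accept nothing but DD-MM-YYYY so
# that a value containing "/" or ".." can never steer those paths.
[[ "$DATE" =~ ^[0-9]{2}-[0-9]{2}-[0-9]{4}$ ]] \
  || die "Ungültiges Datum (erwartet TT-MM-JJJJ): $DATE"

# /tmp is world-writable: let mktemp create a private (mode 0700) directory
# with an unpredictable name instead of using a fixed path.
RESTORE_DIR=$(mktemp -d "/tmp/restore-$DATE.XXXXXX") || die "mktemp fehlgeschlagen"

# Remove the staging directory on every exit path, including failures.
cleanup() {
  rm -rf -- "${RESTORE_DIR:?}"
}
trap cleanup EXIT

echo "⬇️  Download von Dropbox..."
rclone --config "$RCLONE_CONFIG" --progress sync "$DROPBOX/vps-lite-$DATE" "$RESTORE_DIR" \
  || die "Download von Dropbox fehlgeschlagen"

# Unpack nothing unless the complete set is present: a partial restore over /
# leaves the system in a mixed state.
for archive in etc.tar.gz app.tar.gz forgejo.tar.gz uptime-kuma.tar.gz; do
  [ -s "$RESTORE_DIR/$archive" ] || die "Archiv fehlt oder ist leer: $archive"
done

echo "📦 /etc wiederherstellen..."
sudo tar xzf "$RESTORE_DIR/etc.tar.gz" -C / \
  || die "/etc konnte nicht wiederhergestellt werden"

echo "📦 App wiederherstellen..."
tar xzf "$RESTORE_DIR/app.tar.gz" -C / \
  || die "App konnte nicht wiederhergestellt werden"

echo "📦 Forgejo Volume wiederherstellen..."
sudo docker volume create docker_forgejo
# The archive directory is mounted read-only: the helper only reads from it.
sudo docker run --rm \
  -v docker_forgejo:/data \
  -v "$RESTORE_DIR":/backup:ro \
  alpine tar xzf /backup/forgejo.tar.gz -C / \
  || die "Forgejo-Volume konnte nicht wiederhergestellt werden"

echo "📦 Uptime-Kuma Volume wiederherstellen..."
sudo docker volume create uptime-kuma
sudo docker run --rm \
  -v uptime-kuma:/data \
  -v "$RESTORE_DIR":/backup:ro \
  alpine tar xzf /backup/uptime-kuma.tar.gz -C / \
  || die "Uptime-Kuma-Volume konnte nicht wiederhergestellt werden"

echo "🧹 Aufräumen..."
cleanup
trap - EXIT

echo "✅ Restore $DATE abgeschlossen."
echo "👉 Docker starten: cd ~/app && sudo docker-compose up -d"
EOF
chmod +x ~/restore-dropbox.sh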
Bash
# ausführen mit datum
sudo ~/restore-swiss.sh 12-05-2026
# oder
sudo ~/restore-dropbox.sh 12-05-2026
Bash
cd ~/app && sudo docker-compose up -d
# ab hier läuft alles wieder

Ubuntu 24.04 Server einrichten