CFTS Internal

README

rproxy Ubuntu 24.x rebuild

This folder holds the rebuild path for rproxy.cfts.co from a minimal Ubuntu 24.x LTS install.

The script installs the rproxy packages, applies the repo-owned Caddy/Fail2Ban/GoAccess/unattended-upgrades config, configures SSH on port 4422, sets up SNMP for PRTG, and recreates the UFW posture captured from the live host.

Run

Copy this repository to the new Ubuntu host, then run from the repository root:

sudo bash rebuild/install-rproxy-ubuntu24.sh

If you are on the VM console and want the script to apply the static IP during the run:

sudo APPLY_NETPLAN=1 bash rebuild/install-rproxy-ubuntu24.sh

By default the script writes and validates /etc/netplan/50-cloud-init.yaml but does not apply it. That avoids cutting off an SSH session during a rebuild rehearsal.

Defaults

The captured target values are baked in as overridable environment variables:

RPROXY_HOSTNAME=rproxy.cfts.co
RPROXY_IFACE=ens33
RPROXY_ADDRESS=172.16.198.60/24
RPROXY_GATEWAY=172.16.198.254
RPROXY_DNS_1=172.16.198.15
RPROXY_DNS_2=172.16.198.49
RPROXY_DNS_SEARCH=cfts.local
RPROXY_TIMEZONE=Africa/Kampala
SYSOPS_USER=sysops
SSH_PORT=4422
SSH_ALLOWED_CIDR=172.16.198.0/24
PRTG_HOST=172.16.198.50
SNMP_COMMUNITY=cfts

Example override:

sudo RPROXY_IFACE=ens160 APPLY_NETPLAN=1 bash rebuild/install-rproxy-ubuntu24.sh

What It Does Not Do

  • It does not copy SSH host private keys from the ignored capture folder. A rebuilt VM will present new SSH host key fingerprints unless those are restored manually, so clients that still have the old key in known_hosts will see a changed-host-key warning on first connection.
  • It does not create public DNS, router/NAT, VMware, or upstream host firewall rules.
  • It creates the sysops user if missing, but with no password. Set a password or install SSH keys before relying on remote access.

Post-Run Checks

hostnamectl
resolvectl status
ip addr show ens33
ip route
sudo ufw status verbose
sudo systemctl status ssh caddy fail2ban snmpd caddy-goaccess-report.timer --no-pager -l
sudo fail2ban-client status
sudo caddy validate --config /etc/caddy/Caddyfile --adapter caddyfile

The expected exposed services are:

  • Public: 80/tcp, 443/tcp
  • LAN only: SSH on 4422
  • PRTG only: SNMP on 161/udp from 172.16.198.50
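The post-run checks above leave the comparison against the expected exposure to the operator reading `ufw status`. The script below is an added example, not part of this repository's rebuild script: it reduces `ufw status` (plain or verbose form) to "port/proto source" pairs and reports any inbound ALLOW rule that is not in the list above, as well as any expected rule that is missing. The file name `check-ufw-posture.sh`, the `--live`/`--sample` flags and the sample output are assumptions made for this example; the expected rule set is taken from the list in this README.

```shell
#!/usr/bin/env bash
# Added example (not part of the rebuild script): compare the host's UFW ALLOW
# rules against the exposure documented in the README and report drift.
# Usage:  bash check-ufw-posture.sh --sample    (constructed data below)
#         sudo bash check-ufw-posture.sh --live (parses the real `ufw status`)
set -u

# Expected exposed services from the README, as "port/proto source".
# "Anywhere" is UFW's own wording for an unrestricted IPv4 source.
EXPECTED_RULES='80/tcp Anywhere
443/tcp Anywhere
4422/tcp 172.16.198.0/24
161/udp 172.16.198.50'

# Constructed sample of `sudo ufw status` output for offline use. The final
# 8080/tcp rule is deliberate drift that the check must flag.
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
4422/tcp                   ALLOW       172.16.198.0/24
161/udp                    ALLOW       172.16.198.50
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
8080/tcp                   ALLOW       Anywhere'

# Reduce `ufw status` (plain or verbose) to one "port/proto source" line per
# IPv4 ALLOW rule. IPv6 "(v6)" lines carry "(v6)" in field 2 and are skipped,
# because the posture in the README is written in IPv4 terms.
normalise_ufw() {
    awk '
        $2 != "ALLOW" { next }               # header, separator, DENY/REJECT/LIMIT
        $3 == "OUT"   { next }               # egress rules are not inbound exposure
        $3 == "IN"    { print $1, $4; next } # `ufw status verbose` form
                      { print $1, $3 }       # plain `ufw status` form
    '
}

# Print every ALLOW rule present on the host but absent from EXPECTED_RULES.
unexpected_rules() {
    printf '%s\n' "$1" | normalise_ufw | while read -r rule; do
        printf '%s\n' "$EXPECTED_RULES" | grep -Fqx -- "$rule" || printf '%s\n' "$rule"
    done
}

# Print every expected rule that the host is missing.
missing_rules() {
    actual=$(printf '%s\n' "$1" | normalise_ufw)
    printf '%s\n' "$EXPECTED_RULES" | while read -r rule; do
        printf '%s\n' "$actual" | grep -Fqx -- "$rule" || printf '%s\n' "$rule"
    done
}

# Succeed only when the host's inbound ALLOW rules match the README exactly.
check_ufw_posture() {
    unexpected=$(unexpected_rules "$1")
    missing=$(missing_rules "$1")
    if [ -n "$unexpected" ]; then
        printf 'UNEXPECTED ALLOW rule(s):\n%s\n' "$unexpected" >&2
    fi
    if [ -n "$missing" ]; then
        printf 'MISSING expected rule(s):\n%s\n' "$missing" >&2
    fi
    [ -z "$unexpected" ] && [ -z "$missing" ]
}

case "${1:-}" in
    --live)   check_ufw_posture "$(ufw status)" ;;
    --sample) check_ufw_posture "$SAMPLE_UFW_STATUS" ;;
esac
```

Run it with `--sample` to see the 8080/tcp stray rule reported, or with `--live` as root after the rebuild to confirm the firewall matches the list above. The check is deliberately exact in both directions: an extra ALLOW rule is unexpected exposure, and a missing one (for example the 161/udp rule for PRTG) means monitoring will silently fail. IPv6 rules are not compared, so if the host later gains IPv6 addresses the expected set needs extending.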