# rproxy Ubuntu 24.x rebuild

This folder holds the rebuild path for `rproxy.cfts.co` from a minimal Ubuntu 24.x LTS install.

The script installs the rproxy packages, applies the repo-owned Caddy/Fail2Ban/GoAccess/unattended-upgrades config, configures SSH on port `4422`, sets up SNMP for PRTG, and recreates the UFW posture captured from the live host.

## Run

Copy this repository to the new Ubuntu host, then run from the repository root:

```sh
sudo bash rebuild/install-rproxy-ubuntu24.sh
```

If you are on the VM console and want the script to apply the static IP during the run:

```sh
sudo APPLY_NETPLAN=1 bash rebuild/install-rproxy-ubuntu24.sh
```

By default the script writes and validates `/etc/netplan/50-cloud-init.yaml` but does not apply it. That avoids cutting off an SSH session during a rebuild rehearsal.

## Defaults

The captured target values are baked in as overridable environment variables:

```sh
RPROXY_HOSTNAME=rproxy.cfts.co
RPROXY_IFACE=ens33
RPROXY_ADDRESS=172.16.198.60/24
RPROXY_GATEWAY=172.16.198.254
RPROXY_DNS_1=172.16.198.15
RPROXY_DNS_2=172.16.198.49
RPROXY_DNS_SEARCH=cfts.local
RPROXY_TIMEZONE=Africa/Kampala
SYSOPS_USER=sysops
SSH_PORT=4422
SSH_ALLOWED_CIDR=172.16.198.0/24
PRTG_HOST=172.16.198.50
SNMP_COMMUNITY=cfts
```

Example override:

```sh
sudo RPROXY_IFACE=ens160 APPLY_NETPLAN=1 bash rebuild/install-rproxy-ubuntu24.sh
```

## What It Does Not Do

- It does not copy SSH host private keys from the ignored capture folder. A rebuilt VM will have new SSH host key fingerprints unless those are restored manually.
- It does not create public DNS, router/NAT, VMware, or upstream host firewall rules.
- It creates the `sysops` user if missing, but with no password. Set a password or install SSH keys before relying on remote access.
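Because the rebuilt VM gets fresh host keys, the safe habit is to record the fingerprints before the rebuild and diff them afterwards, so `known_hosts` is updated deliberately rather than by accepting an unknown key. The helper below is an added example and not part of `install-rproxy-ubuntu24.sh`; it consumes the one-line-per-key output of `ssh-keygen -lf /etc/ssh/ssh_host_*_key.pub`, and the two fingerprint sets embedded in it are constructed placeholders, not values from the live host.

```sh
#!/bin/sh
# Added example: compare SSH host key fingerprints captured before a rebuild with
# those read from the rebuilt host. Input format is what `ssh-keygen -lf <pubkey>`
# prints: "<bits> SHA256:<fp> <comment> (<TYPE>)", one line per key type.
# Both samples below are constructed placeholders, not real fingerprints.

OLD_FPS='256 SHA256:OLDED25519PLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxx root@rproxy (ED25519)
3072 SHA256:RSAPLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx root@rproxy (RSA)'

NEW_FPS='256 SHA256:NEWED25519PLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxx root@rproxy (ED25519)
3072 SHA256:RSAPLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx root@rproxy (RSA)'

compare_hostkeys() {
    # $1: file of pre-rebuild fingerprints, $2: file of post-rebuild fingerprints.
    # Prints one verdict per key type; returns 1 if any key changed or disappeared.
    rc=0
    while read -r _bits fp _rest; do
        type=${_rest##* }                       # last field, e.g. "(ED25519)"
        newfp=$(awk -v t="$type" '$NF == t { print $2 }' "$2")
        if [ -z "$newfp" ]; then
            echo "$type: missing on new host"; rc=1
        elif [ "$newfp" = "$fp" ]; then
            echo "$type: unchanged"
        else
            echo "$type: CHANGED $fp -> $newfp"; rc=1
        fi
    done < "$1"
    return $rc
}

run_compare() {
    # $1, $2: fingerprint text blobs; written to temp files for compare_hostkeys.
    old=$(mktemp); new=$(mktemp)
    printf '%s\n' "$1" > "$old"; printf '%s\n' "$2" > "$new"
    compare_hostkeys "$old" "$new"; rc=$?
    rm -f "$old" "$new"
    return $rc
}

demo_hostkey_drift() { run_compare "$OLD_FPS" "$NEW_FPS"; }   # ED25519 changed: returns 1
demo_hostkey_same()  { run_compare "$OLD_FPS" "$OLD_FPS"; }   # identical sets: returns 0
```

On the real hosts, run `ssh-keygen -lf` over each `/etc/ssh/ssh_host_*_key.pub` into a file on both sides and pass the two files to `compare_hostkeys`. Once a CHANGED verdict is confirmed to be the rebuild and not something else, drop the stale entry with `ssh-keygen -R '[rproxy.cfts.co]:4422'` (the bracketed form is how `known_hosts` records a non-default port) and reconnect.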

## Post-Run Checks

```sh
hostnamectl
resolvectl status
ip addr show ens33
ip route
sudo ufw status verbose
sudo systemctl status ssh caddy fail2ban snmpd caddy-goaccess-report.timer --no-pager -l
sudo fail2ban-client status
sudo caddy validate --config /etc/caddy/Caddyfile --adapter caddyfile
```

The expected exposed services are:

- Public: `80/tcp`, `443/tcp` from anywhere
- LAN only: SSH on `4422/tcp` from `172.16.198.0/24` (`SSH_ALLOWED_CIDR`)
- PRTG only: SNMP on `161/udp` from `172.16.198.50` (`PRTG_HOST`)
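A `ufw status verbose` printout is easy to misread by eye, and a stray rule (for example a `22/tcp` allow left over from an earlier manual step) is exactly what a rebuild rehearsal should catch. The script below is an added example, not part of the repository: it parses `ufw status` output and fails unless the IPv4 rule set is exactly the one listed above. The expected rules are taken from that list; the two sample printouts are constructed to show a clean run and a drifted host, not captured from `rproxy.cfts.co`.

```sh
#!/bin/sh
# Added example: verify that `sudo ufw status` shows exactly the expected rproxy
# posture (80/443 public, SSH 4422 from the LAN, SNMP 161/udp from the PRTG host).
# Expected set is from the README; the sample outputs below are constructed.

EXPECTED_RULES='80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
4422/tcp ALLOW 172.16.198.0/24
161/udp ALLOW 172.16.198.50'

# Constructed: what a good run should print.
SAMPLE_GOOD='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
4422/tcp                   ALLOW       172.16.198.0/24
161/udp                    ALLOW       172.16.198.50
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)'

# Constructed drift case: a stray 22/tcp allow is present and the SNMP rule is missing.
SAMPLE_DRIFT='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
4422/tcp                   ALLOW       172.16.198.0/24'

normalise_ufw() {
    # stdin: ufw status text. Emits "to action from" for every IPv4 rule line after
    # the "--" header. Handles both `ufw status` and `ufw status verbose`: "ALLOW IN"
    # is folded to "ALLOW"; outbound rules keep an OUT marker so they are flagged.
    awk '
        seen && NF >= 3 && $0 !~ /\(v6\)/ {
            action = $2; f = 3
            if ($3 == "IN") { f = 4 } else if ($3 == "OUT") { action = $2 " OUT"; f = 4 }
            print $1, action, $f
        }
        /^--/ { seen = 1 }
    '
}

check_ufw_posture() {
    # $1: file holding `sudo ufw status` output. Returns 0 only when ufw is active and
    # the IPv4 rule set equals EXPECTED_RULES; missing/extra rules go to stderr.
    grep -q '^Status: active' "$1" || { echo "FAIL: ufw not active" >&2; return 1; }
    exp=$(mktemp); act=$(mktemp)
    printf '%s\n' "$EXPECTED_RULES" | sort > "$exp"
    normalise_ufw < "$1" | sort > "$act"
    missing=$(comm -23 "$exp" "$act"); extra=$(comm -13 "$exp" "$act")
    rm -f "$exp" "$act"
    rc=0
    [ -z "$missing" ] || { printf 'FAIL missing rule: %s\n' "$missing" >&2; rc=1; }
    [ -z "$extra" ]   || { printf 'FAIL unexpected rule: %s\n' "$extra" >&2; rc=1; }
    return $rc
}

check_sample() {
    # $1: sample text; written to a temp file so check_ufw_posture sees a real path.
    f=$(mktemp); printf '%s\n' "$1" > "$f"
    check_ufw_posture "$f"; rc=$?
    rm -f "$f"; return $rc
}

demo_ufw_good()  { check_sample "$SAMPLE_GOOD"; }    # returns 0
demo_ufw_drift() { check_sample "$SAMPLE_DRIFT"; }   # returns 1
```

On the rebuilt host, `sudo ufw status > /tmp/ufw.txt && check_ufw_posture /tmp/ufw.txt` gives a pass/fail that can sit alongside the other post-run checks; adjust `EXPECTED_RULES` if `SSH_ALLOWED_CIDR` or `PRTG_HOST` were overridden.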
