docs(setup): make fail2ban opt-in in 70-hardening.sh
CI / commits (pull_request) Successful in 3m51s
CI / scan (pull_request) Successful in 4m13s
CI / check (pull_request) Successful in 4m24s
CI / a11y (pull_request) Successful in 3m49s
Docs site / build (pull_request) Successful in 3m51s
CI / perf (pull_request) Successful in 6m54s
CI / commits (pull_request) Successful in 3m51s
CI / scan (pull_request) Successful in 4m13s
CI / check (pull_request) Successful in 4m24s
CI / a11y (pull_request) Successful in 3m49s
Docs site / build (pull_request) Successful in 3m51s
CI / perf (pull_request) Successful in 6m54s
Three branches now: (1) already running -> skip; (2) installed but stopped -> prompt to enable+start; (3) not installed -> prompt to install+enable+start. Each decline path logs `(user choice)` so a re-run doesn't surprise the dev with a different state. Reasoning: some corp environments already ship brute-force protection at the network layer (ACL / corp firewall / appliance). fail2ban on the host is then redundant and can be the wrong layer to debug from when a rule misfires. The other three hardening steps (UFW, sshd lockdown) were already prompt-gated; fail2ban was the odd one out. Table descriptors in the main doc + setup README updated to make each sub-step's prompt posture visible.
This commit is contained in:
@@ -23,7 +23,7 @@ Modular setup scripts called from the doc above. Each is idempotent, each can be
|
||||
| [`40-node.sh`](scripts/40-node.sh) | nvm + Node from the repo's `.nvmrc` + corepack pinned to `package.json#packageManager`'s pnpm version. |
|
||||
| [`50-docker.sh`](scripts/50-docker.sh) | Docker CE + compose plugin from docker.com apt repo + user added to `docker` group + service enabled at boot. |
|
||||
| [`60-tuning.sh`](scripts/60-tuning.sh) | inotify watches → 524288, optional 4 GB swapfile, optional hostname rename (only prompts if generic). |
|
||||
| [`70-hardening.sh`](scripts/70-hardening.sh) | Best-effort UFW + unattended-upgrades + fail2ban + sshd hardening drop-in. Probes before applying — skips done items. |
|
||||
| [`70-hardening.sh`](scripts/70-hardening.sh) | Best-effort UFW + unattended-upgrades + fail2ban (opt-in) + sshd hardening drop-in. Probes before applying — skips done items, prompts before each install. |
|
||||
| [`80-dotfiles.sh`](scripts/80-dotfiles.sh) | Symlinks `notes/aliases.zsh` → `~/.oh-my-zsh/custom/aliases.zsh`. Copies `notes/gitconfig.txt` to `~/.gitconfig` with prompted identity. |
|
||||
|
||||
## `systemd/`
|
||||
|
||||
Reference in New Issue
Block a user