# 创建用户并加入 sudo 组
useradd -m -s /bin/bash admin
echo 'admin ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/admin
chmod 440 /etc/sudoers.d/admin

# 设置密码（或后续配置密钥登录后禁用密码）
passwd admin

# 在本地生成密钥（如未有）
ssh-keygen -t ed25519 -C "your@email.com"

# 复制公钥到服务器
ssh-copy-id -i ~/.ssh/id_ed25519.pub admin@<server-ip>

# 在服务器上加固 sshd_config
sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sed -i 's/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
sudo systemctl restart sshd

sudo timedatectl set-timezone Asia/Shanghai
sudo timedatectl set-ntp true

# 验证
timedatectl
date

# Ubuntu/Debian
sudo apt update && sudo apt upgrade -y
sudo apt install -y vim curl wget git htop tmux lsof net-tools unzip

# CentOS/Rocky
sudo yum update -y
sudo yum install -y vim curl wget git htop tmux lsof net-tools unzip epel-release

sudo hostnamectl set-hostname <your-hostname>
# 写入 hosts 避免 sudo 警告
echo "127.0.0.1 $(hostname)" | sudo tee -a /etc/hosts

# Ubuntu (ufw)
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

# CentOS (firewalld)
sudo systemctl enable --now firewalld
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab

# 调整 swappiness（云服务器推荐 10）
echo 'vm.swappiness=10' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

cat >> /etc/sysctl.conf << 'EOF'
# 网络优化
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1

# 文件描述符
fs.file-max = 655350
EOF
sudo sysctl -p

# 进程限制
cat >> /etc/security/limits.conf << 'EOF'
* soft nofile 655350
* hard nofile 655350
EOF