Releases: buildplan/du_setup

v0.80.5

26 Mar 20:38
d3dee07

What's Changed

  • Fixed a crash in timezone validation by checking for files (-f) instead of directories.
  • Resolved unexpected set -e terminations during 'pretty hostname' assignment and SSH port detection.

Full Changelog: v0.80.4...v0.80.5

v0.80.4

09 Mar 22:18
02dc8fd

What's Changed

The script now alerts the user and continues running to complete the setup if it is unable to install Docker, Tailscale, or Netbird. #109

Full Changelog: v0.80.3...v0.80.4

v0.80.3

03 Mar 21:52

What's Changed

  • Interactive password and sudo rescue: Fixed an issue where skipping password creation during user setup resulted in a complete loss of sudo privileges. The script now intercepts skipped passwords and offers to auto-generate a secure 24-character password or to explicitly opt in to passwordless sudo. Thanks @prashantsengar

  • SSH service detection: Fixed a bug that caused SSH port changes to fail and trigger rollbacks on Debian 13. Removed hardcoded OS-specific checks so the script correctly resolves systemd aliases (sshd.service vs ssh.service).

Full Changelog: v0.80.2...v0.80.3

v0.80.2

01 Mar 11:28
4d64878

What's Changed

Implemented optional installation of Netbird with either the default Netbird server or a self-hosted server. The setup key from the server can be added during the script run, or Netbird can be installed only and set up later.

Suggested in #103 by @alfrede

Full Changelog: v0.80.1...v0.80.2

v0.80.1

28 Feb 21:36
78515c6

What's Changed

Bug Fixes

  • Fixed SSH port detection latching to X11 forwarding port — when connected via ssh -X on a dual-stack IPv6 server, ss output could resolve the X11 display port (60xx) before the real SSH port, causing rollback to restore the wrong port. Detection now explicitly filters out X11 port range (6010–6099) and also matches ssh.socket listeners.

  • Fixed SSH hardening drop-in load order — renamed 99-hardening.conf to 10-hardening.conf. OpenSSH uses first-match-wins on drop-ins processed lexicographically, meaning provider-injected configs (e.g. 50-cloud-init.conf) were silently overriding hardening directives. Hardening rules now evaluate first.
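The X11 port filter described in the first fix above, as an added example that is not du_setup's own code. The function name `first_sshd_port`, the `ss -tlnp` sample lines and port 5595 are constructed for illustration; matching of ssh.socket listeners is not modelled.

```shell
#!/bin/sh
# Added example, not du_setup code. Assumes `ss -tlnp` column layout:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process

# first_sshd_port FILTER_X11
# Reads ss output on stdin and prints the first port held by sshd.
# With FILTER_X11=1, listeners in the X11 forwarding range 6010-6099 are skipped.
first_sshd_port() {
    awk -v filter="$1" '
        /"sshd"/ {
            port = $4
            sub(/.*:/, "", port)               # text after the last colon, IPv6-safe
            if (port !~ /^[0-9]+$/) next
            port += 0
            if (filter + 0 && port >= 6010 && port <= 6099) next
            print port
            found = 1
            exit
        }
        END { exit !found }'
}

# Constructed sample of `ss -tlnp` during an `ssh -X` session on a dual-stack host.
sample_ss() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    [::1]:6010         [::]:*            users:(("sshd",pid=2301,fd=9))
LISTEN 0      128    127.0.0.1:6010     0.0.0.0:*         users:(("sshd",pid=2301,fd=10))
LISTEN 0      128    0.0.0.0:5595       0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:5595          [::]:*            users:(("sshd",pid=812,fd=4))
EOF
}

echo "unfiltered: $(sample_ss | first_sshd_port 0)"
echo "filtered:   $(sample_ss | first_sshd_port 1)"
```

The function exits non-zero when only X11 listeners are present, so a caller can fall back to another detection method instead of recording a 60xx port for rollback.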
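The drop-in load order fix above can be checked with a small resolver, shown here as an added example that is not du_setup's own code. The function names and sample file contents are constructed; Match blocks are not modelled, and the main sshd_config is assumed to Include the drop-in directory before setting the keyword itself.

```shell
#!/bin/sh
# Added example, not du_setup code. Match blocks are not modelled, and the main
# sshd_config is assumed to Include the directory before setting the keyword.

# effective_dropin DIR KEYWORD
# Prints "<file> <value>" for the first drop-in, in lexical order, that sets KEYWORD.
effective_dropin() {
    dir=$1
    keyword=$2
    # Glob expansion is sorted, the same order sshd uses for an Include glob.
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        value=$(awk -v k="$keyword" '
            {
                line = $0
                sub(/^[ \t]+/, "", line)
                if (line ~ /^#/ || line == "") next
                split(line, a, /[ \t=]+/)       # "Keyword value" or "Keyword=value"
                if (tolower(a[1]) == tolower(k)) { print a[2]; exit }
            }' "$f")
        if [ -n "$value" ]; then
            printf '%s %s\n' "$(basename "$f")" "$value"
            return 0
        fi
    done
    return 1
}

# Constructed sample: a provider drop-in beside the hardening drop-in,
# evaluated before and after the rename described in the release note.
demo_dropin_order() {
    d=$(mktemp -d) || return 1
    printf 'PasswordAuthentication yes\n' > "$d/50-cloud-init.conf"
    printf '# hardening\nPasswordAuthentication no\n' > "$d/99-hardening.conf"
    before=$(effective_dropin "$d" PasswordAuthentication)
    mv "$d/99-hardening.conf" "$d/10-hardening.conf"
    after=$(effective_dropin "$d" PasswordAuthentication)
    rm -rf "$d"
    printf 'before: %s\nafter: %s\n' "$before" "$after"
}

demo_dropin_order
```

On a live host, `sshd -T` prints the effective configuration after all Include processing and is the authoritative check.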

Security Improvements

  • Existing users are now required to provide or generate a valid SSH key before setup continues, preventing lockout when PasswordAuthentication is disabled. Previously this was a warning only.

  • SSH and 2FA connection verification prompts now time out after 5 minutes — if your session drops during the key confirmation step, the script auto-reverts rather than hanging indefinitely.

Improvements

  • New port selection checks for conflicts: validate_port now verifies the chosen SSH port is not already in use by another service before accepting it.

  • SSH key setup extracted into a reusable setup_ssh_keys() function, used consistently across new and existing user flows.


Thanks @avetere for reporting most of these, which were discussed in #100

Full Changelog: v0.80.0...v0.80.1

v0.80.0

19 Jan 13:44
23858a1

What's Changed

  • Added configure_2fa function that sets up TOTP-based MFA for the user.
  • Configures SSH to require AuthenticationMethods publickey,keyboard-interactive. This enforces a "Key + Code" (or Key + Code + Password) requirement, preventing access if only the private key is compromised.
  • Generates and displays the QR code directly in the terminal (via qrencode).
  • Includes a "safe rollback" verification step: users must verify a successful login in a new terminal before changes are permanently applied.
  • Extracted show_connection_options from configure_ssh into a global helper function to support connection instructions in both SSH and 2FA setup stages.
  • Updated the final summary report to indicate 2FA status.

Full Changelog: v0.79.1...v0.80.0

v0.79.1

13 Jan 17:55
6b65995

What's Changed

The collections missed in the last update are now added. Setup enables the default Linux and iptables collections and then asks the user whether they want to enable any more collections.

Browse collections at: https://app.crowdsec.net/hub/collections

Full Changelog: v0.79.0...v0.79.1

v0.79.0

12 Jan 21:29
29ebe38

What's Changed

Added CrowdSec as a selectable Intrusion Detection System (IDS) alongside Fail2Ban.

  • IDS Selection: Users can now choose between Fail2Ban, CrowdSec, or skipping IDS setup entirely during the interactive prompt.
  • CrowdSec Setup: Implemented configure_crowdsec to handle repository setup, agent installation, and the firewall bouncer (iptables/UFW).
  • Log Parity: Configured CrowdSec to actively monitor /var/log/ufw.log, ensuring parity with the existing Fail2Ban configuration.
  • Refactor: Moved IDS package installation out of the base package list to support conditional installation.
  • Reporting: Updated generate_summary to dynamically display the status, metrics, and bans for the specific IDS selected.

Full Changelog: v0.78.5...v0.79.0

v0.78.5

31 Dec 10:06
b7de5a9

What's Changed

  • Update .bashrc to use nano as default editor in #88

Full Changelog: v0.78.4...v0.78.5

v0.78.4

27 Nov 22:28
5857a1a

What's Changed

  • Improved configure_swap to detect swap partitions vs files. #87
  • Prevents 'fallocate' crashes on physical partitions by offering to disable them or skip. #87

Full Changelog: v0.78.3...v0.78.4