Refactor

.github/workflows/shellcheck.yml

@@ -0,0 +1,23 @@
+name: Shell checks
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  shellcheck:
+    name: Bash syntax and ShellCheck
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Install ShellCheck
+        run: sudo apt-get update && sudo apt-get install -y shellcheck
+
+      - name: Check Bash syntax
+        run: bash -n install.sh
+
+      - name: Run ShellCheck
+        run: shellcheck install.sh

.vscode/settings.json

@@ -1,13 +1,20 @@
 {
   "cSpell.words": [
+    "Armbian",
+    "btop",
     "decoscript",
     "ethernets",
     "fastcgi",
+    "journalctl",
     "LEMP",
     "mbstring",
+    "netfilter",
     "Netplan",
     "networkd",
+    "nftables",
     "NOPASSWD",
-    "phpinfo"
+    "phpinfo",
+    "pihole",
+    "shellcheck"
   ]
 }

README.md

@@ -2,11 +2,11 @@
 
 ## Overview
 
-This script is a modular server utility tool for Debian-based and Ubuntu-based systems. It helps automate common setup tasks without forcing a specific stack. You choose exactly
-what gets installed: essential tools, Nginx, PHP, NVM, static IP profiles, and more.
+This is a menu-driven server utility script for Ubuntu and other Debian-based systems. It helps automate common setup tasks without forcing one fixed stack. You choose what to install or configure:
+essential tools, Nginx, PHP, MySQL, NVM, SSH hardening, Fail2ban, static IP profiles, and more.
 
-Ubuntu is the primary target environment. Other Debian derivatives should work, but if you encounter issues, feel free to open an
-[issue](https://github.com/Decaded/install-script/issues) and describe your setup.
+Ubuntu is the primary target environment. Other Debian derivatives should work, but some minimal images, SBC images, and custom kernels may need extra care. If you encounter an issue,
+open an [issue](https://github.com/Decaded/install-script/issues) and include your OS, kernel version, and the menu option that failed.
 
 <div align="center">
   <a href="https://github.com/Decaded/install-script">
@@ -45,7 +45,7 @@ Ubuntu is the primary target environment. Other Debian derivatives should work,
    ./install.sh
    ```
 
-A menu will appear with all available options.
+The script requires sudo privileges and checks for them on startup. A menu will appear with the available actions.
 
 <div align="center">
   <img src="images/main_menu.png" alt="Script Menu Preview">
@@ -55,84 +55,85 @@ A menu will appear with all available options.
 
 ## Features
 
-### Essential Tools
-
-Install a curated pack of common system utilities:
-
-1. **[htop](https://htop.dev/)** – process viewer
-2. **[screen](https://www.gnu.org/software/screen/)** – terminal multiplexer
-3. **[nload](https://github.com/rolandriegel/nload)** – network traffic monitor
-4. **[nano](https://www.nano-editor.org/)** – simple text editor
-5. **[firewalld](https://firewalld.org/)** – firewall management
-
-   - Automatically opens SSH
-   - Migrates from UFW if needed
+### Main Menu
 
-6. **[fail2ban](https://github.com/fail2ban/fail2ban)** – intrusion prevention
+- Install selected essential apps
+- Install a web server stack
+- Install Node Version Manager (NVM)
+- Enable passwordless sudo
+- Configure SSH key-only authentication
+- Configure a static IP address
+- Configure Fail2ban
+- Revert static IP configuration to DHCP
+- Check for script updates
+- Restore SSH configuration when a backup exists
 
-   - Default configuration or custom rules
+### Essential Tools
 
-7. **[git](https://git-scm.com/)** – version control
+Install any combination of common utilities from a checklist:
 
-   - Optional first-time setup
+- **[htop](https://htop.dev/)** and **[btop](https://github.com/aristocratos/btop)** - process viewers
+- **[screen](https://www.gnu.org/software/screen/)** and **[tmux](https://github.com/tmux/tmux/wiki)** - terminal multiplexers
+- **[nload](https://github.com/rolandriegel/nload)** - network traffic monitor
+- **[nano](https://www.nano-editor.org/)** and **[Neovim](https://neovim.io/)** - text editors
+- **[firewalld](https://firewalld.org/)** - firewall management
+- **[fail2ban](https://github.com/fail2ban/fail2ban)** - intrusion prevention
+- **[git](https://git-scm.com/)** - version control
+- **[unattended-upgrades](https://wiki.debian.org/UnattendedUpgrades)** - automatic security updates
+- **[Pi-hole](https://pi-hole.net/)** - ad blocker and optional DHCP server
 
-8. **[unattended-upgrades](https://wiki.debian.org/UnattendedUpgrades)** – automatic security updates
+When selected, some tools offer follow-up configuration. Firewalld asks for the current SSH port, opens that port, and checks for working netfilter/nftables support before trying to start
+the service. Fail2ban can use the default setup or a custom `jail.local` URL. Git can configure global name, email, and default branch.
 
 ### SSH Configuration
 
-Switch to secure, key-only SSH authentication. The script:
+Switch to key-only SSH authentication. The script:
 
 - Disables password-based logins
+- Enables public key authentication
+- Adds the provided public key to `~/.ssh/authorized_keys`
 - Creates a backup of your SSH config
-- Provides a restore option
+- Provides a restore option when a backup exists
 
 Backup file location:
 
-``` bash
-/etc/ssh/sshd_config_decoscript.backup
+```bash
+/etc/ssh/sshd_config_decoscript.backup.*
 ```
 
-Re-running the script replaces the old backup, so rename it if you want to keep multiple versions.
+The script keeps the five most recent SSH config backups.
 
 ### Passwordless Sudo
 
 Enables password-free sudo access if desired. If your system already uses this configuration, the script leaves it unchanged.
 
 ### Web Server Setup
 
-- Automatic cleanup of Apache2 if present
-- Firewall rules for HTTP(S) when using firewalld
-
-Installs the full **LEMP** stack:
+Choose one of three web server paths:
 
-- **[Nginx](https://nginx.org/)** installation and configuration
-- **[MySQL](https://www.mysql.com/)** installation and secure setup
-- **[PHP](https://www.php.net/)** installation with commonly used modules
+- Full **LEMP** stack: **[Nginx](https://nginx.org/)**, **[MySQL](https://www.mysql.com/)**, and **[PHP](https://www.php.net/)**
+- **Nginx + PHP**
+- **Nginx only**
 
-  - Configures **php-fpm** to work with Nginx
-  - Installs modules:
-    - **php-cli**
-    - **php-fpm**
-    - **php-mbstring**
-    - **php-curl**
-    - **php-xml**
-    - **php-zip**
-    - **php-gd**
-    - **php-mysql**
+The web server setup can:
 
-- **OR** install Nginx and PHP only,
-- **OR** install only Nginx.
+- Remove Apache2 if it is installed, to avoid port conflicts
+- Enable and start Nginx
+- Install common PHP/FPM packages and configure Nginx for PHP
+- Create `/etc/nginx/cert` for SSL certificates
+- Create a simple default page if the web root is empty
+- Open HTTP and HTTPS ports when firewalld is available
 
 ### Node.js via NVM
 
-Installs the latest **[NVM](https://github.com/nvm-sh/nvm)** version and lets you manage Node.js installations cleanly:
+Installs the latest **[NVM](https://github.com/nvm-sh/nvm)** version and lets you choose a Node.js version to install:
 
-- Install or remove Node.js versions
-- Switch between versions
+- Lists recent remote Node.js versions
+- Installs the version you enter
 
 ### Static IP Configuration
 
-Configure a static IP address using **Netplan** when available.
+Configure a static IP address using **Netplan**.
 
 Supports:
 
@@ -141,7 +142,22 @@ Supports:
 - Gateway
 - DNS servers
 
-If Netplan isn’t present, the script chooses the best available method.
+If Netplan is not present, the script installs `netplan.io` before writing the configuration. It also installs `net-tools` when needed to list network interfaces.
+
+Before changing an existing Netplan file, the script creates a backup under:
+
+```bash
+/etc/netplan/backups_decoscript/
+```
+
+A revert option is available from the main menu to switch an interface back to DHCP.
+
+---
+
+## Notes
+
+- Firewalld depends on working kernel netfilter/nftables support. On some minimal Armbian or SBC images, firewalld may not be usable until the kernel is updated and the system is rebooted.
+- SSH and network changes can disconnect you from a remote server if incorrect values are entered. Keep another access path available when possible.
 
 ---