Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
455 lines (402 sloc) 12.9 KB
# We assert here that we are running as root
SEND whoami
ASSERT_OUTPUT root
LOG DEBUG
# Check this is Ubuntu
SEND lsb_release -d -s | awk '{print $1}'
ASSERT_OUTPUT Ubuntu
# We assert here the user imiell was set up by the OS installation process
SEND cut -d: -f1 /etc/passwd | grep imiell | wc -l
ASSERT_OUTPUT 1
# CRON SETUP
IF FILE_EXISTS /space/git/work
#USER imiell
#RUN cd /space/git/work
#RUN git pull
LOGOUT imiell
RUN cat /space/git/work/bin/crontab_imiell > /tmp/imiellcron
RUN (cat /space/git/work/bin/crontab_$(hostname)_imiell 2>/tmp/imiellcronerr || true) >> /tmp/imiellcron
RUN cat /tmp/imiellcron | crontab -u imiell -
RUN cat /space/git/work/bin/crontab_root > /tmp/rootcron
RUN (cat /space/git/work/bin/crontab_$(hostname)_root 2>/tmp/rootcronerr || true) >> /tmp/rootcron
RUN cat /tmp/rootcron | crontab -
ENDIF
IF FILE_EXISTS /space/git/work
IF FILE_EXISTS /etc/audit/rules.d
RUN cp /space/git/work/bin/imiell_auditd.rules /etc/audit/rules.d
ENDIF
ENDIF
RUN usermod -aG sudo imiell
# Add a nexus user
IF_NOT RUN id -u nexus
RUN useradd nexus
ENDIF
# Install required packages
# Required for some dep issues with python3
INSTALL sosreport
# Required to diagnose crashes
INSTALL crash
# Required for gems
INSTALL libtool
INSTALL autoconf
# gems requirements done
INSTALL maven
INSTALL postgresql
INSTALL libreoffice
INSTALL socat
INSTALL etherwake
INSTALL openssh-server
INSTALL run-one
INSTALL apache2
INSTALL vim
INSTALL python-pip
INSTALL meld
INSTALL tmux
INSTALL openjdk-8-jre
INSTALL alien
INSTALL brasero
INSTALL moreutils
INSTALL git
INSTALL git-extras
INSTALL npm
INSTALL asciidoc
INSTALL asciidoctor
INSTALL awscli
INSTALL python3-pip
INSTALL jq
INSTALL fslint
INSTALL pylint
INSTALL apt-file
INSTALL shellcheck
INSTALL sqlite3
INSTALL golang-go
INSTALL gnuplot
INSTALL ubuntu-desktop
INSTALL ubuntu-gnome-desktop
INSTALL ioping
INSTALL sysstat
INSTALL fdupes
INSTALL html2text
INSTALL software-properties-common
INSTALL curl
INSTALL apt-transport-https
INSTALL ca-certificates
INSTALL pandoc
INSTALL htop
# For sec standards
INSTALL auditd
INSTALL nmap
# X disk usage analyser
INSTALL xdiskusage
# ncurses disk usage analyser
INSTALL ncdu
INSTALL btrfs-tools
# For Jenkins
INSTALL groovy
# IPTables state viewer
INSTALL iptstate
# fail2ban - ban IPs of failing ssh queries
INSTALL fail2ban
# Text-only browser
INSTALL links
# Tasksel - see notes/ubuntu
INSTALL tasksel
INSTALL php
INSTALL libapache2-mod-php
# VIRTUALIZATION BEGIN
# Virtualbox except on basquiat
INSTALL ruby-dev
# VAGRANT PROBLEMS?
# Vagrant BEGIN
# basquiat does not need VB
#IF_NOT RUN hostname | grep basquiat
# INSTALL virtualbox
# INSTALL virtualbox-guest-dkms
# RUN wget https://releases.hashicorp.com/vagrant/2.1.1/vagrant_2.1.1_x86_64.deb && dpkg -i vagrant_2.1.1_x86_64.deb && rm vagrant_2.1.1_x86_64.deb
# # Landrush plugin reqs BEGIN
# INSTALL zlib1g-dev
# INSTALL libvirt-dev
# # Landrush plugin reqs DONE
# # Get rid of fog-core, which causes dep issues.
# RUN apt remove -y --auto-remove ruby-fog-core || true
# RUN apt purge -y ruby-nokogiri || true
# IF_NOT RUN vagrant plugin list | grep landrush
# RUN vagrant plugin install landrush
# ENDIF
# RUN chown -R imiell: /home/imiell/.vagrant.d/ || true
#ENDIF
INSTALL qemu
INSTALL qemu-kvm
INSTALL libvirt-bin
INSTALL virtinst
RUN adduser imiell libvirt
# Vagrant BEGIN
# VIRTUALIZATION END
# For authoring
# NTP
INSTALL ntp
RUN timedatectl set-ntp on
INSTALL sysdig
RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add -
RUN curl -s -o /etc/apt/sources.list.d/draios.list https://s3.amazonaws.com/download.draios.com/stable/deb/draios.list
RUN apt-get update -y
INSTALL falco
# latest dns utils, including drill
INSTALL ldnsutils
INSTALL libldns2
# Install fpaste
#RUN git clone git://git.fedorahosted.org/fpaste.git && cd fpaste && make install && cd .. && rm -rf fpaste
#INSTALL dnsmasq
#IF_NOT RUN test -f /etc/google-dns.resolv.conf
# RUN echo nameserver 8.8.8.8 > /etc/google-dns.resolv.conf
# RUN echo nameserver 8.8.4.4 >> /etc/google-dns.resolv.conf
# RUN grep ^IGNORE_RESOLVCONF /etc/default/dnsmasq || echo IGNORE_RESOLVCONF=yes >> /etc/default/dnsmasq
# RUN systemctl restart dnsmasq
# RUN systemctl restart systemd-resolved
#ENDIF
# Let's encrypt: https://certbot.eff.org/#ubuntuxenial-apache
IF_NOT RUN apt-cache policy | grep certbot
RUN add-apt-repository -y ppa:certbot/certbot
RUN apt -y update >/dev/null 2>&1
INSTALL python-certbot-apache
ENDIF
IF_NOT RUN apt-cache policy | grep jonathonf.vim
RUN add-apt-repository -y ppa:jonathonf/vim
RUN apt -y update >/dev/null 2>&1
INSTALL vim
ENDIF
# Handbrake
#IF_NOT RUN apt-cache policy | grep stebbins
# RUN add-apt-repository -y ppa:stebbins/handbrake-releases || true
# RUN apt -y update >/dev/null 2>&1 || true
# RUN apt -y install handbrake-cli >/dev/null 2>&1|| true
#ENDIF
# Powershell
IF_NOT RUN apt-cache policy | grep microsoft
RUN curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
# Register the Microsoft Ubuntu repository
RUN curl https://packages.microsoft.com/config/ubuntu/16.04/prod.list | sudo tee /etc/apt/sources.list.d/microsoft.list
# Update apt
RUN apt update -y >/dev/null 2>&1
# Install PowerShell
INSTALL powershell
ENDIF
# grub-customizer
IF_NOT RUN apt-cache policy | grep grub-customizer
RUN add-apt-repository -y ppa:danielrichter2007/grub-customizer
INSTALL grub-customizer
ENDIF
## tmate.io
#IF_NOT RUN apt-cache policy | grep tmate
# RUN add-apt-repository -y ppa:tmate.io/archive
# RUN apt update -y >/dev/null 2>&1
# INSTALL tmate
#ENDIF
# Google Chrome
IF_NOT RUN google-chrome --version
RUN wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
RUN echo 'deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main' | tee /etc/apt/sources.list.d/google-chrome.list
RUN apt update -y >/dev/null 2>&1
INSTALL google-chrome-stable
ENDIF
RUN apt-file update >/dev/null 2>&1
RUN apt-get autoremove -y >/dev/null 2>&1
# pip upgrade
IF_NOT RUN pip list | grep requests
RUN pip install requests
ENDIF
IF_NOT RUN pip list | grep coverage
RUN pip install coverage
ENDIF
IF_NOT RUN pip list | grep python-twitter
RUN pip install python-twitter
ENDIF
IF_NOT RUN pip list | grep setuptools
RUN pip install setuptools
ENDIF
IF_NOT RUN pip list | grep twine
RUN pip install twine
ENDIF
IF_NOT RUN pip list | grep butterfly
RUN pip install butterfly
ENDIF
IF_NOT RUN pip list | grep shutit
RUN pip install shutit
ENDIF
# Report on your aws setup
IF_NOT RUN pip list | grep Scout2
RUN pip install awsscout2
ENDIF
# Install docker
IF_NOT RUN docker version
INSTALL docker.io
# Add imiell to the docker user group
RUN usermod -G docker -a imiell
RUN usermod -G staff -a imiell
ENDIF
# youtube-dl
IF_NOT FILE_EXISTS /usr/local/bin/youtube-dl
RUN wget https://yt-dl.org/latest/youtube-dl -O /usr/local/bin/youtube-dl
RUN chmod a+x /usr/local/bin/youtube-dl
RUN hash -r
ENDIF
# Set up local storage
RUN mkdir -p /media/storage_{1,2}
# Create space folder and chown it to imiell
RUN mkdir -p /space/git
RUN mkdir -p /space/jenkins_cache
RUN chown -R imiell: /space
# for inspec tests
IF_NOT RUN inspec version
RUN gem install inspec >/dev/null 2>&1
ENDIF
# Asciidoc extras
IF_NOT RUN gem list | grep -w asciidoctor-pdf
RUN gem install --pre asciidoctor-pdf >/dev/null 2>&1
ENDIF
IF_NOT RUN gem list | grep -w asciidoctor-revealjs
RUN gem install --pre asciidoctor-revealjs >/dev/null 2>&1
ENDIF
IF_NOT RUN gem list | grep -w coderay
RUN gem install coderay >/dev/null 2>&1
ENDIF
IF_NOT RUN gem list | grep -w pygments.rb
RUN gem install pygments.rb >/dev/null 2>&1
ENDIF
IF_NOT RUN gem list | grep -w tilt
RUN gem install tilt >/dev/null 2>&1
ENDIF
IF_NOT RUN gem list | grep -w slim
RUN gem install slim >/dev/null 2>&1
ENDIF
# Generate an ssh key
IF_NOT FILE_EXISTS /home/imiell/.ssh/id_rsa.pub
RUN ssh-keygen
# Note that the response to 'already exists' below prevents overwrite here.
EXPECT_MULTI ['file in which=','empty for no passphrase=','Enter same passphrase again=','already exists=n']
ENDIF
# Apache
RUN a2enmod proxy
RUN a2enmod proxy_http
RUN a2enmod proxy_ajp
RUN a2enmod rewrite
RUN a2enmod deflate
RUN a2enmod headers
RUN a2enmod proxy_balancer
RUN a2enmod proxy_connect
RUN a2enmod proxy_html
RUN a2enmod php7.2
RUN a2enmod proxy_wstunnel
# Terraform
IF_NOT RUN terraform version | awk '{print $NF}' | head -1 | grep v0.11.3
RUN wget https://releases.hashicorp.com/terraform/0.11.3/terraform_0.11.3_linux_amd64.zip
RUN unzip terraform_0.11.3_linux_amd64.zip
RUN mv terraform /usr/local/bin
RUN rm -f terraform*
ENDIF
# Jenkins setup
RUN mkdir -p /var/jenkins
RUN chown imiell: /var/jenkins
#https://ubuntuforums.org/showthread.php?t=1842371 - speed up login
RUN sed -i 's/hosts:.*NOTFOUND.*/hosts: files dns/' /etc/nsswitch.conf
#REPLACE_LINE ['filename=/tmp/test2','line=asd','pattern=asd']
# Nexus needs to up limits.conf
ENSURE_LINE ['filename=/etc/security/limits.conf','line=nexus - nofile 65536','pattern=nexus - nofile.*']
# Power/nosleep management
IF_NOT RUN grep HandleLidSwitch=ignore /etc/systemd/logind.conf
RUN sed -i 's/HandleLidSwitch.*/HandleLidSwitch=ignore' /etc/systemd/logind.conf || true
RUN systemctl daemon-reload && systemctl restart systemd-logind.service
ENDIF
IF_NOT RUN grep HandleLidSwitch=ignore /etc/systemd/logind.conf
RUN echo HandleLidSwitch=ignore >> /etc/systemd/logind.conf
RUN systemctl daemon-reload && systemctl restart systemd-logind.service
ENDIF
IF_NOT RUN grep IgnoreLid=true /etc/UPower/UPower.conf
RUN sed -i 's/IgnoreLid=.*/IgnoreLid=true' /etc/UPower/UPower.conf || true
RUN systemctl daemon-reload && systemctl restart upower.service
ENDIF
IF_NOT RUN grep IgnoreLid=true /etc/UPower/UPower.conf
RUN echo IgnoreLid=true >> /etc/UPower/UPower.conf
RUN systemctl daemon-reload && systemctl restart upower.service
ENDIF
# Takes effect on next reboot
# https://unix.stackexchange.com/questions/269661/how-to-turn-off-wireless-power-management-permanently
RUN sed -i 's/wifi.powersave.*/wifi.powersave = 2/' /etc/NetworkManager/conf.d/default-wifi-powersave-on.conf
# Power management
RUN systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target
IF_NOT RUN grep SUSPEND_METHODS="none" /etc/default/acpi-support
RUN sed -i 's/SUSPEND_METHODS=".*/SUSPEND_METHODS="none"/' /etc/default/acpi-support || true
RUN /etc/init.d/acpid restart
ENDIF
IF_NOT RUN command chef
RUN wget -qO- https://packages.chef.io/files/stable/chefdk/2.3.4/ubuntu/16.04/chefdk_2.3.4-1_amd64.deb > chefdk.deb
RUN dpkg -i chefdk.deb
RUN gem install kitchen
RUN rm -f chefdk.deb
ENDIF
# apt cleanup
RUN apt-file update >/dev/null 2>&1
RUN apt autoremove -y >/dev/null 2>&1
RUN apt clean >/dev/null 2>&1
# Sysstat
RUN sed -i 's/^ENABLED.*/ENABLED="true"/' /etc/default/sysstat
# Auditd
IF_NOT RUN grep -- '-a exit,always -F arch=b64 -S execve' /etc/audit/audit.rules
RUN echo '-a exit,always -F arch=b64 -S execve' >> /etc/audit/audit.rules
ENDIF
IF_NOT RUN grep -- '-a exit,always -F arch=b32 -S execve' /etc/audit/audit.rules
RUN echo '-a exit,always -F arch=b32 -S execve' >> /etc/audit/audit.rules
ENDIF
# Photon - site exploiter
IF_NOT FILE_EXISTS /space/git/Photon
RUN cd /space/git
RUN git clone https://github.com/s0md3v/Photon
RUN cd Photon
RUN pip install .
ENDIF
IF_NOT FILE_EXISTS /space/git/Quark
RUN cd /space/git
RUN git clone https://github.com/s0md3v/Quark
ENDIF
################################################################################
# Log me in as imiell
USER imiell
# If it's not been done before, check out my dotfiles and set it up
IF_NOT FILE_EXISTS /home/imiell/.dotfiles
RUN cd /home/imiell
RUN git clone --depth=1 https://github.com/ianmiell/dotfiles ~imiell/.dotfiles
RUN cd .dotfiles
RUN ./script/bootstrap
EXPECT_MULTI ['What is your github author name=Ian Miell','What is your github author email=ian.miell@gmail.com','verwrite all=O']
ENDIF
# Generate an ssh key
IF_NOT FILE_EXISTS /home/imiell/.ssh/id_rsa.pub
RUN ssh-keygen
# Note that the response to 'already exists' below prevents overwrite here.
EXPECT_MULTI ['file in which=','empty for no passphrase=','Enter same passphrase again=','already exists=n']
ENDIF
# Log imiell out
IF_NOT FILE_EXISTS /space/jenkins_cache/shutit-openshift-cluster
RUN cd /space/jenkins_cache
RUN git clone --depth=1 https://github.com/ianmiell/shutit-openshift-cluster
RUN cd -
ENDIF
IF_NOT FILE_EXISTS /home/imiell/.aws
RUN mkdir -p /home/imiell/.aws
RUN chmode 0600 /home/imiell/.aws
ENDIF
LOGOUT
# ensure vim is the default for root
RUN echo 3 | update-alternatives --config editor
RUN chown -R imiell: /space
################################################################################
IF_NOT RUN npm -g ll mermaid
RUN npm install -g mermaid >/dev/null 2>&1
ENDIF
IF_NOT RUN which gtop
RUN npm install -g gtop >/dev/null 2>&1
ENDIF
# Allow to get src
RUN sed -i 's/# deb-src/deb-src/' /etc/apt/sources.list
RUN apt-get update -y
RUN echo Now ssh-copy-id around, git clone ssh://imiell@meirionconsulting.com:/var/cache/git/work.git and re-run