kaz-vagrant/files/vm-provision.sh

#!/bin/bash

if [ -z "${KAZGUARD}" ] ; then
    exit 1
fi

resize2fs /dev/sda1

DIR=$(cd "$(dirname $0)"; pwd)
cd "${DIR}"
set -e
export VAGRANT_SRC_DIR=/vagrant/files

mkdir -p "${VAGRANT_SRC_DIR}/log/"
export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
(
    echo "########## ********** Start Vagrant $(date +%D-%T)"

    # Copie de qques fichiers
    cp "${VAGRANT_SRC_DIR}/keyboard" /etc/default/keyboard

    # gestions sources.list
    sed -i -e 's/main.*/main contrib non-free/' /etc/apt/sources.list
    sed -i -e 's/https:/http:/' /etc/apt/sources.list
    apt-get --allow-releaseinfo-change update

    # Cache APT
    #DEBIAN_FRONTEND=noninteractive apt-get install -y apt-cacher # apt-cacher-ng does not work well on bullseye
    #echo "allowed_hosts = *" >> /etc/apt-cacher/apt-cacher.conf
    #service apt-cacher restart
    DEBIAN_FRONTEND=noninteractive apt-get install -y squid
    sed -i -e "s/#http_access allow localnet/http_access allow localnet/" /etc/squid/squid.conf
    echo "cache_dir aufs /var/spool/squid 5000 14 256
maximum_object_size 4000 MB
http_port 3142" >> /etc/squid/squid.conf
    service squid restart
    echo "Acquire::http::Proxy \"http://127.0.0.1:3142\";" > /etc/apt/apt.conf.d/01proxy;  # utilisation de apt-cacher-ng
    # Ajouter http://www.squid-cache.org/Doc/config/cache_peer/ à squid pour un proxy upstream

    # Pour le confort de chacun, un customVM.sh optionnel
    if [ -f "${VAGRANT_SRC_DIR}/customVM.sh" ]; then
	     bash "${VAGRANT_SRC_DIR}/customVM.sh"
    fi

    # MAJ et Install
    DEBIAN_FRONTEND=noninteractive apt-get -y upgrade
    DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
    DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois python3-lxc lxc python3-pygraphviz python3-pil python3-yaml imagemagick btrfs-progs docker-registry # could be with --no-install-recommends
    DEBIAN_FRONTEND=noninteractive apt-get install -y xfce4 lightdm xfce4-terminal xserver-xorg gitk # needs to install recommends

    ssh-keygen -t rsa -b 4096 -N '' <<<$'\ny'
    rsync /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys

    # Localisation du $LANG, en par défaut, timezone Paris
    if [ -z "${HOSTLANG}" ] ; then
	     HOSTLANG="en_US.UTF-8"
    fi
    echo "Europe/Paris" > /etc/timezone
    ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime
    dpkg-reconfigure -f noninteractive tzdata
    sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen
    sed -i -e "s/# ${HOSTLANG} /${HOSTLANG} /" /etc/locale.gen
    echo "LANG=\"${HOSTLANG}\"">/etc/default/locale
    dpkg-reconfigure --frontend=noninteractive locales || true  # don't fail for a locales problem
    update-locale LANG=${HOSTLANG} || true   # don't fail for a locales problem

    # Creation des utilisateurs
    echo -e "\n    #### create user\n"
    usermod -p $(mkpasswd --method=sha-512 root) root
    useradd -m -s "/bin/bash" -p $(mkpasswd --method=sha-512 debian) debian || true # don't fail if user already exists

    # Désactivation de la mise en veille de l'écran
    mkdir -p /etc/X11/xorg.conf.d/
    rsync -a "${VAGRANT_SRC_DIR}/10-monitor.conf" /etc/X11/xorg.conf.d/
    # mv /etc/xdg/autostart/light-locker.desktop /etc/xdg/autostart/light-locker.desktop.bak
    DEBIAN_FRONTEND=noninteractive apt-get remove --purge -y light-locker

    #faut virer exim, inutile
    DEBIAN_FRONTEND=noninteractive apt-get remove --purge -y exim4-base exim4-config exim4-daemon-light

    #login ssh avec mot de passe
    sed -i "s/PasswordAuthentication no/PasswordAuthentication yes/" /etc/ssh/sshd_config
    if ! grep -q "PasswordAuthentication yes" /etc/ssh/sshd_config 2>/dev/null; then
	     echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config
    fi

    # autorisation du routing et augmentation inotify
    if ! grep -q "net.ipv4.ip_forward" /etc/sysctl.conf 2>/dev/null; then
	     echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
    fi
    sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/" /etc/sysctl.conf
    if ! grep -q "fs.inotify.max_queued_events" /etc/sysctl.conf 2>/dev/null; then
	     echo -e "fs.inotify.max_queued_events=1048576\nfs.inotify.max_user_instances=1048576\nfs.inotify.max_user_watches=1048576" >> /etc/sysctl.conf
    fi
    sysctl -p


    # enable bash autocompletion
	cat >> /etc/bash.bashrc <<EOF
# enable bash completion in interactive shells
if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi
EOF

    # XFCE4 panel: use default config
    # source: https://forum.xfce.org/viewtopic.php?pid=36585#p36585
    rsync -a /etc/xdg/xfce4/panel/default.xml /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml

    # Permetre l'édition emacs des lignes de commande (exemple "Esc. flèche gauche" pour "déplace d'un mot à gauche")
    TERM_CFG=/root/.config/xfce4/terminal/terminalrc
    mkdir -p $(dirname "${TERM_CFG}")
    touch "${TERM_CFG}"
    if ! grep -q "ShortcutsNoMnemonics" "${TERM_CFG}" 2>/dev/null; then
	     echo -e "[Configuration]\nShortcutsNoMnemonics=TRUE" >> "${TERM_CFG}"
    fi

    # free swapspace at shutdown
    echo -e "\n    #### set swapspace\n"
    sed -i -e 's/ExecStart=\/usr\/sbin\/swapspace/ExecStart=\/usr\/sbin\/swapspace\nExecStop=\/usr\/sbin\/swapspace -e/' /lib/systemd/system/swapspace.service
    systemctl daemon-reload

    # limit journald log size
    mkdir -p /etc/systemd/journald.conf.d
    if [ ! -f /etc/systemd/journald.conf.d/sizelimit.conf ]; then
	     cat > /etc/systemd/journald.conf.d/sizelimit.conf <<EOF
[Journal]
SystemMaxUse=20M
SystemMaxFileSize=2M
EOF
    fi

    # CA et certifs avec mkcert

    echo -e "\n    #### mkcert\n"
    DEBIAN_FRONTEND=noninteractive apt-get install -y libnss3-tools

    mkdir -p /root/mkcert
    cd /root/mkcert
    if [ ! -f mkcert ]; then
	     wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 -O mkcert
	     chmod +x mkcert
	     mkdir -p /etc/letsencrypt/local/
       export CAROOT=/etc/letsencrypt/local/
       /root/mkcert/mkcert -install      # CA dans /etc/letsencrypt/local/
       cd "${CAROOT}"
       /root/mkcert/mkcert "*.kaz.sns" # cert et clé dans /etc/letsencrypt/local/

     	 mkdir -p /etc/letsencrypt/live/kaz.sns/
       ln -s ../../local/_wildcard.kaz.sns.pem /etc/letsencrypt/live/kaz.sns/fullchain.pem
       ln -s ../../local/_wildcard.kaz.sns-key.pem /etc/letsencrypt/live/kaz.sns/privkey.pem
    fi

    # Cache docker registry
    echo "proxy:
  remoteurl: https://registry-1.docker.io
auth:
  none:
" >> /etc/docker/registry/config.yml


    # clear apt cache
    DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
    DEBIAN_FRONTEND=noninteractive apt-get clean

    # SNSTER
    cd
    git clone https://framagit.org/flesueur/snster.git
    cd snster
    # git checkout tags/v1.1.0
    git checkout fe59ef1f
    ./install.sh

    # BTRFS avec hotfix sale de SNSTER
    freespace=`df /root | awk '/[0-9]%/{print $(NF-2)}'`
    btrsize=$(( $freespace - 5000000 )) # on laisse 5GB libres
    truncate -s ${btrsize}k /root/btrfs.img
    mkfs.btrfs -f /root/btrfs.img
    echo "/root/btrfs.img	/var/lib/lxc	btrfs	loop	0	0" >> /etc/fstab
    mount /var/lib/lxc
    sed -i -e "s/template=self.template/template=self.template, bdevtype='btrfs'/" /usr/local/lib/python3.9/dist-packages/backends/LxcBackend.py

    # SNSTER KAZ
    cp -ar ${VAGRANT_SRC_DIR}/snster-kaz /root

    # crypto keys
    cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/
    cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/

    # On lie le filesystem de kaz-prod dans le /kaz de la VM pour le dév
    ln -s /var/lib/lxc/kaz-kaz-prod/rootfs/ /kaz-prod
    ln -s /kaz-prod/kaz /kaz

    # On met le KAZGUARD pour la mise au point
    echo "export KAZGUARD='true'" >> /root/.bashrc

    # Build SNSTER KAZ !
    snster -c /root/snster-kaz create
    cp "${VAGRANT_SRC_DIR}/vm-upgrade.sh" /root/
    chmod +x /root/vm-upgrade.sh

    echo -e '#!/bin/sh\nsnster -c /root/snster-kaz start' >> /etc/rc.local
    chmod +x /etc/rc.local

    echo "########## ********** End Vagrant $(date +%D-%T)"
)  > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)

reboot

# Pour sympa-SOAP
# KAZPROD="snster -c /root/snster-kaz -t /root/templates attach kaz-prod -x"
# ${KAZPROD} "docker cp /etc/letsencrypt/local/rootCA.pem sympaServ:/usr/local/share/ca-certificates/rootCA.crt"
# ${KAZPROD} "docker exec -it sympaServ update-ca-certificates"

# Interception https avec squid-openssl (nok pour dockerhub) :
# http_port 3142 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/letsencrypt/local/rootCA.pem tls-key=/etc/letsencrypt/local/rootCA-key.pem tls-dh=prime256v1:/etc/letsencrypt/local/dhparam.pem
# sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
# sslcrtd_children 5
# ssl_bump server-first all
# ssl_bump stare all
# sslproxy_cert_error deny all
# refresh_pattern -i (/blobs/sha256)     1440 99% 10080  ignore-no-store ignore-private override-expire store-stale reload-into-ims
# refresh_pattern -i (/images/sha256)    1440 99% 10080  ignore-no-store ignore-private override-expire store-stale reload-into-ims
# refresh_pattern -i (/manifests/)       1440 99% 10080  ignore-no-store ignore-private override-expire store-stale reload-into-ims