diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 5f3d913..b026325 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -1,17 +1,8 @@ -// For format details, see https://aka.ms/devcontainer.json. For config options, see the -// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu { "name": "DevOS", - // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile - // "image": "mcr.microsoft.com/devcontainers/base:dev-ubuntu", - // "build": {"dockerfile": "${localWorkspaceFolder}/build/package/Dockerfile"}, - "dockerComposeFile": [ - "${localWorkspaceFolder}/compose-dev.yaml" - ], + "dockerComposeFile": ["${localWorkspaceFolder}/compose-dev.yaml"], "service": "devos", - "workspaceFolder": "/workspace", - // Use 'postCreateCommand' to run commands after the container is created. + "workspaceFolder": "/home/devos/workspace", "postCreateCommand": "${containerWorkspaceFolder}/scripts/config-devos.sh", - // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root. "remoteUser": "devos" } diff --git a/.github/build/img/Dockerfile b/.github/build/img/Dockerfile deleted file mode 100644 index 69bf879..0000000 --- a/.github/build/img/Dockerfile +++ /dev/null 
@@ -1,58 +0,0 @@ -FROM ubuntu:24.10 - -ENV DEBIAN_FRONTEND=noninteractive -ENV X11VNC_SKIP_DISPLAY=="" - -RUN apt-get update -y && \ - apt-get install --no-install-recommends -y \ - ansible \ - ca-certificates \ - cron \ - curl \ - dbus \ - file \ - git \ - git-lfs \ - gnupg2 \ - icewm \ - iproute2 \ - libvirt-clients \ - libvirt-daemon \ - libvirt-daemon-system \ - openssl \ - protobuf-compiler \ - protobuf-compiler-grpc \ - python3-openstackclient \ - software-properties-common \ - ssh \ - systemd \ - unzip \ - vim \ - x11vnc \ - xauth \ - xinit \ - xterm \ - xvfb \ - zsh && \ - apt-get clean && \ - rm -rf /var/lib/apt/lists/* && \ - echo "exec icewm" > ~/.xinitrc && chmod +x ~/.xinitrc - -COPY config/systemd/x11vnc.service /lib/systemd/system/x11vnc.service -RUN systemctl enable x11vnc.service - -COPY config/systemd/journal-to-tty.service /lib/systemd/system/journal-to-tty.service -RUN systemctl enable journal-to-tty.service - -RUN useradd -m devos - -# todo: checksum downloaded binaries -COPY scripts/init-devos.sh /tmp/init-devos.sh -COPY scripts/install-docker.sh /tmp/install-docker.sh -RUN chmod +x \ - /tmp/init-devos.sh \ - /tmp/install-docker.sh && /tmp/init-devos.sh - -CMD ["/sbin/init"] -USER devos -HEALTHCHECK NONE diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 0eed77c..0a1babe 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -13,3 +13,9 @@ updates: - /.devcontainer schedule: interval: monthly + # Maintain dependencies for Container Images + - package-ecosystem: docker + directories: + - /build/img + schedule: + interval: weekly diff --git a/.github/workflows/ondemand/bot.yml b/.github/workflows/bot.yml similarity index 98% rename from .github/workflows/ondemand/bot.yml rename to .github/workflows/bot.yml index c517a73..7cdfa4f 100644 --- a/.github/workflows/ondemand/bot.yml +++ b/.github/workflows/bot.yml @@ -1,4 +1,4 @@ -name: Bot +name: Bot Workflow on: - workflow_call 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index bb22c8b..a3e3011 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,4 +1,4 @@ -name: Build +name: Build Pipeline on: push: @@ -25,8 +25,9 @@ jobs: uses: ./.github/actions/build with: build-container-image: true - container-image-file: build/img/devos/Dockerfile + container-image-file: build/img/Dockerfile container-image-name: devos + container-image-platforms: linux/amd64,linux/arm64,linux/riscv64 container-image-repo-password: ${{ secrets.GHCR_TOKEN }} container-image-repo-username: ${{ github.repository_owner }} push-container-image: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }} diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 5e9985c..9130f68 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -11,21 +11,21 @@ permissions: read-all jobs: bot: - uses: ./.github/workflows/ondemand/bot.yml + uses: ./.github/workflows/bot.yml permissions: issues: write pull-requests: write repository-projects: write sonarqube: - uses: ./.github/workflows/gate/sonarqube.yml + uses: ./.github/workflows/sonarqube.yml trivy: - uses: ./.github/workflows/gate/trivy.yml - devos: - uses: ./.github/workflows/gate/devos.yml + uses: ./.github/workflows/trivy.yml + # devos: + # uses: ./.github/workflows/devos.yml scorecard: - uses: ./.github/workflows/ondemand/scorecard.yml + uses: ./.github/workflows/scorecard.yml permissions: contents: write id-token: write diff --git a/.github/workflows/ondemand/cleanup.yml b/.github/workflows/cleanup.yml similarity index 99% rename from .github/workflows/ondemand/cleanup.yml rename to .github/workflows/cleanup.yml index b040a8f..19627cf 100644 --- a/.github/workflows/ondemand/cleanup.yml +++ b/.github/workflows/cleanup.yml @@ -1,4 +1,4 @@ -name: Cleanup +name: Cleanup OnDemand on: pull_request: 
diff --git a/.github/workflows/gate/devos.yml b/.github/workflows/devos.yml similarity index 71% rename from .github/workflows/gate/devos.yml rename to .github/workflows/devos.yml index 30005dd..ae32013 100644 --- a/.github/workflows/gate/devos.yml +++ b/.github/workflows/devos.yml @@ -1,4 +1,4 @@ -name: DevOS +name: DevOS Gate on: - workflow_call @@ -6,9 +6,11 @@ on: permissions: read-all jobs: - airskiff: + devos: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - run: hack/run + # - run: | + # cd hack + # ./run diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml index ce286b2..b01d860 100644 --- a/.github/workflows/review.yml +++ b/.github/workflows/review.yml @@ -36,10 +36,10 @@ jobs: VALIDATE_DOCKERFILE_HADOLINT: false # fixme: superlinter not using .hadolint.yaml VALIDATE_KUBERNETES_KUBECONFORM: false # fixme: enable kubeconform VALIDATE_YAML_PRETTIER: false # fixme: ignore symlink - - name: Trunk Check - uses: trunk-io/trunk-action@86b68ffae610a05105e90b1f52ad8c549ef482c2 # v1.1.16 https://github.com/trunk-io/trunk-action/commit/86b68ffae610a05105e90b1f52ad8c549ef482c2 - with: - post-annotations: true + # - name: Trunk Check + # uses: trunk-io/trunk-action@86b68ffae610a05105e90b1f52ad8c549ef482c2 # v1.1.16 https://github.com/trunk-io/trunk-action/commit/86b68ffae610a05105e90b1f52ad8c549ef482c2 + # with: + # post-annotations: true scanning: runs-on: ubuntu-latest 
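Review bot: With the Trunk Check step commented out, the `gitleaks` and `trufflehog` linters enabled in `.trunk/trunk.yaml` presumably no longer run in this job, and the next hunk of the same file (`@@ -49,14 +49,14 @@`) also comments out the GitGuardian Scan step, so after this commit the review workflow appears to contain no secret-scanning step at all. If coverage is meant to come from the `trivy` gate referenced in cicd.yml or from a scanner outside GitHub, a comment next to the disabled step should say so, e.g. `# Trunk Check disabled; secret scanning relies on <WORKFLOW_NAME_PLACEHOLDER> until trunk-action is re-enabled`. Otherwise keeping one of the two steps live until the replacement is wired up avoids merging with the gap open.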
@@ -49,14 +49,14 @@ jobs: with: fetch-depth: 0 persist-credentials: false - - name: GitGuardian Scan - uses: GitGuardian/ggshield-action@ed817b2930f8dbf32995b6d8bbf65499e6a4e3be # v1.31.0 https://github.com/GitGuardian/ggshield-action/commit/ed817b2930f8dbf32995b6d8bbf65499e6a4e3be - env: - GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} - GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} - GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }} - GITHUB_PUSH_BASE_SHA: ${{ github.event.before }} - GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }} + # - name: GitGuardian Scan + # uses: GitGuardian/ggshield-action@ed817b2930f8dbf32995b6d8bbf65499e6a4e3be # v1.31.0 https://github.com/GitGuardian/ggshield-action/commit/ed817b2930f8dbf32995b6d8bbf65499e6a4e3be + # env: + # GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} + # GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + # GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }} + # GITHUB_PUSH_BASE_SHA: ${{ github.event.before }} + # GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }} # - name: SonarQube Scan # uses: sonarsource/sonarqube-scan-action@aecaf43ae57e412bd97d70ef9ce6076e672fe0a9 # v3.0.0 https://github.com/SonarSource/sonarqube-scan-action/commit/aecaf43ae57e412bd97d70ef9ce6076e672fe0a9 # env: 
@@ -83,11 +83,11 @@ jobs: uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 https://github.com/actions/dependency-review-action/commit/5a2ce3f5b92ee19cbb1541a4984c76d921601d7c with: allow-ghsas: none - allow-licenses: Apache-2.0,BSD-2-Clause,BSD-3-Clause,CC0-1.0,GPL-2.0,GPL-3.0,ISC,MIT - deny-packages: empty + allow-licenses: Apache-2.0,BSD-2-Clause,BSD-3-Clause,CC0-1.0,GPL-2.0,GPL-3.0,ISC,MIT,LGPL-3.0 + # deny-packages: empty fail-on-severity: low - retry-on-snapshot-warnings-timeout: 120 - retry-on-snapshot-warnings: true + # retry-on-snapshot-warnings-timeout: 120 + # retry-on-snapshot-warnings: true assign: runs-on: ubuntu-latest diff --git a/.github/workflows/ondemand/scorecard.yml b/.github/workflows/scorecard.yml similarity index 100% rename from .github/workflows/ondemand/scorecard.yml rename to .github/workflows/scorecard.yml diff --git a/.github/workflows/gate/sonarqube.yml b/.github/workflows/sonarqube.yml similarity index 100% rename from .github/workflows/gate/sonarqube.yml rename to .github/workflows/sonarqube.yml diff --git a/.github/workflows/gate/trivy.yml b/.github/workflows/trivy.yml similarity index 67% rename from .github/workflows/gate/trivy.yml rename to .github/workflows/trivy.yml index 37ad735..555feab 100644 --- a/.github/workflows/gate/trivy.yml +++ b/.github/workflows/trivy.yml @@ -16,6 +16,6 @@ jobs: persist-credentials: false - name: Trivy Scan uses: ./.github/actions/trivy - # with: - # generate-sbom: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }} - # upload-scan-result: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }} + with: + generate-sbom: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }} + upload-scan-result: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }} diff --git a/.trunk/.gitignore b/.trunk/.gitignore index 1e24652..15966d0 100644 --- a/.trunk/.gitignore +++ b/.trunk/.gitignore 
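Review bot: Commenting out `retry-on-snapshot-warnings: true` and its timeout changes how the dependency-review step behaves when the dependency snapshot for the pushed commit has not been submitted yet; as far as I understand the action, without the retry it reviews whatever the dependency graph already holds and only warns, so dependencies that arrive through a later snapshot submission are not checked against `fail-on-severity: low` or the license allow-list. If this repository submits no snapshots from another workflow the change is harmless, but the hunk gives no reason for it, so a short comment such as `# retry-on-snapshot-warnings: true  # re-enable if a snapshot-submitting workflow is added` would make the intent reviewable. The same goes for `# deny-packages: empty`, where a note saying the previous value was invalid would explain why it is gone.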
@@ -6,3 +6,4 @@ plugins user_trunk.yaml user.yaml +tmp diff --git a/.trunk/configs/.shellcheckrc b/.trunk/configs/.shellcheckrc index f777516..9a5867d 100644 --- a/.trunk/configs/.shellcheckrc +++ b/.trunk/configs/.shellcheckrc @@ -9,7 +9,5 @@ disable=SC2181 disable=SC2312 # If you're having issues with shellcheck following source, disable the errors via: - # disable=SC1090 - # disable=SC1091 diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml index adc12ea..8092284 100644 --- a/.trunk/trunk.yaml +++ b/.trunk/trunk.yaml @@ -19,18 +19,18 @@ runtimes: lint: enabled: - osv-scanner@1.9.0 - - gitleaks@8.20.0 + - gitleaks@8.20.1 - semgrep@1.90.0 - - trivy@0.55.2 + - trivy@0.56.1 - actionlint@1.7.3 - - checkov@3.2.256 + - checkov@3.2.257 - git-diff-check - hadolint@2.12.0 - markdownlint@0.42.0 - prettier@3.3.3 - shellcheck@0.10.0 - shfmt@3.6.0 - - trufflehog@3.82.6 + - trufflehog@3.82.7 - yamllint@1.35.1 actions: disabled: diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0ec70b7..09227a7 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -2,4 +2,4 @@ ## To Contribute -Open a PR https://github.com/labsonline/devcontainer/compare. +Open a PR https://github.com/anselmes/devos/compare. diff --git a/README.md b/README.md index b467a6e..5b735a8 100644 --- a/README.md +++ b/README.md 
@@ -1,20 +1,17 @@ -# Readme +# devOS --- [![OpenSSF Scorecard][ossf-score-badge]][ossf-score-link] [![Contiuos Integration][ci-badge]][ci-link] [![Review][review-badge]][review-link] -[![Releases][releases-badge]][releases-link] - -[ossf-score-badge]: https://api.securityscorecards.dev/projects/github.com/labsonline/devcontainer/badge -[ossf-score-link]: https://securityscorecards.dev/viewer/?uri=github.com/labsonline/devcontainer -[ci-badge]: https://github.com/labsonline/devcontainer/actions/workflows/cicd.yml/badge.svg -[ci-link]: https://github.com/labsonline/devcontainer/actions/workflows/cicd.yml -[review-badge]: https://github.com/labsonline/devcontainer/actions/workflows/review.yml/badge.svg -[review-link]: https://github.com/labsonline/devcontainer/actions/workflows/review.yml -[releases-badge]: https://github.com/labsonline/devcontainer/actions/workflows/release.yml/badge.svg -[releases-link]: https://github.com/labsonline/devcontainer/actions/workflows/release.yml + +[ossf-score-badge]: https://api.securityscorecards.dev/projects/github.com/anselmes/devos/badge +[ossf-score-link]: https://securityscorecards.dev/viewer/?uri=github.com/anselmes/devos +[ci-badge]: https://github.com/anselmes/devos/actions/workflows/cicd.yml/badge.svg +[ci-link]: https://github.com/anselmes/devos/actions/workflows/cicd.yml +[review-badge]: https://github.com/anselmes/devos/actions/workflows/review.yml/badge.svg +[review-link]: https://github.com/anselmes/devos/actions/workflows/review.yml --- diff --git a/SECURITY.md b/SECURITY.md index e2e48d9..a0d706c 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,4 +2,4 @@ ## Reporting a Vulnerability -[Open an Issue](https://github.com/labsonline/devcontainer/issues/new?assignees=&labels=&template=security.md&title=) to report vulnerability. +[Open an Issue](https://github.com/anselmes/devos/issues/new?assignees=&labels=&template=security.md&title=) to report vulnerability. 
diff --git a/build/img/Dockerfile b/build/img/Dockerfile
new file mode 100644
index 0000000..6a95bc0
--- /dev/null
+++ b/build/img/Dockerfile
@@ -0,0 +1,37 @@
+FROM ubuntu:24.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV X11VNC_SKIP_DISPLAY==""
+
+COPY config/systemd/journal-to-tty.service /lib/systemd/system/journal-to-tty.service
+RUN apt-get update -y && \
+ apt-get install --no-install-recommends -y \
+ ca-certificates \
+ cron \
+ curl \
+ dbus \
+ file \
+ iproute2 \
+ libvirt-daemon \
+ libvirt-daemon-system \
+ openssl \
+ software-properties-common \
+ ssh \
+ systemd && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/*
+
+# todo: checksum downloaded binaries
+# COPY scripts/init-devos.sh /tmp/init-devos.sh
+# COPY scripts/install-docker.sh /tmp/install-docker.sh
+# RUN chmod +x \
+# /tmp/init-devos.sh \
+# /tmp/install-docker.sh && \
+# /tmp/init-devos.sh && \
+# echo "devos ALL=(ALL) NOPASSWD: ALL" >/etc/sudoers.d/devos && \
+# systemctl enable journal-to-tty.service && \
+# useradd -m devos
+
+CMD ["/sbin/init"]
+USER devos
+HEALTHCHECK NONE
diff --git a/compose-dev.yaml b/compose-dev.yaml
index a52cc58..a9c6fe1 100644
--- a/compose-dev.yaml
+++ b/compose-dev.yaml
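Review bot: `USER devos` at the end of the new Dockerfile names a user that this image never creates: the `useradd -m devos` that did so in the deleted `.github/build/img/Dockerfile` now sits inside the commented-out RUN block, so a container started from the image without a `user:` override fails at start-up with an unresolvable user, and only the `user: root` line in compose-dev.yaml masks it. Either keep `RUN useradd -m devos` as a live instruction before `USER devos`, or drop the `USER` line until the init script is re-enabled, so the image's own default does not depend on a compose override. Two smaller points: `ENV X11VNC_SKIP_DISPLAY==""` carries the doubled `=` over from the old file, which makes the variable's value begin with `=` rather than be empty (presumably `ENV X11VNC_SKIP_DISPLAY=""` was meant), and `FROM ubuntu:24.04` is a moving tag, so `FROM ubuntu:24.04@sha256:<DIGEST_PLACEHOLDER>` would let the dependabot `docker` entry added in this commit bump it deterministically. The copied `journal-to-tty.service` is likewise never enabled here, because the `systemctl enable` for it is in the same commented block.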
@@ -1,18 +1,28 @@ --- services: devos: - image: ubuntu:22.04 + image: ghcr.io/anselmes/devos:main # platform: linux/amd64 # entrypoint: /sbin/init - # privileged: true + # network_mode: host + privileged: true stdin_open: true tty: true - working_dir: /root/workspace - env_file: - - .env + user: root # note: required for /sbin/init + working_dir: /home/devos/workspace + # env_file: + # - .env volumes: - - .:/root/workspace - - ~/.gitconfig:/root/.gitconfig:ro - - ~/.gnupg:/root/.gnupg # fixme: investigate mounting as read-only - - ~/.ssh:/root/.ssh:ro - - ~/.zshrc:/root/.zshrc:ro + - .:/home/devos/workspace + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - /var/lib/libvirt:/var/lib/libvirt + - ~/.gitconfig:/home/devos/.gitconfig:ro + - ~/.gnupg:/home/devos/.gnupg:ro + - ~/.ssh:/home/devos/.ssh:ro + - ~/.zshrc:/home/devos/.zshrc:ro + ports: + - 10022:22 + - 10080:80 + - 10443:443 + - 15900:5900 + - 16443:6443 diff --git a/config/systemd/journal-to-tty.service b/config/systemd/journal-to-tty.service new file mode 100644 index 0000000..2725055 --- /dev/null +++ b/config/systemd/journal-to-tty.service @@ -0,0 +1,13 @@ +[Unit] +Description=Journald console log streamer +Requires=systemd-journald.service +After=systemd-journald.service + +[Service] +Restart=always +RestartSec=0 +ExecStart=/bin/journalctl -f +StandardOutput=tty + +[Install] +WantedBy=basic.target diff --git a/config/systemd/x11vnc.service b/config/systemd/x11vnc.service new file mode 100644 index 0000000..6d4c803 --- /dev/null +++ b/config/systemd/x11vnc.service @@ -0,0 +1,9 @@ +[Unit] +Description=VNC Server + +[Service] +Environment="HOME=/root" +ExecStart=/usr/bin/x11vnc --create --forever --shared + +[Install] +WantedBy=graphical.target diff --git a/scripts/config-devos.sh b/scripts/config-devos.sh index 5c967e0..d8e4fde 100755 --- a/scripts/config-devos.sh +++ b/scripts/config-devos.sh 
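Review bot: The new `ports:` block publishes 22, 80, 443, 5900 and 6443 without a host address, so Docker binds them on every interface of the host (and, with the usual iptables setup, ahead of a host firewall such as ufw); combined with `privileged: true`, `user: root` and the read-write `/sys/fs/cgroup` and `/var/lib/libvirt` mounts, anything that reaches those ports is reaching a root-equivalent container. For a development box the bindings should be loopback-only unless there is a stated reason, e.g. `- 127.0.0.1:15900:5900` for each entry. The VNC port is the most exposed one, since the `x11vnc.service` unit added in this commit starts `x11vnc --create --forever --shared` with no authentication option visible. `network_mode: host` staying commented out is good; a comment on `privileged: true` saying which of systemd or libvirt needs it would help the next reader decide whether a narrower `cap_add` would do.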
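Review bot: `Restart=always` together with `RestartSec=0` means that if `/bin/journalctl -f` exits immediately (for example because the tty it writes to is unavailable; `StandardOutput=tty` falls back to `/dev/console` when no `TTYPath=` is given) systemd respawns it in a tight loop until `StartLimitBurst` trips, which is hard to diagnose from inside a container. A small `RestartSec=1` and an explicit `TTYPath=` make the failure mode visible instead. The unit is copied into the image by the new Dockerfile but the `systemctl enable journal-to-tty.service` that activates it is commented out there, so as committed it presumably never starts; a comment in the unit noting where it is expected to be enabled would save the next reader a search.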
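Review bot: `ExecStart=/usr/bin/x11vnc --create --forever --shared` runs the VNC server with no `-rfbauth`/`-passwdfile` option, so whoever can reach port 5900 gets an unauthenticated, shared session on a display owned by root (`Environment="HOME=/root"`); compose-dev.yaml in this same commit publishes that port on all host interfaces as `15900:5900`. Generating a password file when the `--wm` option of init-devos.sh installs x11vnc and adding `-rfbauth /root/.vnc/passwd` to the ExecStart line is the smallest fix that keeps the port usable. If the server is only meant for local use, binding the compose port to `127.0.0.1` is the complementary change on the host side.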
@@ -3,7 +3,7 @@ set -euxo pipefail -DIR="$(dirname $(realpath $(dirname $0)))" +DIR="$(dirname $(realpath $(dirname "${0}")))" # check dependencies commands=( @@ -15,25 +15,36 @@ commands=( sudo apt-get update -y for command in "${commands[@]}"; do - if [[ ! $(command -v "${command}") ]]; then + if [[ -z $(command -v "${command}") ]]; then sudo apt-get install -y "${command}" fi done +# configure permissions +groups=( + "docker" + "libvirt" + "plugdev" + "sudo" +) + +for g in "${groups[@]}"; do + sudo usermod -aG "${g}" "${USER}" || true +done + # configure environment if [[ ! -d "${HOME}/.oh-my-zsh" ]]; then curl -fsSLo /tmp/ohmyzsh-install.sh https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh - bash /tmp/ohmyzsh-install.sh --unattended + bash /tmp/ohmyzsh-install.sh --unattended || true rm -f /tmp/ohmyzsh-install.sh fi +ln -sf "${DIR}/config/bashrc" "${HOME}/.bashrc" || true +ln -sf "${DIR}/config/gitconfig" "${HOME}/.gitconfig" || true +ln -sf "${DIR}/config/sshconfig" "${HOME}/.ssh/config" || true +ln -sf "${DIR}/config/zshrc" "${HOME}/.zshrc" || true + sudo ln -sf "${DIR}/scripts/aliases.sh" /etc/profile.d/aliases.sh sudo ln -sf "${DIR}/scripts/environment.sh" /etc/profile.d/environment.sh -ln -sf "${DIR}/config/bashrc" "${HOME}/.bashrc" -ln -sf "${DIR}/config/gitconfig" "${HOME}/.gitconfig" -ln -sf "${DIR}/config/sshconfig" "${HOME}/.ssh/config" -ln -sf "${DIR}/config/zshrc" "${HOME}/.zshrc" - -zsh="$(command -v zsh)" -sudo chsh -s "${zsh}" "$(whoami)" +sudo chsh -s "$(command -v zsh)" "${USER}" diff --git a/scripts/init-devos.sh b/scripts/init-devos.sh index 60dd358..b31ba13 100755 --- a/scripts/init-devos.sh +++ b/scripts/init-devos.sh 
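Review bot: `bash /tmp/ohmyzsh-install.sh --unattended || true` runs a script fetched from the unpinned `master` branch and, with the new `|| true`, now hides any failure from `set -e`, so a broken or tampered download is executed and then ignored; pinning the URL to a commit and checking the file against a known digest before running it (`echo "<EXPECTED_SHA256_PLACEHOLDER>  /tmp/ohmyzsh-install.sh" | sha256sum -c -`) is the usual defence, and the `|| true` should then go. The same `|| true` on the four `ln -sf` lines and on `sudo usermod -aG` masks errors silently; note in particular that the new loop adds `${USER}` to `docker` and `sudo`, both root-equivalent wherever the docker socket or sudoers is shared with the host, so a comment stating that this is intended only for the throwaway dev container would help. `${USER}` is also not guaranteed to be set in non-login contexts such as `postCreateCommand`, so `"$(id -un)"` is the safer spelling where the removed code used `$(whoami)`.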
@@ -17,10 +17,12 @@ set -euxo pipefail : "${CLUSTERCTL_VERSION:=1.8.3}" : "${COSIGN_VERSION:=2.4.0}" : "${GH_VERSION:=2.57.0}" +: "${GO_VERSION:=1.23.2}" : "${JQ_VERSION:=1.7.1}" : "${K0SCTL_VERSION:=0.19.0}" : "${KIND_VERSION:=0.24.0}" : "${KUBECTL_VERSION:=v1.31.1}" +: "${NODE_VERSION:=20.18.0}" : "${OP_VERSION:=2.30.0}" : "${SBCTL_VERSION:=0.15.4}" : "${SOPS_VERSION:=3.9.0}" @@ -28,10 +30,23 @@ set -euxo pipefail : "${VAULT_VERSION:=1.17.6}" : "${YQ_VERSION:=4.44.3}" -DIR="$(dirname $(realpath $(dirname $0)))" - -apt-get update -apt-get install -y sudo unzip zip +ARGS=${@} +DIR="$(dirname $(realpath $(dirname "${0}")))" + +apt-get update -yq +apt-get install --no-install-recommends -y \ + ansible \ + genisoimage \ + git \ + git-lfs \ + libvirt-clients \ + python3-openstackclient \ + python3-pip \ + sudo \ + unzip \ + vim \ + virtinst \ + zip mkdir -p \ "${CARGO_HOME}" \ 
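Review bot: `ARGS=${@}` collapses all positional parameters into one whitespace-joined string, which the feature checks later in this file compare with glob patterns such as `*"--docker"*`; a longer flag that contains a shorter one (say a future `--gopath`) would switch on `--go`, and an argument with a space cannot be represented at all. Storing the arguments as an array, `ARGS=("$@")`, and testing membership per flag, or parsing them with a `case` loop as the deleted `tools/libvirt.sh` did, gives exact matching. The `apt-get install` list added below it is fine, but a comment saying why these packages moved from the Dockerfile into the script would explain the split to the next reader.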
@@ -39,170 +54,182 @@ mkdir -p \ "${KREW_ROOT}" \ "${RUSTUP_HOME}" -# fixme: make optional via envvar # install docker -[[ -z $(command -v docker) ]] && "${DIR}/scripts/install-docker.sh" - -# fixme: make optional via envvar -# # install rust -# [[ -z $(command -v rustc) ]] && { -# curl -fsSLo /tmp/rustup-init.sh https://sh.rustup.rs -# RUSTUP_HOME="${RUSTUP_HOME}" CARGO_HOME="${CARGO_HOME}" sh /tmp/rustup-init.sh -y -# } - -# todo: make golang optional via envvar -# todo: make node optional via envvar +if [[ ${ARGS} == *"--docker"* && -z $(command -v docker) ]]; then + "${DIR}/scripts/install-docker.sh" +fi + +# install rust +if [[ ${ARGS} == *"--rust"* && -z $(command -v rustc) ]]; then + curl -fsSLo /tmp/rustup-init.sh https://sh.rustup.rs + RUSTUP_HOME="${RUSTUP_HOME}" CARGO_HOME="${CARGO_HOME}" sh /tmp/rustup-init.sh -y +fi + +# install go +if [[ ${ARGS} == *"--go"* && -z $(command -v go) ]]; then + curl -fsSLo /tmp/go.tar.gz "https://golang.org/dl/go${GO_VERSION}.linux-${ARCH}.tar.gz" + tar -xvf /tmp/go.tar.gz -C /usr/local/ >/dev/null +fi + +# install node +if [[ ${ARGS} == *"--go"* && -z $(command -v node) ]]; then + curl -fsSLo /tmp/node.tar.gz "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${ARCH}.tar.gz" + tar -xvf /tmp/node.tar.gz -C /usr/local/ >/dev/null +fi # install yq -[[ -z $(command -v yq) ]] && { +if [[ -z $(command -v yq) ]]; then curl -fsSLo /tmp/yq "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_${ARCH}" install /tmp/yq /usr/local/bin/ -} +fi # install jq -[[ -z $(command -v jq) ]] && { +if [[ -z $(command -v jq) ]]; then curl -fsSLo /tmp/jq "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-arm64" install /tmp/jq /usr/local/bin/ -} +fi # install buf -[[ -z $(command -v buf) ]] && { +if [[ -z $(command -v buf) ]]; then curl -fsSLo /tmp/buf "https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION}/buf-$(uname -s)-$(uname -m)" install /tmp/buf /usr/local/bin/ -} +fi # 
install cfssl -[[ -z $(command -v cfssl) ]] && { +if [[ -z $(command -v cfssl) ]]; then curl -fsSLo /tmp/cfssl "https://github.com/cloudflare/cfssl/releases/download/v${CFSSL_VERSION}/cfssl_${CFSSL_VERSION}_linux_${ARCH}" install /tmp/cfssl /usr/local/bin/ -} +fi # install cilium cli -[[ -z $(command -v cilium) ]] && { +if [[ -z $(command -v cilium) ]]; then curl -fsSLo /tmp/cilium.tar.gz "https://github.com/cilium/cilium-cli/releases/download/v${CILIUM_VERSION}/cilium-linux-${ARCH}.tar.gz" - tar -xvf /tmp/cilium.tar.gz -C /tmp/ + tar -xvf /tmp/cilium.tar.gz -C /tmp/ >/dev/null install /tmp/cilium /usr/local/bin/ -} +fi -# fixme: make optional via envvar # install cloudflared -# [[ -z $(command -v cloudflared) ]] && { -# curl -fsSLo /tmp/cloudflared "https://github.com/cloudflare/cloudflared/releases/download/${CLOUDFLARED_VERSION}/cloudflared-linux-${ARCH}" -# install /tmp/cloudflared /usr/local/bin/ -# } +if [[ ${ARGS} == *"--cloudflared"* && -z $(command -v cloudflared) ]]; then + curl -fsSLo /tmp/cloudflared "https://github.com/cloudflare/cloudflared/releases/download/${CLOUDFLARED_VERSION}/cloudflared-linux-${ARCH}" + install /tmp/cloudflared /usr/local/bin/ +fi # install clusterctl -[[ -z $(command -v clusterctl) ]] && { +if [[ -z $(command -v clusterctl) ]]; then curl -fsSLo /tmp/clusterctl "https://github.com/kubernetes-sigs/cluster-api/releases/download/v${CLUSTERCTL_VERSION}/clusterctl-linux-${ARCH}" install /tmp/clusterctl /usr/local/bin/ -} +fi # install cosign -[[ -z $(command -v cosign) ]] && { +if [[ -z $(command -v cosign) ]]; then curl -fsSLo /tmp/cosign "https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-${ARCH}" install /tmp/cosign /usr/local/bin/ -} +fi # install github cli -[[ -z $(command -v gh) ]] && { +if [[ -z $(command -v gh) ]]; then curl -fsSLo /tmp/gh.tar.gz "https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_${ARCH}.tar.gz" - tar -xvf /tmp/gh.tar.gz -C /tmp/ + tar -xvf 
/tmp/gh.tar.gz -C /tmp/ >/dev/null install "/tmp/gh_${GH_VERSION}_linux_${ARCH}/bin/gh" /usr/local/bin/ -} +fi # install k0sctl -[[ -z $(command -v k0sctl) ]] && { +if [[ -z $(command -v k0sctl) ]]; then curl -fsSLo /tmp/k0sctl "https://github.com/k0sproject/k0sctl/releases/download/v${K0SCTL_VERSION}/k0sctl-linux-${ARCH}" install /tmp/k0sctl /usr/local/bin/ -} +fi # install kind -[[ -z $(command -v kind) ]] && { +if [[ -z $(command -v kind) ]]; then curl -fsSLo /tmp/kind "https://github.com/kubernetes-sigs/kind/releases/download/v${KIND_VERSION}/kind-linux-${ARCH}" install /tmp/kind /usr/local/bin/ -} +fi # install kubectl -[[ -z $(command -v kubectl) ]] && { +if [[ -z $(command -v kubectl) ]]; then curl -fsSLo /tmp/kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" install /tmp/kubectl /usr/local/bin/ -} +fi # install 1password cli -[[ -z $(command -v op) ]] && { +if [[ -z $(command -v op) ]]; then curl -fsSLo /tmp/op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/v${OP_VERSION}/op_linux_${ARCH}_v${OP_VERSION}.zip" unzip -d /tmp/op /tmp/op.zip install /tmp/op/op /usr/local/bin/ groupadd -f onepassword-cli chgrp onepassword-cli /usr/local/bin/op chmod g+s /usr/local/bin/op -} +fi # install sbctl -[[ -z $(command -v sbctl) ]] && { +if [[ -z $(command -v sbctl) ]]; then curl -fsSLo /tmp/sbctl.tar.gz "https://github.com/Foxboron/sbctl/releases/download/${SBCTL_VERSION}/sbctl-${SBCTL_VERSION}-linux-${ARCH}.tar.gz" - tar -xvf /tmp/sbctl.tar.gz -C /tmp/ + tar -xvf /tmp/sbctl.tar.gz -C /tmp/ >/dev/null install /tmp/sbctl/sbctl /usr/local/bin/ -} +fi # install sops -[[ -z $(command -v sops) ]] && { +if [[ -z $(command -v sops) ]]; then curl -fsSLo /tmp/sops "https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.${ARCH}" install /tmp/sops /usr/local/bin/ -} +fi # install trivy -[[ -z $(command -v trivy) ]] && { +if [[ -z $(command -v trivy) ]]; then curl -fsSLo /tmp/trivy.tar.gz 
"https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-ARM64.tar.gz" - tar -xvf /tmp/trivy.tar.gz -C /tmp/ + tar -xvf /tmp/trivy.tar.gz -C /tmp/ >/dev/null install /tmp/trivy /usr/local/bin/ -} +fi # install vault -[[ -z $(command -v vault) ]] && { +if [[ -z $(command -v vault) ]]; then curl -fsSLo /tmp/vault.zip "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_${ARCH}.zip" unzip -d /tmp/vault /tmp/vault.zip install /tmp/vault/vault /usr/local/bin/ -} +fi # install flux -[[ -z $(command -v flux) ]] && { +if [[ -z $(command -v flux) ]]; then curl -fsSLo /tmp/flux-install.sh https://fluxcd.io/install.sh bash /tmp/flux-install.sh -} +fi # install helm -[[ -z $(command -v helm) ]] && { +if [[ -z $(command -v helm) ]]; then curl -fsSLo /tmp/get-helm-3.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 bash /tmp/get-helm-3.sh -} +fi # install krew -[[ -z $(command -v krew) ]] && { +if [[ -z $(command -v krew) ]]; then curl -fsSLo /tmp/krew.tar.gz "https://github.com/kubernetes-sigs/krew/releases/latest/download/krew-linux_${ARCH}.tar.gz" - tar -xvf /tmp/krew.tar.gz -C /tmp/ + tar -xvf /tmp/krew.tar.gz -C /tmp/ >/dev/null KREW_ROOT="${KREW_ROOT}" /tmp/krew-linux_"${ARCH}" install krew -} +fi # install trunk.io -[[ -z $(command -v trunk) ]] && { +if [[ -z $(command -v trunk) ]]; then curl -fsSLo /tmp/trunk.sh https://get.trunk.io chmod 755 /tmp/trunk.sh /tmp/trunk.sh chmod 755 "$(command -v trunk)" -} +fi + +# enable windows manager +if [[ ${ARGS} == *"--wm"* ]]; then + apt-get install --no-install-recommends -y \ + icewm \ + x11vnc \ + xauth \ + xinit \ + xterm \ + xvfb + cp -f config/systemd/x11vnc.service /lib/systemd/system/x11vnc.service + systemctl enable x11vnc.service + echo "exec icewm" >~/.xinitrc && chmod +x ~/.xinitrc +fi # post -groups=( - "docker" - "libvirt" - "plugdev" - "sudo" -) -for g in "${groups[@]}"; do - usermod -aG "${g}" "$(whoami)" || true -done 
- plugins=( "ca-cert" "cert-manager" @@ -226,13 +253,11 @@ plugins=( "view-serviceaccount-kubeconfig" "view-utilization" ) + for p in "${plugins[@]}"; do KREW_ROOT="${KREW_ROOT}" /usr/local/krew/bin/kubectl-krew install "${p}" done -chsh -s "$(command -v zsh)" root || true -chsh -s "$(command -v zsh)" "$(whoami)" && echo "$(whoami) ALL=(ALL) NOPASSWD: ALL >/etc/sudoers.d/$(whoami)" - chmod -R 777 \ "${CARGO_HOME}" \ "${GOPATH}" \ diff --git a/tools/libvirt.sh b/tools/libvirt.sh deleted file mode 100755 index ec853ac..0000000 --- a/tools/libvirt.sh +++ /dev/null 
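Review bot: The `# install node` block is gated on `*"--go"*` instead of `*"--node"*`, so node is installed whenever go is requested and never on its own; the line should read `if [[ ${ARGS} == *"--node"* && -z $(command -v node) ]]; then`. In the new `--wm` block, `cp -f config/systemd/x11vnc.service /lib/systemd/system/x11vnc.service` is the only repository path in this script that is relative to the caller's working directory, while every other one goes through `${DIR}`, so it should be `cp -f "${DIR}/config/systemd/x11vnc.service" /lib/systemd/system/x11vnc.service` or the copy fails when the script is run from `/tmp` as the Dockerfile's commented block intends. The go and node tarballs, like the rustup and cloudflared downloads this hunk un-comments, are fetched by version string only and extracted into `/usr/local` as root with no integrity check, which the Dockerfile's `# todo: checksum downloaded binaries` acknowledges; Go publishes a `.sha256` file next to each tarball, so verifying at least that one with `sha256sum -c` is a small addition. The script continues beyond this hunk in both directions.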
@@ -1,115 +0,0 @@ -#!/bin/bash -# SPDX-License-Identifier: GPL-3.0 - -set -eo pipefail - -# Check Dependencies -commands=( - "pip" - "python3" -) - -for command in "${commands[@]}"; do - if [[ $(command -v "${command}" > /dev/null) ]]; then - echo "${command} not found" - exit 1 - fi -done - -ARGS=${@} -DIR="$(dirname $(realpath $(dirname $0)))" -NAME="devos" - -# Parse Arguments -while [[ $# -gt 0 ]]; do - case "${1}" in - -d|--debug) - DEBUG=true - shift - ;; - -V|--verbose) - VERBOSE=true - shift - ;; - --name) - NAME="${2}" - [[ -z ${NAME} ]] && echo "Name is required" && exit 1 - shift 2 - ;; - --install) - INSTALL=true - shift - ;; - --create) - CREATE=true - shift - ;; - --configure) - CONFIGURE=true - shift - ;; - --cleanup) - CLEANUP=true - shift - ;; - -v|--version) - echo "${0} $(git describe --all)" - exit 0 - ;; - -h|--help) - echo """ -Usage: ${0} [options] -Options: - -d, --debug Enable debug mode - -V, --verbose Enable verbose mode - --name string Name of the instance (default: devos) - --install Install vbmc locally - --create Create the instance - --configure Configure vbmc - --cleanup Cleanup the instance - -v, --version Show version - -h, --help Show this help message -""" - exit 0 - ;; - *) - ARGS+=("${1}") - echo "Unknown option: ${1}" - exit 1 - esac -done - -# Enable Debug Mode -if [[ ${DEBUG} == true ]]; then - set -x -fi - -# Enable Verbose Mode -if [[ ${VERBOSE} == true ]]; then - echo """ -ARGS: ${ARGS} -""" -fi - -if [[ ${CLEANUP} == true ]]; then - # todo: cleanup - echo "cleaning up!!!" -fi - -# install vbmc -if [[ ${INSTALL} == true ]]; then - pip install virtualbmc -fi - -virsh list --all -vbmc list - -if [[ ${CREATE} == true ]]; then - # todo: create vm - echo "creating vm!!!" -fi - -if [[ ${CONFIG} == true ]]; then - # todo: configure vbmc - echo "configuring vbmc!!!" -fi