[cloud-init] #Ubuntu #Hard #CIS #hardened 20.04 #splunk #lynslang
node_modules
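#cloud-config
# I have not tested this yet, but it should work just fine
#
# Review notes:
#   * The original file declared `groups`, `runcmd` and `system_info` twice.
#     Most YAML loaders keep only the last duplicate, which silently dropped
#     the whole first `runcmd` list; the duplicates are merged below in order.
#   * cloud-init writes `runcmd` into a single /bin/sh script and runs it as
#     root at the end of first boot, so `cd`/`export` carry over between
#     entries, bash-only `source` has to be spelled `.`, and `$USER`/`~` refer
#     to root rather than the default user — TODO confirm which user is meant.
#   * Several entries pipe an unpinned remote script straight into a shell or
#     interpreter (Homebrew installer, x11docker, get-poetry.py). Nothing
#     checks what was downloaded; pin a release and verify its published
#     checksum or signature before relying on an image built this way.
packages:
  - apt-transport-https
  - ca-certificates
  - curl
  - gnupg-agent
  - software-properties-common
  - git
  - docker.io  # Lynsei prefers docker.io for security: https://bityl.co/9kNA
  - python3.9

# Create the docker group.
groups:
  - docker

# Add the default auto-created user to the docker group. Membership of
# `docker` is root-equivalent on the host, so it is limited to this one user.
# NOTE(review): lists are replaced, not appended, when cloud-init merges this
# over the distro defaults, so the user may lose its default groups (adm,
# sudo, ...) unless they are listed here too — TODO confirm on the target image.
system_info:
  default_user:
    name: ubuntu
    groups: [docker]

runcmd:
  # --- base packages ---
  - apt update -y  # Update apt package index
  # NOTE(review): the Homebrew installer refuses to run as root and runcmd runs
  # as root; every later `brew install` depends on this step succeeding.
  - /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"  # install brew
  - apt install -y python3.9 docker.io linuxbrew-wrapper
  - sudo apt-add-repository ppa:fish-shell/release-3
  - sudo apt update
  # -y added: without a tty, apt aborts at the confirmation prompt.
  - sudo apt install -y fish
  - python3.9 --version
  - docker version
  - groupadd docker  # group already exists (groups: above, docker.io); fails harmlessly
  - usermod -aG docker $USER  # NOTE(review): $USER is likely unset or root here — TODO confirm
  - snap install docker-compose
  - docker-compose -v
  - sudo apt install -y pass
  # NOTE(review): nothing above installs nodejs/npm; these will fail unless the
  # image already ships them.
  - sudo npm i -g npx
  - npm i -g jest-cli
  - npm i -g ava-cli
  - npm i -g yarn
  - npm install -g degit
  - curl -fsSL https://raw.githubusercontent.com/mviereck/x11docker/master/x11docker | sudo bash -s -- --update  # x11 docker
  - sudo apt-get install -y nxagent xserver-xephyr  # x11 stuff
  - cd /
  - npm install -g @jsdevtools/version-bump-prompt  # bump tool
  # Stock Ubuntu 20.04 has no `python` binary; use the interpreter installed above.
  - curl -sSL https://raw.githubusercontent.com/sdispater/poetry/master/get-poetry.py | python3.9
  - npx degit https://github.com/powerline/fonts#master Meslo%20Slashed --force;
  # nvm: clone, then check out the pinned tag inside the clone (the original
  # ran `git checkout` in ~ instead of ~/.nvm) and load it with POSIX `.`.
  # nvm documents that it does not support dash; this may still fail under
  # cloud-init's /bin/sh — TODO confirm.
  - cd ~/; git clone https://github.com/nvm-sh/nvm.git .nvm
  - cd ~/.nvm; git checkout v0.39.1; . ./nvm.sh
  # Separators added: the original ran `export NVM_DIR=... [ -s ...` as one
  # export command, which fails on the `-s` argument.
  - export NVM_DIR="$HOME/.nvm"; [ -s "$NVM_DIR/nvm.sh" ] && . "$NVM_DIR/nvm.sh"; [ -s "$NVM_DIR/bash_completion" ] && . "$NVM_DIR/bash_completion"
  # --- kubernetes tooling ---
  - modprobe br_netfilter  # Load br_netfilter module.
  - snap install microk8s --classic --channel=1.18/stable
  - brew install minikube kubernetes-cli k3sup
  - ufw allow in on cni0 && sudo ufw allow out on cni0
  - ufw default allow routed
  - sysctl --system  # Reload settings from all system configuration files to take iptables configuration
  # --- ruby ---
  - brew install ruby-install
  - brew install brew-gem
  - ruby-install ruby 3.0.2
  # NOTE(review): rbenv is not installed by anything above — TODO confirm.
  - rbenv install 2.4.1
  - rbenv local 2.4.1
  - rbenv global 2.4.1
  - rbenv rehash
  - gem update --system
  # --- docker service (from the original second `runcmd:`) ---
  - systemctl start docker
  - systemctl enable docker
  - chown -R ubuntu:ubuntu /home/ubuntu

# Enable ipv4 forwarding, required on CIS hardened machines. write_files runs
# before runcmd, so the `sysctl --system` entry above applies it.
write_files:
  - path: /etc/sysctl.d/enabled_ipv4_forwarding.conf
    content: |
      net.ipv4.conf.all.forwarding=1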
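# syntax=docker/dockerfile:1
# NOTE(review): setup.sh (copied below) installs with apt-get/dpkg and pins
# Debian "+deb10uN" package versions, but ubi8-minimal is RPM-based and ships
# no apt — confirm which base image is intended before building.
FROM redhat/ubi8-minimal

# Set one or more individual labels
LABEL com.lyns.language.version="0.1.26"
# TODO: the original had an unfinished `LABEL com.splunk.` with no key/value;
# complete it as LABEL com.splunk.<key>="<value>" or drop it.

WORKDIR /usr/local/splunk

# Run the build-time setup script explicitly with bash (it uses bash arrays).
# The original `RUN setup.sh` fails because the work directory is not on PATH.
COPY setup.sh ./setup.sh
RUN bash ./setup.sh

# The original `COPY lyns` had no destination; copy into the work directory.
# TODO confirm the intended destination.
COPY lyns ./lyns

# Add Tini as PID 1 so signals are forwarded and zombies are reaped.
# NOTE(review): the download is not verified; tini publishes .asc signatures
# per release, and BuildKit's `ADD --checksum=sha256:<digest>` pins the binary.
ENV TINI_VERSION=v0.19.0
ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
RUN chmod +x /tini
ENTRYPOINT ["/tini", "--"]

# Init and properly reap Lyns Language from the base image.
# NOTE(review): exec-form CMD does no shell parsing, so "&&" reaches lyns as a
# literal argument. If a shell chain was intended, use
# CMD ["/bin/sh", "-c", "..."] instead.
CMD ["/usr/local/bin/lyns", "--","sleep","infinity","&&"]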
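set -eu

# Build-time inputs consumed below. The Dockerfile on this page does not set
# them, so fail with a clear message instead of fetching "Python-.tgz" or an
# empty URL and dying later under `set -e`.
: "${PYTHON_VERSION:?PYTHON_VERSION must be set (the python3-apt step below assumes 3.7.x)}"
: "${PYTHON_GPG_KEY_ID:?PYTHON_GPG_KEY_ID must be set (key that signs the Python release)}"
: "${SCLOUD_URL:?SCLOUD_URL must be set}"

# Generate UTF-8 char map and locale
apt-get update -y
apt-get install -y --no-install-recommends locales wget gnupg bash
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
rm -f /usr/share/locale/locale.alias
ln -s /etc/locale.alias /usr/share/locale/locale.alias
locale-gen
localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
export LANG=en_US.utf8

# Set timezone to use UTC
ln -sf /usr/share/zoneinfo/UTC /etc/localtime
/usr/sbin/dpkg-reconfigure -f noninteractive tzdata

# Install utility packages.
# iputils-ping is added so a capability-scoped ping exists instead of a
# setuid busybox (see the busybox section at the end).
# NOTE(review): the three explicit "+deb10uN" pins are Debian 10 (buster)
# versions; apt-get fails once the suite no longer ships exactly them.
apt-get install -y --no-install-recommends curl sudo libgssapi-krb5-2 busybox procps acl gcc make \
    libffi-dev libssl-dev make build-essential libbz2-dev \
    wget xz-utils ca-certificates zlib1g-dev python3-apt p11-kit liblz4-dev iputils-ping \
    libhogweed4=3.4.1-1+deb10u1 libgnutls30=3.6.7-4+deb10u7 libgcrypt20=1.8.4-5+deb10u1

# Install Python and necessary packages
PY_SHORT=${PYTHON_VERSION%.*}
wget -O /tmp/python.tgz https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz
wget -O /tmp/Python-gpg-sig-${PYTHON_VERSION}.tgz.asc https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz.asc
# In a fresh build the keyring holds only the key fetched here, so a passing
# --verify means the tarball was signed by PYTHON_GPG_KEY_ID specifically.
gpg --recv-keys "$PYTHON_GPG_KEY_ID"
gpg --verify /tmp/Python-gpg-sig-${PYTHON_VERSION}.tgz.asc /tmp/python.tgz
rm /tmp/Python-gpg-sig-${PYTHON_VERSION}.tgz.asc
mkdir -p /tmp/pyinstall
tar -xzC /tmp/pyinstall/ --strip-components=1 -f /tmp/python.tgz
rm /tmp/python.tgz
cd /tmp/pyinstall
./configure --enable-optimizations --prefix=/usr --with-ensurepip=install
make altinstall LDFLAGS="-Wl,--strip-all"
rm -rf /tmp/pyinstall
ln -sf /usr/bin/python${PY_SHORT} /usr/bin/python
ln -sf /usr/bin/pip${PY_SHORT} /usr/bin/pip

# For ansible apt module.
# NOTE(review): python3-apt 1.8.4.3 ships extension modules built for
# CPython 3.7 (the "cpython-37m" names below). Copied into another Python's
# site-packages they will not import — TODO confirm PYTHON_VERSION is 3.7.x.
cd /tmp
apt-get download python3-apt=1.8.4.3
ARCH=$(arch)
PKG_ARCH=$(dpkg --print-architecture)
dpkg -x python3-apt_1.8.4.3_${PKG_ARCH}.deb python3-apt
rm python3-apt_1.8.4.3_${PKG_ARCH}.deb
cp -r /tmp/python3-apt/usr/lib/python3/dist-packages/* /usr/lib/python${PY_SHORT}/site-packages/
cd /usr/lib/python${PY_SHORT}/site-packages/
cp apt_pkg.cpython-37m-${ARCH}-linux-gnu.so apt_pkg.so
cp apt_inst.cpython-37m-${ARCH}-linux-gnu.so apt_inst.so
rm -rf /tmp/python3-apt

# Install splunk-ansible dependencies (versions pinned as in the original).
cd /
pip -q --no-cache-dir install six wheel requests cryptography==3.3.2 ansible==3.4.0 urllib3==1.26.5 jmespath --upgrade

# Remove tests packaged in python libs
find /usr/lib/ -depth \( -type d -a -not -wholename '*/ansible/plugins/test' -a \( -name test -o -name tests -o -name idle_test \) \) -exec rm -rf '{}' \;
# Grouped so that -type f applies to all three names: in the original
# `-type f -a -name '*.pyc' -o -name '*.pyo' -o -name '*.a'`, -a bound tighter
# than -o, so directories named *.pyo or *.a were removed as well.
find /usr/lib/ -depth \( -type f -a \( -name '*.pyc' -o -name '*.pyo' -o -name '*.a' \) \) -exec rm -rf '{}' \;
find /usr/lib/ -depth \( -type f -a -name 'wininst-*.exe' \) -exec rm -rf '{}' \;
ldconfig
apt-get remove -y --allow-remove-essential gcc libffi-dev libssl-dev make build-essential libbz2-dev xz-utils zlib1g-dev
apt-get autoremove -y --allow-remove-essential

# Install scloud
# NOTE(review): unlike the Python tarball, nothing verifies this archive;
# pin SCLOUD_URL to a release and check its published checksum before use.
wget -O /usr/bin/scloud.tar.gz "${SCLOUD_URL}"
tar -xf /usr/bin/scloud.tar.gz -C /usr/bin/
rm /usr/bin/scloud.tar.gz

# Enable busybox symlinks.
# `ping` is no longer linked to busybox and the original `chmod u+s /bin/ping`
# is gone: /bin/ping was a symlink, so chmod followed it and set the setuid
# bit on /bin/busybox itself — every applet, sh included, became setuid root
# (only mitigated if busybox was built with CONFIG_FEATURE_SUID, which cannot
# be assumed). iputils-ping, installed above, provides ping with its
# cap_net_raw/setuid confined to that one binary.
cd /bin
BBOX_LINKS=( clear find diff hostname killall netstat nslookup ping6 readline route syslogd tail traceroute vi )
for item in "${BBOX_LINKS[@]}"
do
    ln -s busybox "$item" || true
done

# Clean
apt clean autoclean
rm -rf /var/lib/apt/lists/*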