images/initializeBaseUbuntuImage.sh

#!/bin/bash

set -euv -o pipefail

readonly USER=yellowtent
readonly USER_HOME="/home/${USER}"
readonly INSTALLER_SOURCE_DIR="${USER_HOME}/installer"
readonly INSTALLER_REVISION="$1"
readonly USER_DATA_FILE="/root/user_data.img"
readonly USER_DATA_DIR="/home/yellowtent/data"

readonly SOURCE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "${SOURCE_DIR}/INFRA_VERSION"

echo "==== Create User ${USER} ===="
if ! id "${USER}"; then
    useradd "${USER}" -m
fi

echo "=== Yellowtent base image preparation (installer revision - ${INSTALLER_REVISION}) ==="

export DEBIAN_FRONTEND=noninteractive

echo "=== Upgrade ==="
apt-get update
apt-get upgrade -y
apt-get install -y curl

# Setup firewall before everything. docker creates it's own chain and the -X below will remove it
# Do NOT use iptables-persistent because it's startup ordering conflicts with docker
echo "=== Setting up firewall ==="
# clear tables and set default policy
iptables -F # flush all chains
iptables -X # delete all chains
# default policy for filter table
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT # TODO: disable icc and make this as reject
iptables -P OUTPUT ACCEPT

# NOTE: keep these in sync with src/apps.js validatePortBindings
# allow ssh, http, https, ping, dns
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp -m multiport --dports 80,202,443,886 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -s 172.17.0.0/16 -j ACCEPT # required to accept any connections from apps to our IP:<public port>

# loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# disable metadata access to non-root
# modprobe ipt_owner
iptables -A OUTPUT -m owner ! --uid-owner root -d 169.254.169.254 -j DROP

# prevent DoS
# iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

# log dropped incoming. keep this at the end of all the rules
iptables -N LOGGING # new chain
iptables -A INPUT -j LOGGING # last rule in INPUT chain
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP

echo "==== Install btrfs tools ==="
apt-get -y install btrfs-tools

echo "==== Install docker ===="
# install docker from binary to pin it to a specific version. the current debian repo does not allow pinning
curl https://get.docker.com/builds/Linux/x86_64/docker-1.9.0 > /usr/bin/docker
chmod +x /usr/bin/docker
groupadd docker
cat > /etc/systemd/system/docker.socket <<EOF
[Unit]
Description=Docker Socket for the API
PartOf=docker.service

[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker

[Install]
WantedBy=sockets.target
EOF
cat > /etc/systemd/system/docker.service <<EOF
[Unit]
Description=Docker Application Container Engine
After=network.target docker.socket
Requires=docker.socket

[Service]
ExecStart=/usr/bin/docker -d -H fd:// -s btrfs -g /home/yellowtent/data/docker --log-driver=journald
MountFlags=slave
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity

[Install]
WantedBy=multi-user.target
EOF

echo "=== Setup btrfs docker data ==="
fallocate -l "8192m" "${USER_DATA_FILE}" # 8gb start
mkfs.btrfs -L UserHome "${USER_DATA_FILE}"
echo "${USER_DATA_FILE} ${USER_DATA_DIR} btrfs loop,nosuid 0 0" >> /etc/fstab
mkdir -p "${USER_DATA_DIR}" && mount "${USER_DATA_FILE}"
mkdir -p "${USER_DATA_DIR}/docker"

# give docker sometime to start up and create iptables rules
systemctl enable docker
systemctl start docker
sleep 10

# Disable forwarding to metadata route from containers
iptables -I FORWARD -d 169.254.169.254 -j DROP

# ubuntu will restore iptables from this file automatically. this is here so that docker's chain is saved to this file
mkdir /etc/iptables && iptables-save > /etc/iptables/rules.v4

echo "=== Enable memory accounting =="
sed -e 's/GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1 panic_on_oops=1 panic=5"/' -i /etc/default/grub
update-grub

# now add the user to the docker group
usermod "${USER}" -a -G docker
echo "=== Pulling base docker images ==="
docker pull "${BASE_IMAGE}"

echo "=== Pulling mysql addon image ==="
docker pull "${MYSQL_IMAGE}"

echo "=== Pulling postgresql addon image ==="
docker pull "${POSTGRESQL_IMAGE}"

echo "=== Pulling redis addon image ==="
docker pull "${REDIS_IMAGE}"

echo "=== Pulling mongodb addon image ==="
docker pull "${MONGODB_IMAGE}"

echo "=== Pulling graphite docker images ==="
docker pull "${GRAPHITE_IMAGE}"

echo "=== Pulling mail relay ==="
docker pull "${MAIL_IMAGE}"

echo "==== Install nginx ===="
apt-get -y install nginx-full

echo "==== Install build-essential ===="
apt-get -y install build-essential rcconf


echo "==== Install mysql ===="
debconf-set-selections <<< 'mysql-server mysql-server/root_password password password'
debconf-set-selections <<< 'mysql-server mysql-server/root_password_again password password'
apt-get -y install mysql-server

echo "==== Install pwgen ===="
apt-get -y install pwgen

echo "==== Install collectd ==="
apt-get install -y collectd collectd-utils
update-rc.d -f collectd remove

# this simply makes it explicit that we run logrotate via cron. it's already part of base ubuntu
echo "==== Install logrotate ==="
apt-get install -y cron logrotate
systemctl enable cron

echo "==== Extracting installer source ===="
rm -rf "${INSTALLER_SOURCE_DIR}" && mkdir -p "${INSTALLER_SOURCE_DIR}"
tar xvf /root/installer.tar -C "${INSTALLER_SOURCE_DIR}" && rm /root/installer.tar
echo "${INSTALLER_REVISION}" > "${INSTALLER_SOURCE_DIR}/REVISION"

echo "==== Install nodejs ===="
# Cannot use anything above 4.1.1 - https://github.com/nodejs/node/issues/3803
mkdir -p /usr/local/node-4.1.1
curl -sL https://nodejs.org/dist/v4.1.1/node-v4.1.1-linux-x64.tar.gz | tar zxvf - --strip-components=1 -C /usr/local/node-4.1.1
ln -s /usr/local/node-4.1.1/bin/node /usr/bin/node
ln -s /usr/local/node-4.1.1/bin/npm /usr/bin/npm
apt-get install -y python	# Install python which is required for npm rebuild

echo "=== Rebuilding npm packages ==="
cd "${INSTALLER_SOURCE_DIR}" && npm install --production
chown "${USER}:${USER}" -R "${INSTALLER_SOURCE_DIR}"

echo "==== Install installer systemd script ===="
cat > /etc/systemd/system/cloudron-installer.service <<EOF
[Unit]
Description=Cloudron Installer

[Service]
Type=idle
ExecStart="${INSTALLER_SOURCE_DIR}/src/server.js"
Environment="DEBUG=installer*,connect-lastmile"
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
systemctl enable cloudron-installer

# Restore iptables before docker
echo "==== Install iptables-restore systemd script ===="
cat > /etc/systemd/system/iptables-restore.service <<EOF
[Unit]
Description=IPTables Restore
Before=docker.service

[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables/rules.v4
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
systemctl enable iptables-restore

# Allocate swap files
# https://bbs.archlinux.org/viewtopic.php?id=194792 ensures this runs after do-resize.service
echo "==== Install box-setup systemd script ===="
cat > /etc/systemd/system/box-setup.service <<EOF
[Unit]
Description=Box Setup
Before=docker.service
After=do-resize.service

[Service]
Type=oneshot
ExecStart="${INSTALLER_SOURCE_DIR}/systemd/box-setup.sh"
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF

systemctl enable box-setup

# Configure systemd
sed -e "s/^#SystemMaxUse=/SystemMaxUse=100M/" \
    -e "s/^#ForwardToSyslog=/ForwardToSyslog=no/" \
    -i /etc/systemd/journald.conf

sync

# Configure time
sed -e 's/^#NTP=/NTP=0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org/' -i /etc/systemd/timesyncd.conf
timedatectl set-ntp 1
timedatectl set-timezone UTC

# Give user access to system logs
usermod -a -G systemd-journal ${USER}
setfacl -n -m u:${USER}:r /var/log/journal/*/system.journal

echo "==== Install ssh ==="
apt-get -y install openssh-server
# https://stackoverflow.com/questions/4348166/using-with-sed on why ? must be escaped
sed -e 's/^#\?Port .*/Port 202/g' \
    -e 's/^#\?PermitRootLogin .*/PermitRootLogin without-password/g' \
    -e 's/^#\?PermitEmptyPasswords .*/PermitEmptyPasswords no/g' \
    -e 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/g' \
    -i /etc/ssh/sshd_config

 # required so we can connect to this machine since port 22 is blocked by iptables by now
systemctl reload sshd
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00			`#!/bin/bash`

			`set -euv -o pipefail`

			`readonly USER=yellowtent`
			`readonly USER_HOME="/home/${USER}"`
			`readonly INSTALLER_SOURCE_DIR="${USER_HOME}/installer"`
			`readonly INSTALLER_REVISION="$1"`
create single btrfs partition apps and data consume space from the same btrfs partition now 2015-08-26 14:29:54 -07:00			`readonly USER_DATA_FILE="/root/user_data.img"`
			`readonly USER_DATA_DIR="/home/yellowtent/data"`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
Use constants from the box repo 2015-08-12 19:52:43 -07:00			`readonly SOURCE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"`
			`source "${SOURCE_DIR}/INFRA_VERSION"`

list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00			`echo "==== Create User ${USER} ===="`
			`if ! id "${USER}"; then`
			`useradd "${USER}" -m`
			`fi`

			`echo "=== Yellowtent base image preparation (installer revision - ${INSTALLER_REVISION}) ==="`

			`export DEBIAN_FRONTEND=noninteractive`

			`echo "=== Upgrade ==="`
limit systemd journal size 2015-08-30 21:04:39 -07:00			`apt-get update`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00			`apt-get upgrade -y`
Install docker binaries instead of apt The apt binaries lxc-* are obsolete and replaced with 'docker-engine' packages. The new repos however do not allow pinning to a specific version. so brain dead. https://docs.docker.com/engine/installation/binaries/#get-the-linux-binary 2015-11-18 11:52:41 -08:00			`apt-get install -y curl`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
use docker 1.9.0 2015-11-18 18:28:28 -08:00			`# Setup firewall before everything. docker creates it's own chain and the -X below will remove it`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00			`# Do NOT use iptables-persistent because it's startup ordering conflicts with docker`
			`echo "=== Setting up firewall ==="`
			`# clear tables and set default policy`
			`iptables -F # flush all chains`
			`iptables -X # delete all chains`
			`# default policy for filter table`
			`iptables -P INPUT DROP`
			`iptables -P FORWARD ACCEPT # TODO: disable icc and make this as reject`
			`iptables -P OUTPUT ACCEPT`

			`# NOTE: keep these in sync with src/apps.js validatePortBindings`
			`# allow ssh, http, https, ping, dns`
			`iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`
Move ssh to port 202 2015-11-01 08:46:28 -08:00			`iptables -A INPUT -p tcp -m tcp -m multiport --dports 80,202,443,886 -j ACCEPT`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00			`iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT`
			`iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT`
			`iptables -A INPUT -p udp --sport 53 -j ACCEPT`
			`iptables -A INPUT -s 172.17.0.0/16 -j ACCEPT # required to accept any connections from apps to our IP:<public port>`

			`# loopback`
			`iptables -A INPUT -i lo -j ACCEPT`
			`iptables -A OUTPUT -o lo -j ACCEPT`

			`# disable metadata access to non-root`
			`# modprobe ipt_owner`
			`iptables -A OUTPUT -m owner ! --uid-owner root -d 169.254.169.254 -j DROP`

			`# prevent DoS`
			`# iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT`

			`# log dropped incoming. keep this at the end of all the rules`
			`iptables -N LOGGING # new chain`
			`iptables -A INPUT -j LOGGING # last rule in INPUT chain`
			`iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7`
			`iptables -A LOGGING -j DROP`

Move ssh to port 202 2015-11-01 08:46:28 -08:00			`echo "==== Install btrfs tools ==="`
Create app and data partitions dynamically 2015-08-26 09:23:30 -07:00			`apt-get -y install btrfs-tools`

list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00			`echo "==== Install docker ===="`
Install docker binaries instead of apt The apt binaries lxc-* are obsolete and replaced with 'docker-engine' packages. The new repos however do not allow pinning to a specific version. so brain dead. https://docs.docker.com/engine/installation/binaries/#get-the-linux-binary 2015-11-18 11:52:41 -08:00			`# install docker from binary to pin it to a specific version. the current debian repo does not allow pinning`
use docker 1.9.0 2015-11-18 18:28:28 -08:00			`curl https://get.docker.com/builds/Linux/x86_64/docker-1.9.0 > /usr/bin/docker`
Install docker binaries instead of apt The apt binaries lxc-* are obsolete and replaced with 'docker-engine' packages. The new repos however do not allow pinning to a specific version. so brain dead. https://docs.docker.com/engine/installation/binaries/#get-the-linux-binary 2015-11-18 11:52:41 -08:00			`chmod +x /usr/bin/docker`
			`groupadd docker`
			`cat > /etc/systemd/system/docker.socket <<EOF`
			`[Unit]`
			`Description=Docker Socket for the API`
			`PartOf=docker.service`
create single btrfs partition apps and data consume space from the same btrfs partition now 2015-08-26 14:29:54 -07:00
Install docker binaries instead of apt The apt binaries lxc-* are obsolete and replaced with 'docker-engine' packages. The new repos however do not allow pinning to a specific version. so brain dead. https://docs.docker.com/engine/installation/binaries/#get-the-linux-binary 2015-11-18 11:52:41 -08:00			`[Socket]`
			`ListenStream=/var/run/docker.sock`
			`SocketMode=0660`
			`SocketUser=root`
			`SocketGroup=docker`

			`[Install]`
			`WantedBy=sockets.target`
			`EOF`
			`cat > /etc/systemd/system/docker.service <<EOF`
			`[Unit]`
			`Description=Docker Application Container Engine`
			`After=network.target docker.socket`
			`Requires=docker.socket`

			`[Service]`
			`ExecStart=/usr/bin/docker -d -H fd:// -s btrfs -g /home/yellowtent/data/docker --log-driver=journald`
			`MountFlags=slave`
			`LimitNOFILE=1048576`
			`LimitNPROC=1048576`
			`LimitCORE=infinity`
create single btrfs partition apps and data consume space from the same btrfs partition now 2015-08-26 14:29:54 -07:00
Install docker binaries instead of apt The apt binaries lxc-* are obsolete and replaced with 'docker-engine' packages. The new repos however do not allow pinning to a specific version. so brain dead. https://docs.docker.com/engine/installation/binaries/#get-the-linux-binary 2015-11-18 11:52:41 -08:00			`[Install]`
			`WantedBy=multi-user.target`
			`EOF`

			`echo "=== Setup btrfs docker data ==="`
Start with 8gb instead 2015-08-26 16:02:51 -07:00			`fallocate -l "8192m" "${USER_DATA_FILE}" # 8gb start`
create single btrfs partition apps and data consume space from the same btrfs partition now 2015-08-26 14:29:54 -07:00			`mkfs.btrfs -L UserHome "${USER_DATA_FILE}"`
			`echo "${USER_DATA_FILE} ${USER_DATA_DIR} btrfs loop,nosuid 0 0" >> /etc/fstab`
			`mkdir -p "${USER_DATA_DIR}" && mount "${USER_DATA_FILE}"`
Remove redundant variable 2015-08-26 15:22:53 -07:00			`mkdir -p "${USER_DATA_DIR}/docker"`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
Create app and data partitions dynamically 2015-08-26 09:23:30 -07:00			`# give docker sometime to start up and create iptables rules`
Install docker binaries instead of apt The apt binaries lxc-* are obsolete and replaced with 'docker-engine' packages. The new repos however do not allow pinning to a specific version. so brain dead. https://docs.docker.com/engine/installation/binaries/#get-the-linux-binary 2015-11-18 11:52:41 -08:00			`systemctl enable docker`
create single btrfs partition apps and data consume space from the same btrfs partition now 2015-08-26 14:29:54 -07:00			`systemctl start docker`
Create app and data partitions dynamically 2015-08-26 09:23:30 -07:00			`sleep 10`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
Disable forwarding from containers to metadata IP 2015-08-25 10:46:23 -07:00			`# Disable forwarding to metadata route from containers`
			`iptables -I FORWARD -d 169.254.169.254 -j DROP`

list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00			`# ubuntu will restore iptables from this file automatically. this is here so that docker's chain is saved to this file`
			`mkdir /etc/iptables && iptables-save > /etc/iptables/rules.v4`

Enable memory accounting 2015-08-24 22:33:35 -07:00			`echo "=== Enable memory accounting =="`
reboot automatically on panic after 5 seconds 2015-11-10 01:53:09 -08:00			`sed -e 's/GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1 panic_on_oops=1 panic=5"/' -i /etc/default/grub`
Enable memory accounting 2015-08-24 22:33:35 -07:00			`update-grub`

list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00			`# now add the user to the docker group`
			`usermod "${USER}" -a -G docker`
			`echo "=== Pulling base docker images ==="`
Use constants from the box repo 2015-08-12 19:52:43 -07:00			`docker pull "${BASE_IMAGE}"`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
			`echo "=== Pulling mysql addon image ==="`
Use constants from the box repo 2015-08-12 19:52:43 -07:00			`docker pull "${MYSQL_IMAGE}"`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
			`echo "=== Pulling postgresql addon image ==="`
Use constants from the box repo 2015-08-12 19:52:43 -07:00			`docker pull "${POSTGRESQL_IMAGE}"`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
			`echo "=== Pulling redis addon image ==="`
Use constants from the box repo 2015-08-12 19:52:43 -07:00			`docker pull "${REDIS_IMAGE}"`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
			`echo "=== Pulling mongodb addon image ==="`
Use constants from the box repo 2015-08-12 19:52:43 -07:00			`docker pull "${MONGODB_IMAGE}"`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
			`echo "=== Pulling graphite docker images ==="`
Use constants from the box repo 2015-08-12 19:52:43 -07:00			`docker pull "${GRAPHITE_IMAGE}"`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
			`echo "=== Pulling mail relay ==="`
Use constants from the box repo 2015-08-12 19:52:43 -07:00			`docker pull "${MAIL_IMAGE}"`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
			`echo "==== Install nginx ===="`
			`apt-get -y install nginx-full`

			`echo "==== Install build-essential ===="`
			`apt-get -y install build-essential rcconf`


			`echo "==== Install mysql ===="`
			`debconf-set-selections <<< 'mysql-server mysql-server/root_password password password'`
			`debconf-set-selections <<< 'mysql-server mysql-server/root_password_again password password'`
			`apt-get -y install mysql-server`

			`echo "==== Install pwgen ===="`
			`apt-get -y install pwgen`

			`echo "==== Install collectd ==="`
			`apt-get install -y collectd collectd-utils`
			`update-rc.d -f collectd remove`

make it explicit that logrotate is run via cron in base system 2015-10-14 15:08:38 -07:00			`# this simply makes it explicit that we run logrotate via cron. it's already part of base ubuntu`
			`echo "==== Install logrotate ==="`
			`apt-get install -y cron logrotate`
			`systemctl enable cron`

list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00			`echo "==== Extracting installer source ===="`
			`rm -rf "${INSTALLER_SOURCE_DIR}" && mkdir -p "${INSTALLER_SOURCE_DIR}"`
			`tar xvf /root/installer.tar -C "${INSTALLER_SOURCE_DIR}" && rm /root/installer.tar`
			`echo "${INSTALLER_REVISION}" > "${INSTALLER_SOURCE_DIR}/REVISION"`

			`echo "==== Install nodejs ===="`
we have to use 4.1.1 2015-11-12 12:17:14 -08:00			`# Cannot use anything above 4.1.1 - https://github.com/nodejs/node/issues/3803`
			`mkdir -p /usr/local/node-4.1.1`
fix paths 2015-11-12 12:28:36 -08:00			`curl -sL https://nodejs.org/dist/v4.1.1/node-v4.1.1-linux-x64.tar.gz \| tar zxvf - --strip-components=1 -C /usr/local/node-4.1.1`
we have to use 4.1.1 2015-11-12 12:17:14 -08:00			`ln -s /usr/local/node-4.1.1/bin/node /usr/bin/node`
			`ln -s /usr/local/node-4.1.1/bin/npm /usr/bin/npm`
Revert "install specific version of python" The specific version does not create /usr/bin/python but only the exact version /usr/bin/python2.7 The meta package python is the only one creating that link and according to https://wiki.ubuntu.com/Python/3 /usr/bin/python will not point to version 3 anytime soon at all. This reverts commit be128bbecfd2afe9ef2bdca603a3b26e8ccced7b. 2015-10-12 15:02:05 +02:00			`apt-get install -y python # Install python which is required for npm rebuild`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
			`echo "=== Rebuilding npm packages ==="`
			`cd "${INSTALLER_SOURCE_DIR}" && npm install --production`
Change ownership only of installer/ 2015-08-26 16:01:45 -07:00			`chown "${USER}:${USER}" -R "${INSTALLER_SOURCE_DIR}"`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
Restore iptables before docker 2015-08-25 23:21:30 -07:00			`echo "==== Install installer systemd script ===="`
Fix typo 2015-08-25 23:43:42 -07:00			`cat > /etc/systemd/system/cloudron-installer.service <<EOF`
Make installer a systemd service 2015-08-25 22:27:45 -07:00			`[Unit]`
			`Description=Cloudron Installer`

			`[Service]`
Type belongs to service 2015-09-07 14:10:34 -07:00			`Type=idle`
Make installer a systemd service 2015-08-25 22:27:45 -07:00			`ExecStart="${INSTALLER_SOURCE_DIR}/src/server.js"`
			`Environment="DEBUG=installer*,connect-lastmile"`
			`KillMode=process`
			`Restart=on-failure`

			`[Install]`
			`WantedBy=multi-user.target`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00			`EOF`
Make installer a systemd service 2015-08-25 22:27:45 -07:00			`systemctl enable cloudron-installer`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
Restore iptables before docker 2015-08-25 23:21:30 -07:00			`# Restore iptables before docker`
			`echo "==== Install iptables-restore systemd script ===="`
			`cat > /etc/systemd/system/iptables-restore.service <<EOF`
			`[Unit]`
			`Description=IPTables Restore`
			`Before=docker.service`

			`[Service]`
			`Type=oneshot`
			`ExecStart=/sbin/iptables-restore /etc/iptables/rules.v4`
Set RemainAfterExit https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=750683 2015-08-25 23:43:04 -07:00			`RemainAfterExit=yes`
Restore iptables before docker 2015-08-25 23:21:30 -07:00
			`[Install]`
			`WantedBy=multi-user.target`
			`EOF`
			`systemctl enable iptables-restore`

Create systemd service to allocate swap This can be used to make the swap creation dynamic based on the ram in the cloudron 2015-08-26 08:48:13 -07:00			`# Allocate swap files`
Leave a note on singleshot After= behavior "Actually oneshot is also a bit special and that is where RemainAfterExit comes in. For oneshot, systemd waits for the process to exit before it starts any follow-up units (and with multiple ExecStarts I assume it waits for all of them). So that automatically leads to the scheme in berbae's last post. However, with RemainAfterExit, the unit remains active even though the process has exited, so this makes it look more like "normal" service with " 2015-09-07 22:37:20 -07:00			`# https://bbs.archlinux.org/viewtopic.php?id=194792 ensures this runs after do-resize.service`
create single btrfs partition apps and data consume space from the same btrfs partition now 2015-08-26 14:29:54 -07:00			`echo "==== Install box-setup systemd script ===="`
Create app and data partitions dynamically 2015-08-26 09:23:30 -07:00			`cat > /etc/systemd/system/box-setup.service <<EOF`
Create systemd service to allocate swap This can be used to make the swap creation dynamic based on the ram in the cloudron 2015-08-26 08:48:13 -07:00			`[Unit]`
Create app and data partitions dynamically 2015-08-26 09:23:30 -07:00			`Description=Box Setup`
Create systemd service to allocate swap This can be used to make the swap creation dynamic based on the ram in the cloudron 2015-08-26 08:48:13 -07:00			`Before=docker.service`
do-resize resizes the disk it seems 2015-08-26 23:38:01 -07:00			`After=do-resize.service`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
Create systemd service to allocate swap This can be used to make the swap creation dynamic based on the ram in the cloudron 2015-08-26 08:48:13 -07:00			`[Service]`
			`Type=oneshot`
Create app and data partitions dynamically 2015-08-26 09:23:30 -07:00			`ExecStart="${INSTALLER_SOURCE_DIR}/systemd/box-setup.sh"`
Create systemd service to allocate swap This can be used to make the swap creation dynamic based on the ram in the cloudron 2015-08-26 08:48:13 -07:00			`RemainAfterExit=yes`

			`[Install]`
			`WantedBy=multi-user.target`
			`EOF`

Create app and data partitions dynamically 2015-08-26 09:23:30 -07:00			`systemctl enable box-setup`
Create systemd service to allocate swap This can be used to make the swap creation dynamic based on the ram in the cloudron 2015-08-26 08:48:13 -07:00
Revert "Disable rsyslog" This reverts commit 3c5db59de2b6c2ef8891ecba54496335b5e2d55f. Don't revert this. Maybe some system services use this. 2015-09-16 09:48:47 -07:00			`# Configure systemd`
Disable forwarding to syslog 2015-09-15 14:29:16 -07:00			`sed -e "s/^#SystemMaxUse=/SystemMaxUse=100M/" \`
			`-e "s/^#ForwardToSyslog=/ForwardToSyslog=no/" \`
			`-i /etc/systemd/journald.conf`
limit systemd journal size 2015-08-30 21:04:39 -07:00
Create systemd service to allocate swap This can be used to make the swap creation dynamic based on the ram in the cloudron 2015-08-26 08:48:13 -07:00			`sync`
configure cloudron to use UTC local timezone should be tracked by the webadmin/box code 2015-09-16 13:17:04 -07:00
			`# Configure time`
			`sed -e 's/^#NTP=/NTP=0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org/' -i /etc/systemd/timesyncd.conf`
			`timedatectl set-ntp 1`
			`timedatectl set-timezone UTC`
Move ssh to port 202 2015-11-01 08:46:28 -08:00
give yellowtent user access to cloudron logs 2015-11-02 13:20:43 -08:00			`# Give user access to system logs`
			`usermod -a -G systemd-journal ${USER}`
			`setfacl -n -m u:${USER}:r /var/log/journal/*/system.journal`

Move ssh to port 202 2015-11-01 08:46:28 -08:00			`echo "==== Install ssh ==="`
			`apt-get -y install openssh-server`
			`# https://stackoverflow.com/questions/4348166/using-with-sed on why ? must be escaped`
			`sed -e 's/^#\?Port .*/Port 202/g' \`
			`-e 's/^#\?PermitRootLogin .*/PermitRootLogin without-password/g' \`
			`-e 's/^#\?PermitEmptyPasswords .*/PermitEmptyPasswords no/g' \`
			`-e 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/g' \`
			`-i /etc/ssh/sshd_config`

			`# required so we can connect to this machine since port 22 is blocked by iptables by now`
			`systemctl reload sshd`