28/01/21 Notes
Bash provisioning of a CentOS 8 Vultr VM
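#!/bin/bash
# First-boot provisioning script for my CentOS 8 web server VM on Vultr.
# The website code and Apache config are Git-managed and run in a Docker
# container on this VM; a second container serves the authoritative DNS zone.
# It uses DNF instead of YUM, a cron job to update instead of yum-cron, and the
# Dockerfile uses git clone to fetch the site.
#
# Runs unattended as root. SSH is disabled below, so the provider console is
# the only way in afterwards; abort on the first failure rather than continue
# with a half-configured host.
set -euo pipefail

# Install Packages
/usr/bin/dnf install -y git
/usr/bin/dnf install -y docker

# Security Related
# Abort if enforcing mode cannot be set (e.g. SELinux disabled at boot).
/usr/sbin/setenforce 1
# firewalld must be running before firewall-cmd can change the permanent
# configuration; --reload applies the new rules to the running instance too.
/usr/bin/systemctl enable --now firewalld
/usr/bin/firewall-cmd --permanent --zone=public --add-port=80/tcp
/usr/bin/firewall-cmd --permanent --zone=public --add-port=53/udp
/usr/bin/firewall-cmd --reload
# Turn on unattended updates when the dnf cron config exists. The package that
# ships it is not installed by this script, so a missing file is skipped
# instead of aborting the run.
if [[ -f /etc/dnf/dnf-cron.conf ]]; then
  /usr/bin/sed -i 's|^apply_updates = no|apply_updates = yes|' /etc/dnf/dnf-cron.conf
fi
# Intentional: the VM is administered through the provider console only.
/usr/bin/systemctl disable --now sshd
# 'somecrazypwdhash' is a placeholder for a crypt(3) hash, not a plaintext
# password; keep this script out of shell history and `set -x` output anyway.
/usr/sbin/usermod root --password 'somecrazypwdhash'

# Enable Services
/usr/bin/systemctl enable --now docker

# Set timezone
/usr/bin/timedatectl set-timezone Australia/Sydney

# Update System
/usr/bin/dnf update -y

# Create Docker dirs (-p keeps a re-run idempotent)
/usr/bin/mkdir -p /opt/web-contained /opt/dns-contained

# Create Website Dockerfile
# Quoted heredoc delimiter: the Dockerfile is written verbatim, nothing in it
# is expanded by this script.
# NOTE(review): the 'tokenid@' credential in the clone URLs below is recorded
# in the image layer metadata (visible with `docker history`); pass it in at
# build time instead, or keep those repositories public.
cat > /opt/web-contained/Dockerfile <<'EOF'
# Download Ubuntu base OS
FROM ubuntu:20.04
# LABEL about this custom image
LABEL maintainer="guy@gmail.com"
LABEL version="1.0"
LABEL description="Runs my website."
# Disable Prompt During Packages Installation
ARG DEBIAN_FRONTEND=noninteractive
# Update Ubuntu Software repository
RUN apt-get update -y && apt-get upgrade -y
# Download websites and apache config (clones land in / as /website and /apache-config)
RUN apt-get install git -y && \
git init && \
git config user.email "guy@gmail.com" && \
git config user.name "guy" && \
git clone https://tokenid@github.com/guy/website.git && \
git clone https://tokenid@github.com/guy/apache-config.git
# Install apache and required module
RUN apt-get install apache2 -y
RUN a2enmod rewrite
# Replace apache config file
RUN mv /apache-config/apache2.conf /etc/apache2/
RUN chown root:root /etc/apache2/apache2.conf
RUN chmod 644 /etc/apache2/apache2.conf
# Move websites into apache web directory
# NOTE(review): the apache2 package already creates /var/www/html, so this mv
# lands the clone at /var/www/html/website — confirm DocumentRoot in
# apache2.conf matches.
RUN mv /website/ /var/www/html/
RUN chown -R www-data:www-data /var/www/html
# Listen on port 80
EXPOSE 80
EOF

# Create DNS Dockerfile
# Only UDP is published and opened in the firewall; TCP 53 (truncated-response
# fallback, zone transfers) is deliberately unavailable since transfers are
# disallowed in the zone config below.
cat > /opt/dns-contained/Dockerfile <<'EOF'
# Download Ubuntu base OS
FROM ubuntu:20.04
# LABEL about this custom image
LABEL maintainer="guy84@gmail.com"
LABEL version="1.0"
LABEL description="Runs my DNS zone."
# Disable Prompt During Packages Installation
ARG DEBIAN_FRONTEND=noninteractive
# Update Ubuntu Software repository
RUN apt-get update -y && apt-get upgrade -y
# Install DNS software
RUN apt-get install -y bind9
# Create the zone file configuration
RUN echo 'zone "tayicseua.com" {\n\
type master;\n\
notify no;\n\
file "/etc/bind/db.tayicseua.com";\n\
allow-transfer {\n\
"none";\n\
};\n\
};'\
> /etc/bind/named.conf.local
# Create the zone file
# NOTE(review): the $'...' below is interpreted by the image's /bin/sh at
# build time, and the zone file must begin with a "$TTL" directive — check
# the generated /etc/bind/db.tayicseua.com in the built image.
RUN echo $'TTL 3600\n\
@ IN SOA ns1.tayicseua.com. postmaster.tayicseua.com. (\n\
2014032705 ; Serial\n\
12H ; Refresh\n\
1H ; Retry\n\
2W ; Expire\n\
3H ) ; Negative Cache TTL\n\
;\n\
@ IN NS ns1.tayicseua.com.\n\
@ IN NS ns2.tayicseua.com.\n\
@ IN A 45.32.242.167\n\
ns1 IN A 45.32.242.167\n\
ns2 IN A 45.32.242.167\n\
www IN A 45.32.242.167\n\
beare IN A 45.32.242.167\n\
www.beare IN A 45.32.242.167\n\
khounkongleng IN A 45.32.242.167\n\
www.khounkongleng IN A 45.32.242.167'\
> /etc/bind/db.tayicseua.com
# Enforce correct permissions
RUN chown root:bind /etc/bind/db.tayicseua.com
RUN chown root:bind /etc/bind/named.conf.local
RUN chmod 644 /etc/bind/db.tayicseua.com
RUN chmod 644 /etc/bind/named.conf.local
# Listen on port 53
EXPOSE 53/udp
EOF

# Create Docker Script
/usr/bin/cat > /opt/web-contained/docker-rebuild.sh <<'EOF'
#!/bin/bash
# Rebuild both images and recreate the containers; run by root from cron
# (see /etc/crontab).
set -uo pipefail
# Wait for the Docker daemon to come up when started via @reboot
/usr/bin/sleep 30
# Build first so the running containers are only torn down once a replacement
# image exists; --pull refreshes the ubuntu:20.04 base on every rebuild.
/usr/bin/docker build --pull -t website-image /opt/web-contained || exit 1
/usr/bin/docker build --pull -t dns-image /opt/dns-contained || exit 1
# Stop and delete the old containers (absent on the first run, hence || true)
/usr/bin/docker stop tayicseua ns1 || true
/usr/bin/docker rm tayicseua ns1 || true
# Start the new containers
/usr/bin/docker run -d -t -p 80:80 --name tayicseua website-image bash -c "service apache2 start && sleep infinity"
/usr/bin/docker run -d -t -p 53:53/udp --name ns1 dns-image bash -c "service named start && sleep infinity"
# Drop the previous, now-untagged image layers
/usr/bin/docker image prune -f
EOF

# Permissions: root-only; directories and the rebuild script need the x bit
/usr/bin/chown -R root:root /opt/web-contained /opt/dns-contained
/usr/bin/chmod -R 0600 /opt/web-contained /opt/dns-contained
/usr/bin/chmod 0700 /opt/web-contained /opt/dns-contained /opt/web-contained/docker-rebuild.sh

# Cronjobs (append only if the exact entry is not already present)
add_cron() {
  local entry=$1
  /usr/bin/grep -qxF -- "$entry" /etc/crontab || printf '%s\n' "$entry" >> /etc/crontab
}
add_cron "30 4 * * MON-SAT root /opt/web-contained/docker-rebuild.sh"
add_cron "@reboot root /opt/web-contained/docker-rebuild.sh"
add_cron "30 2 * * SUN root /usr/bin/dnf update -y"
add_cron "30 4 * * SUN root /usr/sbin/reboot now"

# Cleanup
/usr/bin/rm -f /tmp/firstboot.exec

# Restart
/usr/sbin/reboot now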