-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathuser_data.sh.tftpl
109 lines (87 loc) · 4.1 KB
/
user_data.sh.tftpl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
#!/bin/bash
set -eux -o pipefail
# Configuration prerequisites:
apt-get update
apt-get install --yes \
jq \
locales-all
# General parameters:
export HOME=/root
export WORKDIR="$${HOME}/securedrop"
# Tails parameters:
export TAILS_TAGS_ENDPOINT="https://gitlab.tails.boum.org/api/v4/projects/tails%2Ftails/repository/tags"
export TAILS_LATEST_TAG=$(curl $TAILS_TAGS_ENDPOINT | jq -r ".[0].name")
export TAILS_IMG=/tails.img
export TAILS_IMG_SIG="$${TAILS_IMG}.sig"
export TAILS_IMG_URL="https://mirrors.edge.kernel.org/tails/stable/tails-amd64-$${TAILS_LATEST_TAG}/tails-amd64-$${TAILS_LATEST_TAG}.img"
export TAILS_KEY_URL="https://tails.net/tails-signing.key"
# --- SECUREDROP PREREQUISITES ---
#
# For the sake of easy cross-referencing, commands here are replicated as
# faithfully as possible from the SecureDrop documentation as cited, even
# when it would be easier to split them over multiline YAML strings, when
# their "sudo" prefixes are no-ops under cloud-init, etc.
# https://docs.securedrop.org/en/stable/development/setup_development.html#ubuntu-or-debian-gnu-linux
# https://docs.docker.com/engine/install/debian/
apt-get install -y apt-transport-https ca-certificates curl gnupg lsb-release
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
apt-get install -y docker-ce docker-ce-cli containerd.io
# https://docs.securedrop.org/en/stable/development/setup_development.html
apt-get install -y build-essential libssl-dev libffi-dev python3-dev dpkg-dev git linux-headers-$(uname -r)
apt-get install -y python3-pip python3-virtualenv
# https://docs.securedrop.org/en/stable/development/virtual_environments.html#debian-stable-setup
apt-get install -y vagrant libvirt-daemon-system qemu-kvm virt-manager
apt-get install -y ansible rsync
apt-get remove -y vagrant-libvirt # so that we can then...
vagrant plugin install vagrant-libvirt
vagrant plugin install vagrant-mutate
rmmod kvm_intel
rmmod kvm
modprobe kvm
modprobe kvm_intel
echo 'export VAGRANT_DEFAULT_PROVIDER=libvirt' >> ~/.bashrc
export VAGRANT_DEFAULT_PROVIDER=libvirt
export VAGRANT_SERVER_URL=https://vagrantcloud.com/api/v2/vagrant # hashicorp/vagrant#13571
vagrant box add --provider virtualbox bento/ubuntu-20.04
vagrant mutate bento/ubuntu-20.04 libvirt
# -- SECUREDROP WORKSPACE ---
git clone https://github.com/freedomofpress/securedrop.git "$WORKDIR"
cd "$WORKDIR" && git checkout ${ref}
apt-get install -y enchant-2
apt-get install -y rustc
export UBUNTU_VERSION=focal
PKG_SRC_PATH="$${WORKDIR}/build/$${UBUNTU_VERSION}"
PKG_DST_PATH="$${WORKDIR}/build/dists/$${UBUNTU_VERSION}/main/binary-amd64"
cd "$WORKDIR" && make build-debs-notest && make build-debs-ossec-notest
mkdir -p "$PKG_DST_PATH"
apt-ftparchive packages "$PKG_SRC_PATH" > "$${PKG_DST_PATH}/Packages"
export UBUNTU_VERSION=noble
cd "$WORKDIR" && make build-debs-notest && make build-debs-ossec-notest
PKG_SRC_PATH="$${WORKDIR}/build/$${UBUNTU_VERSION}"
PKG_DST_PATH="$${WORKDIR}/build/dists/$${UBUNTU_VERSION}/main/binary-amd64"
cd "$WORKDIR" && make build-debs-notest && make build-debs-ossec-notest
mkdir -p "$PKG_DST_PATH"
apt-ftparchive packages "$PKG_SRC_PATH" > "$${PKG_DST_PATH}/Packages"
# Under the hood, the "libvirt-staging-focal" Molecule scenario will create
# the "libvirt-vagrant" network to which we'll attach our Tails domain.
cd "$WORKDIR" && make staging
# --- TAILS ---
curl -o "$TAILS_IMG" "$TAILS_IMG_URL"
curl -o "$TAILS_IMG_SIG" "$${TAILS_IMG_URL}.sig"
curl --silent "$TAILS_KEY_URL" | gpg --import
gpg --verify "$TAILS_IMG_SIG" "$TAILS_IMG"
truncate --size ">16G" "$TAILS_IMG"
virt-install \
--boot hd \
--disk "$${TAILS_IMG},bus=usb,removable=on" \
--graphics "spice,password=tails" \
--import \
--memory 8192 \
--name tails \
--network network=vagrant-libvirt \
--noautoconsole \
--osinfo debian11 \
--vcpus 4
cd "$${WORKDIR}/build" && python3 -m http.server &