From 5c0ec708c41f44ccea55e5f75c3a4720128b88bc Mon Sep 17 00:00:00 2001
From: Bruce Becker
Date: Fri, 4 Aug 2023 07:57:23 +0200
Subject: [PATCH 1/3] build(packer): add packer template
Signed-off-by: Bruce Becker
---
 default.auto.pkvars.hcl | 1 +
 image_requirements.txt | 4 ++
 packer.pkr.hcl | 85 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 90 insertions(+)
 create mode 100644 default.auto.pkvars.hcl
 create mode 100644 image_requirements.txt
 create mode 100644 packer.pkr.hcl
diff --git a/default.auto.pkvars.hcl b/default.auto.pkvars.hcl
new file mode 100644
index 0000000..b3e8951
--- /dev/null
+++ b/default.auto.pkvars.hcl
@@ -0,0 +1 @@
+source_image="docker.io/ubuntu:22.04"
\ No newline at end of file
diff --git a/image_requirements.txt b/image_requirements.txt
new file mode 100644
index 0000000..3061040
--- /dev/null
+++ b/image_requirements.txt
@@ -0,0 +1,4 @@
+yamllint==1.31.0
+ansible==8.2.0
+ansible-core==2.15.2
+ansible-lint==6.17.2
\ No newline at end of file
diff --git a/packer.pkr.hcl b/packer.pkr.hcl
new file mode 100644
index 0000000..bc332a1
--- /dev/null
+++ b/packer.pkr.hcl
@@ -0,0 +1,85 @@
+variable "source_image" {
+ type = string
+ default = "docker.io/ubuntu:focal"
+ # Selecting ubuntu:focal instead of ubuntu:22.04 because of glibc problem on my podman
+ # See https://stackoverflow.com/a/73701049/2707870
+ description = "Base image to extend."
+}
+
+variable "base_packages" {
+ type = list(string)
+ description = "Base OS packages to be added to the image."
+ default = [
+ "python3.9",
+ "python3-pip",
+ "curl",
+ "git"
+ // "rubygems",
+ // "pandoc",
+ // "texlive",
+ // "texlive-base",
+ // "texlive-binaries",
+ // "texlive-fonts-recommended",
+ // "texlive-latex-base",
+ // "texlive-latex-extra",
+ // "texlive-latex-recommended",
+ // "texlive-pictures",
+ // "texlive-plain-generic",
+ // "texlive-xetex"
+ ]
+}
+
+variable "google_signing_key_url" {
+ description = "URL of the Google apt repo signing key"
+ type = string
+ default = "https://dl.google.com/linux/linux_signing_key.pub"
+}
+source "docker" "default" {
+ image = var.source_image
+ commit = true
+ changes = [
+ "ENV TZ=Etc/UTC",
+ "ENV DEBIAN_FRONTEND=noninteractive"
+ ]
+}
+
+data "http" "google_signing_key" {
+ url = var.google_signing_key_url
+}
+
+build {
+ sources = ["source.docker.default"]
+ provisioner "shell" {
+ inline = [
+ "apt-get update -qq",
+ "apt-get install -qq gpg gnupg2"
+ ]
+ }
+
+ # Add the python requirements for the image
+ provisioner "file" {
+ source = "image_requirements.txt"
+ destination = "/image_requirements.txt"
+ }
+ # Add the google signing key for the chrome browser we need later.
+ provisioner "file" {
+ content = data.http.google_signing_key.body
+ destination = "/google.gpg"
+ }
+ provisioner "file" {
+ content = "deb [signed-by=/usr/local/share/keyrings/google.gpg] http://dl.google.com/linux/chrome/deb/ stable main"
+ destination = "/etc/apt/sources.list.d/google-chrome.list"
+ }
+
+ # Package installation
+ provisioner "shell" {
+ inline = [
+ "echo \"${data.http.google_signing_key.body}\" | apt-key add -",
+ // "curl -sL https://deb.nodesource.com/setup_18.x | bash -",
+ "DEBIAN_FRONTEND=noninteractive apt-get install -y ${join(" ", var.base_packages)}",
+ # Add pip packages
+ "python3.9 -m pip install -r /image_requirements.txt",
+ "npm install -g @marp-team/marp-cli"
+ ]
+ }
+}
\ No newline at end of file
From ed9fbeff93d151fdeef091770a58c54ce803c7a4 Mon Sep 17 00:00:00 2001
From: Bruce Becker
Date: Fri, 4 Aug 2023 09:49:37 +0200
Subject: [PATCH 2/3] build(packer): complete packer workflow
ci: add packer job
Signed-off-by: Bruce Becker
---
 .github/workflows/main.yml | 14 +++++-
 .pre-commit-config.yaml | 27 +++++++++++
 commitlint.config.js | 1 +
 packer.pkr.hcl | 93 ++++++++++++++++++++++++++++----------
 4 files changed, 110 insertions(+), 25 deletions(-)
 create mode 100644 .pre-commit-config.yaml
 create mode 100644 commitlint.config.js
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 2856526..90f0432 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
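Review bot: The `signed-by` path written into google-chrome.list (`/usr/local/share/keyrings/google.gpg`) does not match where the preceding file provisioner puts the key (`/google.gpg`), so apt has no keyring at the path the source line names; write the key to the `signed-by` path (`destination = "/usr/local/share/keyrings/google.gpg"`) or point `signed-by` at the file that actually exists. Interpolating `data.http.google_signing_key.body` into `echo "..."` inside `inline` also sends a network-fetched body through shell double-quote expansion before `apt-key` sees it; since the file provisioner already places the key on disk, reading it from there (`apt-key add /google.gpg`, or no `apt-key` at all once `signed-by` works) keeps the fetched content out of the command line. `npm install -g @marp-team/marp-cli` runs with no Node.js in the image, because the nodesource setup line is commented out and nodejs is not in `base_packages`. Note that the committed `default.auto.pkvars.hcl` sets `source_image` to `docker.io/ubuntu:22.04`, so the focal default and its glibc comment do not apply to a default build.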
@@ -4,14 +4,26 @@ env:
 REGISTRY_NAME: ghcr.io
 CONTAINER_NAME: mmul-it/kpa-marp-pandoc
 CONTAINER_VERSION: latest
+ PACKER_VERSION: 1.9.2
 on: [push]
 jobs:
+ packer:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ - name: Get packer
+ run: |
+ packer --version || curl -fSL https://releases.hashicorp.com/packer/${{ env.PACKER_VERSION }}/packer_${{ env.PACKER_VERSION }}_linux_amd64.zip \
+ | gunzip -> /usr/bin/packer
+ chmod u+x /usr/bin/packer
+ /usr/bin/packer -version
 build_and_push:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
 - name: Build the container image
 run: docker build . --file Dockerfile --tag ${REGISTRY_NAME}/${CONTAINER_NAME}:${CONTAINER_VERSION}
 - name: Login into the container registry
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..8e15eb6
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,27 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: check-yaml
+ - id: check-added-large-files
+ - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
+ rev: v9.5.0
+ hooks:
+ - id: commitlint
+ stages: [commit-msg]
+ additional_dependencies: ['@commitlint/config-conventional']
+ - repo: https://github.com/python-jsonschema/check-jsonschema
+ rev: 0.23.3
+ hooks:
+ - id: check-github-workflows
+ - repo: https://github.com/jumanjihouse/pre-commit-hooks
+ rev: 3.0.0
+ hooks:
+ - id: markdownlint
+ - id: shellcheck
+ - id: shfmt
+ - id: script-must-have-extension
diff --git a/commitlint.config.js b/commitlint.config.js
new file mode 100644
index 0000000..3347cb9
--- /dev/null
+++ b/commitlint.config.js
@@ -0,0 +1 @@
+module.exports = {extends: ['@commitlint/config-conventional']};
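Review bot: The `Get packer` step pipes a `.zip` release archive through `gunzip`, which does not read zip containers, and `-> /usr/bin/packer` is the `-` argument followed by a redirect into a root-owned directory without `sudo`, so the fallback path taken when `packer --version` fails will itself fail or leave an unusable file. The download is also not verified before it is executed: HashiCorp publishes a SHA256SUMS file (and a signature for it) per release, so the step should fetch the archive to a temporary path, check it against that file, then `unzip` and install it, as sketched below. The job ends after printing the version, so if a `packer validate`/`packer build` step was intended it is still missing; I read this as scaffolding but cannot tell from the hunk. Separately, `actions/checkout@v3` here and the `rev:` tags in the new `.pre-commit-config.yaml` hunk are mutable references; pinning to commit SHAs is the usual supply-chain hardening for both.
```yaml
      # … unchanged: checkout step …
      - name: Get packer
        run: |
          curl -fsSLO "https://releases.hashicorp.com/packer/${PACKER_VERSION}/packer_${PACKER_VERSION}_linux_amd64.zip"
          curl -fsSLO "https://releases.hashicorp.com/packer/${PACKER_VERSION}/packer_${PACKER_VERSION}_SHA256SUMS"
          # fail the job unless the archive matches the published checksum
          grep "packer_${PACKER_VERSION}_linux_amd64.zip" "packer_${PACKER_VERSION}_SHA256SUMS" | sha256sum -c -
          unzip -o "packer_${PACKER_VERSION}_linux_amd64.zip" packer
          sudo install -m 0755 packer /usr/local/bin/packer
          packer version
```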
diff --git a/packer.pkr.hcl b/packer.pkr.hcl
index bc332a1..b2de72b 100644
--- a/packer.pkr.hcl
+++ b/packer.pkr.hcl
@@ -6,26 +6,34 @@ variable "source_image" {
 description = "Base image to extend."
 }
+variable "version" {
+ type = string
+ default = "latest"
+ description = "Version of the base image."
+}
+
 variable "base_packages" {
 type = list(string)
 description = "Base OS packages to be added to the image."
 default = [
- "python3.9",
- "python3-pip",
+ "bash",
 "curl",
- "git"
- // "rubygems",
- // "pandoc",
- // "texlive",
- // "texlive-base",
- // "texlive-binaries",
- // "texlive-fonts-recommended",
- // "texlive-latex-base",
- // "texlive-latex-extra",
- // "texlive-latex-recommended",
- // "texlive-pictures",
- // "texlive-plain-generic",
- // "texlive-xetex"
+ "git",
+ "nodejs",
+ "pandoc",
+ "python3-pip",
+ "python3.9",
+ "rubygems",
+ "texlive",
+ "texlive-base",
+ "texlive-binaries",
+ "texlive-fonts-recommended",
+ "texlive-latex-base",
+ "texlive-latex-extra",
+ "texlive-latex-recommended",
+ "texlive-pictures",
+ "texlive-plain-generic",
+ "texlive-xetex"
 ]
 }
@@ -34,12 +42,21 @@ variable "google_signing_key_url" {
 type = string
 default = "https://dl.google.com/linux/linux_signing_key.pub"
 }
+
+variable "nodejs_version" {
+ description = "Version of NodeJS we want to provision"
+ type = string
+ default = "18.x"
+}
+
 source "docker" "default" {
 image = var.source_image
 commit = true
 changes = [
 "ENV TZ=Etc/UTC",
- "ENV DEBIAN_FRONTEND=noninteractive"
+ "ENV DEBIAN_FRONTEND=noninteractive",
+ "ENTRYPOINT /bin/bash",
+ "LABEL version=${var.version}"
 ]
 }
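Review bot: `"ENTRYPOINT /bin/bash"` in the `changes` list is the shell form of the instruction, which Docker wraps in `/bin/sh -c`, so the resulting container runs bash as a child of sh and signals sent to PID 1 are not delivered to bash; the exec form `"ENTRYPOINT [\"/bin/bash\"]"` avoids the extra shell. The `description` on the new `version` variable says "Version of the base image", but the value is only used to label and tag the built image, so a wording like `description = "Version tag applied to the built image."` would match what the code does. This applies to the second hunk in this file section; the first hunk only reorders and expands `base_packages`.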
@@ -47,12 +64,20 @@ data "http" "google_signing_key" {
 url = var.google_signing_key_url
 }
+data "http" "nodejs_install_script" {
+ url = join("",["https://deb.nodesource.com/setup_",var.nodejs_version])
+}
+
+data "http" "nodejs_signing_key" {
+ url = "https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
+}
+
 build {
 sources = ["source.docker.default"]
 provisioner "shell" {
 inline = [
 "apt-get update -qq",
- "apt-get install -qq gpg gnupg2"
+ "apt-get install -qq gpg gnupg2 ca-certificates"
 ]
 }
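Review bot: `data "http" "nodejs_install_script"` downloads the nodesource setup script on every build, but nothing in the visible hunks of this patch references `data.http.nodejs_install_script` — the repo list and key are configured by hand in the last hunk — so it is an unused fetch of an executable script and should be removed rather than left as a hook for a later `| bash`. Both `data "http"` key sources also have no integrity check, so whatever the server returns at build time becomes a trusted apt signer; committing the dearmored keyrings to the repo after a one-time fingerprint check, and using the `file` provisioner with `source =` instead of `content = data.http....body`, pins the trust to a reviewed artifact. Adding `ca-certificates` before the fetches is the right move and should stay.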
@@ -61,25 +86,45 @@ build {
 source = "image_requirements.txt"
 destination = "/image_requirements.txt"
 }
- # Add the google signing key for the chrome browser we need later.
+
+ # Ensure deb string for nodejs
 provisioner "file" {
- content = data.http.google_signing_key.body
- destination = "/google.gpg"
+ content = join(" ", [
+ "deb",
+ // "[signed-by=/usr/local/keyrings/nodejs.gpg]",
+ "https://deb.nodesource.com/node_${var.nodejs_version}",
+ "focal",
+ "main"
+ ])
+ destination = "/etc/apt/sources.list.d/nodesource.list"
 }
+
+ # Configure Google repo for chrome browser
 provisioner "file" {
- content = "deb [signed-by=/usr/local/share/keyrings/google.gpg] http://dl.google.com/linux/chrome/deb/ stable main"
+ // content = "deb [signed-by=/usr/share/keyrings/google.gpg] http://dl.google.com/linux/chrome/deb/ stable main"
+ content = "deb http://dl.google.com/linux/chrome/deb/ stable main"
 destination = "/etc/apt/sources.list.d/google-chrome.list"
 }
 # Package installation
 provisioner "shell" {
 inline = [
- "echo \"${data.http.google_signing_key.body}\" | apt-key add -",
- // "curl -sL https://deb.nodesource.com/setup_18.x | bash -",
+ "echo \"${data.http.google_signing_key.body}\" | gpg --dearmor | apt-key add -",
+ "echo \"${data.http.nodejs_signing_key.body}\" | apt-key add -",
+ # Update the apt cache after adding the signing keys for google and nodejs repos
+ "apt-get update -qq",
 "DEBIAN_FRONTEND=noninteractive apt-get install -y ${join(" ", var.base_packages)}",
 # Add pip packages
 "python3.9 -m pip install -r /image_requirements.txt",
+ # Add nodejs packages
 "npm install -g @marp-team/marp-cli"
 ]
 }
-}
\ No newline at end of file
+ post-processors {
+ post-processor "docker-tag" {
+ repository = "kpa-marp-pandoc"
+ tags = distinct([var.version, "latest"])
+ }
+ // post-processor "docker-push" {}
+ }
+}
From 205f5d6c8267e829beb27d8d83bc6ab87f60627b Mon Sep 17 00:00:00 2001
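Review bot: Dropping `signed-by=` from both sources lists (the nodesource one is commented out, the Google one replaced by the unscoped line) and loading the keys with `apt-key add` makes each vendor key a valid signer for every apt repository in the image, which is exactly the trust scoping `signed-by` exists to provide; `apt-key` is also deprecated and absent on newer Ubuntu releases, so this will stop working on a newer base image. The key bodies are still interpolated into `echo "..."` inside `inline`, so fetched content passes through shell word expansion before reaching `gpg`/`apt-key`, whereas the `file` provisioner that the previous revision used writes the body to disk untouched. The nodesource line hard-codes the `focal` suite while the committed `default.auto.pkvars.hcl` sets `source_image` to `ubuntu:22.04`, so the suite may not match the base image; it should be derived from the image rather than fixed. The sketch below keeps `signed-by` scoping and removes `apt-key`; the enclosing `build` block starts before this hunk.
```hcl
  # Nodesource repo: key written to disk by the file provisioner, trusted for this repo only
  provisioner "file" {
    content     = data.http.nodejs_signing_key.body
    destination = "/tmp/nodesource.asc"
  }
  provisioner "file" {
    # suite must match the base image's codename (see review note)
    content     = "deb [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${var.nodejs_version} focal main"
    destination = "/etc/apt/sources.list.d/nodesource.list"
  }

  # Google Chrome repo, same pattern
  provisioner "file" {
    content     = data.http.google_signing_key.body
    destination = "/tmp/google.asc"
  }
  provisioner "file" {
    content     = "deb [signed-by=/usr/share/keyrings/google.gpg] http://dl.google.com/linux/chrome/deb/ stable main"
    destination = "/etc/apt/sources.list.d/google-chrome.list"
  }

  # Package installation
  provisioner "shell" {
    inline = [
      "install -d -m 0755 /usr/share/keyrings",
      "gpg --dearmor < /tmp/nodesource.asc > /usr/share/keyrings/nodesource.gpg",
      "gpg --dearmor < /tmp/google.asc > /usr/share/keyrings/google.gpg",
      "rm -f /tmp/nodesource.asc /tmp/google.asc",
      "apt-get update -qq",
      // … unchanged: apt-get install, pip and npm lines …
    ]
  }
```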
From: Bruce Becker
Date: Fri, 4 Aug 2023 09:58:35 +0200
Subject: [PATCH 3/3] chore: add secrets baseline and pre-commit hook
Signed-off-by: Bruce Becker
---
 .pre-commit-config.yaml | 6 +++
 .secrets.baseline | 112 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 118 insertions(+)
 create mode 100644 .secrets.baseline
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 8e15eb6..5f29246 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -25,3 +25,9 @@ repos:
 - id: shellcheck
 - id: shfmt
 - id: script-must-have-extension
+ - repo: https://github.com/Yelp/detect-secrets
+ rev: v1.4.0
+ hooks:
+ - id: detect-secrets
+ args: ['--baseline', '.secrets.baseline']
+ exclude: ""
diff --git a/.secrets.baseline b/.secrets.baseline
new file mode 100644
index 0000000..f5575be
--- /dev/null
+++ b/.secrets.baseline
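Review bot: `exclude: ""` on the detect-secrets hook is an empty regular expression; pre-commit applies `exclude` with a regex search, and an empty pattern matches every path, so as written the hook appears to be skipped for all files — the default when the key is omitted is `^$`, which matches nothing. Delete the `exclude:` line, or set it to the paths that should really be skipped, e.g. `exclude: ^\.secrets\.baseline$` if the baseline itself is not to be scanned. Confirm with `pre-commit run detect-secrets --all-files` that the hook lists files rather than reporting no files to check, since a silently disabled secrets scanner is worse than none.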
@@ -0,0 +1,112 @@
+{
+ "version": "1.4.29",
+ "plugins_used": [
+ {
+ "name": "ArtifactoryDetector"
+ },
+ {
+ "name": "AWSKeyDetector"
+ },
+ {
+ "name": "AzureStorageKeyDetector"
+ },
+ {
+ "name": "Base64HighEntropyString",
+ "limit": 4.5
+ },
+ {
+ "name": "BasicAuthDetector"
+ },
+ {
+ "name": "CloudantDetector"
+ },
+ {
+ "name": "DiscordBotTokenDetector"
+ },
+ {
+ "name": "GitHubTokenDetector"
+ },
+ {
+ "name": "HexHighEntropyString",
+ "limit": 3.0
+ },
+ {
+ "name": "IbmCloudIamDetector"
+ },
+ {
+ "name": "IbmCosHmacDetector"
+ },
+ {
+ "name": "JwtTokenDetector"
+ },
+ {
+ "name": "KeywordDetector",
+ "keyword_exclude": ""
+ },
+ {
+ "name": "MailchimpDetector"
+ },
+ {
+ "name": "NpmDetector"
+ },
+ {
+ "name": "PrivateKeyDetector"
+ },
+ {
+ "name": "SendGridDetector"
+ },
+ {
+ "name": "SlackDetector"
+ },
+ {
+ "name": "SoftlayerDetector"
+ },
+ {
+ "name": "SquareOAuthDetector"
+ },
+ {
+ "name": "StripeDetector"
+ },
+ {
+ "name": "TwilioKeyDetector"
+ }
+ ],
+ "filters_used": [
+ {
+ "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+ },
+ {
+ "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+ "min_level": 2
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_lock_file"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_sequential_string"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_swagger_file"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_templated_secret"
+ }
+ ],
+ "results": {},
+ "generated_at": "2023-08-04T07:57:18Z"
+}