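#!/bin/bash
# ============LICENSE_START=======================================================
# Copyright (C) 2021 The Nordix Foundation. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
# ============LICENSE_END=========================================================
#
# Provisions a Jenkins build agent image: upgrades the OS, installs pinned
# versions of Docker, Go, golangci-lint and fossa-cli, creates the jenkins
# user, adjusts sudoers/sshd/sysctl, and drops a cloud-init per-instance
# script that moves the injected SSH keys over to the jenkins account.
#
# Optional environment (unset or empty = download is installed unverified,
# with a warning on stderr):
#   GO_SHA256         expected SHA-256 of the Go tarball
#   GO_LINT_SHA256    expected SHA-256 of the golangci-lint .deb
#   FOSSA_CLI_SHA256  expected SHA-256 of the fossa-cli tarball

set -o errexit
set -o nounset
set -o pipefail

#######################################
# Check a downloaded file against an expected SHA-256 digest.
# Arguments: $1 - path of the file
#            $2 - expected hex digest; empty skips the check with a warning
# Returns:   0 on match (or when no digest was supplied), non-zero on mismatch
#######################################
verify_sha256() {
  local file=$1
  local expected=$2
  if [[ -z "$expected" ]]; then
    printf 'WARNING: no SHA-256 pinned for %s; installing unverified download\n' "$file" >&2
    return 0
  fi
  printf '%s  %s\n' "$expected" "$file" | sha256sum --check --status -
}

# update and upgrade
# The export alone is not enough: while env_reset is active in sudoers (it is
# only commented out further down) sudo drops variables that are not in
# env_keep, so DEBIAN_FRONTEND is also handed to apt explicitly via env.
export DEBIAN_FRONTEND=noninteractive
sudo env DEBIAN_FRONTEND=noninteractive apt update
sudo env DEBIAN_FRONTEND=noninteractive apt upgrade -y

# install basic dependencies
sudo env DEBIAN_FRONTEND=noninteractive apt install -y \
  make openjdk-11-jre-headless apt-transport-https ca-certificates curl \
  gnupg jq software-properties-common build-essential

# If you have an issue with Let's Encrypt certificate when cloning repo due to
# DST Root CA X3 Expiration:
# https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
# remove outdated certificate from system
sudo rm -f /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
# update ca-certificates
sudo update-ca-certificates --fresh --verbose

# set versions of various things for NSM for visibility and ease of maintenance
DOCKER_CE_VERSION="5:20.10.5~3-0~ubuntu-bionic"
DOCKER_CE_CLI_VERSION="5:20.10.5~3-0~ubuntu-bionic"
CONTAINERD_IO_VERSION="1.4.4-1"
GO_VERSION="1.16.4"
GO_LINT_VERSION="1.39.0"
FOSSA_CLI_VERSION="1.1.7"

# Digests for the three direct downloads below. They are not part of this
# script; supply them from each project's published checksums.
GO_SHA256="${GO_SHA256:-}"
GO_LINT_SHA256="${GO_LINT_SHA256:-}"
FOSSA_CLI_SHA256="${FOSSA_CLI_SHA256:-}"

# install docker-ce, docker-ce-cli, containerd.io and mark them hold
sudo env DEBIAN_FRONTEND=noninteractive apt remove -y \
  docker docker-engine docker.io containerd runc
# NOTE(review): the repository key is trusted as fetched; consider comparing
# its fingerprint with the one in Docker's install documentation before use.
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
  | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" \
  | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo env DEBIAN_FRONTEND=noninteractive apt update
sudo env DEBIAN_FRONTEND=noninteractive apt install -y \
  docker-ce="$DOCKER_CE_VERSION" \
  docker-ce-cli="$DOCKER_CE_CLI_VERSION" \
  containerd.io="$CONTAINERD_IO_VERSION"
sudo apt-mark hold docker-ce docker-ce-cli containerd.io
sudo systemctl enable docker
sudo systemctl start docker

# install go related stuff
# Work in a private, unpredictable directory instead of fixed names in /tmp,
# and remove it on every exit path.
work_dir=$(mktemp -d)
trap 'rm -rf -- "${work_dir:?}"' EXIT
cd "$work_dir"

# golang
go_tarball="go${GO_VERSION}.linux-amd64.tar.gz"
wget "https://dl.google.com/go/${go_tarball}"
verify_sha256 "$go_tarball" "$GO_SHA256" \
  || { printf 'SHA-256 mismatch for %s\n' "$go_tarball" >&2; exit 1; }
tar xzvf "$go_tarball"
sudo mv go /usr/local
# tar ran unprivileged, so the tree is owned by the build user. The
# per-instance script below deletes the ubuntu account (presumably that same
# build user), which would leave the toolchain owned by a reusable UID.
sudo chown -R root:root /usr/local/go

# golangci-lint
lint_deb="golangci-lint-${GO_LINT_VERSION}-linux-amd64.deb"
wget "https://github.com/golangci/golangci-lint/releases/download/v${GO_LINT_VERSION}/${lint_deb}"
verify_sha256 "$lint_deb" "$GO_LINT_SHA256" \
  || { printf 'SHA-256 mismatch for %s\n' "$lint_deb" >&2; exit 1; }
sudo dpkg -i "$lint_deb"

# install fossa-cli
fossa_tarball="fossa-cli_${FOSSA_CLI_VERSION}_linux_amd64.tar.gz"
wget "https://github.com/fossas/fossa-cli/releases/download/v${FOSSA_CLI_VERSION}/${fossa_tarball}"
verify_sha256 "$fossa_tarball" "$FOSSA_CLI_SHA256" \
  || { printf 'SHA-256 mismatch for %s\n' "$fossa_tarball" >&2; exit 1; }
tar xzvf "$fossa_tarball"
sudo mv fossa /usr/local/bin
sudo chown root:root /usr/local/bin/fossa
sudo chmod +x /usr/local/bin/fossa

# Create jenkins user, add it to required groups, configure sudoers and sshd_config
# NOTE(review): membership of docker plus the passwordless sudo rule below
# makes jenkins root-equivalent; every job on this agent runs with that power.
sudo useradd -G sudo,docker -d /home/jenkins -m -c "jenkins user" -s /bin/bash jenkins

# Create slave root directory
sudo mkdir -p /home/jenkins/nordix/slave_root
sudo chown -R jenkins:jenkins /home/jenkins/nordix/slave_root
sudo chmod -R 755 /home/jenkins/nordix/slave_root

# Modify sudoers - disable env_reset, !requiretty and passwordless sudo
# The edits are made on a root-owned copy and syntax-checked with visudo
# before they replace /etc/sudoers, so a bad substitution cannot lock sudo.
sudoers_tmp=$(sudo mktemp)
sudo cp /etc/sudoers "$sudoers_tmp"
sudo sed -i "s/^Defaults.*env_reset/#&\nDefaults:jenkins \!requiretty/" "$sudoers_tmp"
sudo sed -i "s/^%sudo.*ALL/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/" "$sudoers_tmp"
sudo visudo -c -f "$sudoers_tmp"
sudo install -o root -g root -m 0440 "$sudoers_tmp" /etc/sudoers
sudo rm -f -- "$sudoers_tmp"

# Disable ssh password login, enable ssh with keys for jenkins user
# sshd keeps the first value it reads for a keyword, so an earlier
# PasswordAuthentication/PubkeyAuthentication line would override the ones
# appended here; comment such lines out first.
# NOTE(review): lines appended after an active Match block become part of
# that block; confirm the base image's sshd_config has none.
sudo sed -i -E \
  's/^[[:space:]]*(PasswordAuthentication|PubkeyAuthentication)[[:space:]]/#&/I' \
  /etc/ssh/sshd_config
printf '%s\n' \
  'PasswordAuthentication no' \
  'PubkeyAuthentication yes' \
  'AllowUsers jenkins' \
  | sudo tee -a /etc/ssh/sshd_config > /dev/null
# Refuse to restart the daemon on a configuration it cannot parse.
sudo sshd -t
sudo systemctl restart sshd

# configure sysctl
# sysctl -w only changes the running kernel; write the values to sysctl.d so
# they also apply when an instance boots from the resulting image.
sudo tee /etc/sysctl.d/99-jenkins-tcp-keepalive.conf > /dev/null <<'EOF'
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_keepalive_intvl=30
net.ipv4.tcp_keepalive_probes=8
net.ipv4.tcp_fin_timeout=30
EOF
sudo sysctl -p /etc/sysctl.d/99-jenkins-tcp-keepalive.conf

# update ~jenkins/.profile
# Single quotes are deliberate: $PATH must be expanded at login, not here.
printf '%s\n' 'export PATH=$PATH:/usr/local/go/bin' \
  | sudo tee -a /home/jenkins/.profile > /dev/null

# get cloud-init script in place so we can place the keys into ~jenkins/.ssh
# The quoted delimiter keeps the body literal. The rm now targets the file
# under /home/ubuntu that the preceding cat reads, as its comment states.
sudo tee /var/lib/cloud/scripts/per-instance/copykeystojenkins.sh > /dev/null <<'EOF'
#!/bin/bash
sudo mkdir -p /home/jenkins/.ssh
# append ssh key injected by openstack to authorized_keys
sudo cat /home/ubuntu/.ssh/authorized_keys >> /home/jenkins/.ssh/authorized_keys
# append user ssh public keys uploaded by packer to authorized_keys
sudo cat /home/ubuntu/authorized_keys.packer >> /home/jenkins/.ssh/authorized_keys
# remove /home/ubuntu/authorized_keys.packer
sudo rm -f /home/ubuntu/authorized_keys.packer
sudo chown -R jenkins:jenkins /home/jenkins/.ssh
sudo chmod -R go-rwx /home/jenkins/.ssh
sudo userdel -f -r ubuntu
EOF
sudo chmod +x /var/lib/cloud/scripts/per-instance/copykeystojenkins.sh

# vim: set ts=2 sw=2 expandtab: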