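# syntax=docker/dockerfile:1

# Base image. Pinned to a release instead of `latest`: a floating tag makes the
# build non-reproducible and silently changes the package set between builds
# (including the SBCL version apt delivers — 22.04 is the release that ships
# sbcl 2.1.11, matching the source tag cloned further down; adjust if another
# release was intended). For full reproducibility pin by digest as well:
#   FROM ubuntu:22.04@sha256:<digest>
FROM ubuntu:22.04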
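# Runtime environment, in `key=value` form: the space-separated `ENV key value`
# form is legacy and rejected by build checks (LegacyKeyValueFormat).
# NOTE(review): the Ubuntu base image only ships the C / C.UTF-8 locales.
# en_US.UTF-8 needs the `locales` package plus `locale-gen en_US.UTF-8`
# (or switch these to C.UTF-8); otherwise every process emits
# "setlocale: ... No such file or directory" warnings. Confirm which is intended.
ENV LANG=en_US.UTF-8 \
    LC_ALL=en_US.UTF-8 \
    TZ=Europe/Berlin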
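# System packages. update+install stay in one layer so the apt index can never
# be stale relative to the install, and the index is removed afterwards so it
# does not bloat the layer. DEBIAN_FRONTEND is set inline (not via ENV) so the
# tzdata/locale prompts cannot block the build without leaking into runtime.
#
# Added relative to the original list, all needed by later steps and absent
# from the base image:
#   curl, ca-certificates  — the download steps below (dhparams, Quicklisp,
#                            .sbclrc) call curl; it is not in ubuntu:*.
#   sudo                   — the sudoers entry for marcus is useless without it.
#   openssh-server         — sshd_config is installed and sshd restarted below.
#     NOTE(review): the package postinst generates host keys at install time,
#     i.e. into the image layer; regenerate them at first boot.
#
# `apt-get upgrade` is kept deliberately (this image is set up as a long-lived
# server with unattended-upgrades); be aware it makes the build
# non-reproducible — bumping the base-image tag/digest is the alternative.
# `--no-install-recommends` is not used: fail2ban in particular relies on
# recommended packages (e.g. python3-systemd for the journal backend) and the
# copied jail.local is not visible here — confirm before trimming.
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y \
        build-essential \
        ca-certificates \
        certbot \
        curl \
        emacs-nox \
        fail2ban \
        git \
        libev4 \
        libsqlite3-dev \
        mercurial \
        mosh \
        nginx \
        openssh-server \
        python3-certbot-nginx \
        python3-matplotlib \
        python3-pandas \
        python3-pip \
        sbcl \
        sqlite3 \
        sudo \
        tmux \
        ufw \
        unattended-upgrades && \
    DEBIAN_FRONTEND=noninteractive apt-get upgrade -y && \
    apt-get autoremove -y && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*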
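# Accounts: a locked service account for nginx and an interactive admin user.
RUN groupadd nginxgroup && \
    useradd -r -s /usr/sbin/nologin -g nginxgroup nginxuser && \
    # Supplementary group `sudo` (Ubuntu's admin group). The `admin` group the
    # original line referenced is not created by the base image, and useradd
    # aborts on an unknown supplementary group.
    useradd -m -s /bin/bash -G users,sudo marcus && \
    # Passwordless sudo as a sudoers.d drop-in (0440, as sudo requires) instead
    # of appending to /etc/sudoers: a drop-in cannot corrupt the main file and
    # is picked up by the @includedir line the sudo package ships. Validate
    # with `visudo -cf /etc/sudoers.d/marcus` once sudo is installed.
    # NOTE(review): NOPASSWD:ALL makes every key in marcus's authorized_keys
    # equivalent to root on this host — confirm that is acceptable.
    mkdir -p /etc/sudoers.d && \
    echo 'marcus ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/marcus && \
    chmod 0440 /etc/sudoers.d/marcus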
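# Authorized public keys for the admin account. Only *public* keys belong in
# marcus-ssh-keys: anything COPYed here persists in an image layer and in
# `docker history`. --chown sets ownership in the COPY layer itself (a later
# chown alone duplicates the file in a new layer); the RUN still normalises
# ~/.ssh, which COPY creates as a side effect, to marcus-owned 0700 and the
# key file to 0600, which satisfies sshd's StrictModes check.
COPY --chown=marcus:marcus marcus-ssh-keys /home/marcus/.ssh/authorized_keys
RUN chown -R marcus:marcus /home/marcus/.ssh && \
    chmod 700 /home/marcus/.ssh && \
    chmod 600 /home/marcus/.ssh/authorized_keys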
# Service configuration from the build context, grouped by consumer. All of
# these are plain configuration (no secrets) and land root-owned; the order of
# the COPYs does not matter, each is an independent layer.
# nginx: main config and the reverse-proxy site (enabled in the next step)
COPY nginx.conf /etc/nginx/nginx.conf
COPY reverse-proxy.conf /etc/nginx/sites-available/reverse-proxy.conf
# sshd and fail2ban
COPY sshd_config /etc/ssh/sshd_config
COPY jail.local /etc/fail2ban/jail.local
# apt: unattended-upgrades schedule
COPY 20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades
# Enable the reverse-proxy site and retire the distribution default site.
# `rm` (not `rm -f`) is intentional: a missing default site means the nginx
# package layout changed and the build should stop rather than continue.
RUN rm /etc/nginx/sites-enabled/default && \
    ln -s /etc/nginx/sites-available/reverse-proxy.conf \
          /etc/nginx/sites-enabled/reverse-proxy.conf
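# TLS certificates, renewal, firewall and services.
# NOTE(review): this step assumes a running host, not an image build. Inside a
# `docker build` RUN there is no systemd (`systemctl` fails), ufw cannot
# program netfilter without CAP_NET_ADMIN, and certbot needs both hostnames to
# resolve to the build host with port 80 reachable. If the certbot calls do
# succeed, the issued private keys under /etc/letsencrypt are written into an
# image layer and shipped with every copy of the image. This belongs in an
# entrypoint / cloud-init script; it is kept here unchanged apart from the
# fixes noted inline. `--redirect` is an installer option and appears to have
# no effect under `certonly`.
RUN certbot certonly --nginx -d u1.metaebene.dev --non-interactive --agree-tos --email marcus.kammer@mailbox.org --redirect && \
    certbot certonly --nginx -d docs.u1.metaebene.dev --non-interactive --agree-tos --email marcus.kammer@mailbox.org --redirect && \
    # Renewal check twice a day, as certbot recommends: certbot only renews
    # once fewer than 30 days remain, so the original monthly check could
    # miss the window on a 90-day certificate. (The Ubuntu certbot package
    # already installs its own timer; this entry mainly adds the reload hook.)
    echo '0 */12 * * * root certbot renew --post-hook "systemctl reload nginx" >> /var/log/letsencrypt/letsencrypt-auto-renew.log' > /etc/cron.d/letsencrypt-renew && \
    chmod 0644 /etc/cron.d/letsencrypt-renew && \
    # -f: an HTTP error must fail the build instead of being saved as the DH
    # parameter file that nginx would then refuse to load.
    curl -fsSL https://ssl-config.mozilla.org/ffdhe2048.txt -o /etc/letsencrypt/ssl-dhparams.pem && \
    ufw default deny incoming && \
    ufw default allow outgoing && \
    ufw allow 'Nginx Full' && \
    ufw allow 22/tcp && \
    ufw allow mosh && \
    # --force: `ufw enable` otherwise prompts for confirmation and aborts
    # without a tty.
    ufw --force enable && \
    systemctl enable fail2ban && systemctl start fail2ban && \
    systemctl restart sshd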
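# Git identity, SBCL sources, SLIME and Quicklisp for the admin user. Runs as
# marcus so everything under /home/marcus is owned by that account.
USER marcus
# RUN steps execute in the builder's working directory, which defaults to `/`.
# The original `sbcl --load quicklisp.lisp` and `rm quicklisp.lisp` used bare
# file names and would not have found the file downloaded into /home/marcus.
WORKDIR /home/marcus
RUN git config --global user.email "marcus.kammer@mailbox.org" && \
    git config --global user.name "Marcus Kammer" && \
    git config --global init.defaultBranch main && \
    # https:// instead of git://: the git protocol is unauthenticated and
    # unencrypted, so an on-path attacker can substitute the checkout.
    git clone --depth 1 --branch sbcl-2.1.11 https://git.code.sf.net/p/sbcl/sbcl /home/marcus/sbcl && \
    git clone --depth 1 --branch v2.28 https://github.com/slime/slime.git /home/marcus/slime && \
    # -f: fail the build on an HTTP error instead of saving the error page.
    # NOTE(review): quicklisp.lisp is executed as downloaded; Quicklisp
    # publishes a detached signature (quicklisp.lisp.asc) — verify it first.
    curl -fsSL https://beta.quicklisp.org/quicklisp.lisp -o /home/marcus/quicklisp.lisp && \
    sbcl --load /home/marcus/quicklisp.lisp --non-interactive --eval '(quicklisp-quickstart:install)' --quit && \
    rm /home/marcus/quicklisp.lisp && \
    # NOTE(review): the init file is fetched from a branch head at build time
    # and executed by every later sbcl start — pin it to a commit or COPY it
    # from the build context so the image content is reviewable.
    curl -fsSL https://git.sr.ht/~marcuskammer/cloudinit/blob/main/.sbclrc -o /home/marcus/.sbclrc && \
    sbcl --non-interactive --eval "(ql:quickload '(:hunchentoot :spinneret :dexador :rove :vecto :woo :clsql-sqlite3))" --quit

# Back to root for any remaining setup.
# NOTE(review): the image ends as root. If the container's main process does
# not need it, finish with `USER marcus` (or a dedicated service account).
USER root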