Crostini Setup

.crostini-setup

These scripts set up Crostini on my Pixelbook

setup-crostini-ssl.sh

# Setup Crostini SSL
#[email protected]

# This generates the certificates (that you should trust in the browser) for the nginx proxy so that
# the rstudio server, CUPS server, and Jupyter Lab can communicate with the container via HTTPS.

# Should not run as root
if [ "$(whoami)" == "root" ]; then
  echo "Script should not be run as root, but as a user with root privileges"
  exit -1
fi

mkdir ~/ssl 
cd ~/ssl
openssl genrsa -des3 -out penguin.linux.test.key 2048
openssl req -x509 -new -nodes -key penguin.linux.test.key -sha256 -days 1024 -out penguin.linux.test.pem
echo '
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=PH
ST=NCR
L=Makati
O=Crostini
OU=Personal
[email protected]
CN = penguin.linux.test
' > server.csr.cnf
echo '
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = penguin.linux.test
' > v3.ext
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config <( cat server.csr.cnf )
openssl x509 -req -in server.csr -CA penguin.linux.test.pem -CAkey penguin.linux.test.key -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext

setup-crostini.sh

# Setup Crostini (CrOS) Instance
# [email protected]
# 2018-09-10

# Contains:
# 1. Linux basics
# 2. Nginx to broker all traffic between different services
# 3. Rstudio server and core R packages
# 4. Miniconda and Jupyter Lab
# 5. CUPS server for printing

# Should not run as root
if [ "$(whoami)" == "root" ]; then
  echo "Script should not be run as root, but as a user with root privileges"
  exit -1
fi

# Install some basics
cd ~/
sudo apt-get update
sudo apt-get -y install \
  software-properties-common \
  gnupg \
  wget \
  libssl-dev \
  nano \
  iputils-ping
  
# Repositories update
sudo apt-key adv --keyserver keys.gnupg.net --recv-key 'E19F5F87128899B192B1A2C2AD5F960A256A04AF'
sudo add-apt-repository 'deb [arch=amd64,i386] https://cran.rstudio.com/bin/linux/debian stretch-cran35/' -y
sudo apt-get update

# Install R 3.5.X and Rstudio server
sudo apt-get -y install \
  r-base \
  r-base-dev \
  libopenblas-base \
  libapparmor1 \
  gdebi-core
wget https://download2.rstudio.org/rstudio-server-stretch-1.1.456-amd64.deb && \
  sudo gdebi --non-interactive rstudio-server-stretch-1.1.456-amd64.deb && \
  rm rstudio-server-stretch-1.1.456-amd64.deb
  
# Set up password
sudo passwd $USER

# Linux R package dependencies
sudo apt-get -y install \
  libxml2-dev \
  libssl-dev \
  libcurl4-openssl-dev \
  default-jre \
  default-jdk \
  libssh2-1-dev 

# Install CUPS Server
sudo apt-get -y install cups
sudo gpasswd -a $USER lpadmin

# Install miniconda and jupyter lab as a service
wget https://repo.continuum.io/miniconda/Miniconda3-latest-Linux-x86_64.sh
bash Miniconda3-latest-Linux-x86_64.sh 
source ~/.bashrc 
rm Miniconda3-latest-Linux-x86_64.sh
conda install -y jupyterlab nodejs
mkdir -p ~/.config/systemd/user/
mkdir -p ~/jupyter/
echo '
[Unit]
Description=Jupyter Lab

[Service]
Type=simple
ExecStart=/home/$USER/miniconda3/bin/jupyter-lab \
  --no-browser \
  --port=8888 \
  --notebook-dir=/home/$USER/jupyter/ \
  --NotebookApp.trust_xheaders=True \
  --NotebookApp.password='sha1:5edd1c9a8fa0:b1a9a6998fb674102fa742af3d6562fb23371a45'\
  --NotebookApp.base_url=jupyter

[Install]
WantedBy=default.target
' > ~/.config/systemd/user/jupyterlab.service
systemctl --user enable jupyterlab.service
systemctl --user start jupyterlab.service

# Install nginx reverse proxy
sudo apt-get -y install nginx
echo "
map \$http_upgrade \$connection_upgrade {
  default upgrade;
  ''      close;
}
server {
  listen 80;
  return 301 https://\$host\$request_uri;
}
server {
  listen 443;
  server_name penguin.linux.test;
  ssl_certificate /home/$USER/ssl/server.crt;
  ssl_certificate_key /home/$USER/ssl/server.key;
  ssl on;
  ssl_session_cache  builtin:1000  shared:SSL:10m;
  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  access_log            /var/log/nginx/penguin.linux.test.access.log;
  # RStudio Server
  location /rstudio/ {
    rewrite ^/rstudio/(.*)\$ /\$1 break;
    proxy_pass http://localhost:8787;
    proxy_redirect http://localhost:8787/ \$scheme://\$host/rstudio/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade \$http_upgrade;
    proxy_set_header Connection \$connection_upgrade;
    proxy_read_timeout 20d;
  }
  # Jupyter Lab
  location /jupyter/ {
    proxy_pass http://localhost:8888/jupyter/;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header Host \$http_host;
    proxy_http_version 1.1;
    proxy_redirect off;
    proxy_buffering off;
    proxy_set_header Upgrade \$http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 86400;
  } 
  # CUPS Server
  location / {
    proxy_pass http://localhost:631;
    proxy_redirect http://localhost:631/ \$scheme://\$host/cups/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade \$http_upgrade;
    proxy_set_header Connection \$connection_upgrade;
    proxy_read_timeout 20d;
  }  
}" | sudo tee /etc/nginx/sites-available/default
sudo systemctl restart nginx.service

# Install 'core' R packages and R Kernel for Jupyter Lab
Rscript -e " \
  dir.create(Sys.getenv('R_LIBS_USER'), recursive = TRUE); \
  install.packages( \
    pkgs = c('tidyverse', 'glue', 'devtools', 'rJava'), \
    repos = 'https://cran.rstudio.com', \
    lib = Sys.getenv('R_LIBS_USER') \
  ); \
"
Rscript -e "devtools::install_github('IRkernel/IRkernel'); IRkernel::installspec()" 

# Install Jupyter Extensions
jupyter labextension install @jupyterlab/git

# Permissions for ssh keys
chmod 700 /home/$USER/.ssh
chmod 700 /home/$USER/.ssh/id_rsa 
chmod 644 /home/$USER/.ssh/id_rsa.pub

# Remove self
rm setup-crostini.sh