### Nginx Startup Script Example Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/cloud-gcp/gcp-compute/SKILL.md A bash script that updates package lists, installs Nginx, enables and starts the Nginx service, and reports completion status to instance metadata. Designed to run on first boot and reboots. ```bash #!/bin/bash # startup.sh - runs on first boot and every reboot set -euo pipefail apt-get update && apt-get install -y nginx systemctl enable nginx && systemctl start nginx curl -X PUT -H "Metadata-Flavor: Google" \ "http://metadata.google.internal/computeMetadata/v1/instance/guest-attributes/startup/status" \ -d "complete" ``` -------------------------------- ### Initialize Convex and Start Local Development Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/platforms/convex-backend/SKILL.md Install the Convex package and start the local development server for real-time syncing with the cloud. ```bash npm install convex npx convex dev # Start local development (syncs with cloud) # In a new project npm create convex@latest ``` -------------------------------- ### Install MLflow and Start Tracking Server Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/devops/ai/model-registry-governance/SKILL.md Installs MLflow with necessary backends and starts the tracking server with PostgreSQL and S3 artifact storage. ```bash pip install mlflow[extras] psycopg2-binary boto3 mlflow server \ --backend-store-uri postgresql://mlflow:password@db:5432/mlflow \ --default-artifact-root s3://mlflow-artifacts/models \ --host 0.0.0.0 \ --port 5000 \ --serve-artifacts ``` -------------------------------- ### Install and Run Ollama Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/local-ai/ollama-stack/SKILL.md Installs Ollama, starts the server, and demonstrates pulling and running a model. Also shows how to list available models and pull specific quantizations. ```bash # Install Ollama curl -fsSL https://ollama.com/install.sh | sh # Start the server ollama serve # Pull and run a model ollama pull llama3.1:8b ollama run llama3.1:8b "Explain Kubernetes pods in one paragraph" # List available models ollama list # Pull specific quantization ollama pull llama3.1:8b-instruct-q4_K_M ``` -------------------------------- ### Install Dependencies and Run OpenClaw Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/local-ai/openclaw-local-mac-mini/SKILL.md Install project dependencies using npm or pnpm, run database migrations if necessary, and start the development server. ```bash # Install dependencies npm install # Or with pnpm: # pnpm install # Run database migrations if needed npm run db:migrate # Start the development server npm run dev # Verify startup curl -s http://localhost:3000/api/health | jq . ``` -------------------------------- ### Start Docker MySQL Container and Connect Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/databases/planetscale/SKILL.md Commands to start the Docker Compose setup and connect to the local MySQL instance using the MySQL client. ```bash docker compose up -d ``` ```bash mysql -h 127.0.0.1 -u myapp -psecret my-app ``` -------------------------------- ### Azure CLI Setup and Sign-in Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/it/identity-access-management/SKILL.md This set of commands installs the Azure CLI, signs you into your Azure account, and sets the default subscription. It also verifies the signed-in user. ```bash # Install Azure CLI and sign in az login # Set the default tenant az account set --subscription "your-subscription-id" # Verify tenant az ad signed-in-user show --query '{name:displayName, email:userPrincipalName}' ``` -------------------------------- ### Install and Link Vercel CLI Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/platforms/vercel-deployments/SKILL.md Installs the Vercel CLI globally and links your local project to your Vercel account. Use this for initial setup. ```bash npm i -g vercel vercel login vercel link ``` -------------------------------- ### Install and Run OpenSCAP CIS Benchmark Scan Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/security/hardening/cis-benchmarks/SKILL.md Installs OpenSCAP scanner and the Security Guide, then runs a CIS benchmark scan for Ubuntu 22.04, saving results to XML and HTML reports. ```bash # Install apt install openscap-scanner scap-security-guide # Run CIS benchmark scan oscap xccdf eval \ --profile xccdf_org.ssgproject.content_profile_cis \ --results results.xml \ --report report.html \ /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml ``` -------------------------------- ### Install Azure CLI and Set Up Environment Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/cloud-azure/azure-networking/SKILL.md Installs the Azure CLI, logs in, sets the subscription, registers necessary providers, and creates a resource group. Ensure you have the Azure CLI installed and are logged in with the correct subscription. ```bash # Install Azure CLI curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash # Login and set subscription az login az account set --subscription "my-subscription-id" # Register required providers az provider register --namespace Microsoft.Network # Create resource group az group create --name networking-rg --location eastus ``` -------------------------------- ### Create Backstage App Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/devops/platforms/platform-engineering/SKILL.md Installs and starts a new Backstage application. Ensure Node.js 18+ and yarn 1.x are installed. ```bash # Prerequisites: Node.js 18+, yarn 1.x npx @backstage/create-app@latest # Follow the prompts -- name your app, e.g., "internal-platform" cd internal-platform # Start the development server yarn dev ``` -------------------------------- ### Fleet MDM Initial Setup and Admin Creation Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/it/mdm-device-management/SKILL.md Commands to generate self-signed TLS certificates for Fleet, start the Docker services, and then prepare the database and create the initial administrator account. Replace placeholders with your actual domain and desired password. ```bash # Generate TLS certs (use real certs in production) mkdir -p tls openssl req -x509 -newkey rsa:4096 -sha256 -days 365 \ -nodes -keyout tls/fleet.key -out tls/fleet.crt \ -subj "/CN=fleet.yourcompany.com" # Start services docker compose up -d # Create admin account docker compose exec fleet fleet prepare db docker compose exec fleet fleet setup \ --email admin@yourcompany.com \ --name "IT Admin" \ --password "${FLEET_ADMIN_PASSWORD}" \ --org-name "YourCompany" ``` -------------------------------- ### MLX Framework Installation and Usage Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/local-ai/mac-mini-llm-lab/SKILL.md Installs the MLX framework for native Apple Silicon model execution and demonstrates running a model for text generation. Includes setup for the MLX server. ```bash # Install MLX uv pip install mlx mlx-lm # Run a model python3 -c " from mlx_lm import load, generate model, tokenizer = load('mlx-community/Llama-3.1-8B-Instruct-4bit') response = generate(model, tokenizer, prompt='Explain Docker in 3 sentences', max_tokens=200) print(response) " # MLX server (OpenAI-compatible API) uv pip install mlx-lm[server] mlx_lm.server --model mlx-community/Llama-3.1-8B-Instruct-4bit --port 8080 ``` -------------------------------- ### Start Caddy Service Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/local-ai/mac-mini-llm-lab/SKILL.md Starts the Caddy web server using Homebrew services. Ensure Caddy is installed via Homebrew before running this command. ```bash brew services start caddy ``` -------------------------------- ### Create VM with Cloud-Init Configuration Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/cloud-azure/azure-vms/SKILL.md Deploys a Linux VM using a cloud-init configuration file to automate setup, including package installation and service management. ```yaml #cloud-init.yaml #cloud-config package_update: true packages: - nginx - docker.io runcmd: - systemctl enable nginx - systemctl start nginx - usermod -aG docker azureuser ``` ```bash az vm create \ --resource-group compute-rg \ --name web-vm \ --image Ubuntu2204 \ --size Standard_B2s \ --admin-username azureuser \ --generate-ssh-keys \ --custom-data cloud-init.yaml \ --tags role=web ``` -------------------------------- ### Quick Start: QLoRA Fine-Tuning with TRL Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/local-ai/llm-fine-tuning/SKILL.md Use this Python script for a quick start on fine-tuning LLMs with QLoRA and Hugging Face TRL. It sets up 4-bit quantization, LoRA configuration, and uses SFTTrainer for the training process. Ensure you have the necessary libraries installed and a Hugging Face token. ```bash pip install transformers datasets trl peft bitsandbytes accelerate ``` ```python from datasets import load_dataset from transformers import AutoTokenizer, AutoModelForCausalLM, BitsAndBytesConfig from peft import LoraConfig, get_peft_model from trl import SFTTrainer, SFTConfig import torch model_id = "meta-llama/Llama-3.1-8B-Instruct" # 4-bit quantization (QLoRA) bnb_config = BitsAndBytesConfig( load_in_4bit=True, bnb_4bit_quant_type="nf4", bnb_4bit_compute_dtype=torch.bfloat16, bnb_4bit_use_double_quant=True, ) model = AutoModelForCausalLM.from_pretrained( model_id, quantization_config=bnb_config, device_map="auto" ) tokenizer = AutoTokenizer.from_pretrained(model_id) # LoRA configuration peft_config = LoraConfig( r=16, # rank lora_alpha=32, target_modules=["q_proj", "k_proj", "v_proj", "o_proj", "gate_proj", "up_proj", "down_proj"], lora_dropout=0.05, bias="none", task_type="CAUSAL_LM", ) dataset = load_dataset("your-org/your-dataset", split="train") trainer = SFTTrainer( model=model, args=SFTConfig( output_dir="./output", num_train_epochs=3, per_device_train_batch_size=2, gradient_accumulation_steps=8, learning_rate=2e-4, bf16=True, logging_steps=10, save_strategy="epoch", report_to="wandb", ), train_dataset=dataset, peft_config=peft_config, processing_class=tokenizer, ) trainer.train() trainer.save_model("./fine-tuned-model") ``` -------------------------------- ### OWASP CRS Installation and Customization Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/security/network/waf-setup/SKILL.md Steps to download and install the OWASP Core Rule Set, copy the example configuration, and customize paranoia level and anomaly score thresholds. Includes adding custom rule exclusions for specific paths and parameters. ```bash # Download and install OWASP CRS cd /etc/nginx/modsec git clone https://github.com/coreruleset/coreruleset crs cp crs/crs-setup.conf.example crs/crs-setup.conf # Customize CRS settings cat >> crs/crs-setup.conf << 'EOF' # Set paranoia level (1-4, higher = more strict) SecAction "id:900000, phase:1, pass, t:none, nolog, setvar:tx.paranoia_level=2" # Set anomaly score thresholds SecAction "id:900110, phase:1, pass, t:none, nolog, \ setvar:tx.inbound_anomaly_score_threshold=5, \ setvar:tx.outbound_anomaly_score_threshold=4" # Exclude known false positives SecRule REQUEST_URI "@beginsWith /api/upload" \ "id:1001,phase:1,pass,nolog,ctl:ruleRemoveById=920420" EOF # Create rule exclusions file cat > /etc/nginx/modsec/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf << 'EOF' # Exclude rules that cause false positives on specific paths SecRule REQUEST_URI "@beginsWith /api/webhook" \ "id:1000001,phase:1,pass,nolog,ctl:ruleRemoveTargetById=942100;ARGS:payload" # Exclude rules for specific parameters SecRule ARGS_NAMES "^content$" \ "id:1000002,phase:1,pass,nolog,ctl:ruleRemoveTargetById=941100;ARGS:content" EOF ``` -------------------------------- ### Initial System Setup for Mac mini LLM Lab Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/local-ai/mac-mini-llm-lab/SKILL.md Installs essential macOS updates, command-line tools, Homebrew, and core packages for an LLM environment. Includes Python and monitoring tools. ```bash # Update macOS softwareupdate --install --all # Install Xcode command-line tools xcode-select --install # Install Homebrew /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" # Core packages brew install tmux htop btop wget jq git neovim # Python environment (for MLX and custom scripts) brew install python@3.12 uv # Monitoring brew install prometheus node_exporter ``` -------------------------------- ### Install Istio and Configure Namespace Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/networking/ai-inference-service-mesh/SKILL.md Install Istio using the 'default' profile and configure the AI inference namespace for sidecar injection. Verify the installation and analyze configurations. ```bash istioctl install --set profile=default \ --set meshConfig.accessLogFile=/dev/stdout \ --set meshConfig.defaultConfig.holdApplicationUntilProxyStarts=true kubectl create namespace ai-inference kubectl label namespace ai-inference istio-injection=enabled istioctl verify-install istioctl analyze -n ai-inference ``` -------------------------------- ### Unleash SDK Setup (Node.js) Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/devops/release/feature-flags/SKILL.md Initialize the Unleash client for Node.js, specifying the server URL, application name, and authorization headers. Use the client to check if features are enabled for a user or to get experiment variants. ```javascript const { initialize } = require('unleash-client'); const unleash = initialize({ url: 'http://localhost:4242/api', appName: 'my-app', customHeaders: { Authorization: 'your-api-token' } }); unleash.on('ready', () => { // Check feature const isEnabled = unleash.isEnabled('new-checkout'); // With context const context = { userId: 'user-123', properties: { plan: 'premium' } }; const isEnabledForUser = unleash.isEnabled('new-checkout', context); // Get variant const variant = unleash.getVariant('experiment-flag', context); console.log(variant.name); // 'control' or 'treatment' }); ``` -------------------------------- ### Linkerd Installation and Configuration Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/networking/service-mesh/SKILL.md A comprehensive set of bash commands for installing the Linkerd CLI, checking prerequisites, installing the control plane, and enabling automatic sidecar injection. ```bash # Install Linkerd CLI curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh export PATH=$HOME/.linkerd2/bin:$PATH # Validate cluster prerequisites linkerd check --pre # Install Linkerd CRDs linkerd install --crds | kubectl apply -f - # Install Linkerd control plane linkerd install | kubectl apply -f - # Verify installation linkerd check # Inject sidecar into a namespace kubectl get deploy -n my-app -o yaml | linkerd inject - | kubectl apply -f - # Or annotate namespace for auto-injection kubectl annotate namespace my-app linkerd.io/inject=enabled # View live traffic dashboard linkerd viz install | kubectl apply -f - linkerd viz dashboard ``` -------------------------------- ### Install Azure CLI and Set Up Environment Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/cloud-azure/azure-vms/SKILL.md Installs the Azure CLI, logs in, sets the subscription, and creates a resource group. Also shows how to list available VM sizes and images. ```bash curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash az login az account set --subscription "my-subscription-id" az group create --name compute-rg --location eastus az vm list-sizes --location eastus --output table az vm image list --output table az vm image list --publisher Canonical --offer 0001-com-ubuntu-server-jammy --all --output table ``` -------------------------------- ### User Data Script for EC2 Instance Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/cloud-aws/aws-ec2/references/ec2-operations.md A bash script to be executed when an EC2 instance first boots. This example updates packages, installs Apache, starts and enables the service, and creates a basic index.html. ```bash #!/bin/bash yum update -y yum install -y httpd systemctl start httpd systemctl enable httpd echo "Hello World" > /var/www/html/index.html ``` -------------------------------- ### Download and Install osquery MSI for Windows Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/it/mdm-device-management/SKILL.md Use fleetctl to download the osquery MSI installer for Windows and then install it silently using msiexec. Ensure the Fleet URL and enroll secret are correctly configured. ```powershell # Download the Fleet osquery MSI installer fleetctl package --type msi \ --fleet-url https://fleet.yourcompany.com:8080 \ --enroll-secret "$(fleetctl get enroll-secret)" \ --fleet-certificate tls/fleet.crt # Install silently msiexec /i fleet-osquery.msi /quiet /norestart ``` -------------------------------- ### Install MongoDB on Debian/Ubuntu Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/databases/mongodb/SKILL.md Installs MongoDB 7.x on Debian/Ubuntu systems. Ensures the repository is added, the package is installed, and the service is enabled and started. ```bash curl -fsSL https://www.mongodb.org/static/pgp/server-7.0.asc | \ sudo gpg -o /usr/share/keyrings/mongodb-server-7.0.gpg --dearmor echo "deb [ signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] \ https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse" | \ sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list sudo apt update sudo apt install -y mongodb-org # Start and enable sudo systemctl enable --now mongod # Verify mongosh --eval "db.version()" ``` -------------------------------- ### Initial PostgreSQL User and Database Setup Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/databases/postgresql/SKILL.md Creates a new application user and database, then grants privileges. Connect to the database to set default privileges for the user. ```bash # Switch to the postgres system user sudo -u postgres psql ``` ```sql -- Create an application user CREATE USER myapp WITH PASSWORD 'strong_password_here'; -- Create the database owned by that user CREATE DATABASE mydb OWNER myapp; -- Grant connection privileges GRANT ALL PRIVILEGES ON DATABASE mydb TO myapp; -- Connect to the database and set default privileges \c mydb ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO myapp; ``` -------------------------------- ### Install Azure CLI and Set Up Subscription Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/cloud-azure/azure-sql/SKILL.md Installs the Azure CLI and logs in to your Azure subscription. Ensure you have the necessary permissions to create resources. ```bash curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash az login az account set --subscription "my-subscription-id" az group create --name database-rg --location eastus ``` -------------------------------- ### Create Instance with Startup Script and Service Account Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/cloud-gcp/gcp-compute/SKILL.md Create an instance that runs a startup script on boot and is associated with a specific service account, granting it permissions to access Google Cloud services. ```bash # Instance with a startup script and service account gcloud compute instances create app-server \ --machine-type=e2-standard-2 \ --zone=us-central1-a \ --image-family=ubuntu-2204-lts --image-project=ubuntu-os-cloud \ --boot-disk-size=50GB \ --metadata-from-file=startup-script=startup.sh \ --service-account=app-sa@${PROJECT_ID}.iam.gserviceaccount.com \ --scopes=cloud-platform ``` -------------------------------- ### First-Day Setup Script (macOS) Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/it/startup-it-troubleshooting/SKILL.md Automates the setup of a new macOS environment, including Homebrew, development tools, Git configuration, GitHub CLI authentication, repository cloning, and FileVault enablement. ```bash #!/bin/bash set -e /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" curl -sL https://internal.company.com/setup/Brewfile -o /tmp/Brewfile && brew bundle install --file=/tmp/Brewfile read -p "Full name: " N; read -p "Email: " E git config --global user.name "$N" && git config --global user.email "$E" && git config --global pull.rebase true gh auth login && mkdir -p ~/src && cd ~/src && gh repo clone your-company/main-app sudo fdesetup enable ``` -------------------------------- ### Install and Initialize OpenVPN Server Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/security/network/vpn-setup/SKILL.md Installs OpenVPN and Easy-RSA, then initializes the Public Key Infrastructure (PKI) for server certificate generation. Requires root privileges. ```bash # Install OpenVPN and Easy-RSA apt install -y openvpn easy-rsa # Initialize PKI make-cadir /etc/openvpn/easy-rsa cd /etc/openvpn/easy-rsa ./easyrsa init-pki ./easyrsa build-ca nopass ./easyrsa gen-req server nopass ./easyrsa sign-req server server ./easyrsa gen-dh openvpn --genkey secret /etc/openvpn/ta.key # Generate client certificate ./easyrsa gen-req client1 nopass ./easyrsa sign-req client client1 ``` -------------------------------- ### Install Datadog Agent on Linux Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/devops/observability/datadog/SKILL.md Installs the Datadog agent using a script or package manager. Configure the API key and start the agent service. ```bash # Install agent DD_API_KEY= DD_SITE="datadoghq.com" bash -c "$(curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script_agent7.sh)" # Or via package manager apt-get update && apt-get install datadog-agent # Configure API key echo "api_key: YOUR_API_KEY" >> /etc/datadog-agent/datadog.yaml # Start agent systemctl start datadog-agent systemctl enable datadog-agent ``` -------------------------------- ### LaunchDarkly SDK Setup (Node.js) Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/devops/release/feature-flags/SKILL.md Initialize the LaunchDarkly SDK for Node.js and evaluate feature flags for a given user. Ensure the SDK is initialized before use. ```javascript const LaunchDarkly = require('launchdarkly-node-server-sdk'); const client = LaunchDarkly.init(process.env.LAUNCHDARKLY_SDK_KEY); await client.waitForInitialization(); // Evaluate flag const user = { key: 'user-123', email: 'user@example.com', custom: { plan: 'premium', company: 'acme' } }; const showNewFeature = await client.variation('new-checkout', user, false); if (showNewFeature) { // New feature code } else { // Existing code } ``` -------------------------------- ### Set up PostgreSQL Replica Server using pg_basebackup Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/databases/postgresql/SKILL.md Initializes a replica server by taking a base backup from the primary. Ensure PostgreSQL is stopped on the replica before starting the backup. ```bash # Stop PostgreSQL on the replica sudo systemctl stop postgresql # Remove existing data directory sudo rm -rf /var/lib/postgresql/15/main/* # Base backup from primary sudo -u postgres pg_basebackup \ -h 10.0.0.1 -U replicator \ -D /var/lib/postgresql/15/main \ --wal-method=stream --checkpoint=fast --progress ``` -------------------------------- ### User Data Script for Web Server Bootstrap Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/cloud-aws/aws-ec2/SKILL.md A bash script to bootstrap a web server on Amazon Linux 2023. It performs system updates, installs and starts Nginx, installs the CloudWatch agent, and installs the CodeDeploy agent. ```bash #!/bin/bash #userdata.sh - Bootstrap a web server on Amazon Linux 2023 set -euxo pipefail # System updates dnf update -y # Install and start web server dnf install -y nginx systemctl enable nginx systemctl start nginx # Install CloudWatch agent dnf install -y amazon-cloudwatch-agent /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl \ -a fetch-config -m ec2 \ -s -c ssm:AmazonCloudWatch-linux # Install CodeDeploy agent dnf install -y ruby wget cd /home/ec2-user wget https://aws-codedeploy-us-east-1.s3.us-east-1.amazonaws.com/latest/install chmod +x ./install ./install auto # Signal CloudFormation (if launched via CFN) # /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource ASG --region ${AWS::Region} ``` -------------------------------- ### Install Azure CLI and kubectl Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/cloud-azure/azure-aks/SKILL.md Installs the Azure CLI and kubectl, logs into Azure, and registers necessary providers. Ensure you have the correct subscription ID. ```bash curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash az aks install-cli az login az account set --subscription "my-subscription-id" az provider register --namespace Microsoft.ContainerService az provider register --namespace Microsoft.OperationsManagement kubectl version --client ``` -------------------------------- ### Start Vault Dev Server and Set Environment Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/security/secrets/hashicorp-vault/SKILL.md Starts a development Vault server and sets the necessary environment variables for connection. Ensure Vault CLI is installed and network access to Vault is available. ```bash # Start dev server vault server -dev # Set environment export VAULT_ADDR='http://127.0.0.1:8200' export VAULT_TOKEN='root' # Verify connection vault status ``` -------------------------------- ### Manage Homebrew Packages and Bundles (macOS) Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/it/startup-it-troubleshooting/SKILL.md Defines and installs Homebrew packages and casks using a Brewfile, and exports the current setup. ```bash cat > Brewfile <<'EOF' brew "git"; brew "node"; brew "python@3.12"; brew "awscli"; brew "jq"; brew "gh" cask "google-chrome"; cask "slack"; cask "1password"; cask "visual-studio-code"; cask "docker"; cask "zoom" EOF ``` ```bash brew bundle install --file=Brewfile ``` ```bash brew bundle dump --file=~/Brewfile --force # export current setup ``` -------------------------------- ### GCP Project Setup and Terraform Initialization Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/cloud-gcp/terraform-gcp/SKILL.md Create a GCS bucket for Terraform state and configure versioning. Initialize Terraform, plan the deployment with specified variables, and apply the plan. ```bash gcloud storage buckets create gs://my-project-tf-state \ --location=us-central1 --uniform-bucket-level-access --public-access-prevention gcloud storage buckets update gs://my-project-tf-state --versioning terraform init terraform plan -var="project_id=my-project" -var="environment=production" -out=tfplan terraform apply tfplan ``` -------------------------------- ### Pip Requirements with Hashes Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/security/scanning/supply-chain-attack-response/SKILL.md Example of a requirements.txt file format that includes SHA256 hashes for each package. This ensures that only the exact specified versions are installed. ```text # requirements.txt with hashes (generated by pip-compile --generate-hashes) requests==2.31.0 \ --hash=sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003eb \ --hash=sha256:942c5a758f98d790eaed1a29cb6eefc7f0edf3fcb0fce8afe0f44546e1 ``` -------------------------------- ### Install Istio Observability Addons Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/networking/service-mesh/SKILL.md Install Kiali, Prometheus, Grafana, and Jaeger for service mesh observability. Access dashboards via istioctl. ```bash # Install Kiali, Prometheus, Grafana, Jaeger kubectl apply -f samples/addons/prometheus.yaml kubectl apply -f samples/addons/grafana.yaml kubectl apply -f samples/addons/jaeger.yaml kubectl apply -f samples/addons/kiali.yaml # Wait for rollout kubectl rollout status deployment/kiali -n istio-system # Access dashboards istioctl dashboard kiali istioctl dashboard grafana istioctl dashboard jaeger ``` -------------------------------- ### Python HTTP Cloud Function Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/cloud-gcp/gcp-cloud-functions/SKILL.md An example HTTP-triggered Python Cloud Function using the functions_framework. It handles GET requests and returns a JSON response. ```python # main.py import functions_framework import base64, json from flask import jsonify from google.cloud import firestore @functions_framework.http def hello_http(request): """HTTP Cloud Function.""" name = request.args.get("name", "World") return jsonify({"message": f"Hello, {name}!", "status": "ok"}), 200 ``` -------------------------------- ### Create Spot VM Instance Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/cloud-gcp/gcp-compute/SKILL.md Create a Spot VM instance, which offers significant cost savings for fault-tolerant workloads. Configures the instance to stop rather than terminate upon preemption. ```bash # Spot VM (recommended over legacy preemptible) gcloud compute instances create spot-worker \ --machine-type=n2-standard-8 \ --zone=us-central1-a \ --image-family=debian-12 --image-project=debian-cloud \ --provisioning-model=SPOT \ --instance-termination-action=STOP ``` -------------------------------- ### Docker Compose for Ollama Stack Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/local-ai/ollama-stack/SKILL.md Defines a Docker Compose setup for Ollama, Open WebUI, and LiteLLM. Ensures services are healthy before starting dependent services. ```yaml # docker-compose.yml services: ollama: image: ollama/ollama:latest container_name: ollama restart: unless-stopped ports: - "11434:11434" volumes: - ollama_data:/root/.ollama environment: - OLLAMA_HOST=0.0.0.0 - OLLAMA_NUM_PARALLEL=4 - OLLAMA_MAX_LOADED_MODELS=2 - OLLAMA_FLASH_ATTENTION=1 deploy: resources: reservations: devices: - driver: nvidia count: all capabilities: [gpu] healthcheck: test: ["CMD", "curl", "-f", "http://localhost:11434/api/tags"] interval: 30s timeout: 10s retries: 3 open-webui: image: ghcr.io/open-webui/open-webui:main container_name: open-webui restart: unless-stopped ports: - "3000:8080" volumes: - webui_data:/app/backend/data environment: - OLLAMA_BASE_URL=http://ollama:11434 - WEBUI_AUTH=true - WEBUI_SECRET_KEY=${WEBUI_SECRET_KEY:-"change-me-in-production"} - DEFAULT_MODELS=llama3.1:8b depends_on: ollama: condition: service_healthy litellm: image: ghcr.io/berriai/litellm:main-latest container_name: litellm restart: unless-stopped ports: - "4000:4000" volumes: - ./litellm-config.yaml:/app/config.yaml command: ["--config", "/app/config.yaml"] depends_on: ollama: condition: service_healthy volumes: ollama_data: webui_data: ``` -------------------------------- ### Install Istio with istioctl Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/networking/service-mesh/SKILL.md Download and install Istio using the istioctl CLI. Supports different profiles like 'default' and 'demo'. ```bash # Download istioctl curl -L https://istio.io/downloadIstio | sh - cd istio-* export PATH=$PWD/bin:$PATH # Install with the production profile istioctl install --set profile=default -y # Or use the demo profile (includes all addons, good for learning) istioctl install --set profile=demo -y # Verify installation istioctl verify-install # Check running components kubectl get pods -n istio-system ``` -------------------------------- ### Automated Device Onboarding Script (PowerShell) Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/it/mdm-device-management/SKILL.md This script automates device onboarding by installing common applications, enabling disk encryption, configuring firewall and power settings, and setting up automatic updates. It logs the entire process to a specified file. ```powershell $ErrorActionPreference = "Stop" $logFile = "C:\ProgramData\onboarding.log" Start-Transcript -Path $logFile -Append Write-Host "=== Starting onboarding $(Get-Date) ===" # 1. Install winget packages $packages = @( "Git.Git", "Microsoft.VisualStudioCode", "Docker.DockerDesktop", "SlackTechnologies.Slack", "Tailscale.Tailscale", "AgileBits.1Password" ) foreach ($pkg in $packages) { Write-Host "Installing $pkg..." winget install --id $pkg --accept-package-agreements --accept-source-agreements --silent } # 2. Enable BitLocker Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -TpmProtector Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector # 3. Configure firewall Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True Set-NetFirewallProfile -Profile Domain,Public,Private ` -DefaultInboundAction Block -DefaultOutboundAction Allow # 4. Set power and lock settings powercfg /change monitor-timeout-ac 5 Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` -Name "InactivityTimeoutSecs" -Value 300 # 5. Enable automatic updates Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" ` -Name "AUOptions" -Value 4 Write-Host "=== Onboarding complete $(Get-Date) ===" Stop-Transcript ``` -------------------------------- ### Ollama Setup and Model Pulling Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/local-ai/mac-mini-llm-lab/SKILL.md Installs Ollama and pulls various language models optimized for different Mac mini RAM configurations. Verifies Metal acceleration. ```bash # Install Ollama brew install ollama # Pull models based on your RAM # 16GB Mac mini: ollama pull llama3.1:8b ollama pull nomic-embed-text ollama pull codellama:7b # 32GB Mac mini: ollama pull llama3.1:8b ollama pull qwen2.5:14b ollama pull deepseek-coder-v2:16b ollama pull nomic-embed-text # 64GB+ Mac mini: ollama pull llama3.1:70b ollama pull qwen2.5:32b ollama pull codellama:34b # Verify Metal acceleration ollama run llama3.1:8b --verbose # Look for: "metal" in output ``` -------------------------------- ### Install Azure CLI and Functions Core Tools Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/cloud-azure/azure-functions/SKILL.md Installs the Azure CLI and Azure Functions Core Tools v4. Logs in to Azure and sets the subscription. Creates a resource group and storage account for function apps. ```bash curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash npm install -g azure-functions-core-tools@4 func --version az login az account set --subscription "my-subscription-id" az group create --name functions-rg --location eastus az storage account create \ --name myfuncstorageacct \ --resource-group functions-rg \ --location eastus \ --sku Standard_LRS ``` -------------------------------- ### ECR Repository Setup Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/devops/containers/container-registries/SKILL.md Create an ECR repository with image scanning enabled and retrieve its URI. ```bash # Create repository aws ecr create-repository \ --repository-name myapp \ --image-scanning-configuration scanOnPush=true \ --encryption-configuration encryptionType=AES256 # Get registry URI REGISTRY=$(aws ecr describe-repositories \ --repository-names myapp \ --query 'repositories[0].repositoryUri' \ --output text | cut -d'/' -f1) ``` -------------------------------- ### Stop, Resize, and Start GCP Instance Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/cloud-gcp/gcp-compute/SKILL.md Provides commands to stop, resize (change machine type), and start a Compute Engine instance. Ensure the instance name and zone are correct. ```bash gcloud compute instances stop web-server --zone=us-central1-a gcloud compute instances set-machine-type web-server \ --machine-type=e2-standard-4 --zone=us-central1-a gcloud compute instances start web-server --zone=us-central1-a ``` -------------------------------- ### DAST Scan with GitHub Actions Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/security/scanning/dast-scanning/SKILL.md Integrates OWASP ZAP full scan into a GitHub Actions workflow. This example starts an application using docker-compose and then runs the ZAP scan. ```yaml name: DAST Scan on: workflow_dispatch: schedule: - cron: '0 2 * * *' jobs: dast: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Start Application run: | docker-compose up -d sleep 30 # Wait for app to be ready - name: OWASP ZAP Scan uses: zaproxy/action-full-scan@v0.8.0 with: target: 'http://localhost:8080' rules_file_name: '.zap/rules.tsv' cmd_options: '-a' - name: Upload Report uses: actions/upload-artifact@v4 if: always() with: name: zap-report path: report_html.html ``` -------------------------------- ### Nuclei Custom Template Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/security/scanning/dast-scanning/references/dast-tools.md Define a custom template for Nuclei to perform specific security checks. This example checks for a GET request to an admin path and matches on a 200 status code. ```yaml id: custom-check info: name: Custom Security Check severity: high requests: - method: GET path: - "{{BaseURL}}/admin" matchers: - type: status status: - 200 ``` -------------------------------- ### Install Prefect and Prefect Kubernetes Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/devops/ai/ai-pipeline-orchestration/SKILL.md Install the necessary Prefect packages. This is a prerequisite for running Prefect workflows. ```bash pip install prefect prefect-kubernetes # Start Prefect server (or use Prefect Cloud) prefect server start # In another terminal prefect worker start --pool default-agent-pool ``` -------------------------------- ### Basic API Route with Pages Functions Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/cloudflare/cloudflare-pages/SKILL.md Define a simple API endpoint using Pages Functions. This example creates a GET request handler for '/api/hello.ts' that returns a JSON response. ```typescript // functions/api/hello.ts export const onRequestGet: PagesFunction = async (context) => { return new Response(JSON.stringify({ message: "Hello from the edge" }), { headers: { "Content-Type": "application/json" }, }); }; ``` -------------------------------- ### Install and Configure Tailscale Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/local-ai/openclaw-local-mac-mini/SKILL.md Steps to install Tailscale via Homebrew, authenticate, and connect the Mac Mini to a Tailscale network for secure remote access. Includes commands to verify the IP and access the service. ```bash # Install Tailscale on the Mac mini brew install --cask tailscale # Authenticate and connect open /Applications/Tailscale.app # Or via CLI: tailscale up --authkey tskey-auth-your-key-here # Verify Tailscale IP tailscale ip -4 # e.g., 100.64.x.x # Access OpenClaw from any Tailscale device curl http://100.64.x.x:3000/api/health # Enable MagicDNS for friendly names # Access via: http://openclaw-mini:3000 ``` -------------------------------- ### Configure Docker Compose with launchd Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/local-ai/openclaw-local-mac-mini/SKILL.md Defines a launchd plist file to automatically start Docker Compose on system load. Ensure the paths to docker and the compose file are correct for your setup. ```xml Label com.openclaw.docker ProgramArguments /usr/local/bin/docker compose -f /Users/openclaw/openclaw/docker-compose.yml up RunAtLoad KeepAlive StandardOutPath /var/log/openclaw/docker-stdout.log StandardErrorPath /var/log/openclaw/docker-stderr.log ``` -------------------------------- ### Database Initialization with Docker Compose Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/devops/containers/docker-compose/SKILL.md Sets up a PostgreSQL service, mounting initialization scripts and a named volume for persistent data. ```yaml services: db: image: postgres:15 volumes: - postgres-data:/var/lib/postgresql/data - ./init-scripts:/docker-entrypoint-initdb.d:ro environment: POSTGRES_DB: myapp ``` -------------------------------- ### GitHub Actions CI with Devbox Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/devops/developer-experience/devcontainers-nix/SKILL.md Integrate Devbox into your GitHub Actions CI/CD pipeline to ensure consistent build and test environments. This example shows how to check out code, install Devbox, and run tests. ```yaml # .github/workflows/ci.yml name: CI on: [push, pull_request] jobs: test: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: jetify-com/devbox-install-action@v0.11.0 with: enable-cache: true - run: devbox run test - run: devbox run lint ``` -------------------------------- ### Enable SnapStart for Java Lambda Functions Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/cloud-aws/aws-lambda/SKILL.md Activate SnapStart for Java functions to significantly reduce cold start times. This requires publishing a new version after enabling the configuration. ```bash aws lambda update-function-configuration \ --function-name my-java-handler \ --snap-start '{"ApplyOn": "PublishedVersions"}' ``` ```bash aws lambda publish-version --function-name my-java-handler ``` -------------------------------- ### Initial Okta Configuration via API Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/it/identity-access-management/SKILL.md Sets Okta domain and API token environment variables and verifies connectivity to the Okta API. Requires `jq` for JSON parsing. ```bash # Set your Okta domain and API token export OKTA_ORG_URL="https://company.okta.com" export OKTA_API_TOKEN="your-api-token" # Verify connectivity curl -s -H "Authorization: SSWS ${OKTA_API_TOKEN}" \ "${OKTA_ORG_URL}/api/v1/org" | jq '.companyName' ``` -------------------------------- ### Install Semgrep Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/security/scanning/sast-scanning/SKILL.md Install Semgrep using pip or Homebrew. Ensure you have Python or Homebrew installed. ```bash # Install via pip pip install semgrep # Or via Homebrew brew install semgrep ``` -------------------------------- ### Install Backstage Kubernetes Plugin Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/devops/platforms/platform-engineering/SKILL.md Install the Backstage Kubernetes plugin and its backend component using yarn. ```bash # Install Kubernetes plugin yarn --cwd packages/app add @backstage/plugin-kubernetes yarn --cwd packages/backend add @backstage/plugin-kubernetes-backend ``` -------------------------------- ### List Installed Packages (Debian/Ubuntu) Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/servers/linux-administration/SKILL.md Lists all installed packages, filtering by a keyword. Useful for verifying installations. ```bash dpkg -l | grep nginx ``` -------------------------------- ### Install Terraform and Azure CLI Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/cloud-azure/terraform-azure/SKILL.md Installs Terraform and the Azure CLI, then logs into Azure and sets the subscription. Ensure you have the necessary permissions and replace 'my-subscription-id' with your actual subscription ID. ```bash # Install Terraform wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list sudo apt update && sudo apt install terraform # Verify installation terraform version # Install Azure CLI and login curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash az login az account set --subscription "my-subscription-id" # Create storage account for remote state az group create --name tfstate-rg --location eastus az storage account create \ --name tfstate$(openssl rand -hex 4) \ --resource-group tfstate-rg \ --sku Standard_LRS \ --encryption-services blob az storage container create \ --name tfstate \ --account-name tfstateXXXXXXXX ``` -------------------------------- ### Install Trivy using Homebrew, APT, or Docker Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/security/scanning/vulnerability-scanning/references/scanner-comparison.md Choose the appropriate command to install Trivy based on your operating system or environment. Docker installation allows running Trivy without a system-wide installation. ```bash # Homebrew brew install trivy ``` ```bash # APT apt-get install trivy ``` ```bash # Docker docker run aquasec/trivy image nginx:latest ``` -------------------------------- ### Create User with Home Directory Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/servers/user-management/SKILL.md Use `useradd -m` to create a new user and automatically create their home directory. ```bash useradd -m ``` -------------------------------- ### Install and Authenticate Firebase CLI Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/platforms/firebase-app-platform/SKILL.md Installs the Firebase CLI and logs in to your Google account. Ensure Node.js 18+ is installed. ```bash npm install -g firebase-tools firebase login ``` -------------------------------- ### Revoke GitHub App Installation Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/infrastructure/it/saas-security-posture/SKILL.md Use the GitHub API to delete a specific app installation. Requires the installation ID. ```bash gh api -X DELETE /orgs/{ORG}/installations/{INSTALLATION_ID} # GitHub app ``` -------------------------------- ### Kustomize Build and Apply Commands Source: https://github.com/bagelhole/devops-security-agent-skills/blob/main/devops/orchestration/kustomize/SKILL.md Common kubectl and kustomize commands for building, applying, and diffing Kubernetes configurations. ```bash # Build and view output kubectl kustomize overlays/production # Apply to cluster kubectl apply -k overlays/production # Delete resources kubectl delete -k overlays/production # View diff kubectl diff -k overlays/production # Build with standalone kustomize kustomize build overlays/production # Build and apply kustomize build overlays/production | kubectl apply -f - ```