migrate to ansible

.ansible-lint

@@ -0,0 +1,4 @@
+exclude_paths:
+  - .github/
+skip_list:
+  - risky-file-permissions

.github/workflows/test.yaml

@@ -1,29 +1,26 @@
-name: packer
+name: Validate
 
 on:
   - push
 
 jobs:
-  packer:
+  validate:
     runs-on: ubuntu-latest
-    name: Run Packer and cookstyle
+    name: Validate provisioning
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      - name: Setup `packer`
+      - name: Setup packer
         uses: hashicorp/setup-packer@main
         with:
           version: "latest"
 
-      - name: Run `packer init`
+      - name: Init packer 
         run: "packer init packer.pkr.hcl"
 
-      - name: Run `packer validate`
+      - name: Validate packer configuration
         run: "packer validate packer.pkr.hcl"
 
-      - name: Install CINC workstation
-        run: curl -L https://omnitruck.cinc.sh/install.sh | sudo bash -s -- -P cinc-workstation -v 22
-
-      - name: Run Cookstyle
-        run: cookstyle
+      - name: Validate ansible playbooks
+        uses: ansible/ansible-lint-action@main

base.yaml

@@ -0,0 +1,9 @@
+---
+- name: Base server AMI
+  hosts: 127.0.0.1
+  connection: local
+  become: true
+  roles:
+    - common
+    - unattended_upgrades
+    - useraccounts

cookbooks/unattended_upgrades/LICENSE

@@ -0,0 +1,16 @@
+MIT License
+
+Copyright (c) 2018 codemonauts
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit
+persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
+Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

cookbooks/unattended_upgrades/README.md

@@ -0,0 +1,3 @@
+# unattended-upgrades
+
+This cookbook installs and configures unattended-upgrades to install security updates.

cookbooks/unattended_upgrades/files/10periodic

@@ -0,0 +1,2 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";

cookbooks/unattended_upgrades/files/50unattended-upgrades

@@ -0,0 +1,61 @@
+// Automatically upgrade packages from these (origin:archive) pairs
+Unattended-Upgrade::Allowed-Origins {
+        "${distro_id}:${distro_codename}";
+        "${distro_id}:${distro_codename}-security";
+//      "${distro_id}ESM:${distro_codename}";
+//      "${distro_id}:${distro_codename}-updates";
+//      "${distro_id}:${distro_codename}-proposed";
+//      "${distro_id}:${distro_codename}-backports";
+};
+
+// List of packages to not update (regexp are supported)
+Unattended-Upgrade::Package-Blacklist {
+//      "vim";
+//      "libc6";
+//      "libc6-dev";
+//      "libc6-i686";
+};
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run
+//   dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGUSR1. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+//Unattended-Upgrade::MinimalSteps "true";
+
+// Install all unattended-upgrades when the machine is shuting down
+// instead of doing it in the background while the machine is running
+// This will (obviously) make shutdown slower
+//Unattended-Upgrade::InstallOnShutdown "true";
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "[email protected]"
+//Unattended-Upgrade::Mail "root";
+
+// Set this value to "true" to get emails only on errors. Default
+// is to always send a mail if Unattended-Upgrade::Mail is set
+//Unattended-Upgrade::MailOnlyOnError "true";
+
+// Do automatic removal of new unused dependencies after the upgrade
+// (equivalent to apt-get autoremove)
+//Unattended-Upgrade::Remove-Unused-Dependencies "false";
+
+// Automatically reboot *WITHOUT CONFIRMATION*
+//  if the file /var/run/reboot-required is found after the upgrade
+Unattended-Upgrade::Automatic-Reboot "false";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+//  Default: "now"
+//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+//Acquire::http::Dl-Limit "70";

cookbooks/unattended_upgrades/files/apt-daily-upgrade.timer

@@ -0,0 +1,14 @@
+# /etc/systemd/system/apt-daily-upgrade.timer
+# Copy of/lib/systemd/system/apt-daily-upgrade.timer
+# Disables the persistent flag
+[Unit]
+Description=Daily apt upgrade and clean activities
+After=apt-daily.timer
+
+[Timer]
+OnCalendar=*-*-* 6:00
+RandomizedDelaySec=60m
+Persistent=false
+
+[Install]
+WantedBy=timers.target

cookbooks/unattended_upgrades/metadata.rb

@@ -0,0 +1,11 @@
+name 'unattended-upgrades'
+description 'Install and configure unattended-upgrades to instsall security-updates'
+maintainer 'Codemonauts Ops'
+maintainer_email '[email protected]'
+source_url 'https://github.com/codemonauts/ami-baseimage/'
+issues_url 'https://github.com/codemonauts/aws-baseimage/issues'
+chef_version '>= 12.4'
+supports 'debian'
+supports 'ubuntu'
+license 'Apache-2.0'
+version '1.0.0'

cookbooks/unattended_upgrades/recipes/default.rb

@@ -0,0 +1,25 @@
+package 'unattended-upgrades'
+
+cookbook_file '/etc/apt/apt.conf.d/50unattended-upgrades' do
+  source '50unattended-upgrades'
+  owner 'root'
+  group 'root'
+  mode '0644'
+  action :create
+end
+
+cookbook_file '/etc/apt/apt.conf.d/10periodic' do
+  source '10periodic'
+  owner 'root'
+  group 'root'
+  mode '0644'
+  action :create
+end
+
+cookbook_file '/etc/systemd/system/apt-daily-upgrade.timer' do
+  source 'apt-daily-upgrade.timer'
+  owner 'root'
+  group 'root'
+  mode '0644'
+  action :create
+end

packer.pkr.hcl

@@ -109,19 +109,21 @@ build {
     ]
   }
 
-  provisioner "shell-local" {
-    command = "mkdir -p .vendor && berks vendor .vendor"
+  provisioner "shell" {
+    inline = [
+      "sudo apt-get -y install python3-pip",
+      "sudo pip3 install ansible"
+    ]
   }
 
-  provisioner "chef-solo" {
-    chef_license   = "accept"
-    cookbook_paths = [".vendor"]
-    run_list       = ["common", "unattended-upgrades", "useraccounts", "aws_codedeploy", "aws_ssm"]
+  provisioner "ansible-local" {
+    playbook_dir  = "./"
+    playbook_file = "base.yaml"
   }
 
   post-processor "amazon-ami-management" {
     identifier    = "amd64_base_jammy"
-    keep_releases = "1"
+    keep_releases = "10"
     regions       = ["eu-central-1", "eu-west-1"]
   }
 }
@@ -213,7 +215,7 @@ build {
 # arm-base-jammy
 source "amazon-ebs" "arm64-base-jammy" {
   ami_groups    = ["all"]
-  ami_name      = "codemonauts-arm-base-jammy_${formatdate("YYYY-MM-DD-HHmm", timestamp())}"
+  ami_name      = "codemonauts-arm-base-jammy_${formatdate("YYYY-MM-DD-HH-mm", timestamp())}"
   ami_regions   = ["eu-west-1"]
   instance_type = "t4g.micro"
   region        = "eu-central-1"
@@ -234,19 +236,21 @@ build {
       "sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" dist-upgrade"]
   }
 
-  provisioner "shell-local" {
-    command = "mkdir -p .vendor && berks vendor .vendor"
+  provisioner "shell" {
+    inline = [
+      "sudo apt-get -y install python3-pip",
+      "sudo pip3 install ansible"
+    ]
   }
 
-  provisioner "chef-solo" {
-    chef_license   = "accept"
-    cookbook_paths = [".vendor"]
-    run_list       = ["common", "unattended-upgrades", "useraccounts", "aws_codedeploy", "aws_ssm"]
+  provisioner "ansible-local" {
+    playbook_dir  = "./"
+    playbook_file = "base.yaml"
   }
 
   post-processor "amazon-ami-management" {
     identifier    = "arm64_base_jammy"
-    keep_releases = "1"
+    keep_releases = "10"
     regions       = ["eu-central-1", "eu-west-1"]
   }
 }

roles/common/files/locale.gen

@@ -0,0 +1,2 @@
+de_DE.UTF-8 UTF-8
+en_US.UTF-8 UTF-8

roles/common/tasks/main.yaml

@@ -0,0 +1,66 @@
+---
+
+# Install and remove common packages needed for support
+
+- name: Update apt cache
+  ansible.builtin.apt:
+    update_cache: true
+
+- name: Remove unused packages
+  ansible.builtin.apt:
+    name:
+      - man-db
+      - manpages
+      - manpages-dev
+      - ntfs-3g
+      - bolt
+      - snapd
+    state: absent
+    autoremove: true
+
+- name: Install packages needed
+  ansible.builtin.apt:
+    name:
+      - vim-tiny
+      - apt-transport-https
+      - bash-completion
+      - curl
+      - htop
+      - less
+      - ncdu
+      - tmux
+      - psmisc
+      - cron
+      - logrotate
+      - locales
+
+# locales
+
+- name: Copy locales config
+  ansible.builtin.copy:
+    src: locale.gen
+    dest: /etc/locale.gen
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Generate locales for en_US and de_DE 
+  ansible.builtin.shell: locale-gen
+
+# Install AWS CLI
+
+- name: Install pip
+  ansible.builtin.apt:
+    name: python3-pip
+
+- name: Install AWS CLI
+  ansible.builtin.pip:
+    name: awscli
+
+- name: Create a symbolic link for vim
+  ansible.builtin.file:
+    src: /usr/bin/vim.tiny
+    dest: /usr/bin/vim
+    owner: root
+    group: root
+    state: link

roles/unattended_upgrades/files/10periodic

@@ -0,0 +1,2 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";

roles/unattended_upgrades/files/50unattended-upgrades

@@ -0,0 +1,61 @@
+// Automatically upgrade packages from these (origin:archive) pairs
+Unattended-Upgrade::Allowed-Origins {
+        "${distro_id}:${distro_codename}";
+        "${distro_id}:${distro_codename}-security";
+//      "${distro_id}ESM:${distro_codename}";
+//      "${distro_id}:${distro_codename}-updates";
+//      "${distro_id}:${distro_codename}-proposed";
+//      "${distro_id}:${distro_codename}-backports";
+};
+
+// List of packages to not update (regexp are supported)
+Unattended-Upgrade::Package-Blacklist {
+//      "vim";
+//      "libc6";
+//      "libc6-dev";
+//      "libc6-i686";
+};
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run
+//   dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGUSR1. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+//Unattended-Upgrade::MinimalSteps "true";
+
+// Install all unattended-upgrades when the machine is shuting down
+// instead of doing it in the background while the machine is running
+// This will (obviously) make shutdown slower
+//Unattended-Upgrade::InstallOnShutdown "true";
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "[email protected]"
+//Unattended-Upgrade::Mail "root";
+
+// Set this value to "true" to get emails only on errors. Default
+// is to always send a mail if Unattended-Upgrade::Mail is set
+//Unattended-Upgrade::MailOnlyOnError "true";
+
+// Do automatic removal of new unused dependencies after the upgrade
+// (equivalent to apt-get autoremove)
+//Unattended-Upgrade::Remove-Unused-Dependencies "false";
+
+// Automatically reboot *WITHOUT CONFIRMATION*
+//  if the file /var/run/reboot-required is found after the upgrade
+Unattended-Upgrade::Automatic-Reboot "false";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+//  Default: "now"
+//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+//Acquire::http::Dl-Limit "70";