├── templates ├── clock.j2 ├── i18n.j2 ├── extra-sudoers.j2 └── sudoers.j2 ├── handlers └── main.yml ├── vars ├── RedHat.yml └── main.yml ├── CHANGELOG.md ├── defaults └── main.yml ├── tasks ├── main.yml └── RedHat.yml ├── README.md ├── LICENSE └── meta └── main.yml /templates/clock.j2: -------------------------------------------------------------------------------- 1 | ZONE="{{ amzn_base_timezone }}" 2 | UTC=true -------------------------------------------------------------------------------- /templates/i18n.j2: -------------------------------------------------------------------------------- 1 | LANG={{ amzn_base_lang }} 2 | LC_ALL={{ amzn_base_lc_all }} -------------------------------------------------------------------------------- /templates/extra-sudoers.j2: -------------------------------------------------------------------------------- 1 | {{ amzn_base_admin_username }} ALL=(ALL) NOPASSWD:ALL -------------------------------------------------------------------------------- /handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | #- name: restart fail2ban 3 | # service: name=fail2ban state=restarted -------------------------------------------------------------------------------- /vars/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | amzn_base_ntp_service_name: ntpd 3 | amzn_base_motd_location: /etc/motd -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | Changelog 2 | ========= 3 | 4 | # NOTE: python boto package not needed yet 5 | # FIXME: Push SSH KEYS using awscli OR get them from a vault (dunno yet...) 
6 | # FIXME: Test frodo authorized_keys and sudoers 7 | # FIXME: reboot after upgrade needs -------------------------------------------------------------------------------- /vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # AWS credentials used to query the Amazon API, read from the environment (never hard-coded here) 3 | aws_access_key: "{{ lookup('env', 'AWS_ACCESS_KEY_ID') }}" 4 | aws_secret_key: "{{ lookup('env', 'AWS_SECRET_ACCESS_KEY') }}" 5 | aws_region: "{{ lookup('env', 'AWS_REGION') }}" 6 | 7 | # Timezone/localtime; the AMI default is UTC 8 | amzn_base_timezone: Portugal 9 | 10 | # Management user; the default AMI user is ec2-user 11 | amzn_base_admin_username: frodo 12 | 13 | # Could be fetched from the Amazon API 14 | amzn_base_admin_key: ServicesMasterKey.pem -------------------------------------------------------------------------------- /defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | amzn_base_os_family: RedHat 3 | amzn_base_product_version: 4.2.amazon 4 | 5 | # Amazon AMI version used 6 | amzn_base_lsb_id: AmazonAMI 7 | amzn_base_lsb_major_release: 2014 8 | amzn_base_lsb_relase: 2014.03 9 | 10 | amzn_base_lang: en_US.UTF-8 11 | amzn_base_lc_all: en_US.UTF-8 12 | amzn_base_lc_type: UTF-8 13 | 14 | # Packages available on the default yum repo 15 | amzn_base_admin_packages: 16 | - redhat-lsb-core 17 | - epel-release 18 | - traceroute 19 | - sysstat 20 | - dstat 21 | - iotop 22 | - lsof 23 | - mtr 24 | - ntp 25 | - tmux 26 | - screen 27 | 28 | # EPEL repo installed through the epel-release package 29 | amzn_base_epel_packages: 30 | - htop 31 | 32 | # Other packages 33 | amzn_base_custom_packages: 34 | - vim 35 | - zip 36 | - curl 37 | - telnet 38 | - git 39 | - python-simplejson -------------------------------------------------------------------------------- /tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: including OS specific variables 3 | include_vars: '{{ 
ansible_os_family }}.yml' 4 | 5 | - include: RedHat.yml 6 | when: ansible_os_family == "RedHat" 7 | 8 | - name: check for unsupported target operating system 9 | fail: 10 | msg: "The operating system of the target machine ({{ inventory_hostname }}) is not currently supported." 11 | when: amzn_base_supported_os is not defined 12 | 13 | - name: setup the management user 14 | user: name={{ amzn_base_admin_username }} comment="Management user" 15 | shell=/bin/bash 16 | groups=ec2-user,wheel 17 | append=yes 18 | 19 | #- name: setup ssh keys for management user 20 | # authorized_key: user={{ amzn_base_admin_username }} 21 | # key="{{ item }}" 22 | # with_file: 23 | # - public_keys/{{ amzn_base_admin_key }} 24 | 25 | - name: setup sudo for management user 26 | template: src=extra-sudoers.j2 27 | dest=/etc/sudoers.d/extra-sudoers 28 | owner=root 29 | group=root 30 | mode=0440 31 | validate='visudo -cf %s' 32 | 33 | - name: ensure ntp is running 34 | service: name={{ amzn_base_ntp_service_name }} state=started -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Amazon Linux AMI Base 2 | ===================== 3 | 4 | This role intends to provide some enhancements to Amazon Linux AMI base environment. 5 | 6 | Requirements 7 | ------------ 8 | 9 | Boto Python module required 10 | 11 | $ sudo pip install boto 12 | 13 | Role Variables 14 | -------------- 15 | 16 | Change variables under `defaults/main.yml`. All variables used in this role are mentioned here. 
17 | 18 | Example Playbook 19 | ---------------- 20 | 21 | - hosts: your_amazon_servers 22 | roles: 23 | - { role: include.amzn-base } 24 | 25 | Applying the playbook 26 | --------------------- 27 | 28 | If using a local inventory: 29 | 30 | export ANSIBLE_HOSTS=ansible_hosts 31 | 32 | $ ansible-playbook \ 33 | -e aws_access_key=${AWS_ACCESS_KEY_ID} \ 34 | -e aws_secret_key=${AWS_SECRET_ACCESS_KEY} \ 35 | -e aws_region=${AWS_REGION} \ 36 | playbook.yml 37 | 38 | or, preferably, if you have AWS credentials defined in your environment (values passed with `-e` are visible in the process list while the playbook runs): 39 | 40 | $ export AWS_ACCESS_KEY_ID=foo 41 | $ export AWS_SECRET_ACCESS_KEY=bar 42 | $ export AWS_REGION=baz 43 | 44 | just run it like: 45 | 46 | $ ansible-playbook playbook.yml 47 | 48 | License 49 | ------- 50 | 51 | BSD 52 | 53 | Author Information 54 | ------------------ 55 | 56 | Francisco Cabrita -------------------------------------------------------------------------------- /tasks/RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: AmazonAMI | supported OS 3 | set_fact: 4 | amzn_base_supported_os: True 5 | 6 | - name: setup locale 7 | command: /usr/bin/localedef -i en_US -f {{ amzn_base_lc_type }} {{ amzn_base_lc_all }} 8 | 9 | - name: setup locale for all users 10 | template: src=i18n.j2 11 | dest=/etc/sysconfig/i18n 12 | 13 | - name: remove old timezone/localtime file 14 | file: path=/etc/localtime state=absent 15 | 16 | - name: setup timezone/localtime file link 17 | file: src=/usr/share/zoneinfo/{{ amzn_base_timezone }} 18 | dest=/etc/localtime 19 | state=link 20 | 21 | - name: setup clock 22 | template: src=clock.j2 23 | dest=/etc/sysconfig/clock 24 | 25 | - name: upgrade all base packages 26 | yum: name=* state=latest 27 | 28 | - name: install necessary admin and custom packages 29 | yum: pkg={{ item }} state=latest 30 | with_items: amzn_base_admin_packages| union(amzn_base_custom_packages) | list 31 | 32 | - name: install aditional epel packages 33 | yum: pkg={{ item }} 
enablerepo=epel state=latest 34 | with_items: amzn_base_epel_packages 35 | 36 | - name: Check what the new version is 37 | shell: lsb_release -r | awk '{print $2}' 38 | register: release_version 39 | 40 | #- name: Reboot 41 | # command: /sbin/reboot -t now 42 | # when: ansible_distribution_version != new_release.stdout 43 | # when: {{ amzn_base_lsb_release }} != new_release.stdout -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2014, Francisco Cabrita 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without 5 | modification, are permitted provided that the following conditions are met: 6 | 7 | * Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | * Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation 12 | and/or other materials provided with the distribution. 13 | 14 | * Neither the name of the {organization} nor the names of its 15 | contributors may be used to endorse or promote products derived from 16 | this software without specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 24 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 25 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 26 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 27 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | 29 | -------------------------------------------------------------------------------- /meta/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | galaxy_info: 3 | author: Francisco Cabrita 4 | description: This role intends to provide common enhancements to Amazon Linux AMI base environment. 5 | # company: your company (optional) 6 | # Some suggested licenses: 7 | # - BSD (default) 8 | # - MIT 9 | # - GPLv2 10 | # - GPLv3 11 | # - Apache 12 | # - CC-BY 13 | license: BSD 14 | min_ansible_version: 1.2 15 | # 16 | # Below are all platforms currently available. Just uncomment 17 | # the ones that apply to your role. If you don't see your 18 | # platform on this list, let us know and we'll get it added! 
19 | # 20 | platforms: 21 | #- name: EL 22 | # versions: 23 | # - all 24 | # - 5 25 | # - 6 26 | # - 7 27 | #- name: GenericUNIX 28 | # versions: 29 | # - all 30 | # - any 31 | #- name: Fedora 32 | # versions: 33 | # - all 34 | # - 16 35 | # - 17 36 | # - 18 37 | # - 19 38 | # - 20 39 | #- name: opensuse 40 | # versions: 41 | # - all 42 | # - 12.1 43 | # - 12.2 44 | # - 12.3 45 | # - 13.1 46 | # - 13.2 47 | - name: Amazon 48 | versions: 49 | # - all 50 | # - 2013.03 51 | # - 2013.09 52 | - 2014.03 53 | #- name: GenericBSD 54 | # versions: 55 | # - all 56 | # - any 57 | #- name: FreeBSD 58 | # versions: 59 | # - all 60 | # - 8.0 61 | # - 8.1 62 | # - 8.2 63 | # - 8.3 64 | # - 8.4 65 | # - 9.0 66 | # - 9.1 67 | # - 9.1 68 | # - 9.2 69 | #- name: Ubuntu 70 | # versions: 71 | # - all 72 | # - lucid 73 | # - maverick 74 | # - natty 75 | # - oneiric 76 | # - precise 77 | # - quantal 78 | # - raring 79 | # - saucy 80 | # - trusty 81 | #- name: SLES 82 | # versions: 83 | # - all 84 | # - 10SP3 85 | # - 10SP4 86 | # - 11 87 | # - 11SP1 88 | # - 11SP2 89 | # - 11SP3 90 | #- name: GenericLinux 91 | # versions: 92 | # - all 93 | # - any 94 | #- name: Debian 95 | # versions: 96 | # - all 97 | # - etch 98 | # - lenny 99 | # - squeeze 100 | # - wheezy 101 | # 102 | # Below are all categories currently available. Just as with 103 | # the platforms above, uncomment those that apply to your role. 104 | # 105 | categories: 106 | - cloud 107 | - cloud:ec2 108 | #- cloud:gce 109 | #- cloud:rax 110 | #- clustering 111 | #- database 112 | #- database:nosql 113 | #- database:sql 114 | #- development 115 | #- monitoring 116 | #- networking 117 | #- packaging 118 | - system 119 | #- web 120 | dependencies: [] 121 | # List your role dependencies here, one per line. Only 122 | # dependencies available via galaxy should be listed here. 123 | # Be sure to remove the '[]' above if you add dependencies 124 | # to this list. 
125 | 126 | -------------------------------------------------------------------------------- /templates/sudoers.j2: -------------------------------------------------------------------------------- 1 | ## Sudoers allows particular users to run various commands as 2 | ## the root user, without needing the root password. 3 | ## 4 | ## Examples are provided at the bottom of the file for collections 5 | ## of related commands, which can then be delegated out to particular 6 | ## users or groups. 7 | ## 8 | ## This file must be edited with the 'visudo' command. 9 | 10 | ## Host Aliases 11 | ## Groups of machines. You may prefer to use hostnames (perhaps using 12 | ## wildcards for entire domains) or IP addresses instead. 13 | # Host_Alias FILESERVERS = fs1, fs2 14 | # Host_Alias MAILSERVERS = smtp, smtp2 15 | 16 | ## User Aliases 17 | ## These aren't often necessary, as you can use regular groups 18 | ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 19 | ## rather than USERALIAS 20 | # User_Alias ADMINS = jsmith, mikem 21 | 22 | 23 | ## Command Aliases 24 | ## These are groups of related commands... 
25 | 26 | ## Networking 27 | # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool 28 | 29 | ## Installation and management of software 30 | # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum 31 | 32 | ## Services 33 | # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig 34 | 35 | ## Updating the locate database 36 | # Cmnd_Alias LOCATE = /usr/bin/updatedb 37 | 38 | ## Storage 39 | # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount 40 | 41 | ## Delegating permissions 42 | # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 43 | 44 | ## Processes 45 | # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall 46 | 47 | ## Drivers 48 | # Cmnd_Alias DRIVERS = /sbin/modprobe 49 | 50 | # Defaults specification 51 | 52 | # 53 | # Disable "ssh hostname sudo ", because it will show the password in clear. 54 | # You have to run "ssh -t hostname sudo ". 55 | # 56 | Defaults requiretty 57 | 58 | # 59 | # Refuse to run if unable to disable echo on the tty. This setting should also be 60 | # changed in order to be able to use sudo without a tty. See requiretty above. 61 | # 62 | Defaults !visiblepw 63 | 64 | # 65 | # Preserving HOME has security implications since many programs 66 | # use it when searching for configuration files. Note that HOME 67 | # is already set when the the env_reset option is enabled, so 68 | # this option is only effective for configurations where either 69 | # env_reset is disabled or HOME is present in the env_keep list. 
70 | # 71 | Defaults always_set_home 72 | 73 | Defaults env_reset 74 | Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS" 75 | Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" 76 | Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" 77 | Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" 78 | Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" 79 | 80 | # 81 | # Adding HOME to env_keep may enable a user to run unrestricted 82 | # commands via sudo. 83 | # 84 | # Defaults env_keep += "HOME" 85 | 86 | Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin 87 | 88 | ## Next comes the main part: which users can run what software on 89 | ## which machines (the sudoers file can be shared between multiple 90 | ## systems). 91 | ## Syntax: 92 | ## 93 | ## user MACHINE=COMMANDS 94 | ## 95 | ## The COMMANDS section may have other options added to it. 96 | ## 97 | ## Allow root to run any commands anywhere 98 | root ALL=(ALL) ALL 99 | 100 | ## Allows members of the 'sys' group to run networking, software, 101 | ## service management apps and more. 102 | # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS 103 | 104 | ## Allows people in group wheel to run all commands 105 | # %wheel ALL=(ALL) ALL 106 | 107 | ## Same thing without a password 108 | # %wheel ALL=(ALL) NOPASSWD: ALL 109 | 110 | ## Allows members of the users group to mount and unmount the 111 | ## cdrom as root 112 | # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom 113 | 114 | ## Allows members of the users group to shutdown this system 115 | # %users localhost=/sbin/shutdown -h now 116 | 117 | ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) 118 | #includedir /etc/sudoers.d --------------------------------------------------------------------------------