
#cloud-config
# vim: syntax=yaml
# First-boot configuration for libnd EC2 instances: patch the image, join
# campus Kerberos/LDAP through SSSD, restrict interactive logins to a short
# allowlist, seed an automation account, harden a few kernel/ssh defaults,
# then reboot. The write_files payloads (krb5.conf, sssd.conf, pam allowlist,
# sudoers fragment, skeleton dotfiles) are the authoritative copies.

repo_upgrade: all
package_upgrade: true
package_update: true
timezone: US/Eastern
manage_etc_hosts: template
# IMDS must stay reachable: the runcmd below reads the launch key from it.
disable_ec2_metadata: false
disable_root: true
packages:
- awslogs
- amazon-ssm-agent
- krb5-workstation
- sssd-krb5
- sssd-ldap
- net-tools
- tmux
- mosh
# we have kerberos: sshd accepts passwords, which PAM checks against the KDC;
# the pam_listfile rule appended below is what limits who may log in at all.
ssh_pwauth: true
runcmd:
# clean up the system: drop the console getty jobs and two unused services
- rm -f /etc/init/tty.conf /etc/init/serial.conf
- chkconfig sendmail off
- chkconfig rpcbind off
# configure kerberos: put pam_krb5 into the auth stack, start SSSD at boot
- authconfig --enablekrb5 --update
- chkconfig sssd on
# create the home directory on first login from /etc/skel; umask=0022 leaves
# the new directory group/world-readable
- echo 'session required pam_mkhomedir.so skel=/etc/skel umask=0022' | tee -a /etc/pam.d/system-auth /etc/pam.d/sshd
# login allowlist: only users named in /etc/loginusers may authenticate.
# NOTE(review): this is appended to the END of the auth stack; a `sufficient`
# module that already succeeded higher up ends the stack before this line is
# consulted — confirm the rule is actually reached in the rendered files.
- echo 'auth required pam_listfile.so onerr=fail item=user sense=allow file=/etc/loginusers' | tee -a /etc/pam.d/system-auth /etc/pam.d/sshd 
# we don't have a keytab: no_validate tells pam_krb5 to skip checking the
# ticket against a host principal, so the KDC's reply is taken on trust.
- sed -i '/pam_krb5\.so/s/$/ no_validate/' /etc/pam.d/*
# remove weak ssh moduli (keep only DH group-exchange moduli of >= 2048 bits)
- awk 'int($1)&&($5>=2048)' /etc/ssh/moduli > /tmp/moduli && mv -f /tmp/moduli /etc/ssh/moduli && chmod 0644 /etc/ssh/moduli
# add Amazon's ssh key back in: the key pair attached at launch, read from
# IMDS, becomes the ansible account's login key (~ansible is /etc/ansible,
# see users below).
# NOTE(review): assumes a key pair was attached at launch — confirm what
# `tail -1` appends when none was.
- /opt/aws/bin/ec2-metadata -u | tail -1 >> ~ansible/.ssh/authorized_keys && chmod 0600 ~ansible/.ssh/authorized_keys
# kernel* is blacklisted from package_upgrade/package_update? (TODO confirm;
# the explicit upgrade makes sure everything is current before the reboot)
- yum upgrade -y
# unconditional reboot once cloud-init finishes, so the new kernel and the
# modprobe/pam changes above take effect
power_state:
  delay: now
  mode: reboot
  message: "Instance ${INSTANCE_ID} first reboot after ${UPTIME} seconds of init."
  condition: True
users:
# automation account: no local password, key-only (key appended in runcmd),
# passwordless sudo
- name: ansible
  lock_passwd: true
  gcos: Library Ansible User
  sudo: [ "ALL=(ALL) NOPASSWD:ALL" ]
  shell: /bin/bash
  homedir: /etc/ansible
# host keys: generate only rsa and ed25519 (no dsa/ecdsa)
ssh_genkeytypes: [ 'rsa', 'ed25519' ]
write_files:
# networking security: stop rarely used protocol modules from autoloading
- path: /etc/modprobe.d/disable-dccp.conf
  permissions: '0644'
  content: install dccp /bin/true
# second line also turns the protocol off should the module get loaded anyway
- path: /etc/modprobe.d/disable-ipv6.conf
  permissions: '0644'
  content: |
    install ipv6 /bin/true
    options ipv6 disable=1
- path: /etc/modprobe.d/disable-rds.conf
  permissions: '0644'
  content: |
    blacklist rds
    install rds /bin/true
- path: /etc/modprobe.d/disable-sctp.conf
  permissions: '0644'
  content: install sctp /bin/true
- path: /etc/modprobe.d/disable-tipc.conf
  permissions: '0644'
  content: install tipc /bin/true
# "disable-usb" only blocks the usb-storage driver, not USB as a whole
- path: /etc/modprobe.d/disable-usb.conf
  permissions: '0644'
  content: install usb-storage /bin/true
# AWS convenience
- path: /etc/skel/.aws/config
  permissions: '0644'
  content: |
    [default]
    region = us-east-1
    output = json
# ESU convenience
# NOTE(review): /etc/skel is copied into every home directory pam_mkhomedir
# creates, so each new user starts with these admin keys (and the CA line)
# in their authorized_keys — the listed keys can log in as any such user.
# The ssh-dss entry is a DSA key, which OpenSSH stopped accepting by default
# in 7.0; worth retiring.
- path: /etc/skel/.ssh/authorized_keys
  permissions: '0400'
  content: |
    ssh-dss 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 thanstra@puckpc.library.nd.edu
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwlTLW9XBLz2R/HVJtIQKt7ag4Kj4/uHb8bWnMiL1XepI3YMghX0vdHTivUYpoP3tVosskLernQ3bQFYJTm6Z6YXZq8ZSx+eLw9AUYjRR4hkUnlBBFWEfzYycobUBhE03mlnYw9L+8d1tYLW3FZDueWEJp7zeUeMwq33ozGYkMgqr5qgfRn42gPzCoFSz3QXaRokWXHhQmz1pywaI3zWCIOUzVyBOsNKls5Moaeuec3plGKHpzJByKsRtsCYBEU/p/PlvajXD2zO4T0co78w+t3LCcESyxmxU9mCv4QfssTh5vSOBPzpvq/nZR5k13TLF/P4Zy1h9xn8OJnd/l7fbOw== ansible@john.library.nd.edu
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr9JuSLq3unNt7gCSKgVPFUSGRuKS/jOAbIYMSwzjH9VTrMhpwzK0iBXTys9Qj05Xe3DK3qSqfzS3wFSbNWqZrOviV3Pr4xBp/zvOMSgrmWyzacY6uFxLQcogLtgnrmn7cZ6uyxhAXI9nbp66VnPp1w+XlLsgg9UtHult23NSP59JCZMrRNMWn74umSqgDaLVLxQKWCbP22JNh4hby8quXRJtmLntmKyXlZE/iM6kUCIKl35EBOqeyjILe2v6jtkYbWVq12Y85KftjajI9DmaCx+iUogSB5jwCYAacC2z2XdbE3LCgq2JYI8EbdhinzynJhYDpNTLG0LxTAH1mCw5Ow== hanstra@puptest1.library.nd.edu
    cert-authority ssh-rsa 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 ssummer3@LIB-2082-1452634765
# kerberos setup
# NOTE(review): allow_weak_crypto = true re-enables single-DES enctypes;
# confirm the campus KDC still needs it before keeping it.
- path: /etc/krb5.conf
  permissions: '0444'
  content: |
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    [libdefaults]
    default_realm = ND.EDU
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    allow_weak_crypto = true
    [realms]
    ND.EDU = {
      kdc = addc53-prod.nd.edu:88
      kdc = addc54-prod.nd.edu:88
      admin_server = kerberos.nd.edu:749
      default_domain = nd.edu
    }
    [domain_realm]
    .nd.edu = ND.EDU
    nd.edu = ND.EDU
    [appdefaults]
    pam = {
      debug = false
      forwardable = true
      ticket_lifetime = 2592000
      renew_lifetime = 2592000
      minimum_uid = 1000
    }
# SSSD: identities from LDAP over ldaps with certificate verification
# (tls_reqcert = demand against the system CA bundle); Kerberos for
# authentication and password changes. Root-only file, as SSSD requires.
- path: /etc/sssd/sssd.conf
  permissions: '0400'
  content: |
    [sssd]
    config_file_version = 2
    services = nss, pam
    domains = ND.EDU
    [nss]
    override_shell = /bin/bash
    override_homedir = /home/%u
    [pam]
    [domain/ND.EDU]
    id_provider = ldap
    auth_provider = krb5
    chpass_provider = krb5
    ldap_uri = ldaps://ldap.nd.edu:636
    ldap_search_base = o=University of Notre Dame,st=Indiana,c=US
    enumerate = false
    tls_reqcert = demand
    ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
    krb5_realm = ND.EDU
    krb5_server = kerberos.nd.edu:749
    krb5_changepw_principal = kadmin/changepw
    krb5_ccachedir = /tmp
    krb5_ccname_template = FILE:%d/krb5cc_%U/XXXXXX
    krb5_auth_timeout = 15
# the allowlist read by the pam_listfile rule added in runcmd
- path: /etc/loginusers
  permissions: '0440'
  content: |
    hanstra
    ssummer3
    wsill
# admins get sudo with a password prompt (unlike the ansible account)
- path: /etc/sudoers.d/esu
  permissions: '0440'
  content: |
    User_Alias ESU = hanstra, ssummer3, wsill
    ESU ALL=(ALL) PASSWD:ALL
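AWSTemplateFormatVersion: '2010-09-09'
# Launches a single EC2 instance for libnd. Account-specific defaults (AMI,
# security groups, subnet) are baked in below; override them per deployment.
# The instance configures itself from the cloud-config referenced in UserData.
Description: Template to create libnd EC2
Conditions:
  # An empty string means "let EC2 create a fresh ENI / pick an address".
  HasNetworkInterfaceId: !Not [!Equals [!Ref NetworkInterfaceId, '']]
  HasPrivateIpAddress: !Not [!Equals [!Ref PrivateIpAddress, '']]
Parameters:
  AMI:
    ConstraintDescription: must be an AMI available in the EC2 instance's region
    # Region-specific image id; update whenever the base image is rebuilt.
    Default: ami-6869aa05
    Description: Base AMI
    Type: AWS::EC2::Image::Id
  InstanceType:
    AllowedValues:
    - t2.micro
    - t2.nano
    - t2.medium
    ConstraintDescription: must be a valid EC2 instance type
    Default: t2.micro
    Description: EC2 Instance Type
    Type: String
  NetworkInterfaceId:
    Description: must be an existing private network interface id
    Type: String
    ConstraintDescription: Existing Network Interface (ENI)
    Default: ''
  PrivateIpAddress:
    Description: The Private IP to assign
    Type: String
    ConstraintDescription: Private IP address to assign
    Default: ''
  SecurityGroupIds:
    Description: The list of security groups
    Type: List<AWS::EC2::SecurityGroup::Id>
    Default: sg-bcf985d8,sg-58b1023c
  SubnetId:
    Description: The ID of the subnet to launch into
    Type: AWS::EC2::Subnet::Id
    Default: subnet-84c977f3
  TagBackup:
    # The constraint text below used to describe a check that did not exist
    # (any string was accepted); AllowedValues now enforces it.
    AllowedValues:
    - 'True'
    - 'False'
    ConstraintDescription: must be 'True' or 'False'
    Default: 'False'
    Description: Should this be backed up
    Type: String
  TagContact:
    Description: Email address of product owner.
    Type: String
    Default: lib-esu-group@nd.edu
  TagDescription:
    Default: Description of the service
    Description: Description of the service
    Type: String
  TagEnvironment:
    AllowedValues:
    - development
    - pre-production
    - production
    - staging
    - temporary
    - testing
    ConstraintDescription: Must be catagorized into a valid Environment.
    Default: temporary
    Description: Environment this belongs to
    Type: String
  TagFQDN:
    Description: Infoblox record
    Type: String
    Default: NA
  TagInceptDate:
    # No default: the caller must state when the instance was built.
    Description: Date of instance build
    Type: String
  TagOwner:
    ConstraintDescription: NetID of the person responsible for the build
    Default: ESU
    Description: Person building this Instance
    Type: String
  TagSchedule:
    Default: '*'
    Description: Schedule for Instance uptime
    Type: String
  TagService:
    ConstraintDescription: Refer to https://docs.google.com/a/nd.edu/spreadsheets/d/142G82QY6TAVgbsdwRSZz-43RTKTUdy6-VKrfVc69cOM/edit#gid=0
    Description: Service Catalog common name
    Type: String
Resources:
  Instance:
    Type: AWS::EC2::Instance
    Properties:
      # Termination protection is off: stack deletes remove the instance.
      DisableApiTermination: false
      ImageId: !Ref AMI
      InstanceType: !Ref InstanceType
      Monitoring: true
      NetworkInterfaces:
      - DeleteOnTermination: true
        Description: !Ref 'AWS::StackName'
        DeviceIndex: '0'
        GroupSet: !Ref SecurityGroupIds
        # NOTE(review): when HasNetworkInterfaceId is true, GroupSet, SubnetId
        # and PrivateIpAddress are still sent alongside the existing ENI id;
        # EC2 rejects some of those combinations — confirm with a real ENI.
        NetworkInterfaceId: !If [HasNetworkInterfaceId, !Ref NetworkInterfaceId, !Ref 'AWS::NoValue']
        PrivateIpAddress: !If [HasPrivateIpAddress, !Ref PrivateIpAddress, !Ref 'AWS::NoValue']
        SubnetId: !Ref SubnetId
      Tags:
      - Key: Name
        Value: !Ref 'AWS::StackName'
      - Key: Environment
        Value: !Ref TagEnvironment
      - Key: Contact
        Value: !Ref TagContact
      - Key: Service
        Value: !Ref TagService
      - Key: FQDN
        Value: !Ref TagFQDN
      - Key: Backup
        Value: !Ref TagBackup
      - Key: Description
        Value: !Ref TagDescription
      - Key: InceptDate
        Value: !Ref TagInceptDate
      - Key: Schedule
        Value: !Ref TagSchedule
      - Key: Owner
        Value: !Ref TagOwner
      # cloud-init fetches the real cloud-config from this URL on first boot.
      # The URL is pinned to a gist commit, so the content cannot change
      # underneath us, but the instance stays at bare-AMI defaults if the
      # fetch fails (no outbound HTTPS, gist removed).
      UserData:
        !Base64 |
          #include
          https://gist.githubusercontent.com/ssummer3/daf955d62932d3a7895c76efaae4b5bf/raw/423e96ee1bc8cd5144fcbdbe7bcb1396230c5e14/user-data.txt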