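#cloud-config
# Cloud-init user data rendered by a template engine: every ${...} is
# substituted before cloud-init parses the document. Templated scalars
# are quoted so an empty expansion becomes "" rather than a YAML null
# and so hostname-like values are never retyped by the YAML loader.
preserve_hostname: false
prefer_fqdn_over_hostname: true
manage_etc_hosts: true
hostname: "${hostname}"
# NOTE(review): `salt-master` is not a documented top-level cloud-init
# key; the minion's master is actually set via /etc/salt/minion below.
# Confirm nothing consumes this before relying on it.
salt-master: "${salt_master}"
fqdn: "${fqdn}"

# Proxy for the package_update / packages steps cloud-init runs itself.
# All egress is funnelled through the single host in ${proxy}; note the
# https proxy endpoint itself is plain http://.
apt:
  http_proxy: "http://${proxy}:80/"
  https_proxy: "http://${proxy}:80/"

# Ubuntu Advantage - broken? Using cmd.run
# ubuntu_advantage:
#   enable:
#     - fips
#     - cis
#     - esm-infra
#     - fips-updates
#     - livepatch  # no livepatch with fips!

# write_files runs early in boot, before packages and runcmd, so the
# proxy settings below are in place for everything that follows.
write_files:
  # System-wide proxy variables; appended so existing entries are kept.
  - content: |
      http_proxy="http://${proxy}:80/"
      https_proxy="http://${proxy}:80/"
      no_proxy=localhost,127.0.0.1,169.254.169.254
    path: /etc/environment
    append: true
  # apt proxy plus a relocated template TempDir. NOTE(review): the
  # /opt/tmp location presumably exists because /tmp is restricted by
  # the hardening below — confirm the directory is created and that it
  # is not world-writable.
  - content: |
      Acquire::http::Proxy "http://${proxy}:80/";
      Acquire::https::Proxy "http://${proxy}:80/";
      APT::ExtractTemplates::TempDir "/opt/tmp/";
    path: /etc/apt/apt.conf.d/75xdrexecpath
    append: true
  # pip goes through the same proxy.
  - content: |
      [global]
      proxy=${proxy}:80
    path: /etc/pip.conf
  # Login-shell proxy. NO_PROXY enumerates the internal hosts and the
  # regional AWS SSM/EC2 endpoints that must bypass the proxy; both the
  # upper- and lower-case variants are set because tools differ in which
  # one they honour.
  - content: |
      export HTTPS_PROXY=http://${proxy}:80
      export HTTP_PROXY=http://${proxy}:80
      export NO_PROXY=localhost,127.0.0.1,169.254.169.254,pvt.xdrtest.accenturefederalcyber.com,pvt.xdr.accenturefederalcyber.com,reposerver.msoc.defpoint.local,jenkins.msoc.defpoint.local,pod1search-splunk-sh.msoc.defpoint.local,s3.amazonaws.com,ssm.${ aws_region }.amazonaws.com,ec2messages.${ aws_region }.amazonaws.com,ec2.${ aws_region }.amazonaws.com,ssmmessages.${ aws_region }.amazonaws.com,iratemoses.mdr.defpoint.com,jira.mdr.defpoint.com,reposerver.pvt.xdr.accenturefederalcyber.com,jenkins.pvt.xdr.accenturefederalcyber.com,pod1search-splunk-sh.pvt.xdr.accenturefederalcyber.com,reposerver.pvt.xdrtest.accenturefederalcyber.com,jenkins.pvt.xdrtest.accenturefederalcyber.com,pod1search-splunk-sh.pvt.xdrtest.accenturefederalcyber.com,iratemoses.xdr.accenturefederalcyber.com,jira.xdr.accenturefederalcyber.com,iratemoses.xdrtest.accenturefederalcyber.com,jira.xdrtest.accenturefederalcyber.com
      export https_proxy=$HTTPS_PROXY
      export http_proxy=$HTTP_PROXY
      export no_proxy=$NO_PROXY
    path: /etc/profile.d/proxy.sh
  # Disable IPv6 on the primary interface. The mode is quoted: an
  # unquoted 0644 is octal under YAML 1.1 but decimal 644 under YAML 1.2,
  # which would yield the wrong file mode.
  - content: |
      net.ipv6.conf.eth0.disable_ipv6 = 1
    permissions: '0644'
    owner: root
    path: /etc/sysctl.d/10-disable-ipv6.conf
  # Salt minion identity and master; grains carry the deployment context.
  - content: |
      ${fqdn}
    path: /etc/salt/minion_id
  - content: |
      master: ${salt_master}
    path: /etc/salt/minion
  - content: |
      grains:
        environment: ${ environment }
        aws_partition: ${ aws_partition }
        aws_partition_alias: ${ aws_partition_alias }
        aws_region: ${ aws_region }
    path: /etc/salt/minion.d/cloud_init_grains.conf

# Inert on this Ubuntu image; kept for reference.
# yum_repos:
#   epel-release:
#     baseurl: http://download.fedoraproject.org/pub/epel/7/$basearch
#     enabled: false
#     failovermethod: priority
#     gpgcheck: true
#     gpgkey: http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
#     name: Extra Packages for Enterprise Linux 7 - Release

packages:
  - vim
  - ubuntu-advantage-tools

package_update: true  # Always patch

# Grow the partitions backing each listed mount point. growpart resizes
# partitions only; see the xfs_growfs step in runcmd for the filesystem.
growpart:
  mode: auto
  devices:
    - '/'
    - '/var'
    - '/var/log'
    - '/var/log/audit'
    - '/var/tmp'
    - '/tmp'
    - '/home'
  ignore_growroot_disabled: false

# runcmd is written to a single script and executed once, late in boot,
# so the exported proxy variables apply to every command that follows.
runcmd:
  # NOTE(review): grants read access to all users on every file under
  # /usr/local/lib, widening what the installers set. Confirm this is
  # required (e.g. libraries that service accounts must read) and scope
  # it down if a narrower set of paths suffices.
  - find /usr/local/lib -type f -exec chmod o+r {} \;
  - export http_proxy=http://${proxy}:80
  - export https_proxy=http://${proxy}:80
  - export no_proxy=localhost,127.0.0.1,169.254.169.254
  # Attach the Ubuntu Advantage subscription and enable the USG
  # (CIS/hardening) channel before installing the usg package.
  - ua auto-attach
  - ua enable --assume-yes usg
  # - ua enable --assume-yes usg fips fips-updates
  # - /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh lvl2_server
  # Unattended full upgrade on first boot; the reboot in power_state
  # picks up any kernel or library changes.
  - apt update
  - apt upgrade -y
  - apt install -y usg
  # Apply CIS Level 2 server remediation. Anything it changes at the
  # filesystem level is captured by the AIDE baseline taken below.
  - usg fix cis_level2_server
  # VMRay is incompatible with firewalld, but this should be enabled for other ubuntu systems
  # - apt install -y firewalld
  # - /bin/systemctl start firewalld
  # - /bin/systemctl enable firewalld
  # Restart salt-minion so it picks up the minion_id / master written above.
  - /bin/systemctl restart salt-minion
  - /bin/systemctl enable salt-minion
  - /bin/systemctl start snap.amazon-ssm-agent.amazon-ssm-agent.service
  - /bin/systemctl enable snap.amazon-ssm-agent.amazon-ssm-agent.service
  # Take the AIDE integrity baseline after hardening so later checks diff
  # against the hardened state. NOTE(review): `--update` expects an
  # existing database; if the image has none this step fails and no
  # baseline is installed — confirm whether `--init` is needed on first boot.
  - /usr/sbin/aide --update --verbose=0
  - /bin/cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
  # growpart above only grows the partition; extend the /tmp filesystem.
  - /sbin/xfs_growfs /tmp

# Either final message or power state, but probably not both
# final_message: "The system is up after $UPTIME seconds"
# Reboot shortly after configuration so the sysctl and hardening changes
# take effect from a clean boot.
power_state:
  # delay is in minutes
  delay: "+1"
  mode: reboot
  message: "System configured after $UPTIME seconds"
  # timeout: 300
  # condition: true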