Last active
March 29, 2018 17:40
-
-
Save ssummer3/daf955d62932d3a7895c76efaae4b5bf to your computer and use it in GitHub Desktop.
AWS LIBND
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: '2010-09-09' | |
| Description: Template to create libnd EC2 | |
| Conditions: | |
| HasNetworkInterfaceId: !Not [!Equals [!Ref NetworkInterfaceId, '']] | |
| HasPrivateIpAddress: !Not [!Equals [!Ref PrivateIpAddress, '']] | |
| Parameters: | |
| AMI: | |
| ConstraintDescription: must be an AMI available in the EC2 instance's region | |
| Default: ami-6869aa05 | |
| Description: Base AMI | |
| Type: AWS::EC2::Image::Id | |
| InstanceType: | |
| AllowedValues: | |
| - t2.micro | |
| - t2.nano | |
| - t2.medium | |
| ConstraintDescription: must be a valid EC2 instance type | |
| Default: t2.micro | |
| Description: EC2 Instance Type | |
| Type: String | |
| NetworkInterfaceId: | |
| Description: must be an existing private network interface id | |
| Type: String | |
| ConstraintDescription: Existing Network Interface (ENI) | |
| Default: '' | |
| PrivateIpAddress: | |
| Description: The Private IP to assign | |
| Type: String | |
| ConstraintDescription: Private IP address to assign | |
| Default: '' | |
| SecurityGroupIds: | |
| Description: The list of security groups | |
| Type: List<AWS::EC2::SecurityGroup::Id> | |
| Default: sg-bcf985d8,sg-58b1023c | |
| SubnetId: | |
| Description: The ID of the subnet to launch into | |
| Type: AWS::EC2::Subnet::Id | |
| Default: subnet-84c977f3 | |
| TagBackup: | |
| ConstraintDescription: must be 'True' or 'False' | |
| Default: 'False' | |
| Description: Should this be backed up | |
| Type: String | |
| TagContact: | |
| Description: Email address of product owner. | |
| Type: String | |
| Default: [email protected] | |
| TagDescription: | |
| Default: Description of the service | |
| Description: Description of the service | |
| Type: String | |
| TagEnvironment: | |
| AllowedValues: | |
| - development | |
| - pre-production | |
| - production | |
| - staging | |
| - temporary | |
| - testing | |
| ConstraintDescription: Must be catagorized into a valid Environment. | |
| Default: temporary | |
| Description: Environment this belongs to | |
| Type: String | |
| TagFQDN: | |
| Description: Infoblox record | |
| Type: String | |
| Default: NA | |
| TagInceptDate: | |
| Description: Date of instance build | |
| Type: String | |
| TagOwner: | |
| ConstraintDescription: NetID of the person responsible for the build | |
| Default: ESU | |
| Description: Person building this Instance | |
| Type: String | |
| TagSchedule: | |
| Default: '*' | |
| Description: Schedule for Instance uptime | |
| Type: String | |
| TagService: | |
| ConstraintDescription: Refer to https://docs.google.com/a/nd.edu/spreadsheets/d/142G82QY6TAVgbsdwRSZz-43RTKTUdy6-VKrfVc69cOM/edit#gid=0 | |
| Description: Service Catalog common name | |
| Type: String | |
| Resources: | |
| Instance: | |
| Properties: | |
| DisableApiTermination: false | |
| ImageId: !Ref AMI | |
| InstanceType: !Ref InstanceType | |
| Monitoring: true | |
| NetworkInterfaces: | |
| - DeleteOnTermination: true | |
| Description: !Ref AWS::StackName | |
| DeviceIndex: '0' | |
| GroupSet: !Ref SecurityGroupIds | |
| NetworkInterfaceId: !If [HasNetworkInterfaceId, !Ref NetworkInterfaceId, !Ref 'AWS::NoValue'] | |
| PrivateIpAddress: !If [HasPrivateIpAddress, !Ref PrivateIpAddress, !Ref 'AWS::NoValue'] | |
| SubnetId: !Ref SubnetId | |
| # KeyName: !Ref KeyName | |
| # PrivateIpAddress: !Ref PrivateIpAddress | |
| # SecurityGroupIds: !Ref SecurityGroupIds | |
| # SubnetId: !Ref SubnetId | |
| Tags: | |
| - Key: Name | |
| Value: !Ref AWS::StackName | |
| - Key: Environment | |
| Value: !Ref TagEnvironment | |
| - Key: Contact | |
| Value: !Ref TagContact | |
| - Key: Service | |
| Value: !Ref TagService | |
| - Key: FQDN | |
| Value: !Ref TagFQDN | |
| - Key: Backup | |
| Value: !Ref TagBackup | |
| - Key: Description | |
| Value: !Ref TagDescription | |
| - Key: InceptDate | |
| Value: !Ref TagInceptDate | |
| - Key: Schedule | |
| Value: !Ref TagSchedule | |
| - Key: Owner | |
| Value: !Ref TagOwner | |
| UserData: | |
| !Base64 | | |
| #include | |
| https://gist.githubusercontent.com/ssummer3/daf955d62932d3a7895c76efaae4b5bf/raw/423e96ee1bc8cd5144fcbdbe7bcb1396230c5e14/user-data.txt | |
| Type: AWS::EC2::Instance |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #cloud-config | |
| # vim: syntax=yaml | |
| repo_upgrade: all | |
| package_upgrade: true | |
| package_update: true | |
| timezone: US/Eastern | |
| manage_etc_hosts: template | |
| disable_ec2_metadata: false | |
| disable_root: true | |
| packages: | |
| - awslogs | |
| - amazon-ssm-agent | |
| - krb5-workstation | |
| - sssd-krb5 | |
| - sssd-ldap | |
| - net-tools | |
| - tmux | |
| - mosh | |
| # we have kerberos | |
| ssh_pwauth: true | |
| runcmd: | |
| # clean up the system | |
| - rm -f /etc/init/tty.conf /etc/init/serial.conf | |
| - chkconfig sendmail off | |
| - chkconfig rpcbind off | |
| # configure kerberos | |
| - authconfig --enablekrb5 --update | |
| - chkconfig sssd on | |
| - echo 'session required pam_mkhomedir.so skel=/etc/skel umask=0022' | tee -a /etc/pam.d/system-auth /etc/pam.d/sshd | |
| - echo 'auth required pam_listfile.so onerr=fail item=user sense=allow file=/etc/loginusers' | tee -a /etc/pam.d/system-auth /etc/pam.d/sshd | |
| # we don't have a keytab | |
| - sed -i '/pam_krb5\.so/s/$/ no_validate/' /etc/pam.d/* | |
| # remove weak ssh moduli | |
| - awk 'int($1)&&($5>=2048)' /etc/ssh/moduli > /tmp/moduli && mv -f /tmp/moduli /etc/ssh/moduli && chmod 0644 /etc/ssh/moduli | |
| # add Amazon's ssh key back in | |
| - /opt/aws/bin/ec2-metadata -u | tail -1 >> ~ansible/.ssh/authorized_keys && chmod 0600 ~ansible/.ssh/authorized_keys | |
| # kernel* is blacklisted from package_upgrade/package_update? | |
| - yum upgrade -y | |
| power_state: | |
| delay: now | |
| mode: reboot | |
| message: "Instance ${INSTANCE_ID} first reboot after ${UPTIME} seconds of init." | |
| condition: True | |
| users: | |
| - name: ansible | |
| lock_passwd: true | |
| gcos: Library Ansible User | |
| sudo: [ "ALL=(ALL) NOPASSWD:ALL" ] | |
| shell: /bin/bash | |
| homedir: /etc/ansible | |
| ssh_genkeytypes: [ 'rsa', 'ed25519' ] | |
| write_files: | |
| # networking security | |
| - path: /etc/modprobe.d/disable-dccp.conf | |
| permissions: '0644' | |
| content: install dccp /bin/true | |
| - path: /etc/modprobe.d/disable-ipv6.conf | |
| permissions: '0644' | |
| content: | | |
| install ipv6 /bin/true | |
| options ipv6 disable=1 | |
| - path: /etc/modprobe.d/disable-rds.conf | |
| permissions: '0644' | |
| content: | | |
| blacklist rds | |
| install rds /bin/true | |
| - path: /etc/modprobe.d/disable-sctp.conf | |
| permissions: '0644' | |
| content: install sctp /bin/true | |
| - path: /etc/modprobe.d/disable-tipc.conf | |
| permissions: '0644' | |
| content: install tipc /bin/true | |
| - path: /etc/modprobe.d/disable-usb.conf | |
| permissions: '0644' | |
| content: install usb-storage /bin/true | |
| # AWS convenience | |
| - path: /etc/skel/.aws/config | |
| permissions: '0644' | |
| content: | | |
| [default] | |
| region = us-east-1 | |
| output = json | |
| # ESU convenience | |
| - path: /etc/skel/.ssh/authorized_keys | |
| permissions: '0400' | |
| content: | | |
| ssh-dss AAAAB3NzaC1kc3MAAACBAMQ0gfyAOOH4ZX9kUuXlayqNYi3r/vcnkeiyn2ES4/VmGR2qIioWNlVOy2sD3EDxvsN/ZKaxWo8ySEGfFgkXpG801jKINhkVavBGvbnucETeyS1HdgrAJz7hYgowvjq0yo2+qyrsaV01VlmEHw9oy01lXFK9E5yIu0U43KHyzKilAAAAFQDfSiTR5BfdCpHcUhfDmfhU88RvIwAAAIBppcY4yl8d6FpJd/zfWmXGs593zvB/QnxYzAG6M97NeCFlGEmwzT5QLZzgzGTY0VJCC7WfH57JFswKFt7ONQReVZQ87l5NkUp8Saga2Nu+m/Zv1aQS7N5biSDX0tmnCnD0XperbubAW5sKK/bQHCjSOQXjo/BKV6gpTBf8yQs5dAAAAIBLuRAU7OTNoYYSgNp3mjmPubDv5tXz4iwiN0G6fTqFOXdjc8/BBZzuP8W7nM6wtl85wB9GxvANpr5RYIZ72YM5t51C2ZQaUsWBsZqoAJk4dgStkwiE35cq+SOgmqbVuyUerkTFbd7DQl3PGQsPiKAGLGF1YnoLQbQLhTJv0mR9UQ== [email protected] | |
| ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwlTLW9XBLz2R/HVJtIQKt7ag4Kj4/uHb8bWnMiL1XepI3YMghX0vdHTivUYpoP3tVosskLernQ3bQFYJTm6Z6YXZq8ZSx+eLw9AUYjRR4hkUnlBBFWEfzYycobUBhE03mlnYw9L+8d1tYLW3FZDueWEJp7zeUeMwq33ozGYkMgqr5qgfRn42gPzCoFSz3QXaRokWXHhQmz1pywaI3zWCIOUzVyBOsNKls5Moaeuec3plGKHpzJByKsRtsCYBEU/p/PlvajXD2zO4T0co78w+t3LCcESyxmxU9mCv4QfssTh5vSOBPzpvq/nZR5k13TLF/P4Zy1h9xn8OJnd/l7fbOw== [email protected] | |
| ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr9JuSLq3unNt7gCSKgVPFUSGRuKS/jOAbIYMSwzjH9VTrMhpwzK0iBXTys9Qj05Xe3DK3qSqfzS3wFSbNWqZrOviV3Pr4xBp/zvOMSgrmWyzacY6uFxLQcogLtgnrmn7cZ6uyxhAXI9nbp66VnPp1w+XlLsgg9UtHult23NSP59JCZMrRNMWn74umSqgDaLVLxQKWCbP22JNh4hby8quXRJtmLntmKyXlZE/iM6kUCIKl35EBOqeyjILe2v6jtkYbWVq12Y85KftjajI9DmaCx+iUogSB5jwCYAacC2z2XdbE3LCgq2JYI8EbdhinzynJhYDpNTLG0LxTAH1mCw5Ow== [email protected] | |
| cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDV44BBKnjoLzsx8jZn6zWTEzBUjzIE4Oo3MY3Bv3I9rEbeo35tkAMQX9P48YsiiE3MAD3DAPo1ntls15YFydqD3hl52B8vfSrAPG4yDHIWqqD8SL+C39FwW53VYn6ESe9G4hKn54kAOgNcKzObckVKKsCgOIL8qH1sMRmQRl2QVv/yWygiuQZy1n9RSjQ7ckymiyDgQiZIr7V2+xHnMKb54i1iKo/z+njG509Cbn4keshkl+i8RmYQgvPeQb7qUXK3iTwuwT0ijefSLLUxJ+Fo1ea2ESU27AEdKDD27hAOGZOzd24aUz+d1KB2LP5p2R9IOLpWSdIhH7bkHAjUvtwTKzKv1z4gCZqPKoOLRgBLgMkAOjfIEaycn6aD2q/shcSlSAUHOXPEA96EoFOvULZh5RN6dH6vnKtc6VK/s94CSWG0DLKeugLK4Xqd1PQCiaFe2OY7rjLwuMOHqXS8mZj5IkGtJ3XYM+Q9eHJGiuQvH75Jnd+9z9401mkARVrEBWUCC+ZD7bgPQOIJKvaaRwX0zknDSLW9E7Zo5XPXfOCSwTS8RDMVf+hv+8aTn5cMkJQhnAlaTu5UyDVSbm4EAQGkAVr89g5jIoKTTbFK3qcnBYJQPnYUVAzxf/cV9he2SLYzFubNHDpfcSVh/v4ujABakN/2eOcSan34/jZF5f3uGw== ssummer3@LIB-2082-1452634765 | |
| # kerberos setup | |
| - path: /etc/krb5.conf | |
| permissions: '0444' | |
| content: | | |
| [logging] | |
| default = FILE:/var/log/krb5libs.log | |
| kdc = FILE:/var/log/krb5kdc.log | |
| admin_server = FILE:/var/log/kadmind.log | |
| [libdefaults] | |
| default_realm = ND.EDU | |
| dns_lookup_realm = false | |
| dns_lookup_kdc = false | |
| ticket_lifetime = 24h | |
| renew_lifetime = 7d | |
| forwardable = true | |
| allow_weak_crypto = true | |
| [realms] | |
| ND.EDU = { | |
| kdc = addc53-prod.nd.edu:88 | |
| kdc = addc54-prod.nd.edu:88 | |
| admin_server = kerberos.nd.edu:749 | |
| default_domain = nd.edu | |
| } | |
| [domain_realm] | |
| .nd.edu = ND.EDU | |
| nd.edu = ND.EDU | |
| [appdefaults] | |
| pam = { | |
| debug = false | |
| forwardable = true | |
| ticket_lifetime = 2592000 | |
| renew_lifetime = 2592000 | |
| minimum_uid = 1000 | |
| } | |
| - path: /etc/sssd/sssd.conf | |
| permissions: '0400' | |
| content: | | |
| [sssd] | |
| config_file_version = 2 | |
| services = nss, pam | |
| domains = ND.EDU | |
| [nss] | |
| override_shell = /bin/bash | |
| override_homedir = /home/%u | |
| [pam] | |
| [domain/ND.EDU] | |
| id_provider = ldap | |
| auth_provider = krb5 | |
| chpass_provider = krb5 | |
| ldap_uri = ldaps://ldap.nd.edu:636 | |
| ldap_search_base = o=University of Notre Dame,st=Indiana,c=US | |
| enumerate = false | |
| tls_reqcert = demand | |
| ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt | |
| krb5_realm = ND.EDU | |
| krb5_server = kerberos.nd.edu:749 | |
| krb5_changepw_principal = kadmin/changepw | |
| krb5_ccachedir = /tmp | |
| krb5_ccname_template = FILE:%d/krb5cc_%U/XXXXXX | |
| krb5_auth_timeout = 15 | |
| - path: /etc/loginusers | |
| permissions: '0440' | |
| content: | | |
| hanstra | |
| ssummer3 | |
| wsill | |
| - path: /etc/sudoers.d/esu | |
| permissions: '0440' | |
| content: | | |
| User_Alias ESU = hanstra, ssummer3, wsill | |
| ESU ALL=(ALL) PASSWD:ALL |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment