Making it compatible with the Digital Ocean Marketplace

- Adding scripts for clean up and checks.
- Updating README.md to make it more understandable how to create your own snapshot.
- Temporarily removing instructions to update a live image to minimise confusion.
- Updating Ansible playbook to enable UFW.

Author: dragarcia

README.md

@@ -1,7 +1,7 @@
-Packer & Ansible template that sets up a Digital Ocean snapshot of a PostgreSQL server with pre-installed and enabled goodies
+Packer & Ansible template that sets up a Digital Ocean snapshot of a PostgreSQL server with pre-installed and enabled goodies.
 
-## Specifications
-- Ubuntu 18.04 (Bionic)
+## Supported Images
+- Ubuntu 18.04 Bionic (LTS)
 
 ## Default Features
 ✅ Postgres 12
@@ -21,25 +21,34 @@ Packer & Ansible template that sets up a Digital Ocean snapshot of a PostgreSQL
 🗹 [Ansible](https://docs.ansible.com/ansible/latest/installation_guide/index.html)
 
 ## Walkthrough
+
+1. Install the Ansible role `ANXS.postgresql`.
+```
+$ ansible-galaxy install ANXS.postgresql -r tasks/install_roles.yml --force
 ```
-$ ansible-galaxy install ANXS.postgresql -r install_roles.yml --force
 
+2. `DO_TOKEN`, `SNAPSHOT_NAME` and `REGION` all need to be defined. A list of valid Digital Ocean regions can be found [here](https://www.digitalocean.com/docs/platform/availability-matrix/).
+```
 $ export DO_TOKEN=your_digital_ocean_token
 $ export SNAPSHOT_NAME=your_snapshot_name
 $ export REGION=your_chosen_region
+```
 
-# Name is now also mandatory
+3. Create the Digital Ocean snapshot
+```
 $ packer build \
   -var "do_token=$DO_TOKEN" \
   -var "name=$SNAPSHOT_NAME" \
-  -var "$REGION" \
+  -var "region=$REGION" \
   packer.json
 ```
-A list of available Digital Ocean regions can be found [here](https://www.digitalocean.com/docs/platform/availability-matrix/).
 
-See [how to use ansible to update an existing instance](ansible/README.md).
+Once this is complete, you now have a snapshot available to use for any of your droplets.
 
 ## Notes on provisioning
+1. The PostgreSQL server can be further customised. Available provisioning variables that can be manipulated are found in `ansible/vars.yml`
+2. There are also additional provisioning variables from the role [anxs.postgres](https://github.com/ANXS/postgresql). The exhaustive list can be found [here](https://github.com/ANXS/postgresql/blob/master/defaults/main.yml).
+3. To be in line with the standards of images found in the Digital Ocean Marketplace, scripts found in `scripts` are also ran to clean up the snapshot and make it compatible with the Marketplace. They are taken from [here](https://github.com/digitalocean/marketplace-partners/tree/master/scripts). More information on what these scripts achieve can be found [here](https://github.com/digitalocean/marketplace-partners/blob/master/getting-started.md).
 
-1. Variables can be manipulated in `ansible/vars.yml`
-2. The playbook uses the role [anxs.postgres](https://github.com/ANXS/postgresql). Other available variables can be found [here](https://github.com/ANXS/postgresql/blob/master/defaults/main.yml)
+## Roadmap
+🗹 Template for setting up a snapshot on AWS.

ansible/README.md

@@ -19,3 +19,19 @@
       postgresql_user:
         name: postgres
         password: "{{ postgres_superadmin_password }}"
+    
+    - name: UFW - Allow SSH connections
+      ufw:
+        rule: allow
+        name: OpenSSH
+
+    - name: UFW - Allow connections to postgreSQL (5432)
+      ufw:
+        rule: allow
+        port: '5432'
+
+    - name: UFW - Deny all other incoming traffix by default
+      ufw: 
+        state: enabled
+        policy: deny
+        direction: incoming

ansible/inventory.ini

@@ -4,11 +4,12 @@
   apt: update_cache=yes upgrade=yes
   # SEE http://archive.vn/DKJjs#parameter-upgrade
 
-- name: Install Python3 and pip
+- name: Install essentials
   apt:
     pkg:
       - python3
       - python3-pip
+      - ufw
     update_cache: yes
     cache_valid_time: 3600
 

ansible/playbook.yml

@@ -13,8 +13,19 @@
     "ssh_username": "root",
     "snapshot_name": "{{user `name`}}"
   }],
-  "provisioners": [{
-    "type": "ansible",
-    "playbook_file": "ansible/playbook.yml"
-  }]
+  "provisioners": [
+    {
+      "type": "ansible",
+      "playbook_file": "ansible/playbook.yml"
+    },
+    {
+      "type": "shell",
+      "scripts": [
+        "scripts/01-test",
+        "scripts/90-cleanup.sh",
+        "scripts/91-log_cleanup.sh",
+        "scripts/99-img_check.sh"
+      ]
+    }
+  ]
 }

ansible/tasks/setup-system.yml

@@ -0,0 +1,9 @@
+#!/bin/bash
+#
+# Scripts in this directory are run during the build process.
+# each script will be uploaded to /tmp on your build droplet, 
+# given execute permissions and run.  The cleanup process will
+# remove the scripts from your build system after they have run
+# if you use the build_image task.
+#
+echo "Commencing Digital Ocean Checks"

packer.json

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+apt-get -y update
+apt-get -y upgrade
+rm -rf /tmp/* /var/tmp/*
+history -c
+cat /dev/null > /root/.bash_history
+unset HISTFILE
+apt-get -y autoremove
+apt-get -y autoclean
+find /var/log -mtime -1 -type f -exec truncate -s 0 {} \;
+rm -rf /var/log/*.gz /var/log/*.[0-9] /var/log/*-????????
+rm -rf /var/lib/cloud/instances/*
+rm -f /root/.ssh/authorized_keys /etc/ssh/*key*
+touch /etc/ssh/revoked_keys
+chmod 600 /etc/ssh/revoked_keys
+
+# Securely erase the unused portion of the filesystem
+GREEN='\033[0;32m'
+NC='\033[0m'
+printf "\n${GREEN}Writing zeros to the remaining disk space to securely
+erase the unused portion of the file system.
+Depending on your disk size this may take several minutes.
+The secure erase will complete successfully when you see:${NC}
+    dd: writing to '/zerofile': No space left on device\n
+Beginning secure erase now\n"
+
+dd if=/dev/zero of=/zerofile &
+  PID=$!
+  while [ -d /proc/$PID ]
+    do
+      printf "."
+      sleep 5
+    done
+sync; rm /zerofile; sync
+cat /dev/null > /var/log/lastlog; cat /dev/null > /var/log/wtmp

scripts/01-test

@@ -0,0 +1,5 @@
+#!/bin/bash
+#Erasing all logs
+#
+echo "Clearing all log files"
+rm -rf /var/log/*