AMI: AWS-compliant first-boot credentials + remove AMI from public docs #22
Merged
AWS Marketplace AMI policy requires default admin credentials to be generated on first boot (not baked into the AMI) and stored as a read-once file outside /var/log, mode 0600, owned by root only, with instructions to delete after first read.
- first-boot-db.sh: write /root/nexus-admin-credentials.txt (was /var/log/nexus/admin-credentials.txt), chmod 0600 + chown root:root, update the in-file IMPORTANT note and /etc/motd
- harden.sh: wipe the new /root path at build time (kept the legacy /var/log wipe defensively) so no copy is baked into the image
- nexus-ami/README.md: point the manual-test step at the new path
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

- README.md: CI/Go-CI badge links pointed at the placeholder your-org/abc-nexus-gateway; repoint at AlphaBitCore/nexus-gateway. Remove the AWS Marketplace AMI and bare-metal-appliance rows from the Deployment table.
- docs/operators/README.md: drop the ami-build.md index entry.
- docs/developers/architecture/README.md: remove the now-empty "Cross-cutting - deployment" trigger-map section.
- Makefile, .gitignore: drop comment lines citing the deleted AMI architecture doc (build targets / ignore rules kept).
The AMI/appliance form factor stays a working build dir under nexus-ami/ but is no longer advertised in the public README, docs, or wiki.
Verified: check:arch-doc-triggers OK, check:doc-lockstep clean, and no nexus-ami / ami-build / ami-appliance references remain in README or docs.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
Two related AMI/appliance changes:
1. AWS Marketplace credential compliance — first-boot admin credentials now satisfy AWS Marketplace AMI policy (generated on first boot, read-once file in /root, 0600, root-only, deleted after first read). Previously written to /var/log/nexus/admin-credentials.txt (0640 root:nexus), which fails review on both path and permissions.
2. Remove AMI/appliance from public docs — the AMI/appliance form factor stays a working build dir under nexus-ami/, but is no longer advertised in the public README, docs, or wiki. Also fixes the README CI badge URLs that pointed at the placeholder your-org/abc-nexus-gateway.

Changes
Credentials (fix(ami))
- nexus-ami/scripts/first-boot-db.sh: write /root/nexus-admin-credentials.txt, chmod 0600 + chown root:root, updated in-file note + /etc/motd
- nexus-ami/scripts/harden.sh: wipe the new /root path at build time (kept the legacy /var/log wipe defensively)
- nexus-ami/README.md: manual-test step points at the new path

Docs (docs)
- README.md: repoint CI/Go-CI badges to AlphaBitCore/nexus-gateway; remove AMI + bare-metal-appliance rows from the Deployment table
- docs/operators/README.md: drop the ami-build.md index entry
- docs/developers/architecture/README.md: remove the now-empty "Cross-cutting — deployment" trigger-map section
- docs/operators/ops/ami-build.md and docs/developers/architecture/cross-cutting/deployment/ami-appliance-architecture.md: deleted
- Makefile, .gitignore: drop comment lines citing the deleted arch doc (build targets / ignore rules kept)

Verification
- check:arch-doc-triggers → OK (no orphaned trigger row, no missing-doc reference)
- check:doc-lockstep → clean
- grep for nexus-ami | ami-build | ami-appliance | AWS Marketplace | single-instance appliance across README + docs → none remaining
- bash -n passes on both edited shell scripts

🤖 Generated with Claude Code
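The first-boot credential handling the PR describes, as an added shell example that is not the project's own first-boot-db.sh or harden.sh: a read-once file created 0600 under umask 077 and renamed into place, a check for the properties a Marketplace reviewer looks at (mode, owner, not under /var/log), and the build-time wipe of both the new and the legacy path. The two paths are the ones named in the PR; the function names, the in-file wording and the optional scratch-tree prefix are assumptions for illustration. chown root:root is applied only when actually running as root, so the example can be exercised unprivileged against a temp directory.

```sh
#!/bin/sh
# Added example, not the nexus-gateway project's first-boot-db.sh / harden.sh.
# Function names, file wording and the scratch-tree prefix are assumptions;
# the two paths are the ones named in the PR.
set -eu

CRED_FILE=/root/nexus-admin-credentials.txt
LEGACY_CRED_FILE=/var/log/nexus/admin-credentials.txt

# 16 random bytes from the kernel CSPRNG rendered as 32 hex chars (no openssl needed).
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Octal permission bits of a file: GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Write the credentials file at $1 for admin user $2 with password $3.
# mktemp under umask 077 creates the temp file 0600 before any byte is written,
# and the final rename means no reader can observe a half-written or
# group-readable file. chown root:root only when we really are root.
write_credentials() {
    file=$1 user=$2 pass=$3
    dir=$(dirname "$file")
    tmp=$(umask 077 && mktemp "$dir/.nexus-cred.XXXXXX")
    {
        printf 'IMPORTANT: generated once at first boot; this is the only copy.\n'
        printf 'Log in, change the password, then delete this file.\n'
        printf 'admin user: %s\n' "$user"
        printf 'admin password: %s\n' "$pass"
    } > "$tmp"
    chmod 0600 "$tmp"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$tmp"
    fi
    mv "$tmp" "$file"
}

# Properties a Marketplace reviewer checks on the written file: it exists, is
# exactly mode 0600, is owned by the invoking uid (root on a real instance) and
# is not under /var/log. Returns nonzero at the first failed property.
check_credentials_file() {
    file=$1
    [ -f "$file" ] || return 1
    [ "$(file_mode "$file")" = "600" ] || return 1
    [ "$(ls -ldn "$file" | awk '{print $3}')" = "$(id -u)" ] || return 1
    case "$file" in
        /var/log/*) return 1 ;;
    esac
    return 0
}

# Build-time wipe (the harden.sh step): remove the new and the legacy location
# so the image carries no credentials. An optional root prefix ($1) lets the
# wipe run against a scratch tree instead of the live filesystem.
# Returns nonzero if either path still exists afterwards.
wipe_credentials() {
    root=${1:-}
    rm -f "$root$CRED_FILE" "$root$LEGACY_CRED_FILE"
    [ ! -e "$root$CRED_FILE" ] && [ ! -e "$root$LEGACY_CRED_FILE" ]
}
```

On a real instance the first-boot unit calls write_credentials "$CRED_FILE" admin "$(gen_password)" once and the image build calls wipe_credentials before snapshotting; the check function is what a post-boot smoke test would run, and it fails on the old 0640 /var/log location on two counts, just as the PR description says review does.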