Merge pull request #257 from konstruktoid/noble

Ubuntu Noble
konstruktoid · Aug 28, 2024 · a08c411 · a08c411
2 parents e7d9bbe + cb6470d
commit a08c411
Show file tree

Hide file tree

Showing 9 changed files with 17 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -9,8 +9,8 @@ There are templates available for creating a
 - [Azure virtual machine image](https://learn.microsoft.com/en-us/azure/virtual-machines/linux/build-image-with-packer)
 - [Vagrant](https://www.vagrantup.com/) server base box
 
-[20.04 LTS (Focal Fossa)](https://releases.ubuntu.com/focal/) and
-[22.04 LTS (Jammy Jellyfish)](https://releases.ubuntu.com/jammy/) are supported.
+[22.04 LTS (Jammy Jellyfish)](https://releases.ubuntu.com/jammy/)
+[24.04 (Noble Numbat)](https://releases.ubuntu.com/noble/) are supported.
 
 The Ansible role used to make the server a bit more secure is available in the
 [konstruktoid/ansible-role-hardening](https://github.com/konstruktoid/ansible-role-hardening)
@@ -36,7 +36,7 @@ validating the configuration and building the Amazon Machine Image.
 {
   "aws_region": "eu-west-3",
   "instance_type": "t3.medium",
-  "release": "22.04"
+  "release": "24.04"
 }
 ```
 
@@ -105,7 +105,7 @@ Vagrant.configure("2") do |config|
 
   config.vm.define "noble" do |noble|
     noble.vm.hostname = "hardened-noble"
-    noble.vm.box = "ubuntu-noble/20.04"
+    noble.vm.box = "ubuntu-noble/24.04"
     noble.vm.box_url = "file://output/ubuntu-24.04-x86_64.bento-hardened.box"
   end
 end

diff --git a/Vagrantfile b/Vagrantfile
@@ -8,7 +8,7 @@ Vagrant.configure("2") do |config|
 
   config.vm.define "noble" do |noble|
     noble.vm.hostname = "hardened-noble"
-    noble.vm.box = "ubuntu-noble/20.04"
+    noble.vm.box = "ubuntu-noble/24.04"
     noble.vm.box_url = "file://output/ubuntu-24.04-x86_64.bento-hardened.box"
   end
 end
diff --git a/build_box.sh b/build_box.sh
@@ -5,6 +5,7 @@ shellcheck -x -s bash -f gcc scripts/*
 
 BASE_DIR="$(pwd)"
 GIT_CLONE_DIR="$(mktemp --directory -p /var/tmp bento.XXXXXX)"
+BUILD_ISOS="virtualbox-iso.vm" # "virtualbox-iso.vm,vmware-iso.vm"
 
 mkdir -p "${BASE_DIR}/output"
 
@@ -20,9 +21,9 @@ git apply ./packer_templates/config/bento.diff
 packer init -upgrade ./packer_templates
 
 find . -name 'ubuntu-2[4-8].04-x86_64.pkrvars.hcl' | while read -r template; do
-  packer build -only=virtualbox-iso.vm,vmware-iso.vm -var-file="${template}" ./packer_templates
+  packer build -only="${BUILD_ISOS}" -var-file="${template}" ./packer_templates
   box_name="$(basename "${template}" | awk -F '-' '{print $2}')"
-  find . -name "ubuntu-${box_name}-*" | while read -r box; do
+  find . -name "ubuntu-${box_name}-*.box" | while read -r box; do
     mod_name="$(basename "$box" | sed 's/virtualbox/bento-hardened/g')"
     mv -v "${box}" "${BASE_DIR}/output/${mod_name}"
   done

diff --git a/config/local.yml b/config/local.yml
@@ -18,7 +18,7 @@
           ansible.builtin.git:
             repo: https://github.com/konstruktoid/ansible-role-hardening
             dest: /etc/ansible/roles/konstruktoid.hardening
-            version: v2.0.4
+            version: v2.1.1
 
         - name: Remove git
           ansible.builtin.package:

diff --git a/scripts/cleanup.sh b/scripts/cleanup.sh
@@ -13,10 +13,9 @@ rm -rvf /etc/ansible/*
 
 rm -rvf /etc/apt/sources.list.d/*
 
-dpkg --list | awk '{ print $2 }' | grep 'linux-headers' | xargs apt-get --assume-yes purge;
+dpkg --list | awk '{ print $2 }' | grep 'linux-headers' | grep -v "$(uname -r)" | xargs apt-get --assume-yes purge;
 dpkg --list | awk '{ print $2 }' | grep 'linux-image-.*-generic' | grep -v "$(uname -r)" | xargs apt-get --assume-yes purge;
 dpkg --list | awk '{ print $2 }' | grep 'linux-modules-.*-generic' | grep -v "$(uname -r)" | xargs apt-get --assume-yes purge;
-dpkg --list | awk '{ print $2 }' | grep -- '-dev\(:[a-z0-9]\+\)\?$' | xargs apt-get --assume-yes purge;
 dpkg --list | awk '{ print $2 }' | grep linux-source | xargs apt-get --assume-yes purge;
 dpkg --list | awk '{ print $2 }' | grep -- '-doc$' | xargs apt-get --assume-yes purge;
 

diff --git a/scripts/hardening.sh b/scripts/hardening.sh
@@ -9,7 +9,7 @@ export HISTFILESIZE=0
 export PATH=$PATH:$HOME/.local/bin
 
 apt-get update
-apt-get --assume-yes --no-install-recommends install pipx
+apt-get --assume-yes --no-install-recommends install git pipx
 
 pipx install ansible-core
 pipx ensurepath
@@ -34,4 +34,6 @@ pipx uninstall-all
 unset PATH
 export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
+apt-get --assume-yes purge git
+
 reboot
diff --git a/ubuntu-aws-vars.json b/ubuntu-aws-vars.json
@@ -1,5 +1,5 @@
 {
   "aws_region": "eu-west-3",
   "instance_type": "t3.medium",
-  "release": "22.04"
+  "release": "24.04"
 }
diff --git a/ubuntu-hardened-aws.pkr.hcl b/ubuntu-hardened-aws.pkr.hcl
@@ -32,7 +32,7 @@ source "amazon-ebs" "hardened" {
   region        = var.aws_region
   source_ami_filter {
     filters = {
-      name                = "ubuntu/images/hvm-ssd/*ubuntu-*${var.release}-amd64-server*"
+      name                = "ubuntu/images/hvm-ssd-gp3/*ubuntu-*${var.release}-amd64-server*"
       root-device-type    = "ebs"
       virtualization-type = "hvm"
     }
@@ -44,6 +44,7 @@ source "amazon-ebs" "hardened" {
   ssh_pty                   = "true"
   ssh_timeout               = "10m"
   ssh_username              = "ubuntu"
+  temporary_key_pair_type   = "ed25519"
 }
 
 build {

diff --git a/ubuntu-hardened-azure.pkr.hcl b/ubuntu-hardened-azure.pkr.hcl
@@ -72,6 +72,7 @@ source "azure-arm" "hardened" {
   ssh_pty                           = "true"
   ssh_timeout                       = "10m"
   ssh_username                      = "ubuntu"
+  temporary_key_pair_type           = "ed25519"
   client_id                         = var.client_id
   client_secret                     = var.client_secret
   subscription_id                   = var.subscription_id