feat: use ubuntu minimal

Author: samrose

amazon-arm64-nix.pkr.hcl

@@ -1,6 +1,6 @@
 variable "ami" {
   type    = string
-  default = "ubuntu/images/hvm-ssd-gp3/ubuntu-noble-24.04-arm64-server-*"
+  default = "ubuntu-minimal/images/hvm-ssd-gp3/ubuntu-noble-24.04-arm64-minimal-*"
 }
 
 variable "profile" {

ansible/tasks/clean-build-dependencies.yml

@@ -6,56 +6,34 @@
   ansible.builtin.apt:
     autoremove: false
     pkg:
+      # Build tools installed by Ansible tasks
       - bison
       - build-essential
       - clang-11
       - cmake
       - cpp
       - flex
       - g++
-      - g++-10
       - g++-9
+      - g++-10
       - gcc-10
       - make
-      - manpages
-      - manpages-dev
       - ninja-build
       - patch
       - python2
-    state: 'absent'
-
-# Security hardening: remove packages that increase attack surface
-# - Compiler toolchain enables local exploit compilation
-# - Dev packages provide headers for building exploits
-# - salt-minion is a remote management agent (large attack surface)
-# - sshpass stores credentials in plaintext
-- name: Remove high-security-risk packages
-  ansible.builtin.apt:
-    autoremove: false
-    pkg:
-      # Compiler toolchain (gcc-14-base kept - libgcc-s1 runtime depends on it)
-      - binutils
-      - binutils-aarch64-linux-gnu
-      - binutils-common
-      # Dev/header packages
+      # Dev headers installed for compilation
       - libc6-dev
       - libcrypt-dev
       - libevent-dev
       - libpcre3-dev
       - libssl-dev
-      - libsystemd-dev
       - linux-headers-aws
       - linux-libc-dev
       - pkg-config
       - pkgconf
       - pkgconf-bin
-      - rpcsvc-proto
-      - systemd-dev
       - zlib1g-dev
-      # Remote management (if not used)
-      - salt-minion
-      - salt-common
-      # Credential handling
+      # Security: credential handling
       - sshpass
       # Build tool leftovers
       - ansible-core

scripts/90-cleanup.sh

@@ -1,90 +1,45 @@
 #!/bin/bash
-
-# DigitalOcean Marketplace Image Validation Tool
-# © 2021 DigitalOcean LLC.
-# This code is licensed under Apache 2.0 license (see LICENSE.md for details)
-
 set -o errexit
 
-# Ensure /tmp exists and has the proper permissions before
-# checking for security updates
-# https://github.com/digitalocean/marketplace-partners/issues/94
+# Ensure /tmp exists and has proper permissions
 if [[ ! -d /tmp ]]; then
   mkdir /tmp
 fi
 chmod 1777 /tmp
 
-if [ -n "$(command -v yum)" ]; then
-  yum update -y
-  yum clean all
-elif [ -n "$(command -v apt-get)" ]; then
-  # Cleanup more packages
-  apt-get -y remove --purge \
-	automake \
- 	autoconf \
-	autotools-dev \
- 	cmake-data \
-	cpp-9  \
-	cpp-10  \
-	gcc-9  \
-	gcc-10  \
-	git  \
-	git-man  \
-	ansible \
-	libicu-dev \
-	libcgal-dev \
-	libgcc-9-dev \
- 	ansible
-
+# Update system
+if [ -n "$(command -v apt-get)" ]; then
   # Remove ansible PPA directly (software-properties-common may not be installed)
   rm -f /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.list \
         /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.sources 2>/dev/null || true
 
-  source /etc/os-release
-
-  # Protect critical runtime packages from autoremove
-  apt-mark manual libevent-2.1-7t64
-
-  # Ensure cloud-init and openssh-server are installed
-  # They may have been removed as dependencies during package cleanup
-  apt-get -y install --no-install-recommends cloud-init openssh-server
-
-  # Ensure cloud-init and SSH services are enabled (may not be re-enabled on reinstall)
-  # systemctl enable can fail silently in chroot - create symlinks manually
-  mkdir -p /etc/systemd/system/cloud-init.target.wants
-  mkdir -p /etc/systemd/system/multi-user.target.wants
-  ln -sf /usr/lib/systemd/system/cloud-init-local.service /etc/systemd/system/cloud-init.target.wants/ || true
-  ln -sf /usr/lib/systemd/system/cloud-init.service /etc/systemd/system/cloud-init.target.wants/ || true
-  ln -sf /usr/lib/systemd/system/cloud-config.service /etc/systemd/system/cloud-init.target.wants/ || true
-  ln -sf /usr/lib/systemd/system/cloud-final.service /etc/systemd/system/cloud-init.target.wants/ || true
-  ln -sf /usr/lib/systemd/system/cloud-init.target /etc/systemd/system/multi-user.target.wants/ || true
-  ln -sf /usr/lib/systemd/system/ssh.service /etc/systemd/system/multi-user.target.wants/ || true
-  echo "Created cloud-init and SSH service symlinks"
-
-  # Protect SSH and cloud-init dependencies from autoremove
-  # Without these, the AMI won't be accessible via SSH after boot
-  apt-mark manual openssh-server cloud-init python3-systemd python3-jinja2 \
-    python3-yaml python3-oauthlib python3-configobj python3-requests \
-    python3-urllib3 python3-certifi python3-chardet python3-idna || true
-
-  apt-get -y autoremove
-  apt-get -y autoclean
-
   apt-get -y update
   apt-get -y upgrade
+  apt-get -y autoremove
+  apt-get -y autoclean
 fi
+
+# Clean temp files
 rm -rf /tmp/* /var/tmp/*
+
+# Clear history
 history -c
 cat /dev/null > /root/.bash_history
 unset HISTFILE
+
+# Clean logs
 find /var/log -mtime -1 -type f -exec truncate -s 0 {} \;
 rm -rf /var/log/*.gz /var/log/*.[0-9] /var/log/*-????????
+
+# Clean cloud-init for fresh start
 rm -rf /var/lib/cloud/instances/*
+
+# Remove SSH keys (cloud-init regenerates on boot)
 rm -f /root/.ssh/authorized_keys /etc/ssh/*key*
 touch /etc/ssh/revoked_keys
 chmod 600 /etc/ssh/revoked_keys
 
-# Securely erase the unused portion of the filesystem
+# Securely erase unused disk space
 GREEN='\033[0;32m'
 NC='\033[0m'
 printf "\n${GREEN}Writing zeros to the remaining disk space to securely
@@ -95,11 +50,12 @@ The secure erase will complete successfully when you see:${NC}
 Beginning secure erase now\n"
 
 dd if=/dev/zero of=/zerofile &
-  PID=$!
-  while [ -d /proc/$PID ]
-    do
-      printf "."
-      sleep 5
-    done
+PID=$!
+while [ -d /proc/$PID ]; do
+  printf "."
+  sleep 5
+done
 sync; rm /zerofile; sync
-cat /dev/null > /var/log/lastlog; cat /dev/null > /var/log/wtmp
+
+cat /dev/null > /var/log/lastlog
+cat /dev/null > /var/log/wtmp