feat: add branding and get_iam_sshkeys.py

README.md

@@ -2,4 +2,13 @@
 
 ZeroDownTime - Alpine golden images 
 
-AWS only for now
+AWS only for now
+
+## Image scanning via Trivy
+
+```
+modprobe nbd
+qemu-nbd -c /dev/nbd0 zdt-alpine-3.16.2-x86_64-bios-tiny-minimal-r1.vhd
+mount /dev/nbd0 /mnt/image
+trivy filesystem /mnt/image
+```

cleanup_amis.sh

@@ -5,8 +5,8 @@ echo "Are you really sure as AMIs might be used by customers !!"
 read
 
 #TAG_FILTER="Name=tag:project,Values=zdt-alpine"
-#TAG_FILTER="Name=tag:Name,Values=zdt-alpine-3.16.0-x86_64-bios-tiny-minimal-r0"
-TAG_FILTER="Name=tag:Name,Values=zdt-alpine-3.16.2-x86_64-bios-tiny-kubezero-1.23.10-r0"
+TAG_FILTER="Name=tag:Name,Values=zdt-alpine-3.16.2-x86_64-bios-tiny-minimal-r1"
+#TAG_FILTER="Name=tag:Name,Values=zdt-alpine-3.16.2-x86_64-bios-tiny-kubezero-1.23.10-r0"
 
 #for r in $(aws ec2 describe-regions --query "Regions[].{Name:RegionName}" --output text); do
 for r in ap-southeast-2 ca-central-1 eu-central-1 us-east-1 us-west-1 us-west-2; do

overlay/zdt/scripts/setup-common

@@ -45,7 +45,8 @@ echo 'Installed cloudbender shutdown hook'
 
 # Install tools
 cp $SETUP/route53.py  $TARGET/usr/local/bin
-echo 'Installed route53.py'
+cp $SETUP/get_iam_sshkeys.py  $TARGET/usr/sbin
+echo 'Installed route53.py and get_iam_sshkeys.py'
 
 # ps_mem
 #wget https://raw.githubusercontent.com/pixelb/ps_mem/master/ps_mem.py
@@ -63,12 +64,13 @@ echo 'Enable monit via init, hooked up cloudbender alerting'
 
 # QoL
 mv $TARGET/etc/profile.d/color_prompt.sh.disabled $TARGET/etc/profile.d/color_prompt.sh
-echo 'alias rs="doas bash --login"' > $TARGET/etc/profile.d/alias.sh
+echo 'alias rs="doas bash"' > $TARGET/etc/profile.d/alias.sh
 
 # branding
 rm -f $TARGET/etc/motd
 cp $SETUP/neofetch.conf $TARGET/etc/neofetch.conf
 cp $SETUP/zdt-ascii.txt $TARGET/etc/neofetch-logo.txt
-echo 'neofetch --config /etc/neofetch.conf' > $TARGET/etc/profile.d/motd.sh
+echo '[ -n "$SSH_TTY" -a "$SHLVL" -eq 1 ] && neofetch --config /etc/neofetch.conf' > $TARGET/etc/profile.d/motd.sh
+echo 'Installed ZDT branding via neofetch'
 
 printf '\n# Zero Down Time config applied'

overlay/zdt/scripts/setup.d/get_iam_sshkeys.py

@@ -0,0 +1,63 @@
+#!/usr/bin/python3
+import sys
+import boto3
+import argparse
+
+parser = argparse.ArgumentParser(description="Get SSH keys from IAM users")
+parser.add_argument(
+    "--user", dest="user", action="store", required=True, help="requested user"
+)
+parser.add_argument(
+    "--group", action="store", required=True, help="IAM group to search"
+)
+parser.add_argument(
+    "--iamRole",
+    dest="iamRole",
+    action="store",
+    help="IAM role ARN to assume to search for IAM users",
+)
+parser.add_argument(
+    "--allowedUser",
+    dest="allowedUsers",
+    action="append",
+    default=["alpine"],
+    help="Allowed users",
+)
+args = parser.parse_args()
+
+# Fail early if invalid user
+if not args.user in args.allowedUsers:
+    sys.exit(0)
+
+session = boto3.Session()
+
+if args.iamRole:
+    sts = session.client("sts")
+    credentials = sts.assume_role(
+        RoleArn=args.iamRole, RoleSessionName="sshdKeyLookup"
+    )["Credentials"]
+
+    assumed_role_session = boto3.Session(
+        aws_access_key_id=credentials["AccessKeyId"],
+        aws_secret_access_key=credentials["SecretAccessKey"],
+        aws_session_token=credentials["SessionToken"],
+    )
+    iam = assumed_role_session.client("iam")
+
+else:
+    iam = session.client("iam")
+
+try:
+    for user in iam.get_group(GroupName=args.group)["Users"]:
+        for key_desc in iam.list_ssh_public_keys(UserName=user["UserName"])[
+            "SSHPublicKeys"
+        ]:
+            key = iam.get_ssh_public_key(
+                UserName=user["UserName"],
+                SSHPublicKeyId=key_desc["SSHPublicKeyId"],
+                Encoding="SSH",
+            )
+            if key["SSHPublicKey"]["Status"] == "Active":
+                print(key["SSHPublicKey"]["SSHPublicKeyBody"], user["UserName"])
+except:
+    pass

overlay/zdt/scripts/setup.d/neofetch.conf

@@ -4,7 +4,7 @@ print_info() {
     prin "$(color 1)Welcome to Alpine - ZeroDownTime edition"
     echo
     prin "Release Notes:"
-    prin "  - <https://kubezero.com/releases/v1.23/README.md>"
+    prin "  - <https://kubezero.com/releases/>"
     prin "  - <https://alpinelinux.org/releases/>"
     echo
 

overlay/zdt/scripts/setup.d/route53.py

@@ -49,5 +49,4 @@ action = "UPSERT"
 if args.delete:
     action = "DELETE"
 
-print(args)
 update_dns(args.fqdn, args.record, action=action, ttl=args.ttl, record_type=args.record_type)