#cloud-config
# vim:syntax=yaml

#disable_ec2_metadata: false
#datasource:
#  Ec2:
#    timeout: 50
#    max_wait: 120
#    metadata_urls:
#     - http://169.254.169.254:80
#     - http://[fd00:ec2::254]:80
#     - http://instance-data:8773
#    apply_full_imds_network_config: true

# boot commands
# default: none
# This is very similar to runcmd above, but commands run very early
# in the boot process, only slightly after a 'boothook' would run.
#  - bootcmd will run on every boot
#  - INSTANCE_ID variable will be set to the current instance ID
#  - 'cloud-init-per' command can be used to make bootcmd run exactly once
bootcmd:
  - systemctl stop amazon-ssm-agent

package_update: true
package_upgrade: true
package_reboot_if_required: false
  
packages:
  # Base OS packages
  - kernel-modules-extra
  - dnf-plugins-core
  - dnf-plugin-release-notification
  - dnf-plugin-support-info
  - dnf-utils
  - git-core
  - grubby
  - kexec-tools
  - chrony
  - audit
  - dbus
  - dbus-daemon
  - polkit
  - systemd-pam
  - systemd-container
  - udisks2
  - crypto-policies
  - crypto-policies-scripts 
  - openssl
  - nss-util
  - nss-tools
  - dmidecode
  - nvme-cli
  - lvm2
  - dosfstools
  - e2fsprogs
  - xfsprogs
  - xfsprogs-xfs_scrub
  - attr
  - acl
  - shadow-utils
  - shadow-utils-subid
  - fuse3
  - squashfs-tools
  - star
  - gzip
  - pigz
  - bzip2
  - zstd
  - xz
  - unzip
  - p7zip
  - numactl
  - iproute
  - iproute-tc
  - iptables-nft
  - nftables
  - conntrack-tools
  - ipset
  - ethtool
  - net-tools
  - iputils
  - traceroute
  - mtr
  - telnet
  - whois
  #- socat
  - bind-utils
  #- tcpdump
  - cifs-utils
  - nfsv4-client-utils
  - nfs4-acl-tools
  - libseccomp
  - psutils
  - python3
  - python3-pip
  - python3-psutil
  - python3-policycoreutils
  - policycoreutils-python-utils
  - bash-completion
  - vim-minimal
  - wget
  - jq
  - awscli-2
  - ec2rl
  - ec2-utils
  #- htop
  #- sysstat
  - fio
  #- inotify-tools
  #- rsync
  # Docker related packages
  - docker
  - containerd
  - runc
  - container-selinux
  - cni-plugins
  - oci-add-hooks
  - amazon-ecr-credential-helper
  - udica
  # AWS related packages
  - amazon-ssm-agent
  - amazon-cloudwatch-agent
  - amazon-efs-utils
  - ec2-instance-connect
  - ec2-instance-connect-selinux
  # Optional utilities
  #- smart-restart
  #- python3-dnf-plugin-post-transaction-actions
  #- kpatch-dnf
  #- kpatch-runtime
  # Ansible
  #- ansible
  #- ansible-core
  #- sshpass

manage_resolv_conf: true
resolv_conf:
   nameservers: ['169.254.169.253']
   searchdomains:
     - ec2.internal
   domain: ec2.internal
   options:
     timeout: 5

# set the locale to a given locale
# default: en_US.UTF-8
locale: en_US.UTF-8

# disable ssh access as root.
# if you want to be able to ssh in to the system as the root user
# rather than as the 'ubuntu' user, then you must set this to false
# default: true
disable_root: true

write_files:
  - path: /etc/motd.d/31-banner
    content: |
      ,     #_
      ~\_  ####_
      ~~  \_#####\
      ~~     \###|
      ~~       \#/ ___   Amazon Linux 2023 (Docker Optimized)
      ~~       V~' '->
      ~~~         /
        ~~._.   _/
           _/ _/
         _/m/'
  - path: /etc/systemd/journald.conf.d/00-override.conf
    content: |
      [Journal]
      SystemMaxUse=100M
      RuntimeMaxUse=100M
      RuntimeMaxFileSize=10M
      RateLimitIntervals=1s
      RateLimitBurst=10000
  - path: /etc/docker/daemon.json
    content: |
      {
        "debug": false,
        "experimental": false,
        "exec-opts": ["native.cgroupdriver=systemd"],
        "userland-proxy": false,
        "live-restore": true,
        "log-level": "warn",
        "log-driver": "json-file",
        "log-opts": {
          "max-size": "100m",
          "max-file": "3"
        }
      }
  - path: /etc/systemd/system/amazon-ssm-agent.service.d/00-override.conf
    permissions: "0644"
    content: |
      [Unit]
      # To have a service start after cloud-init.target it requires the
      # addition of DefaultDependencies=no due to the following default
      # DefaultDependencies=y, which results in the default target e.g.
      # multi-user.target to depending on the service.
      #
      # See the follow for more details: https://serverfault.com/a/973985
      Wants=network-online.target
      After=network-online.target nss-lookup.target cloud-init.target
      DefaultDependencies=no
      ConditionFileIsExecutable=/usr/bin/amazon-ssm-agent
  - path: /etc/systemd/system/amazon-cloudwatch-agent.d/00-override.conf
    content: |
      [Unit]
      Wants=network-online.target
      After=network-online.target nss-lookup.target cloud-init.target
      DefaultDependencies=no
      ConditionFileIsExecutable=/opt/aws/amazon-cloudwatch-agent/bin/start-amazon-cloudwatch-agent
 
runcmd:
  # System Configuration
  - [ touch, /etc/dnf/vars/releasever ]
  #- [ bash, -c, 'echo "latest" > /etc/dnf/vars/releasever' ]
  - [ localectl, set-locale, LANG=en_US.UTF-8 ]
  - [ timedatectl, set-timezone, Etc/UTC ]
  - [ timedatectl, set-ntp, true ]
  - [ ln, -s, /dev/null, /etc/motd.d/30-banner ]
  # Enable and start services
  - [ systemctl, daemon-reload ]
  - [ systemctl, enable, --now, chronyd ]
  #- [ systemctl, enable, --now, amazon-ssm-agent ]
  #- [ systemctl, enable, --now, amazon-cloudwatch-agent ]
  #- [ systemctl, enable, --now, kpatch.service ]
  # Setup Docker
  - systemctl enable --now docker.service containerd.service
  - groupadd docker
  - usermod -aG docker ec2-user
  # Install Docker Compose v2
  - mkdir -p /usr/local/lib/docker/cli-plugins
  - curl -sL https://github.com/docker/compose/releases/latest/download/docker-compose-linux-$(uname -m) -o /usr/local/lib/docker/cli-plugins/docker-compose
  - chmod +x /usr/local/lib/docker/cli-plugins/docker-compose
  # Configure services
  - systemctl enable --now chronyd
  - systemctl enable --now amazon-ssm-agent
  - systemctl enable --now amazon-cloudwatch-agent
  # User environment setup
  - [ loginctl, enable-linger, ec2-user ]
  - mkdir -p /home/ec2-user/bin
  - mkdir -p /home/ec2-user/.config/{systemd,environment.d}
  - mkdir -p /home/ec2-user/.config/systemd/user/sockets.target.wants
  - mkdir -p /home/ec2-user/.local/share/systemd/user
  - mkdir -p /home/ec2-user/.local/bin
  - chown -R ec2-user:ec2-user /home/ec2-user
  # Configure AWS CLI for ec2-user
  - su - ec2-user -c "aws configure set default.region $(curl -s http://169.254.169.254/latest/meta-data/placement/region)"
  - su - ec2-user -c "aws configure set default.sts_regional_endpoints regional"
  - su - ec2-user -c "aws configure set default.credential_source Ec2InstanceMetadata"
  - su - ec2-user -c "aws configure set default.duration_seconds 3600"
  - su - ec2-user -c "aws configure set default.cli_pager ''"
  - su - ec2-user -c "aws configure set default.output json"

final_message: "System configuration completed."

power_state:
  mode: reboot
  message: Rebooting after system configuration
  condition: True