opnsense-src/release/tools/ec2.conf

#!/bin/sh

# Package which should be installed onto all EC2 AMIs:
# * ebsnvme-id, which is very minimal and provides important EBS-specific
# functionality,
export VM_EXTRA_PACKAGES="${VM_EXTRA_PACKAGES} ebsnvme-id"

# Services which should be enabled by default in rc.conf(5).
export VM_RC_LIST="dev_aws_disk ntpd"

# Build with a 7.9 GB partition; the growfs rc.d script will expand
# the partition to fill the root disk after the EC2 instance is launched.
# Note that if this is set to <N>G, we will end up with an <N+1> GB disk
# image since VMSIZE is the size of the filesystem partition, not the disk
# which it resides within.
export VMSIZE=8000m

# No swap space; it doesn't make sense to provision any as part of the disk
# image when we could be launching onto a system with anywhere between 0.5
# and 4096 GB of RAM.
export NOSWAP=YES

ec2_common() {
	# Delete the pkg package and the repo database; they will likely be
	# long out of date before the EC2 instance is launched.
	mount -t devfs devfs ${DESTDIR}/dev
	chroot ${DESTDIR} ${EMULATOR} env ASSUME_ALWAYS_YES=yes \
		/usr/sbin/pkg delete -f -y pkg
	umount ${DESTDIR}/dev
	rm -r ${DESTDIR}/var/db/pkg/repos/FreeBSD

	# Turn off IPv6 Duplicate Address Detection; the EC2 networking
	# configuration makes it unnecessary.
	echo 'net.inet6.ip6.dad_count=0' >> ${DESTDIR}/etc/sysctl.conf

	# Booting quickly is more important than giving users a chance to
	# access the boot loader via the serial port.
	echo 'autoboot_delay="-1"' >> ${DESTDIR}/boot/loader.conf
	echo 'beastie_disable="YES"' >> ${DESTDIR}/boot/loader.conf

	# The EFI RNG on Graviton 2 is particularly slow if we ask for the
	# default 2048 bytes of entropy; ask for 64 bytes instead.
	echo 'entropy_efi_seed_size="64"' >> ${DESTDIR}/boot/loader.conf

	# Tell gptboot not to wait 3 seconds for a keypress which will
	# never arrive.
	printf -- "-n\n" > ${DESTDIR}/boot.config

	# The emulated keyboard attached to EC2 instances is inaccessible to
	# users, and there is no mouse attached at all; disable to keyboard
	# and the keyboard controller (to which the mouse would attach, if
	# one existed) in order to save time in device probing.
	echo 'hint.atkbd.0.disabled=1' >> ${DESTDIR}/boot/loader.conf
	echo 'hint.atkbdc.0.disabled=1' >> ${DESTDIR}/boot/loader.conf

	# There is no floppy drive on EC2 instances so disable the driver.
	echo 'hint.fd.0.disabled=1' >> ${DESTDIR}/boot/loader.conf
	echo 'hint.fdc.0.disabled=1' >> ${DESTDIR}/boot/loader.conf

	# There is no parallel port on EC2 instances so disable driver.
	echo 'hint.ppc.0.disabled=1' >> ${DESTDIR}/boot/loader.conf

	# EC2 has two consoles: An emulated serial port ("system log"),
	# which has been present since 2006; and a VGA console ("instance
	# screenshot") which was introduced in 2016.
	echo 'boot_multicons="YES"' >> ${DESTDIR}/boot/loader.conf

	# Some older EC2 hardware used a version of Xen with a bug in its
	# emulated serial port.  It is not clear if EC2 still has any such
	# nodes, but apply the workaround just in case.
	echo 'hw.broken_txfifo="1"' >> ${DESTDIR}/boot/loader.conf

	# Graviton 1 through Graviton 4 have a bug in their ACPI where they
	# mark the PL061's pins as needing to be configured in PullUp mode
	# (in fact the PL061 has no pullup/pulldown resistors).
	echo 'debug.acpi.quirks="8"' >> ${DESTDIR}/boot/loader.conf

	# Load the kernel module for the Amazon "Elastic Network Adapter"
	echo 'if_ena_load="YES"' >> ${DESTDIR}/boot/loader.conf

	# Use the "nda" driver for accessing NVMe disks rather than the
	# historical "nvd" driver.
	echo 'hw.nvme.use_nvd="0"' >> ${DESTDIR}/boot/loader.conf

	# Disable KbdInteractiveAuthentication according to EC2 requirements.
	sed -i '' -e \
		's/^#KbdInteractiveAuthentication yes/KbdInteractiveAuthentication no/' \
		${DESTDIR}/etc/ssh/sshd_config

	# RSA host keys are obsolete and also very slow to generate
	echo 'sshd_rsa_enable="NO"' >> ${DESTDIR}/etc/rc.conf

	# Use FreeBSD Update mirrors hosted in AWS
	sed -i '' -e 's/update.FreeBSD.org/aws.update.FreeBSD.org/' \
		${DESTDIR}/etc/freebsd-update.conf

	# Use the NTP service provided by Amazon
	sed -i '' -e 's/^pool/#pool/' \
		-e '1,/^#server/s/^#server.*/server 169.254.169.123 iburst/' \
		${DESTDIR}/etc/ntp.conf

	# Provide a map for accessing Elastic File System mounts
	cat > ${DESTDIR}/etc/autofs/special_efs <<'EOF'
#!/bin/sh

if [ $# -eq 0 ]; then
        # No way to know which EFS filesystems exist and are
        # accessible to this EC2 instance.
        exit 0
fi

# Provide instructions on how to mount the requested filesystem.
FS=$1
REGION=`fetch -qo- http://169.254.169.254/latest/meta-data/placement/availability-zone | sed -e 's/[a-z]$//'`
echo "-nfsv4,minorversion=1,oneopenown ${FS}.efs.${REGION}.amazonaws.com:/"
EOF
	chmod 755 ${DESTDIR}/etc/autofs/special_efs

	# The first time the AMI boots, run "first boot" scripts.
	touch ${DESTDIR}/firstboot

	return 0
}

ec2_base_networking () {
	# EC2 instances use DHCP to get their network configuration.  IPv6
	# requires accept_rtadv.
	echo 'ifconfig_DEFAULT="SYNCDHCP accept_rtadv"' >> ${DESTDIR}/etc/rc.conf

	# The EC2 DHCP server can be trusted to know whether an IP address is
	# assigned to us; we don't need to ARP to check if anyone else is using
	# the address before we start using it.
	echo 'dhclient_arpwait="NO"' >> ${DESTDIR}/etc/rc.conf

	# Enable IPv6 on all interfaces, and spawn DHCPv6 via rtsold
	echo 'ipv6_activate_all_interfaces="YES"' >> ${DESTDIR}/etc/rc.conf
	echo 'rtsold_enable="YES"' >> ${DESTDIR}/etc/rc.conf
	echo 'rtsold_flags="-M /usr/local/libexec/rtsold-M -a"' >> ${DESTDIR}/etc/rc.conf

	# Provide a script which rtsold can use to launch DHCPv6
	mkdir -p ${DESTDIR}/usr/local/libexec
	cat > ${DESTDIR}/usr/local/libexec/rtsold-M <<'EOF'
#!/bin/sh

/usr/local/sbin/dhclient -6 -nw -N -cf /dev/null $1
EOF
	chmod 755 ${DESTDIR}/usr/local/libexec/rtsold-M

	return 0
}