supabase · samrose · Jan 19, 2026 · Jan 19, 2026 · Jan 30, 2026 · Jan 31, 2026
@@ -1,6 +1,6 @@
 variable "ami" {
   type    = string
-  default = "ubuntu/images/hvm-ssd-gp3/ubuntu-noble-24.04-arm64-server-*"
+  default = "ubuntu-minimal/images/hvm-ssd-gp3/ubuntu-noble-24.04-arm64-minimal-*"
 }
 
 variable "profile" {

@@ -1,21 +1,40 @@
+# IMPORTANT: Do NOT use autoremove: true in these tasks!
+# Autoremove causes cascading removal of cloud-init and breaks SSH on the AMI.
+# Autoremove is handled safely in 90-cleanup.sh after apt-mark protection.
+
 - name: Remove build dependencies
   ansible.builtin.apt:
-    autoremove: true
+    autoremove: false
     pkg:
+      # Build tools installed by Ansible tasks
       - bison
       - build-essential
       - clang-11
       - cmake
       - cpp
       - flex
       - g++
-      - g++-10
       - g++-9
+      - g++-10
       - gcc-10
       - make
-      - manpages
-      - manpages-dev
       - ninja-build
       - patch
       - python2
+      # Dev headers installed for compilation
+      - libc6-dev
+      - libcrypt-dev
+      - libevent-dev
+      - libpcre3-dev
+      - libssl-dev
+      - linux-headers-aws
+      - linux-libc-dev
+      - pkg-config
+      - pkgconf
+      - pkgconf-bin
+      - zlib1g-dev
+      # Security: credential handling
+      - sshpass
+      # Build tool leftovers
+      - ansible-core
     state: 'absent'
@@ -38,12 +38,25 @@ elif [ -n "$(command -v apt-get)" ]; then
 	ansible \
         snapd
 
-  add-apt-repository --yes --remove ppa:ansible/ansible
+  # Remove ansible PPA directly (software-properties-common may not be installed)
+  rm -f /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.list \
+        /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.sources 2>/dev/null || true
 
   source /etc/os-release
 
+  # Protect critical runtime packages from autoremove
   apt-mark manual libevent-2.1-7t64
 
+  # Ensure cloud-init and openssh-server are installed
+  # They may have been removed as dependencies during package cleanup
+  apt-get -y install --no-install-recommends cloud-init openssh-server
+
+  # Protect SSH and cloud-init dependencies from autoremove
+  # Without these, the image won't be accessible via SSH after boot
+  apt-mark manual openssh-server cloud-init python3-systemd python3-jinja2 \
+    python3-yaml python3-oauthlib python3-configobj python3-requests \
+    python3-urllib3 python3-certifi python3-chardet python3-idna || true
+
   apt-get remove -y --purge ansible-core apport appstream bash-completion bcache-tools bind9-dnsutils bind9-host bind9-libs bolt btrfs-progs byobu command-not-found console-setup distro-info eject fonts-ubuntu-console friendly-recovery ftp fwupd gawk gdisk keyboard-configuration libvolume-key1 libssl-dev lvm2 lxd-agent-loader man-db mdadm modemmanager mtd-utils nano netcat-openbsd nfs-common ntfs-3g parted pastebinit screen strace thin-provisioning-tools tmux usb-modeswitch vim vim-runtime wget whiptail xfsprogs
 
   apt remove -y --purge libc6-dev linux-libc-dev libevent-dev libpcre3-dev libsystemd-dev packagekit multipath-tools unattended-upgrades plymouth gnupg open-vm-tools xauth lxd-installer publicsuffix libclang-cpp18 python3-twisted python-babel-localedata libicu74 python3-pygments fonts-dejavu* python3-botocore

@@ -1,62 +1,45 @@
 #!/bin/bash
-
-# DigitalOcean Marketplace Image Validation Tool
-# © 2021 DigitalOcean LLC.
-# This code is licensed under Apache 2.0 license (see LICENSE.md for details)
-
 set -o errexit
 
-# Ensure /tmp exists and has the proper permissions before
-# checking for security updates
-# https://github.com/digitalocean/marketplace-partners/issues/94
+# Ensure /tmp exists and has proper permissions
 if [[ ! -d /tmp ]]; then
   mkdir /tmp
 fi
 chmod 1777 /tmp
 
-if [ -n "$(command -v yum)" ]; then
-  yum update -y
-  yum clean all
-elif [ -n "$(command -v apt-get)" ]; then
-  # Cleanup more packages
-  apt-get -y remove --purge \
-	automake \
- 	autoconf \
-	autotools-dev \
- 	cmake-data \
-	cpp-9  \
-	cpp-10  \
-	gcc-9  \
-	gcc-10  \
-	git  \
-	git-man  \
-	ansible \
-	libicu-dev \
-	libcgal-dev \
-	libgcc-9-dev \
- 	ansible
-
-  add-apt-repository --yes --remove ppa:ansible/ansible
+# Update system
+if [ -n "$(command -v apt-get)" ]; then
+  # Remove ansible PPA directly (software-properties-common may not be installed)
+  rm -f /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.list \
+        /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.sources 2>/dev/null || true
 
-  source /etc/os-release
-
   apt-get -y update
   apt-get -y upgrade
   apt-get -y autoremove
   apt-get -y autoclean
 fi
+
+# Clean temp files
 rm -rf /tmp/* /var/tmp/*
+
+# Clear history
 history -c
 cat /dev/null > /root/.bash_history
 unset HISTFILE
+
+# Clean logs
 find /var/log -mtime -1 -type f -exec truncate -s 0 {} \;
 rm -rf /var/log/*.gz /var/log/*.[0-9] /var/log/*-????????
+
+# Clean cloud-init for fresh start
 rm -rf /var/lib/cloud/instances/*
+
+# Remove SSH keys (cloud-init regenerates on boot)
 rm -f /root/.ssh/authorized_keys /etc/ssh/*key*
 touch /etc/ssh/revoked_keys
 chmod 600 /etc/ssh/revoked_keys
 
-# Securely erase the unused portion of the filesystem
+# Securely erase unused disk space
 GREEN='\033[0;32m'
 NC='\033[0m'
 printf "\n${GREEN}Writing zeros to the remaining disk space to securely
@@ -67,11 +50,12 @@ The secure erase will complete successfully when you see:${NC}
 Beginning secure erase now\n"
 
 dd if=/dev/zero of=/zerofile &
-  PID=$!
-  while [ -d /proc/$PID ]
-    do
-      printf "."
-      sleep 5
-    done
+PID=$!
+while [ -d /proc/$PID ]; do
+  printf "."
+  sleep 5
+done
 sync; rm /zerofile; sync
-cat /dev/null > /var/log/lastlog; cat /dev/null > /var/log/wtmp
+
+cat /dev/null > /var/log/lastlog
+cat /dev/null > /var/log/wtmp