ci: add nigthly clean routine

.github/scripts/azure-new-instance.sh

@@ -37,6 +37,8 @@ else
     IMAGE_NAME="redhat:rhel-cvm:9_3_cvm_sev_snp:latest"
   fi
 
+  IMAGE_NAME="/subscriptions/e04f52be-d51f-43fe-95f8-d63a8fc91464/resourceGroups/packer-snp/providers/Microsoft.Compute/galleries/cosmian_packer/images/cosmian-vm-${DISTRIB}-${TECHNO}/versions/1.2.2"
+
   az vm create -g packer-snp -n "$NAME" \
     --image "$IMAGE_NAME" \
     --security-type ConfidentialVM \

.github/workflows/aws_ansible.yml

@@ -114,7 +114,7 @@ jobs:
           for i in {1..1}
           do
             echo "Iteration: $i"
-            ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u $SSH_USER --private-key="$HOME/packer.pem" -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} -e '{ "check_app_test_reboot": false, "check_cosmian_vm_test_reboot": false, "reboot_allowed": false }' --tags playbook-base-image,playbook-${{ inputs.product }},check-${{ inputs.product }}
+            ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u $SSH_USER --private-key="$HOME/packer.pem" -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} -e '{ "check_app_test_reboot": false, "check_cosmian_vm_test_reboot": false, "reboot_allowed": false }' --tags playbook-base-image,playbook-${{ inputs.product }},check-${{ inputs.product }} --skip-tags role-cleanup
           done
 
       - name: Stop and delete AWS instance

.github/workflows/gcp_ansible.yml

@@ -146,7 +146,7 @@ jobs:
           for i in {1..1}
           do
             echo "Iteration: $i"
-            ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u cosmian -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }}
+            ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u cosmian -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} --skip-tags role-cleanup
           done
 
       - name: Stop and delete GCP instance

.github/workflows/nightly_clean.yml

@@ -0,0 +1,21 @@
+---
+name: Nightly clean cloud providers resources
+
+on:
+  schedule:
+    # every day at 0 AM
+    - cron: 00 0 * * *
+  workflow_dispatch:
+
+jobs:
+  azure:
+    uses: ./.github/workflows/azure_clean.yml
+    secrets: inherit
+
+  gcp:
+    uses: ./.github/workflows/gcp_clean.yml
+    secrets: inherit
+
+  aws:
+    uses: ./.github/workflows/aws_clean.yml
+    secrets: inherit

.github/workflows/nightly_marketplaces.yml

@@ -8,7 +8,7 @@ on:
       - '**'
   # schedule:
   #   # every day at 0 AM
-  #   - cron: 00 0 * * *
+  #   - cron: 00 1 * * *
   workflow_dispatch:
 
 jobs:

CHANGELOG.md

@@ -6,7 +6,7 @@ All notable changes to this project will be documented in this file.
 
 ### Bug Fixes
 
-- Upgrade base image to 0.1.5: clean all authorized_keys ([#139](https://github.com/Cosmian/cosmian_vm/pull/139))
+- Upgrade base image to 0.1.5: clean all authorized_keys and users ([#140](https://github.com/Cosmian/cosmian_vm/pull/140))
 
 ## [1.2.2] - 2024-06-13
 

ansible/README.md

@@ -6,7 +6,9 @@
 
 ## [0.1.5] - 2024-06-15
 
-- RHEL/Ubuntu: clean all authorized_keys ([#139](https://github.com/Cosmian/cosmian_vm/pull/139))
+- Clean RHEL/Ubuntu after builds: ([#140](https://github.com/Cosmian/cosmian_vm/pull/140))
+  - clean all authorized_keys
+  - clean users
 
 ## [0.1.4] - 2024-06-12
 

ansible/ai-runner-packer-playbook.yml

@@ -7,3 +7,5 @@
   become: true
   roles:
     - ai_runner
+    - role: cleanup
+      tags: role-cleanup

ansible/cosmian-vm-packer-playbook.yml

@@ -6,3 +6,5 @@
     - check_cpu
     - role: cosmian_vm_agent
       tags: role_cosmian_vm_agent
+    - role: cleanup
+      tags: role-cleanup

ansible/kms-packer-playbook.yml

@@ -7,3 +7,5 @@
   become: true
   roles:
     - kms
+    - role: cleanup
+      tags: role-cleanup

ansible/roles/cleanup/tasks/main.yml

@@ -14,7 +14,7 @@
     patterns: authorized_keys
   register: authorized_keys
 
-- name: Display authorized_keys authorized_keys
+- name: Display authorized_keys
   ansible.builtin.debug:
     var: authorized_keys
 
@@ -37,3 +37,42 @@
 - name: Display authorized_keys authorized_keys
   ansible.builtin.debug:
     var: authorized_keys
+
+- name: Find immediate subdirectories in /home
+  ansible.builtin.find:
+    paths: /home
+    file_type: directory
+    recurse: false
+  register: home_subdirs
+
+- name: Display usernames with home directories
+  ansible.legacy.debug:
+    var: users_with_home_dirs
+
+- name: Extract usernames from home directories
+  ansible.builtin.set_fact:
+    users_with_home_dirs: "{{ home_subdirs.files | map(attribute='path') | map('basename') | list }}"
+
+- name: Display usernames with home directories
+  ansible.legacy.debug:
+    var: users_with_home_dirs
+
+- name: Remove non-essential users
+  ansible.builtin.user:
+    name: "{{ item }}"
+    state: absent
+    remove: true
+    force: true
+  with_items: "{{ users_with_home_dirs }}"
+
+- name: Check immediate subdirectories in /home
+  ansible.builtin.find:
+    paths: /home
+    file_type: directory
+    recurse: false
+  register: home_subdirs
+  changed_when: home_subdirs != 0
+
+- name: Display usernames with home directories
+  ansible.legacy.debug:
+    var: users_with_home_dirs