# Default EC2 macOS Init init.toml config for mac1.metal instances

# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"). You
# may not use this file except in compliance with the License. A copy of
# the License is located at
#
# http://aws.amazon.com/apache2.0/
#
# or in the "license" file accompanying this file. This file is
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
# ANY KIND, either express or implied. See the License for the specific
# language governing permissions and limitations under the License.


### Group 1 ###
## Making sure unnecessary resources are disabled

# Disable Ethernet
[[Module]]
    Name = "DisableEthernet"
    PriorityGroup = 1 # First group
    RunPerBoot = true # Run every boot
    FatalOnError = true # Fatal if there's an error - this must succeed
    [Module.Command]
        Cmd = ["/usr/sbin/networksetup", "-setnetworkserviceenabled", "Ethernet", "off"]

# Unmount Local SSD
[[Module]]
    Name = "UnmountLocalSSD"
    PriorityGroup = 1 # First group
    RunPerBoot = true # Run every boot
    FatalOnError = false # Best effort, don't fatal on error
    [Module.Command]
        Cmd = ["/bin/zsh", "-c", "diskutil list internal physical | egrep -o '^/dev/disk\\d+' | xargs diskutil eject || true"]

### Group 2 ###
## The only task in the first group is to make sure the network is up.  Some of the subsequent actions require
## a connection to IMDS and will fail if this check doesn't pass.

# Checks that the network is up
[[Module]]
    Name = "CheckNetworkIsUp"
    PriorityGroup = 2 # Second group
    RunPerBoot = true # Run every boot
    FatalOnError = true # Fatal if there's an error - this must succeed
    [Module.NetworkCheck]
        PingCount = 3 # Three attempts

### Group 3 ###
## The second group has many actions that can be run in parallel including:
##   1. Optimize kernel and networking parameters
##   2. Disable auto-update
##   3. Apply suggested SSHD security settings
##   4. Reset a random password for ec2-user
##   5. Set the default timezone (GMT)
##   6. Set timed to use Amazon Time Sync Service
##   7. Update MOTD
##   8. Remove SSH group
##   9. Grow root APFS volume to max EBS volume size

# Set suggested default system configuration settings
# These kernel and networking parameters are suggested by EC2 for optimal instance performance.
[[Module]]
    Name = "EC2SuggestedDefaultConfigPerformance"
    PriorityGroup = 3 # Third group
    RunPerBoot = true # Run every boot to enforce these parameters
    FatalOnError = false # Best effort, don't fatal on error
    [Module.SystemConfig]
        [[Module.SystemConfig.Sysctl]]
            value = "kern.aiomax=900"
        [[Module.SystemConfig.Sysctl]]
            value = "kern.aioprocmax=256"
        [[Module.SystemConfig.Sysctl]]
            value = "kern.aiothreads=64"
        [[Module.SystemConfig.Sysctl]]
            value = "net.inet.tcp.win_scale_factor=8"
        [[Module.SystemConfig.Sysctl]]
            value = "net.inet.tcp.autorcvbufmax=33554432"
        [[Module.SystemConfig.Sysctl]]
            value = "net.inet.tcp.autosndbufmax=33554432"
        [[Module.SystemConfig.Sysctl]]
            value = "net.inet.tcp.sendspace=1048576"
        [[Module.SystemConfig.Sysctl]]
            value = "net.inet.tcp.recvspace=1048576"
        [[Module.SystemConfig.Sysctl]]
            value = "net.link.generic.system.rcvq_maxlen=1024"
        [[Module.SystemConfig.Defaults]]
            plist = "/Library/Preferences/com.apple.SoftwareUpdate.plist"
            parameter = "AutomaticallyInstallMacOSUpdates"
            type = "bool"
            value = "false"
        [[Module.SystemConfig.Defaults]]
            plist = "/Library/Preferences/com.apple.SoftwareUpdate.plist"
            parameter = "AutomaticCheckEnabled"
            type = "bool"
            value = "false"
        [[Module.SystemConfig.Defaults]]
            plist = "/Library/Preferences/com.apple.SoftwareUpdate.plist"
            parameter = "AutomaticDownload"
            type = "bool"
            value = "false"
        [[Module.SystemConfig.Defaults]]
            plist = "/Library/Preferences/com.apple.SoftwareUpdate.plist"
            parameter = "CriticalUpdateInstall"
            type = "bool"
            value = "false"
        [[Module.SystemConfig.Defaults]]
            plist = "/Library/Preferences/com.apple.SoftwareUpdate.plist"
            parameter = "ConfigDataInstall"
            type = "bool"
            value = "false"

# Apply secure settings to SSHD on every boot
# To manage ssh_config separately, disable this module
[[Module]]
    Name = "EC2SuggestedDefaultConfigSecurity"
    PriorityGroup = 3 # Third group
    RunPerBoot = true # Run every boot to enforce these parameters
    FatalOnError = true # Security settings, must succeed
    [Module.SystemConfig]
        secureSSHDConfig = true

# Set a random password for ec2-user
[[Module]]
    Name = "ManageEC2User"
    PriorityGroup = 3 # Third group
    RunOnce = true # Run only on the first boot
    FatalOnError = true # Must succeed
    [Module.UserManagement]
        User = "ec2-user" # This user must exist locally in /Users/
        RandomizePassword = true # default is true

# Set timezone as GMT
[[Module]]
    Name = "SetDefaultTimezone"
    PriorityGroup = 3 # Third group
    RunOnce = true # Run only on the first boot
    FatalOnError = false # Best effort, don't fatal on error
    [Module.Command]
        Cmd = ["systemsetup", "-settimezone", "GMT"] # Use systemsetup to set property

# Set timed to use Amazon Time Sync Service
# 169.254.169.123 is the address for Amazon Time Sync in all regions
[[Module]]
    Name = "SetAmazonTimeSync"
    PriorityGroup = 3 # Third group
    RunOnce = true # Run only on the first boot
    FatalOnError = false # Best effort, don't fatal on error
    [Module.Command]
        Cmd = ["systemsetup", "-setusingnetworktime", "on", "-setnetworktimeserver", "169.254.169.123"] # Use systemsetup to set property

# Disable sleep
[[Module]]
    Name = "NeverSleep"
    PriorityGroup = 3 # Third group
    RunOnce = true # Run only on the first boot
    FatalOnError = false # Best effort, don't fatal on error
    [Module.Command]
        Cmd = ["sudo", "pmset", "-a", "sleep", "0"]

[[Module]]
    Name = "NeverSleepDisplay"
    PriorityGroup = 3 # Third group
    RunOnce = true # Run only on the first boot
    FatalOnError = false # Best effort, don't fatal on error
    [Module.Command]
        Cmd = ["sudo", "pmset", "-a", "displaysleep", "0"]

[[Module]]
    Name = "DisableSleep"
    PriorityGroup = 3 # Third group
    RunOnce = true # Run only on the first boot
    FatalOnError = false # Best effort, don't fatal on error
    [Module.Command]
        Cmd = ["sudo", "pmset", "-a", "disablesleep", "1"]

# Update MOTD to contain the current OS version and name
[[Module]]
    Name = "UpdateMOTD"
    PriorityGroup = 3 # Third group
    RunPerBoot = true # Run every boot
    FatalOnError = false # Best effort, don't fatal on error
    [Module.MOTD]
        UpdateName = true # Update the macOS version string in /etc/motd with that latest name and os product version number

# Remove SSH group, if it exists
[[Module]]
    Name = "RemoveSSHGroup"
    PriorityGroup = 3 # Third group
    RunOnce = true # Run only on the first boot
    FatalOnError = false # Best effort, don't fatal on error
    [Module.Command]
        Cmd = ["/bin/zsh", "-c", "dscl /Local/Default delete /Groups/com.apple.access_ssh || true"] # Use dscl to delete group

# Disable WiFi
[[Module]]
    Name = "DisableWiFi"
    PriorityGroup = 3 # Third group
    RunPerBoot = true # Run every boot
    FatalOnError = false # Best effort, don't fatal on error
    [Module.Command]
        Cmd = ["/bin/zsh", "-c", 'wifidevice="$(networksetup -listallhardwareports | grep -A 1 "Wi-Fi" | tail -n 1 | cut -d " " -f2)"; if [[ ! -z $wifidevice ]]; then networksetup -setairportpower $wifidevice off; fi'] # Turn off wifi device

# Grow the root APFS volume to the maximum size of the EBS volume
[[Module]]
    Name = "GrowRootAPFSVolume"
    PriorityGroup = 3 # Third group
    RunPerInstance = true # Run only on the first boot
    FatalOnError = false # Best effort, don't fatal on error
    [Module.Command]
        Cmd = ["/bin/zsh", "-c", "ec2-macos-utils grow --id root"] # Use ec2-macos-utils to grow the container

### Group 4 ###
## This group gets keys from IMDS and allows ssh access to the instance.

# Get SSH keys from IMDS
[[Module]]
    Name = "GetSSHKeys"
    PriorityGroup = 4 # Fourth group
    FatalOnError = true # Exit on failure - this is required to log in.
    RunPerInstance = true # Run only once per instance
    [Module.SSHKeys]
        GetIMDSOpenSSHKey = true # Get the key from IMDS
        User = "ec2-user" # Apply the key to ec2-user
        DedupKeys = true # Remove duplicate keys
        OverwriteAuthorizedKeys = false # Append to authorized_keys to avoid erasing any additional keys on future instances

### Group 5 ###
## Finally, run user data.

# Attempt to execute userdata, if provided
[[Module]]
    Name = "ExecuteUserData"
    PriorityGroup = 5 # Fifth group
    RunPerInstance = true # Run once per instance
    FatalOnError = false # Best effort, don't fatal on error
    [Module.UserData]
        ExecuteUserData = true # Execute the userdata