proxy ami building

t-aleksander · t-aleksander · commit 0f9ab1353d9a · 2025-07-25T11:05:21.000+02:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,84 +2,92 @@ name: Make a new release
 
 on:
   push:
-    tags:
-      - v*.*.*
+    # tags:
+    #   - v*.*.*
+    branches:
+      - proxy-ami
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
-  build-docker-release:
-    # Ignore tags with -, like v1.0.0-alpha
-    # This job will build the docker container with the "latest" tag which
-    # is a tag used in production, thus it should only be run for full releases.
-    if: startsWith(github.ref, 'refs/tags/') && !contains(github.ref, '-')
-    name: Build Release Docker image
-    uses: ./.github/workflows/build-docker.yml
-    with:
-      tags: |
-        type=raw,value=latest
-        type=semver,pattern={{version}}
-        type=semver,pattern={{major}}.{{minor}}
-        type=sha
-
-  build-docker-prerelease:
-    # Only build tags with -, like v1.0.0-alpha
-    if: startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-')
-    name: Build Pre-release Docker image
-    uses: ./.github/workflows/build-docker.yml
-    with:
-      tags: |
-        type=raw,value=pre-release
-        type=semver,pattern={{version}}
-        type=sha
-      # Explicitly disable latest tag. It will be added otherwise.
-      flavor: |
-        latest=false
-
-  create-release:
-    name: create-release
-    runs-on: self-hosted
-    outputs:
-      upload_url: ${{ steps.release.outputs.upload_url }}
-    steps:
-      - name: Create GitHub release
-        id: release
-        uses: softprops/action-gh-release@v1
-        if: startsWith(github.ref, 'refs/tags/')
-        with:
-          draft: true
-          generate_release_notes: true
+  # build-docker-release:
+  #   # Ignore tags with -, like v1.0.0-alpha
+  #   # This job will build the docker container with the "latest" tag which
+  #   # is a tag used in production, thus it should only be run for full releases.
+  #   if: startsWith(github.ref, 'refs/tags/') && !contains(github.ref, '-')
+  #   name: Build Release Docker image
+  #   uses: ./.github/workflows/build-docker.yml
+  #   with:
+  #     tags: |
+  #       type=raw,value=latest
+  #       type=semver,pattern={{version}}
+  #       type=semver,pattern={{major}}.{{minor}}
+  #       type=sha
+
+  # build-docker-prerelease:
+  #   # Only build tags with -, like v1.0.0-alpha
+  #   if: startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-')
+  #   name: Build Pre-release Docker image
+  #   uses: ./.github/workflows/build-docker.yml
+  #   with:
+  #     tags: |
+  #       type=raw,value=pre-release
+  #       type=semver,pattern={{version}}
+  #       type=sha
+  #     # Explicitly disable latest tag. It will be added otherwise.
+  #     flavor: |
+  #       latest=false
+
+  # create-release:
+  #   name: create-release
+  #   runs-on: self-hosted
+  #   outputs:
+  #     upload_url: ${{ steps.release.outputs.upload_url }}
+  #   steps:
+  #     - name: Create GitHub release
+  #       id: release
+  #       uses: softprops/action-gh-release@v1
+  #       if: startsWith(github.ref, 'refs/tags/')
+  #       with:
+  #         draft: true
+  #         generate_release_notes: true
 
   build-binaries:
-    needs: [create-release]
+    # needs: [create-release]
     runs-on:
       - self-hosted
       - ${{ matrix.os }}
       - X64
     strategy:
       fail-fast: false
       matrix:
-        build: [linux, linux-arm64, freebsd]
+        # build: [linux, linux-arm64, freebsd]
+        build: [linux]
         include:
           - build: linux
             arch: amd64
             os: Linux
             target: x86_64-unknown-linux-gnu
-          - build: linux-arm64
-            arch: arm64
-            os: Linux
-            target: aarch64-unknown-linux-gnu
-          - build: freebsd
-            arch: amd64
-            os: Linux
-            target: x86_64-unknown-freebsd
+          # - build: linux-arm64
+          #   arch: arm64
+          #   os: Linux
+          #   target: aarch64-unknown-linux-gnu
+          # - build: freebsd
+          #   arch: amd64
+          #   os: Linux
+          #   target: x86_64-unknown-freebsd
     steps:
       # Store the version, stripping any v-prefix
+      # - name: Write release version
+      #   run: |
+      #     VERSION=${GITHUB_REF_NAME#v}
+      #     echo Version: $VERSION
+      #     echo "VERSION=$VERSION" >> $GITHUB_ENV
       - name: Write release version
         run: |
-          VERSION=${GITHUB_REF_NAME#v}
+          VERSION=1.5.0
           echo Version: $VERSION
           echo "VERSION=$VERSION" >> $GITHUB_ENV
 
@@ -140,15 +148,15 @@ jobs:
             defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}
           outPath: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz
 
-      - name: Upload release archive
-        uses: actions/upload-release-asset@v1.0.2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ needs.create-release.outputs.upload_url }}
-          asset_path: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz
-          asset_name: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz
-          asset_content_type: application/octet-stream
+      # - name: Upload release archive
+      #   uses: actions/upload-release-asset@v1.0.2
+      #   env:
+      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      #   with:
+      #     upload_url: ${{ needs.create-release.outputs.upload_url }}
+      #     asset_path: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz
+      #     asset_name: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz
+      #     asset_content_type: application/octet-stream
 
       - name: Build DEB package
         if: matrix.build == 'linux'
@@ -157,31 +165,48 @@ jobs:
           fpm_args: "defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard-proxy defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service example-config.toml=/etc/defguard/proxy.toml"
           fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb"
 
-      - name: Upload DEB
-        if: matrix.build == 'linux'
-        uses: actions/upload-release-asset@v1.0.2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ needs.create-release.outputs.upload_url }}
-          asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb
-          asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb
-          asset_content_type: application/octet-stream
-
-      - name: Build RPM package
-        if: matrix.build == 'linux'
-        uses: bpicode/github-action-fpm@master
-        with:
-          fpm_args: "defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard-proxy defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service example-config.toml=/etc/defguard/proxy.toml"
-          fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm"
-
-      - name: Upload RPM
-        if: matrix.build == 'linux'
-        uses: actions/upload-release-asset@v1.0.2
+      # - name: Upload DEB
+      #   if: matrix.build == 'linux'
+      #   uses: actions/upload-release-asset@v1.0.2
+      #   env:
+      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      #   with:
+      #     upload_url: ${{ needs.create-release.outputs.upload_url }}
+      #     asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb
+      #     asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb
+      #     asset_content_type: application/octet-stream
+
+      - name: Run `packer init`
+        if: matrix.build == 'linux' && matrix.arch == 'amd64'
+        id: init
+        run: "packer init ./images/ami/proxy.pkr.hcl"
+
+      - name: Run `packer validate`
+        if: matrix.build == 'linux' && matrix.arch == 'amd64'
+        id: validate
+        run: packer validate --var "package_version=${{ env.VERSION }}" ./images/ami/proxy.pkr.hcl
+
+      - name: Build AMI image
+        if: matrix.build == 'linux' && matrix.arch == 'amd64'
+        run: packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" ./images/ami/proxy.pkr.hcl
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ needs.create-release.outputs.upload_url }}
-          asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm
-          asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm
-          asset_content_type: application/octet-stream
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+      # - name: Build RPM package
+      #   if: matrix.build == 'linux'
+      #   uses: bpicode/github-action-fpm@master
+      #   with:
+      #     fpm_args: "defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard-proxy defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service example-config.toml=/etc/defguard/proxy.toml"
+      #     fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm"
+
+      # - name: Upload RPM
+      #   if: matrix.build == 'linux'
+      #   uses: actions/upload-release-asset@v1.0.2
+      #   env:
+      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      #   with:
+      #     upload_url: ${{ needs.create-release.outputs.upload_url }}
+      #     asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm
+      #     asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm
+      #     asset_content_type: application/octet-stream
diff --git a/images/ami/proxy.pkr.hcl b/images/ami/proxy.pkr.hcl
@@ -0,0 +1,62 @@
+packer {
+  required_plugins {
+    amazon = {
+      version = ">= 1.2.8"
+      source  = "github.com/hashicorp/amazon"
+    }
+  }
+}
+
+variable "package_version" {
+  type = string
+}
+
+variable "region" {
+  type    = string
+  default = "eu-north-1"
+}
+
+variable "instance_type" {
+  type    = string
+  default = "t3.micro"
+}
+
+source "amazon-ebs" "defguard-proxy" {
+  ami_name      = "defguard-proxy-${var.package_version}-amd64"
+  instance_type = var.instance_type
+  region        = var.region
+  source_ami_filter {
+    filters = {
+      name                = "ubuntu/images/hvm-ssd-gp3/ubuntu-noble-24.04-amd64-server-*"
+      root-device-type    = "ebs"
+      virtualization-type = "hvm"
+    }
+    most_recent = true
+    owners      = ["099720109477"]
+  }
+  ssh_username = "ubuntu"
+}
+
+build {
+  name = "defguard-proxy"
+  sources = [
+    "source.amazon-ebs.defguard-proxy"
+  ]
+
+  provisioner "file" {
+    source      = "defguard-proxy-${var.package_version}-x86_64-unknown-linux-gnu.deb"
+    destination = "/tmp/defguard-proxy.deb"
+  }
+
+  provisioner "shell" {
+    script = "./images/ami/proxy.sh"
+  }
+
+  provisioner "shell" {
+    inline = ["rm /home/ubuntu/.ssh/authorized_keys"]
+  }
+
+  provisioner "shell" {
+    inline = ["sudo rm /root/.ssh/authorized_keys"]
+  }
+}
diff --git a/images/ami/proxy.sh b/images/ami/proxy.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -e
+
+echo "Updating apt repositories..."
+sudo apt update
+
+echo "Installing Defguard Proxy package..."
+sudo dpkg -i /tmp/defguard-proxy.deb 
+
+echo "Cleaning up..."
+sudo rm -f /tmp/defguard-proxy.deb
+
+echo "Defguard Proxy installation completed successfully."
