feat: AWS ansible setup #24

Open

varun-doshi wants to merge 1 commit into main from vd/ansible
Conversation

varun-doshi requested a review from jjeangal on May 6, 2026 at 06:36

gemini-code-assist (bot) left a comment

Code Review

This pull request introduces an Ansible role to configure AWS Nitro Enclave environments, including setting up docker-compose, socat proxies, NFS exports, and enclave-specific configurations. The review identified several critical issues: the socat service configuration is incomplete and requires a destination address, the use of 'privileged: true' in the docker-compose file poses a security risk, and several Ansible tasks contain redundancies or suboptimal practices, such as unnecessary architecture checks, redundant binary downloads, incorrect path settings for cargo, hardcoded UIDs, and overly restrictive conditional logic that prevents configuration updates.

After=network.target

[Service]
ExecStart=socat -d -d -b65536 VSOCK-LISTEN:8004,fork,keepalive,rcvbuf-late=16384,sndbuf-late=16384
high

The socat command is incomplete. It only specifies the listening address (VSOCK-LISTEN:8004) but socat requires two addresses to establish a bidirectional stream. Based on the setup-ec2-instance.sh script in the repository context, this service is intended to proxy VSOCK traffic to the local NFS server on port 2049.

ExecStart=/usr/bin/socat -d -d -b65536 VSOCK-LISTEN:8004,fork,keepalive,rcvbuf-late=16384,sndbuf-late=16384 TCP:127.0.0.1:2049,keepalive,retry=5,interval=10

image: # ghcr.io/espressosystems/aws-nitro-poster:<docker-tag>
devices:
- "/dev/nitro_enclaves:/dev/nitro_enclaves:rwm"
privileged: true No newline at end of file
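Review bot: the image: key at the top of this hunk carries only a comment, so its value is empty and compose has no image to run for this service; put the real reference on that line (for example `image: ghcr.io/espressosystems/aws-nitro-poster:<docker-tag>` with the tag filled in or templated by the role) before this is merged. The file also ends without a trailing newline, which most linters flag.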
medium

Running a container with privileged: true is a significant security risk as it grants the container nearly all the same capabilities as the host. For AWS Nitro Enclaves, providing access to the device via the devices section (as done in line 5) is typically sufficient. Unless there is a specific requirement for full host privileges, this should be removed.
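The weak setting from the hunk beside a hardened variant, as an added example that is not the PR's compose file: only the enclave device node is passed through, and `no-new-privileges` is an extra hardening flag not present in the original (the service names and restart policy are assumptions; `<docker-tag>` is the placeholder from the PR).

```yaml
services:
  # Before (from the PR): privileged mode hands the container nearly every
  # host capability, every device node and no seccomp/AppArmor confinement.
  poster-privileged:
    image: ghcr.io/espressosystems/aws-nitro-poster:<docker-tag>
    privileged: true

  # After: grant exactly what the enclave CLI needs, the Nitro Enclaves
  # device, and nothing else from the host.
  poster:
    image: ghcr.io/espressosystems/aws-nitro-poster:<docker-tag>
    devices:
      - "/dev/nitro_enclaves:/dev/nitro_enclaves:rwm"
    # Added hardening (assumption): block setuid/capability escalation
    # inside the container even if a binary in the image is setuid.
    security_opt:
      - "no-new-privileges:true"
    restart: unless-stopped
```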

Comment on lines +2 to +4
- name: Get architecture
shell: uname -m
register: architecture
medium

This task is redundant because the architecture variable is never used in subsequent tasks. Additionally, Ansible automatically provides the system architecture via the ansible_architecture fact, making a manual uname -m call unnecessary.

Comment on lines +57 to +61
- name: Install docker-compose to plugins
get_url:
url : https://github.com/docker/compose/releases/download/v2.37.0/docker-compose-linux-x86_64
dest: /usr/lib/docker/cli-plugins/docker-compose
mode: 'u+x,g+x'
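Review bot: the url: line fetches a release binary with no checksum: parameter, so a replaced or tampered asset would be installed as an executable without any detection; pin the digest published for the v2.37.0 release, e.g. `checksum: sha256:<expected-digest>` (placeholder for the real value). The URL also hardcodes docker-compose-linux-x86_64, so on an aarch64 host this task installs the wrong binary without an error; select the asset name from ansible_architecture instead.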
medium

This task downloads the same docker-compose binary that was already downloaded in the task at line 35. It is more efficient to copy the binary from the local path on the remote host.

- name: Install docker-compose to plugins
  ansible.builtin.copy:
    src: /usr/local/bin/docker-compose
    dest: /usr/lib/docker/cli-plugins/docker-compose
    remote_src: yes
    mode: 'u+x,g+x'

- name: Install "just" Rust package
community.general.cargo:
name: just
path: /usr/local
medium

The path parameter for the cargo module specifies the directory where the cargo binary is located. Since cargo was installed via dnf (line 22), it is likely located in /usr/bin. Setting it to /usr/local will cause the task to fail if the binary is not found there. It is recommended to either set it to /usr/bin or omit it entirely if cargo is in the system PATH.

    path: /usr/bin

Comment on lines +117 to +118
group: 1000
mode: '0775'
medium

Using hardcoded UIDs/GIDs (1000) is less portable and consistent than using the username. Since ec2-user is used later in this file (line 215), it should be used here as well for consistency.

    owner: ec2-user
    group: ec2-user

Comment on lines +181 to +194
- name: Check that enclave-allocator.yaml exists
stat:
path: /etc/nitro_enclaves/allocator.yaml
register: allocator_result

- name: Enclave Configuration
ansible.builtin.copy:
src: enclave-allocator.yaml
dest: /etc/nitro_enclaves/allocator.yaml
owner: root
group: root
mode: '0660'
register: enclave_conf
when: not allocator_result.stat.exists
medium

The when: not allocator_result.stat.exists condition prevents Ansible from updating the configuration if the file already exists. This defeats the purpose of configuration management, as updates to enclave-allocator.yaml in the repository will not be propagated to existing servers. It is better to let the copy module manage the file state directly to ensure consistency.
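How the task converges without the stat guard, as an added example rather than the role's own tasks: copy compares checksums, reports changed only when the content differs, and a handler restarts the allocator on change. The inventory group name is made up, and the unit name nitro-enclaves-allocator.service is the one shipped with the Nitro CLI, assumed here to be installed on the host.

```yaml
- hosts: nitro_hosts          # constructed inventory group
  become: true
  tasks:
    - name: Enclave Configuration
      ansible.builtin.copy:
        src: enclave-allocator.yaml
        dest: /etc/nitro_enclaves/allocator.yaml
        owner: root
        group: root
        mode: '0660'
        backup: true          # keep the previous file so a bad push is reversible
      # copy is idempotent: unchanged content => ok, no handler run;
      # changed content => file replaced and the handler below fires.
      notify: Restart Nitro allocator

  handlers:
    - name: Restart Nitro allocator
      ansible.builtin.systemd:
        name: nitro-enclaves-allocator.service   # assumed unit name
        state: restarted
```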
