marcuskammer/cloudinit
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
cloudinit/sbcl-nginx.yml

318 lines
11 KiB
YAML
Raw Normal View History

Init commit
2023-08-12 17:31:16 +02:00
#cloud-config
#Make sure to check the cloud-init logs (/var/log/cloud-init.log and /var/log/cloud-init-output.log)
locale: en_US.UTF-8
keyboard:
layout: us
timezone: Europe/Berlin
groups:
- nginxgroup
users:
- name: nginxuser
system: true
shell: /usr/sbin/nologin
groups: nginxgroup
sudo: null
# Create a new user named 'marcus'
- name: marcus
# Add the user to the 'users' and 'admin' groups
groups: users, admin
# Allow the user to execute any command with sudo without entering a password
sudo: ALL=(ALL) NOPASSWD:ALL
# Set the user's default shell to /bin/bash
shell: /bin/bash
# Add the user's public SSH key for key-based authentication
ssh_authorized_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+46Y3AHPLJgz8KK61doqH3jBX2TL3TJvZsJrB9Km03 visua@xps-8930
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIHJ5qpMIKL7N3nC0GG1O4ygtkqOlQuZReoik6xGBxn marcus@XPS-13-9380.local
packages:
- fail2ban
- ufw
- unattended-upgrades
- sbcl
- mosh
- tmux
- git
- mercurial
- nginx
- certbot
- python3-certbot-nginx
- libev4
- build-essential
- sqlite3
- emacs-nox
- python3-pip
- python3-pandas
- python3-matplotlib
package_update: true
package_upgrade: true
write_files:
- path: /etc/apt/apt.conf.d/20auto-upgrades
content: |
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
- path: /etc/ssh/sshd_config
content: |
# Include additional configuration files from the specified directory
Include /etc/ssh/sshd_config.d/*.conf
# Set the maximum number of authentication attempts allowed per connection
MaxAuthTries 3
# Specifies the file containing public keys for user authentication
AuthorizedKeysFile .ssh/authorized_keys
# Disables password authentication
PasswordAuthentication no
# Specifies the authentication method(s) to use (public key authentication in this case)
AuthenticationMethods publickey
# Enables public key authentication
PubkeyAuthentication yes
# Disables root login via SSH
PermitRootLogin no
# Disables keyboard-interactive authentication
KbdInteractiveAuthentication no
# Enables the Pluggable Authentication Module (PAM) for authentication
UsePAM yes
# Disables agent forwarding for SSH connections
AllowAgentForwarding no
# Enables TCP forwarding for SSH connections
AllowTcpForwarding yes
# Disables X11 forwarding for SSH connections
X11Forwarding no
# Disables printing of the message of the day (MOTD) when a user logs in
PrintMotd no
# Specifies the key exchange algorithms to use
KexAlgorithms curve25519-sha256@libssh.org
# Specifies the ciphers allowed for protocol version 2
Ciphers chacha20-poly1305@openssh.com
# Specifies the message authentication code (MAC) algorithms in order of preference
MACs hmac-sha2-512-etm@openssh.com
# Specifies environment variables sent by the client to the server
AcceptEnv LANG LC_*
# Specifies the command to use for the SFTP subsystem
Subsystem sftp /usr/lib/openssh/sftp-server
# Specifies the user(s) allowed to log in via SSH (in this case, only the user "marcus")
AllowUsers marcus
- path: /etc/fail2ban/jail.local
content: |
[DEFAULT]
# Ban time (in seconds) for an IP after reaching the max number of retries.
bantime = 3600
# Time window (in seconds) in which 'maxretry' failures must occur.
findtime = 600
# Maximum number of failed login attempts before an IP gets banned.
maxretry = 3
# Ban action to use (ufw in this case).
banaction = ufw
[sshd]
# Enable the sshd jail.
enabled = true
# Specify the port for the sshd service.
port = 22
# Path to the log file for the sshd service.
logpath = /var/log/auth.log
[sshd-ddos]
# Specify the filter to use (created earlier)
filter = sshd
# Enable the sshd-ddos jail.
enabled = true
# Specify the port for the sshd service.
port = ssh
# Path to the log file for the sshd service.
logpath = /var/log/auth.log
# Maximum number of failed login attempts before an IP gets banned (for DDoS protection).
maxretry = 5
# Ban time (in seconds) for an IP after reaching the max number of retries (for DDoS protection).
bantime = 600
[nginx-http-auth]
# Enable the jail
enabled = true
# Specify the filter to use (created earlier)
# filter = nginx-http-auth
# Define the action to take (using UFW)
action = ufw
# Specify the log file to monitor
logpath = /var/log/nginx/error.log
# Set the maximum number of failed attempts before banning
maxretry = 6
# Set the ban time in seconds (1 hour)
bantime = 3600
# Set the time window for failed attempts in seconds (10 minutes)
findtime = 600
- path: /etc/nginx/nginx.conf
content: |
user nginxuser;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
log_format csv '$time_iso8601,$remote_addr,$remote_user,$request,$status,$body_bytes_sent,$http_referer,"$http_user_agent"';
access_log /var/log/nginx/access.csv csv;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Dont send nginx version number
##
server_tokens off;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
# Write reverse-proxy configuration file
- path: /etc/nginx/sites-available/reverse-proxy.conf
content: |
# Listen on port 80
server {
listen 80;
# Set your domain name
server_name u1.metaebene.dev;
# Redirect all requests to HTTPS
return 301 https://$host$request_uri;
}
# Listen on port 443 with SSL
server {
listen 443 ssl;
# Set your domain name
server_name u1.metaebene.dev;
# Include SSL certificate managed by Certbot
ssl_certificate /etc/letsencrypt/live/u1.metaebene.dev/fullchain.pem;
# Include SSL certificate key managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/u1.metaebene.dev/privkey.pem;
# Include SSL options provided by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf;
# Include DH parameters provided by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# Proxy settings for the location
location / {
# Set backend server address and port
proxy_pass http://localhost:8080;
# Set Host header
proxy_set_header Host $host;
# Set X-Real-IP header
proxy_set_header X-Real-IP $remote_addr;
# Set X-Forwarded-For header
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Set X-Forwarded-Proto header
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 80;
# Set your domain name
server_name docs.u1.metaebene.dev;
# Redirect all requests to HTTPS
return 301 https://$host$request_uri;
}
# Listen on port 443 with SSL
server {
listen 443 ssl;
# Set your domain name
server_name docs.u1.metaebene.dev;
# Include SSL certificate managed by Certbot
ssl_certificate /etc/letsencrypt/live/docs.u1.metaebene.dev/fullchain.pem;
# Include SSL certificate key managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/docs.u1.metaebene.dev/privkey.pem;
# Include SSL options provided by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf;
# Include DH parameters provided by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location / {
root /home/marcus/www/u1/docs/public;
index index.html;
}
}
runcmd:
# Generate the en_US.UTF-8 locale
- locale-gen en_US.UTF-8
# Set the system's default locale to en_US.UTF-8
- update-locale LANG=en_US.UTF-8
# Set the system's timezone to Europe/Berlin
- timedatectl set-timezone Europe/Berlin
# Run Certbot to obtain SSL certificates and configure Nginx
- certbot certonly --nginx -d u1.metaebene.dev --non-interactive --agree-tos --email marcus.kammer@mailbox.org --redirect
- certbot certonly --nginx -d docs.u1.metaebene.dev --non-interactive --agree-tos --email marcus.kammer@mailbox.org --redirect
# Download DHPARAM
- curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/letsencrypt/ssl-dhparam.pem
# Create a symlink for the configuration file
- ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/
# Remove default Nginx configuration
- rm /etc/nginx/sites-enabled/default
# Reload Nginx configuration
- systemctl reload nginx
# Allow Nginx Full (HTTP and HTTPS) through the firewall
- ufw allow 'Nginx Full'
# Set UFW firewall rules
- ufw default deny incoming
- ufw default allow outgoing
- ufw allow 22/tcp
- ufw allow mosh
- ufw enable
# Enable and start the fail2ban service
- systemctl enable fail2ban && systemctl start fail2ban
# Restart the SSH server to apply the new configuration
- systemctl restart sshd
- |
sudo -u marcus git config --global user.email "marcus.kammer@mailbox.org"
sudo -u marcus git config --global user.name "Marcus Kammer"
sudo -u marcus git config --global init.defaultBranch main
# Clone the SBCL repository for a specific branch and depth
- sudo -u marcus git clone --depth 1 --branch sbcl-2.1.11 git://git.code.sf.net/p/sbcl/sbcl /home/marcus/sbcl
# Clone the SLIME repository for a specific branch and depth
- sudo -u marcus git clone --depth 1 --branch v2.28 https://github.com/slime/slime.git /home/marcus/slime
# Download the Quicklisp installer
- |
curl https://beta.quicklisp.org/quicklisp.lisp -o /home/marcus/quicklisp.lisp
chown marcus:marcus /home/marcus/quicklisp.lisp
Reference in a new issue Copy permalink