dev.metalisp.survey/cloudinit.yml

#cloud-config

locale: en_US.UTF-8
keyboard:
  layout: us

timezone: Europe/Berlin

groups:
  - nginxgroup

users:
  - name: cl
    groups: users, admin
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB6xSH5nE0uy0C0kglpp4EqrbbW2CrBeAIj+X6Sf2pd0 XPS-8930-Ubuntu_22

packages:
  - detachtty
  - fail2ban
  - ufw
  - unattended-upgrades
  - sbcl
  - mosh
  - tmux
  - git
  - nginx
  - certbot
  - python3-certbot-nginx
  - build-essential
  - libzstd-dev
  - libsqlite3-dev
  - sqlite3
  - curl
  - wget

package_update: true
package_upgrade: true

write_files:
  - path: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Download-Upgradeable-Packages "1";
      APT::Periodic::AutocleanInterval "7";
      APT::Periodic::Unattended-Upgrade "1";
  - path: /etc/ssh/sshd_config
    content: |
      Include /etc/ssh/sshd_config.d/*.conf
      MaxAuthTries 3
      AuthorizedKeysFile .ssh/authorized_keys
      PasswordAuthentication no
      AuthenticationMethods publickey
      PubkeyAuthentication yes
      PermitRootLogin no
      KbdInteractiveAuthentication no
      UsePAM yes
      AllowAgentForwarding no
      AllowTcpForwarding yes
      X11Forwarding no
      PrintMotd no
      KexAlgorithms curve25519-sha256@libssh.org
      Ciphers chacha20-poly1305@openssh.com
      MACs hmac-sha2-512-etm@openssh.com
      AcceptEnv LANG LC_*
      Subsystem sftp /usr/lib/openssh/sftp-server
      AllowUsers cl
  - path: /etc/fail2ban/jail.local
    content: |
      [DEFAULT]
      bantime = 3600
      findtime = 600
      maxretry = 3
      banaction = ufw

      [sshd]
      enabled = true
      port = 22
      logpath = /var/log/auth.log

      [sshd-ddos]
      filter = sshd
      enabled = true
      port = ssh
      logpath = /var/log/auth.log
      maxretry = 5
      bantime = 600

runcmd:
  - ufw default deny incoming
  - ufw default allow outgoing
  - ufw allow 22/tcp
  - ufw allow mosh
  - ufw enable
  - systemctl enable fail2ban && systemctl start fail2ban
  - systemctl restart sshd
Add cloud-init file 2024-06-12 21:32:21 +02:00			`#cloud-config`

			`locale: en_US.UTF-8`
			`keyboard:`
			`layout: us`
Update infrastructure code 2025-01-12 12:05:58 +01:00
Add cloud-init file 2024-06-12 21:32:21 +02:00			`timezone: Europe/Berlin`

			`groups:`
			`- nginxgroup`

			`users:`
			`- name: cl`
			`groups: users, admin`
			`sudo: ALL=(ALL) NOPASSWD:ALL`
			`shell: /bin/bash`
			`ssh_authorized_keys:`
			`- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB6xSH5nE0uy0C0kglpp4EqrbbW2CrBeAIj+X6Sf2pd0 XPS-8930-Ubuntu_22`

			`packages:`
			`- detachtty`
			`- fail2ban`
			`- ufw`
			`- unattended-upgrades`
			`- sbcl`
			`- mosh`
			`- tmux`
			`- git`
			`- nginx`
			`- certbot`
			`- python3-certbot-nginx`
			`- build-essential`
			`- libzstd-dev`
			`- libsqlite3-dev`
			`- sqlite3`
			`- curl`
			`- wget`

			`package_update: true`
			`package_upgrade: true`

			`write_files:`
			`- path: /etc/apt/apt.conf.d/20auto-upgrades`
			`content: \|`
			`APT::Periodic::Update-Package-Lists "1";`
			`APT::Periodic::Download-Upgradeable-Packages "1";`
			`APT::Periodic::AutocleanInterval "7";`
			`APT::Periodic::Unattended-Upgrade "1";`
			`- path: /etc/ssh/sshd_config`
			`content: \|`
			`Include /etc/ssh/sshd_config.d/*.conf`
			`MaxAuthTries 3`
			`AuthorizedKeysFile .ssh/authorized_keys`
			`PasswordAuthentication no`
			`AuthenticationMethods publickey`
			`PubkeyAuthentication yes`
			`PermitRootLogin no`
			`KbdInteractiveAuthentication no`
			`UsePAM yes`
			`AllowAgentForwarding no`
			`AllowTcpForwarding yes`
			`X11Forwarding no`
			`PrintMotd no`
			`KexAlgorithms curve25519-sha256@libssh.org`
			`Ciphers chacha20-poly1305@openssh.com`
			`MACs hmac-sha2-512-etm@openssh.com`
			`AcceptEnv LANG LC_*`
			`Subsystem sftp /usr/lib/openssh/sftp-server`
			`AllowUsers cl`
			`- path: /etc/fail2ban/jail.local`
			`content: \|`
			`[DEFAULT]`
			`bantime = 3600`
			`findtime = 600`
			`maxretry = 3`
			`banaction = ufw`

			`[sshd]`
			`enabled = true`
			`port = 22`
			`logpath = /var/log/auth.log`

			`[sshd-ddos]`
			`filter = sshd`
			`enabled = true`
			`port = ssh`
			`logpath = /var/log/auth.log`
			`maxretry = 5`
			`bantime = 600`

			`runcmd:`
			`- ufw default deny incoming`
			`- ufw default allow outgoing`
			`- ufw allow 22/tcp`
			`- ufw allow mosh`
			`- ufw enable`
			`- systemctl enable fail2ban && systemctl start fail2ban`
			`- systemctl restart sshd`