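#cloud-config
# First-boot provisioning for a single-admin Ubuntu host: one key-only login
# user, a hardened sshd, fail2ban in front of it, and a default-deny ufw policy.
# The "#cloud-config" header above must stay the first line of the file.

locale: en_US.UTF-8
keyboard:
  layout: us
timezone: Europe/Berlin

groups:
  - nginxgroup

# No "default" entry, so the distro default user is not created; "cl" is the
# only login account and the only name admitted by AllowUsers in sshd_config.
users:
  - name: cl
    groups: users, admin
    # Passwordless full sudo: with password authentication disabled below, the
    # SSH key here is the single credential guarding root on this host.
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB6xSH5nE0uy0C0kglpp4EqrbbW2CrBeAIj+X6Sf2pd0 XPS-8930-Ubuntu_22

packages:
  - detachtty
  - fail2ban
  - ufw
  - unattended-upgrades
  - sbcl
  - mosh
  - tmux
  - git
  - nginx
  - certbot
  - python3-certbot-nginx
  - build-essential
  - libzstd-dev
  - libsqlite3-dev
  - sqlite3
  - curl
  - wget

# Refresh the package index and apply all pending upgrades on first boot
# (lengthens the first boot, but the host starts patched).
package_update: true
package_upgrade: true

write_files:
  # Periodic apt: refresh lists and download upgrades daily, autoclean weekly,
  # and let unattended-upgrades install them.
  - path: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Download-Upgradeable-Packages "1";
      APT::Periodic::AutocleanInterval "7";
      APT::Periodic::Unattended-Upgrade "1";

  # Replaces the stock sshd_config wholesale. sshd keeps the first value it
  # reads for a directive, so with Include on the first line any drop-in under
  # /etc/ssh/sshd_config.d/ (cloud-init itself may write one) takes precedence
  # over the hardening that follows it. Key-only auth, no root login, a single
  # modern KEX/cipher/MAC each, and logins restricted to the one user.
  - path: /etc/ssh/sshd_config
    content: |
      Include /etc/ssh/sshd_config.d/*.conf
      MaxAuthTries 3
      AuthorizedKeysFile .ssh/authorized_keys
      PasswordAuthentication no
      AuthenticationMethods publickey
      PubkeyAuthentication yes
      PermitRootLogin no
      KbdInteractiveAuthentication no
      UsePAM yes
      AllowAgentForwarding no
      AllowTcpForwarding yes
      X11Forwarding no
      PrintMotd no
      KexAlgorithms curve25519-sha256@libssh.org
      Ciphers chacha20-poly1305@openssh.com
      MACs hmac-sha2-512-etm@openssh.com
      AcceptEnv LANG LC_*
      Subsystem sftp /usr/lib/openssh/sftp-server
      AllowUsers cl

  # Bans are enforced through ufw (banaction). Both jails read the same log
  # with the same sshd filter; [sshd] bans after 3 failures in 600 s, so the
  # higher-threshold [sshd-ddos] jail will rarely fire on its own and mainly
  # acts as a short-ban fallback.
  - path: /etc/fail2ban/jail.local
    content: |
      [DEFAULT]
      bantime = 3600
      findtime = 600
      maxretry = 3
      banaction = ufw

      [sshd]
      enabled = true
      port = 22
      logpath = /var/log/auth.log

      [sshd-ddos]
      filter = sshd
      enabled = true
      port = ssh
      logpath = /var/log/auth.log
      maxretry = 5
      bantime = 600

# Runs once, after packages are installed and files are written.
runcmd:
  - ufw default deny incoming
  - ufw default allow outgoing
  - ufw allow 22/tcp
  # "mosh" is the ufw application profile installed with the mosh package.
  - ufw allow mosh
  # --force skips the interactive confirmation; runcmd has no tty to answer it.
  - ufw --force enable
  - systemctl enable --now fail2ban
  # Validate the written sshd_config before restarting, so a syntax error leaves
  # the running daemon (and the existing access path) in place instead of
  # failing the restart.
  - sshd -t && systemctl restart sshd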