#cloud-config
# The first line must stay exactly "#cloud-config": cloud-init uses it to
# recognise this file as cloud-config YAML.
#
# Base host settings: locale, keyboard layout and timezone.
locale: en_US.UTF-8

keyboard:
  layout: us

# Timezone also governs the timestamps in auth.log / fail2ban output written
# by the configuration further down; pick the zone the operator reads logs in.
timezone: Europe/Berlin
# Supplementary group created before the `users` section is processed.
# NOTE(review): nothing else in this file references nginxgroup (no user is
# added to it and no write_files entry mentions it) — confirm it is still
# needed, or document what consumes it.
groups:
- nginxgroup
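# Disable password logins at the cloud-init level as well as in sshd_config
# (written further down). cloud-init records this in its own sshd drop-in,
# so the two sources agree and the SSH key is the only way into the host.
ssh_pwauth: false

# Because `users` is listed explicitly, cloud-init creates only the accounts
# below (the image's default user is only created when `default` is listed).
users:
- name: cl
  # `admin` presumably maps to the distribution's sudo group; the explicit
  # NOPASSWD rule below is what actually grants root here.
  groups: users, admin
  # Deliberate trade-off: the account has no password (lock_passwd), so sudo
  # cannot be password-gated; whoever holds the private key is effectively
  # root on this host. Protect the key accordingly.
  sudo: ALL=(ALL) NOPASSWD:ALL
  # cloud-init's default, made explicit so a change in defaults cannot
  # silently produce a password-capable account.
  lock_passwd: true
  shell: /bin/bash
  ssh_authorized_keys:
  # The trailing "XPS-8930-Ubuntu_22" is only the key comment identifying
  # the client it was generated on; rotate the key if that machine is lost.
  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB6xSH5nE0uy0C0kglpp4EqrbbW2CrBeAIj+X6Sf2pd0 XPS-8930-Ubuntu_22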
# Installed in cloud-init's config stage, i.e. before runcmd runs. Order is
# irrelevant to apt; the list is annotated by purpose only.
packages:
# detachable terminal for the Lisp process (presumably paired with sbcl)
- detachtty
# host protection: brute-force banning, firewall, automatic security updates
- fail2ban
- ufw
- unattended-upgrades
# Lisp runtime
- sbcl
# remote access and session tooling
- mosh
- tmux
- git
# web front end and TLS certificate issuance
- nginx
- certbot
- python3-certbot-nginx
# build toolchain and libraries
- build-essential
- libzstd-dev
- libsqlite3-dev
- sqlite3
# general utilities
- curl
- wget
# Refresh the package index and apply every pending upgrade on first boot, so
# whatever is stale in the image is patched before the host starts serving.
package_update: true
package_upgrade: true
write_files:
# Turn on periodic unattended upgrades (daily list refresh, download and
# apply; autoclean weekly).
# NOTE(review): write_files runs before the unattended-upgrades package is
# installed — confirm its postinst does not regenerate 20auto-upgrades on
# install; if it does, write this entry with `defer: true` (when the
# installed cloud-init supports it) so it lands after the package.
- path: /etc/apt/apt.conf.d/20auto-upgrades
  content: |
    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Download-Upgradeable-Packages "1";
    APT::Periodic::AutocleanInterval "7";
    APT::Periodic::Unattended-Upgrade "1";
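# Replaces the distribution sshd_config wholesale. sshd keeps the FIRST value
# it reads for each keyword, so the drop-in Include is placed LAST: the
# hardening below wins, and drop-ins (cloud-init's own, provider agents, ...)
# can only supply keywords this file does not set. With the Include first, a
# drop-in containing e.g. "PasswordAuthentication yes" would silently
# override everything here.
# A mistake in this file locks you out — runcmd should `sshd -t` before
# restarting the daemon.
- path: /etc/ssh/sshd_config
  content: |
    # --- authentication: key-only, root disabled, single allowed user ---
    MaxAuthTries 3
    AuthorizedKeysFile .ssh/authorized_keys
    PasswordAuthentication no
    AuthenticationMethods publickey
    PubkeyAuthentication yes
    PermitRootLogin no
    KbdInteractiveAuthentication no
    # PAM stays enabled for account/session handling; with keyboard-interactive
    # off and publickey the only allowed method it is not a login path.
    UsePAM yes
    # --- forwarding: agent and X11 off, TCP forwarding kept for tunnels ---
    AllowAgentForwarding no
    AllowTcpForwarding yes
    X11Forwarding no
    PrintMotd no
    # --- crypto: a single modern suite. Clients that cannot negotiate exactly
    # these algorithms are refused, by design. ---
    KexAlgorithms curve25519-sha256@libssh.org
    Ciphers chacha20-poly1305@openssh.com
    MACs hmac-sha2-512-etm@openssh.com
    AcceptEnv LANG LC_*
    Subsystem sftp /usr/lib/openssh/sftp-server
    AllowUsers cl
    # Drop-ins last: they fill gaps, they cannot override the settings above.
    Include /etc/ssh/sshd_config.d/*.conf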
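# fail2ban overrides (jail.local takes precedence over jail.conf).
# NOTE(review): logpath assumes a syslog daemon writes /var/log/auth.log. On
# images without one the file never appears and both jails sit idle — use
# `backend = systemd` there. Consider an `ignoreip` entry for your own
# management address so a typo cannot ban you from the only access path.
- path: /etc/fail2ban/jail.local
  content: |
    [DEFAULT]
    # 3 failures within 10 minutes -> 1 hour ban (values in seconds), applied
    # as a ufw deny rule; ufw must already be enabled when fail2ban starts
    # (runcmd enables it first).
    bantime = 3600
    findtime = 600
    maxretry = 3
    banaction = ufw

    [sshd]
    enabled = true
    port = 22
    logpath = /var/log/auth.log

    # Pre-auth abuse (floods, disconnects before authentication). The old
    # separate sshd-ddos filter was folded into the sshd filter's "ddos" mode
    # in newer fail2ban releases; without [mode=ddos] this jail merely
    # re-matched the same lines as [sshd] with looser thresholds.
    [sshd-ddos]
    filter = sshd[mode=ddos]
    enabled = true
    port = ssh
    logpath = /var/log/auth.log
    maxretry = 5
    bantime = 600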
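# Runs in the final stage, after packages are installed and the files above
# are on disk. Order matters: the firewall is up before fail2ban starts (its
# banaction is ufw), and sshd is restarted last.
runcmd:
- ufw default deny incoming
- ufw default allow outgoing
- ufw allow 22/tcp
# Uses the ufw application profile shipped by the mosh package (UDP range).
- ufw allow mosh
# nginx and certbot are installed but 80/443 are intentionally NOT opened
# here; open them (e.g. the "Nginx Full" profile) before running certbot —
# the HTTP-01 challenge needs port 80 reachable.
# --force skips ufw's interactive "may disrupt existing ssh connections"
# confirmation, which could otherwise block if this list is re-run by hand
# from an SSH session.
- ufw --force enable
- systemctl enable --now fail2ban
# Syntax-check the sshd_config written above before restarting. A broken
# config plus a restart would cut off the only way into the host; if the
# check fails, the running daemon keeps its in-memory configuration.
- sshd -t && systemctl restart sshd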