@BinodNagarkoti
Created March 26, 2026 15:46
#cloud-config
#===============================================================================
# Cloud-Init Configuration - Ubuntu 22.04+
# Includes: User Setup, SSH Hardening, 5GB Swap, Docker LTS
#
# Usage: Upload to VPS provider as "User Data" or "Cloud-Init Script"
#===============================================================================
#-------------------------------------------------------------------------------
# 1. SYSTEM CONFIGURATION
#-------------------------------------------------------------------------------
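package_update: true
package_upgrade: true
package_reboot_if_required: true

# Keep every file in this single write_files list. A YAML mapping may hold a
# key only once; with a second top-level write_files key most loaders keep
# just the last one, so the needrestart and sysctl files would silently
# never be written.
write_files:
  # Disable needrestart prompts (this setting covers the pending-kernel hint).
  - path: /etc/needrestart/conf.d/99disable-prompt.conf
    content: |
      $nrconf{kernelhints} = -1;
    permissions: '0644'
  # Swap tuning, loaded later by `sysctl -p` in runcmd.
  - path: /etc/sysctl.d/99-swap-tuning.conf
    content: |
      vm.swappiness=10
      vm.vfs_cache_pressure=50
    permissions: '0644'
  # SSH hardening drop-in (section 3).
  # NOTE(review): sshd uses the FIRST value it reads for each keyword, so a
  # lower-numbered file in sshd_config.d (for example one written by
  # cloud-init itself) takes precedence over this 99- file. Confirm the
  # effective settings with `sshd -T` after the first boot.
  # NOTE(review): root can still log in with a key (prohibit-password). Once
  # login as bn is confirmed, `PermitRootLogin no` is the stricter choice.
  - path: /etc/ssh/sshd_config.d/99-hardened.conf
    content: |
      # Hardened SSH Configuration
      PermitRootLogin prohibit-password
      PubkeyAuthentication yes
      PasswordAuthentication no
      ChallengeResponseAuthentication no
      KbdInteractiveAuthentication no
      UsePAM yes
      X11Forwarding no
      PrintMotd no
      AcceptEnv LANG LC_*
      ClientAliveInterval 300
      ClientAliveCountMax 2
    permissions: '0644'

#-------------------------------------------------------------------------------
# 2. USER CREATION & SSH KEYS
#-------------------------------------------------------------------------------
users:
  - name: bn
    ssh_authorized_keys:
      # Placeholder: put your real public key here BEFORE deploying. With the
      # password locked, this key is the only way to log in as bn.
      - "ssh-ed25519 REPLACE_WITH_YOUR_PUBLIC_KEY you@example.com"
    # Passwordless sudo plus docker group membership both amount to root:
    # anyone holding the SSH key above fully controls the host.
    sudo: 'ALL=(ALL:ALL) NOPASSWD:ALL'
    groups: [sudo, docker]
    shell: /bin/bash
    lock_passwd: true  # Disable password login, SSH key only

# No chpasswd section on purpose. Setting a password there (the page used the
# literal "changeme" with expire: false) replaces the locked password hash,
# undoing lock_passwd, and leaves a known, never-expiring credential in the
# user-data, which is typically retrievable from the instance metadata service
# and kept on disk under /var/lib/cloud. With NOPASSWD sudo no password is
# needed; if one is wanted, set it interactively after the first key login.

#-------------------------------------------------------------------------------
# 3. SSH HARDENING
#-------------------------------------------------------------------------------
# The sshd drop-in itself is the last entry of write_files above.
ssh_pwauth: false  # Disable password authentication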
#-------------------------------------------------------------------------------
# 4. SWAP FILE (5GB)
#-------------------------------------------------------------------------------
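runcmd:
  # NOTE(review): these items run in order as root on first boot, and a
  # failing item does not, as far as cloud-init's default behaviour goes, stop
  # the ones after it. Read /var/log/cloud-init-output.log rather than relying
  # on the final message to confirm each step succeeded.

  # Create 5GB swap file; mode 600 so only root can read swapped-out memory.
  - fallocate -l 5G /swapfile
  - chmod 600 /swapfile
  - mkswap /swapfile
  - swapon /swapfile
  # Append the fstab entry only when it is missing, so a re-run cannot
  # duplicate it.
  - "grep -q '^/swapfile ' /etc/fstab || echo '/swapfile none swap sw 0 0' >> /etc/fstab"
  - sysctl -p /etc/sysctl.d/99-swap-tuning.conf

  #-----------------------------------------------------------------------------
  # 5. INSTALL DOCKER (apt repository "stable" channel)
  #-----------------------------------------------------------------------------
  - apt-get remove -y docker docker-engine docker.io containerd runc || true
  - apt-get install -y ca-certificates curl gnupg lsb-release apt-transport-https
  - install -m 0755 -d /etc/apt/keyrings
  # The repository signing key is trusted on first download over HTTPS. For a
  # stronger guarantee, compare its fingerprint with the one published in
  # Docker's installation documentation before trusting the repository.
  - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
  - chmod a+r /etc/apt/keyrings/docker.gpg
  # signed-by limits this key to the Docker repository only.
  - |
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
  - apt-get update
  - apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
  - systemctl enable docker
  - systemctl start docker
  # Members of the docker group can obtain root on the host through the
  # daemon; treat this membership like sudo.
  - usermod -aG docker bn

  #-----------------------------------------------------------------------------
  # 6. INSTALL MINIMAL ADDITIONAL TOOLS
  #-----------------------------------------------------------------------------
  - apt-get install -y git wget curl

  #-----------------------------------------------------------------------------
  # 7. VERIFY INSTALLATIONS
  #-----------------------------------------------------------------------------
  - docker --version
  - docker compose version
  # Optional smoke test: pulls and runs a public image during provisioning.
  - docker run --rm hello-world || true
  - swapon --show
  - free -h

  #-----------------------------------------------------------------------------
  # 8. CREATE SETUP COMPLETE MARKER
  #-----------------------------------------------------------------------------
  - echo " Server setup completed at $(date)" > /home/bn/.setup-complete
  - chown bn:bn /home/bn/.setup-complete

  #-----------------------------------------------------------------------------
  # 9. REBOOT SYSTEM
  #-----------------------------------------------------------------------------
  # No reboot command here. Rebooting from inside runcmd cuts cloud-init off
  # before its final stage (final_message, power_state) has run; the
  # power_state section of this file performs the reboot after cloud-init
  # has finished.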
#-------------------------------------------------------------------------------
# 10. FINAL MESSAGE
#-------------------------------------------------------------------------------
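# Printed as text when cloud-init finishes. Nothing in it is run through a
# shell, so command substitutions such as $(...) are not expanded, and the
# status lines are fixed text rather than the result of any check.
final_message: |
  ========================================
  CLOUD-INIT SETUP COMPLETE
  ========================================
  User: bn
  SSH Key: Configured
  Docker: Installed (stable channel)
  Swap: 5GB Active
  Firewall: Not Configured (Manual Setup)
  Next Steps:
  1. SSH: ssh bn@<server-ip>
  2. Set or change the account password if you need one: sudo passwd bn
  3. Install Coolify: download https://cdn.coollabs.io/coolify/install.sh, review it, then run it with sudo bash
  ⚠️ IMPORTANT: Replace any placeholder password or SSH key before relying on this server!
  ========================================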
#-------------------------------------------------------------------------------
# 11. POWER STATE (Optional)
#-------------------------------------------------------------------------------
# Reboot once cloud-init is done. timeout is how many seconds to wait for
# cloud-init to finish before the reboot is carried out anyway.
power_state:
  mode: reboot
  message: 'System rebooting after cloud-init completion'
  timeout: 60