☁️ A `cloud-config` script for configuring a fresh Ubuntu server to be secure
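#cloud-config
# Hardens a fresh Ubuntu server: one key-only sudo user, root SSH disabled,
# ufw default-deny, fail2ban, unattended upgrades, and Docker (Swarm) installed.
#
# Variables (substituted by the templating tool before cloud-init parses this
# file, so every `${...}` below must render to valid YAML):
# - `ssh_authorized_keys`: A YAML encoded list of SSH public keys to add to the user's `authorized_keys` file
# - `timezone`: The timezone to set the system to
# - `username`: The username of the user to create
disable_root: true
# NOTE(review): cloud-init's resolv_conf module is only enabled for some
# distros; confirm it actually runs on the target Ubuntu release (hosts using
# systemd-resolved may ignore this block entirely).
manage_resolv_conf: true
package_reboot_if_required: true
package_update: true
package_upgrade: true
packages:
  - curl
  - docker.io
  - fail2ban
  - htop
  - ufw
  - unattended-upgrades
groups:
  - docker
resolv_conf:
  nameservers:
    - "1.1.1.1"
    - "1.0.0.1"
# Every runcmd entry runs as root, after write_files and user creation.
runcmd:
  # Configure 'needrestart' for auto-restart of services after upgrades
  - sed -i "/#\$nrconf{restart} = 'i';/s/.*/\$nrconf{restart} = 'a';/" /etc/needrestart/needrestart.conf
  # Configure virtual memory overcommit (applied now and persisted for reboots)
  - sysctl vm.overcommit_memory=1
  - echo 'vm.overcommit_memory = 1' >> /etc/sysctl.conf
  # Secure shared memory
  # NOTE(review): on recent releases /run/shm is a symlink to /dev/shm; confirm
  # this fstab entry still takes effect after a reboot.
  - echo "tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0" >> /etc/fstab
  # Log all sudo commands (the `Defaults logfile` line itself is installed as a
  # validated /etc/sudoers.d drop-in under write_files below)
  - touch /var/log/sudo.log
  # NOTE(review): sudo writes `logfile` directly, so rsyslog is not involved;
  # images that do not ship rsyslog will fail this step — confirm it is wanted.
  - systemctl restart rsyslog
  # Enable & start unattended-upgrades
  - systemctl enable unattended-upgrades
  - systemctl start unattended-upgrades
  # Enable & start Fail2Ban
  - systemctl enable fail2ban
  - systemctl start fail2ban
  # Enable & start Docker Swarm
  - systemctl enable docker
  - systemctl start docker
  # NOTE(review): `swarm init` needs --advertise-addr on hosts with more than
  # one routable address — confirm for the target network.
  - docker swarm init
  # Configure firewall rules & enable UFW
  # NOTE(review): Docker installs its own iptables rules for published (-p)
  # container ports; those are reachable regardless of the ufw policy below.
  - ufw default deny incoming
  - ufw default allow outgoing
  - ufw allow 22/tcp
  - ufw allow 80/tcp
  - ufw allow 443/tcp
  # --force: enable without the interactive confirmation prompt (no tty here)
  - ufw --force enable
  # Configure & restart SSH
  # Drop any keys cloud-init or the image placed for root; root login is
  # disabled above, so nothing should rely on them.
  - rm -rf /root/.ssh/
  # These edits cover releases whose sshd_config has no `Include` of
  # sshd_config.d; on newer releases the drop-in written below (read first by
  # sshd, which keeps the first value it sees) carries the same settings.
  - sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)ChallengeResponseAuthentication/s/^.*$/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)KbdInteractiveAuthentication/s/^.*$/KbdInteractiveAuthentication no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 4/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
  - sed -i '$a AllowUsers ${username}' /etc/ssh/sshd_config
  - systemctl restart ssh
ssh_pwauth: false
timezone: "${timezone}"
users:
  - default
  - name: "${username}"
    groups:
      - docker
      - sudo
    # No local password: the account is reachable only via the keys below.
    lock_passwd: true
    shell: /bin/bash
    # Must render as a YAML list, not a single string.
    ssh_authorized_keys: ${ssh_authorized_keys}
    sudo: "ALL=(ALL) NOPASSWD:ALL"
    # NOTE(review): the `default` user on Ubuntu cloud images normally already
    # owns uid 1000 — confirm user creation does not fail on the duplicate, or
    # drop the explicit uid.
    uid: 1000
write_files:
  # sudo logging as a drop-in: sudoers.d files must be root-owned, not
  # group/world-writable, and have no '.' in the name or sudo ignores them.
  - path: /etc/sudoers.d/90-logfile
    owner: root:root
    permissions: "0440"
    content: |
      Defaults logfile=/var/log/sudo.log
  # SSH hardening drop-in; the low number sorts it ahead of other drop-ins so
  # its values win where sshd_config includes sshd_config.d/*.conf.
  - path: /etc/ssh/sshd_config.d/00-hardening.conf
    owner: root:root
    permissions: "0600"
    content: |
      AllowAgentForwarding no
      AllowTcpForwarding no
      ChallengeResponseAuthentication no
      KbdInteractiveAuthentication no
      MaxAuthTries 4
      PasswordAuthentication no
      PermitRootLogin no
      X11Forwarding no
      AllowUsers ${username}
  # NOTE(review): on releases without rsyslog there is no /var/log/auth.log;
  # if the sshd jail fails to start for lack of a log file, add
  # `backend = systemd` to this section.
  - path: /etc/fail2ban/jail.local
    content: |
      [sshd]
      banaction = iptables-multiport
      bantime = 3600
      enabled = true
      maxretry = 5
      port = 22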