Hetzner cloud config with Docker preinstalled (find and replace "{username}", also add your own ssh pub key)
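#cloud-config
# Hetzner Cloud user-data: create one key-only sudo user, harden sshd, enable
# fail2ban + ufw, install Docker from Docker's Ubuntu apt repo, then reboot.
# Placeholders to replace before use: {username} and {ssh_key_pub}.
# Ubuntu-specific: the Docker repo URL and the lsb_release codename in runcmd.

users:
  - name: {username}
    # Docker is only installed in runcmd, so the docker group may not exist
    # yet here; runcmd re-adds the user to it further down.
    groups: users, admin, docker
    # Passwordless sudo is tolerable only because SSH is key-only and
    # restricted to this user (see the sshd drop-in below).
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    ssh_authorized_keys:
      - {ssh_key_pub}

packages:
  - fail2ban
  - ufw
  - apt-transport-https
  - ca-certificates
  - curl
  - gnupg
  - lsb-release

package_update: true
package_upgrade: true

write_files:
  # sshd hardening drop-in. Port 2222 must stay in sync with the ufw rule and
  # the fail2ban jail in runcmd, otherwise the final reboot locks you out.
  # NOTE(review): on Ubuntu releases that start sshd via ssh.socket, confirm
  # the Port directive is actually honoured after reboot before relying on it.
  - path: /etc/ssh/sshd_config.d/ssh-hardening.conf
    content: |
      PermitRootLogin no
      PasswordAuthentication no
      Port 2222
      KbdInteractiveAuthentication no
      # legacy alias of KbdInteractiveAuthentication, kept for older sshd
      ChallengeResponseAuthentication no
      # every public key an agent offers counts as one attempt; raise this if
      # clients typically carry several keys
      MaxAuthTries 2
      AllowTcpForwarding no
      X11Forwarding no
      AllowAgentForwarding no
      AuthorizedKeysFile .ssh/authorized_keys
      AllowUsers {username}
  # Docker daemon defaults: bounded json-file logs, containers survive a
  # dockerd restart (live-restore), no userland proxy for published ports.
  # Published container ports (-p) are routed by Docker's own iptables chains
  # and are NOT filtered by the ufw rules below; restrict them via DOCKER-USER
  # or bind them to 127.0.0.1 if they must stay private.
  - path: /etc/docker/daemon.json
    content: |
      {
        "log-driver": "json-file",
        "log-opts": {
          "max-size": "10m",
          "max-file": "3"
        },
        "live-restore": true,
        "userland-proxy": false
      }

runcmd:
  # Fail2ban: watch sshd on both the stock port and the hardened one.
  # NOTE(review): on images without rsyslog (no /var/log/auth.log) the sshd
  # jail may need `backend = systemd`; confirm against the target image.
  - printf "[sshd]\nenabled = true\nport = ssh, 2222\nbanaction = iptables-multiport\n" > /etc/fail2ban/jail.local
  - systemctl enable fail2ban
  # ufw: open the custom SSH port BEFORE enabling, then HTTP/HTTPS only.
  - ufw allow 2222/tcp
  - ufw allow 80/tcp
  - ufw allow 443/tcp
  - ufw --force enable
  # Install Docker from the signed upstream Ubuntu repository.
  - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
  - echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
  - apt-get update
  - apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
  # Start and enable Docker.
  - systemctl start docker
  - systemctl enable docker
  # Add user to docker group (also listed in users:, but the group only exists
  # now that Docker is installed).
  - usermod -aG docker {username}
  # Optional standalone docker-compose binary for compatibility with old
  # tooling. -f makes curl fail on HTTP errors instead of saving an error page
  # as an executable; $(uname -m) selects the matching asset on ARM servers
  # instead of a hard-coded x86_64 build. "latest" is unpinned and not
  # checksum-verified: pin a release tag and verify its published checksum
  # for a reproducible build.
  - curl -fsSL "https://github.com/docker/compose/releases/latest/download/docker-compose-linux-$(uname -m)" -o /usr/local/bin/docker-compose
  - chmod +x /usr/local/bin/docker-compose
  # Verify Docker installation (output lands in the cloud-init log).
  - docker --version
  - docker compose version

# Reboot so sshd, ufw and Docker come up with the new config. Using
# power_state instead of a bare `reboot` in runcmd lets cloud-init finish its
# final stage and record completion before the host goes down.
power_state:
  mode: reboot
  delay: now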