/cj-cloud-init.yml Secret
#cloud-config
# The "#cloud-config" marker above must be the first line of the file
# This config was written for Ubuntu 22.04
# If you are using a more recent version, see the comments of this gist for fixes
users:
  - name: cj
    ssh_authorized_keys:
      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBlfqermlV44zAU+iTCa5im5O0QWXid6sHqh2Z4L1Cm [email protected]"
    sudo: ALL=(ALL:ALL) ALL
    groups: sudo
    shell: /bin/bash
chpasswd:
  # Force a password change at first login
  expire: true
  users:
    - name: cj
      password: changeme
      type: text
runcmd:
  # Drop any existing directive, then append the wanted value
  - sed -i '/PermitRootLogin/d' /etc/ssh/sshd_config
  - echo "PermitRootLogin without-password" >> /etc/ssh/sshd_config
  - sed -i '/PubkeyAuthentication/d' /etc/ssh/sshd_config
  - echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
  - sed -i '/PasswordAuthentication/d' /etc/ssh/sshd_config
  - echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
  - systemctl restart sshd
  # Stop needrestart from prompting about pending kernel upgrades
  - echo "\$nrconf{kernelhints} = -1;" > /etc/needrestart/conf.d/99disable-prompt.conf
  - apt update
  - apt upgrade -y --allow-downgrades --allow-remove-essential --allow-change-held-packages
  - reboot
An alternative to @adrnd's solution would be to create an ssh config entry like the following:
Host my_awesome_server
    HostName xxx.xxx.xxx.xxx
    User <YOUR_USER_NAME_SPECIFIED_IN_CLOUD_CONFIG>
    Port 22
    IdentityFile ~/.ssh/<PRIVATE_KEY_FILE>
And then run ssh my_awesome_server. This should enforce a user login on the given IP to use your public/private key for authentication. Make sure to also follow @swrrvr's suggestion to add systemctl restart ssh || systemctl restart sshd to the cloud config in line 22.
Here's an updated version for ubuntu 24.04: https://gist.github.com/dziamid/0de2761e0ecc4b3e68e2461c60f82930
I am struggling with getting a new public key stored in known_hosts locally when trying to run ssh root@{ip-adress} rather than the public key I set in cloud.init script. Using @dziamid's new file for Ubuntu 24.04, also added the systemctl restart ssh || systemctl restart sshd, does anyone know why this happens?
Here's an updated version for ubuntu 24.04: https://gist.github.com/dziamid/0de2761e0ecc4b3e68e2461c60f82930
+1
Thanks!
@dziamid I still can't get in to log in to the username I create with the password 'changeme' it says Permission denied, please try again.
Is this config sure to be correct?
Hey @dwatek , I'm facing the same issue. Did you have any luck?
@SebastianArce remember to also add #cloud-config at top of file. I thought it was just a comment, but without it the whole config didn't work
@dwatek yes, that was it. Thanks!
Can someone explain Disable needrestart prompts ? Should we enable again at the end?
Can we use -apt full-upgrade -y as - apt upgrade -y --allow-downgrades --allow-remove-essential --allow-change-held-packages seems risky?
Can someone explain Disable needrestart prompts ? Should we enable again at the end? Can we use -apt full-upgrade -y as - apt upgrade -y --allow-downgrades --allow-remove-essential --allow-change-held-packages seems risky?
disabling needrestart is perfect for the cloud-init automation, we reboot at the end anyway, so there's no need to re-enable it here
prompts would only matter for later manual updates, and you can remove this file post-setup if you want them back
as for the apt upgrade: yeah, unless cj was fixing some specific issue requiring downgrades or removals, I agree apt full-upgrade -y is a safer bet
i kept getting the error root@[xxx.xxxx.xxx.xxx]: Permission denied (publickey) in the newest version till i found out that coolify somehow added a key (something like <key>/x coolify) to the authorized_keys key file but didn't write it to a new line, so it was appended after the already existing key. Moving the key to a new line fixed the issue for me
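
The failure described in the comment above can be checked for mechanically: sshd reads one key per line, so a key glued on after another key's comment is not read as a key of its own. The following is an added example, not part of the gist or of any commenter's post; it reproduces the glued line with two constructed (non-functional) keys, reports the affected line number and prints a repaired copy. The function names and sample keys are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (constructed data): find and repair authorized_keys lines that
# hold more than one key. Every OpenSSH public-key blob starts with "AAAA",
# so "<key type> AAAA" marks the start of a key.
KEY_RE='(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9-]+@openssh[.]com) AAAA'

# Print the numbers of the lines that contain two or more key starts.
find_merged_keys() {
  awk -v re="$KEY_RE" '
    /^[ \t]*#/ { next }
    { line = $0; if (gsub(re, "&", line) > 1) print NR }
  ' "$1"
}

# Print a repaired copy: a newline goes before every key start after the first.
split_merged_keys() {
  awk -v re="$KEY_RE" '
    /^[ \t]*#/ { print; next }
    {
      rest = $0; out = ""; n = 0
      while (match(rest, re)) {
        n++
        out = out substr(rest, 1, RSTART - 1) (n > 1 ? "\n" : "") substr(rest, RSTART, RLENGTH)
        rest = substr(rest, RSTART + RLENGTH)
      }
      print out rest
    }
  ' "$1"
}

# Constructed sample (not real keys): the first key is written without a
# trailing newline, then a second key is appended with >>, which glues both
# keys onto one line.
make_sample() {
  printf '%s' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne cj@laptop' > "$1"
  printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyTwo coolify' >> "$1"
}

sample=$(mktemp)
make_sample "$sample"
echo "merged lines: $(find_merged_keys "$sample")"
split_merged_keys "$sample"
rm -f "$sample"
```
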
@SebastianArce remember to also add #cloud-config at top of file. I thought it was just a comment, but without it the whole config didn't work
Thank you x_x that is so dumb I've been struggling for a while because of that simple thing
Hm, none of the provided fixes worked for me :(
Here's a version that worked for me (it has some bigger changes compared to the original):
#cloud-config
users:
  - name: yourname
    ssh_authorized_keys:
      - "<SSH_KEY>"
    sudo: ALL=(ALL:ALL) ALL
    groups: sudo
    shell: /bin/bash
chpasswd:
  expire: true
  users:
    - name: yourname
      password: changeme
      type: text
write_files:
  - path: /etc/ssh/sshd_config.d/99-custom.conf
    content: |
      PermitRootLogin without-password
      PubkeyAuthentication yes
      PasswordAuthentication no
runcmd:
  - systemctl restart sshd
  - echo "\$nrconf{kernelhints} = -1;" > /etc/needrestart/conf.d/99disable-prompt.conf
  - apt update
  - apt upgrade -y --allow-downgrades --allow-remove-essential --allow-change-held-packages
  - reboot
I have also encountered issues with running cloud init on Hetzner Ubuntu 24.04 ARM VPS. Unfortunately, sshd was not aliased so I had to use systemctl restart ssh instead.
Here is a config that ended up working for me
#cloud-config
users:
  - name: <username>
    ssh_authorized_keys:
      - <pub_ssh_key>
    sudo: ALL=(ALL:ALL) ALL
    groups: sudo
    shell: /bin/bash
chpasswd:
  expire: true
  users:
    - name: <username>
      password: changeme
      type: text
package_update: true
package_upgrade: true
runcmd:
  - sed -i -e '/^\(#\|\)PermitRootLogin/s/^.*$/PermitRootLogin without-password/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)PubkeyAuthentication/s/^.*$/PubkeyAuthentication yes/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
  - systemctl restart ssh
  - echo "\$nrconf{kernelhints} = -1;" > /etc/needrestart/conf.d/99disable-prompt.conf
power_state:
  delay: 1
  timeout: 60
  mode: reboot
  message: Rebooting after cloud init
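
All three variants in this thread (appending to sshd_config, a 99-custom.conf drop-in, in-place sed) rely on the new value being the one sshd ends up using, but sshd keeps the first value it reads for each keyword and expands an Include where it appears. The added example below, which is not from the gist or its commenters, models that rule on a constructed tree. Assumptions: an Include line at the top of sshd_config, a 50-cloud-init.conf drop-in that enables passwords, and the hypothetical file name 00-hardening.conf.

```shell
#!/bin/sh
# Added example on a constructed config tree: for each keyword sshd keeps the
# FIRST value it reads, and an Include is expanded at the point where it appears.

# Print "keyword value" lines in read order. $1 = tree root, $2 = config file.
# Simplifications: first Include pattern only; reading stops at a Match block.
flatten() (
  root=$1
  while read -r key arg rest || [ -n "$key" ]; do
    case $(printf '%s' "$key" | tr '[:upper:]' '[:lower:]') in
      include)
        case $arg in /*) pat=$root$arg ;; *) pat=$root/etc/ssh/$arg ;; esac
        for f in $pat; do
          if [ -f "$f" ]; then flatten "$root" "$f"; fi
        done ;;
      match) break ;;
      ''|'#'*) ;;
      *) printf '%s %s\n' "$key" "$arg" ;;
    esac
  done < "$2"
)

# Print the first value found for keyword $2 under tree root $1.
effective_value() {
  flatten "$1" "$1/etc/ssh/sshd_config" |
    awk -v k="$2" '!found && tolower($1) == tolower(k) { print $2; found = 1 }
                   END { if (!found) print "(default)" }'
}

# Constructed tree: Include at the top of sshd_config, plus a drop-in that
# enables passwords (an assumption; check what your image actually ships).
make_tree() {
  mkdir -p "$1/etc/ssh/sshd_config.d"
  printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' '#PasswordAuthentication yes' \
    > "$1/etc/ssh/sshd_config"
  echo 'PasswordAuthentication yes' > "$1/etc/ssh/sshd_config.d/50-cloud-init.conf"
}

root=$(mktemp -d); make_tree "$root"
d=$root/etc/ssh
echo 'PasswordAuthentication no' >> "$d/sshd_config"
echo "appended to sshd_config: $(effective_value "$root" PasswordAuthentication)"
echo 'PasswordAuthentication no' > "$d/sshd_config.d/99-custom.conf"
echo "plus 99-custom.conf:     $(effective_value "$root" PasswordAuthentication)"
echo 'PasswordAuthentication no' > "$d/sshd_config.d/00-hardening.conf"  # hypothetical name
echo "plus 00-hardening.conf:  $(effective_value "$root" PasswordAuthentication)"
rm -rf "$root"
```

On a live host, `sshd -T` (run as root) prints the effective configuration after all includes are resolved, so `sshd -T | grep -i passwordauthentication` confirms the result once cloud-init has finished.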
Did you set the permissions right?
chmod -R 644 ~/.ssh/your_key.pub
chmod -R 600 ~/.ssh/authorized_keys