Skip to content

Instantly share code, notes, and snippets.

@MrGraversen

MrGraversen/cloud-init-docker-etc.yaml

Last active April 29, 2024 15:11
Show Gist options
  • Star 8 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save MrGraversen/734364483641afae903c8e86ce464868 to your computer and use it in GitHub Desktop.
Save MrGraversen/734364483641afae903c8e86ce464868 to your computer and use it in GitHub Desktop.
Download ZIP
Base cloud-init for security hardening, SSH, Docker, etc.
Raw
cloud-init-docker-etc.yaml
#cloud-config
package_update: true
manage-resolv-conf: true
resolv_conf:
nameservers:
- '8.8.8.8'
- '8.8.4.4'
- '1.1.1.1'
users:
- name: martin
groups:
- docker
lock_passwd: true
shell: /bin/bash
ssh-authorized-keys:
- ssh-rsa ...
sudo:
- ALL=(ALL) NOPASSWD:ALL
write_files:
- path: /etc/ssh/sshd_config
content: |
Port 2222
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment yes
PasswordAuthentication no
StrictModes yes
DebianBanner no
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
ChallengeResponseAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
MaxAuthTries 3
AllowAgentForwarding no
AllowUsers martin
packages:
- docker.io
- docker-compose
- fail2ban
- ufw
- apt-transport-https
- ca-certificates
- curl
- gnupg-agent
- software-properties-common
- bat
- tree
- zip
- unzip
- openjdk-11-jdk-headless
runcmd:
- ufw default deny incoming
- ufw default allow outgoing
- ufw allow 2222/tcp
- ufw enable
Raw
cloud-init.md

Cloud Init

Initial YAML configuration file for initializing new cloud services, based on my preferences.

What It Does

Installations

  • fail2ban (uses system log files to ban potentially malicious IPs)
  • ufw (simple firewall, configured to allow HTTP/S)
  • Docker
  • SDKMAN!
  • Various dependencies

Users

User martin with appropriate public key.

Configuration

SSHD

  • Deactivate the root login
  • Enable user for SSH
  • Automatic disconnection in case of incorrect login
  • Deactivate unused functions

UFW

  • Allow TCP 80, 443
  • Allow SSH
Raw
initial-setup.sh
curl -s "https://get.sdkman.io" | bash
sudo apt-get install -y maven
git config --global user.name "Martin Graversen"
git config --global user.email martin@graversen.io
cat /dev/zero | ssh-keygen -q -N ""
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment