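#cloud-config
# First-boot hardening profile for a single-admin Debian/Ubuntu cloud host:
# one key-only SSH user, fail2ban + ufw, security unattended upgrades and a
# daily logwatch mail. Everything in runcmd runs once, then the host reboots so
# the new sshd/apt/kernel state is live.
#
# NOTE(review): the sshd settings are applied with sed on /etc/ssh/sshd_config.
# On releases whose sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`
# a drop-in there wins (sshd keeps the FIRST value it reads for each keyword),
# so check that directory for anything that re-enables what is disabled below.

users:
  - name: deploy
    # `admin` is the legacy Ubuntu sudo group; privilege actually comes from the
    # sudo: line below, not from group membership.
    groups: users, admin
    # Passwordless root-equivalence for the only login account. Tolerable only
    # because the account is key-only (password auth is off below); a leaked
    # private key is then a full root compromise, so the key itself is the
    # whole security boundary.
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    ssh_authorized_keys:
      # Public half of an ed25519 key pair; the trailing comment is only a label.
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH19BX4Fx/bCnKkGz5Qlm+m3MojpBtoWL7VDvzmU4RuY tintin@MacBook

# cloud-init's native switch for PasswordAuthentication: belt-and-braces with
# the sed below, and it works on both flat and Include-based sshd_config layouts.
ssh_pwauth: false

packages:
  - fail2ban
  - ufw
  - unattended-upgrades
  - logwatch
package_update: true
package_upgrade: true

runcmd:
  # fail2ban: ban sshd brute-forcers. iptables-multiport coexists with ufw
  # (both drive netfilter); `banaction = ufw` is the alternative if bans should
  # show up as ufw-managed rules.
  - printf "[sshd]\nenabled = true\nbanaction = iptables-multiport" > /etc/fail2ban/jail.local
  - systemctl enable fail2ban
  # Firewall: explicit default-deny inbound, then only ssh/http/https.
  # --force skips ufw's interactive "may disrupt existing ssh connections"
  # confirmation; there is no tty to answer it during cloud-init.
  - ufw default deny incoming
  - ufw allow 22/tcp
  - ufw allow 80
  - ufw allow 443
  - ufw --force enable
  # sshd hardening. Each sed rewrites the directive whether or not it is
  # commented out, and is a silent no-op if the keyword is absent from the file.
  - sed -i -e '/^\(#\|\)PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
  # PasswordAuthentication alone still leaves the PAM keyboard-interactive
  # password prompt reachable; close that path too (the keyword name changed
  # across OpenSSH versions, so both are handled).
  - sed -i -e '/^\(#\|\)ChallengeResponseAuthentication/s/^.*$/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)KbdInteractiveAuthentication/s/^.*$/KbdInteractiveAuthentication no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
  # 2 attempts is tight: ssh-agent offers every loaded key and each refused key
  # counts toward the limit. Raise it if the admin's agent carries several keys.
  - sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 2/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
  # Prepend rather than append: a line added at end-of-file would land inside
  # any trailing Match block and then apply only within that block.
  - sed -i '1i AllowUsers deploy' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)MaxStartups/s/^.*$/MaxStartups 10:30:60/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)LoginGraceTime/s/^.*$/LoginGraceTime 30s/' /etc/ssh/sshd_config
  # Unattended upgrades. -f noninteractive: no debconf frontend/tty at boot.
  - dpkg-reconfigure -f noninteractive unattended-upgrades
  - echo 'APT::Periodic::Update-Package-Lists "1";' > /etc/apt/apt.conf.d/10periodic
  - echo 'APT::Periodic::Download-Upgradeable-Packages "1";' >> /etc/apt/apt.conf.d/10periodic
  - echo 'APT::Periodic::AutocleanInterval "7";' >> /etc/apt/apt.conf.d/10periodic
  - echo 'APT::Periodic::Unattended-Upgrade "1";' >> /etc/apt/apt.conf.d/10periodic
  # NOTE(review): this appends to the package's shipped 50unattended-upgrades.
  # apt appends repeated list options, so this presumably ADDS the security
  # origin to whatever the shipped file already allows rather than restricting
  # upgrades to security-only; verify with `apt-config dump Unattended-Upgrade`.
  - echo 'Unattended-Upgrade::Allowed-Origins {' >> /etc/apt/apt.conf.d/50unattended-upgrades
  - echo ' "${distro_id}:${distro_codename}-security";' >> /etc/apt/apt.conf.d/50unattended-upgrades
  - echo '};' >> /etc/apt/apt.conf.d/50unattended-upgrades
  # Daily logwatch report. run-parts only runs files that are executable and
  # start with an interpreter line; a bare command written with `echo >` has no
  # shebang (and stays 0644 if the file did not already exist), so the job would
  # never fire. This overwrites a distro-shipped script of the same name where
  # one exists. The quoted `#` below is shell text, not a YAML comment. Mail
  # delivery needs a local MTA, which this profile does not install.
  - printf '%s\n' '#!/bin/sh' '/usr/sbin/logwatch --output mail --mailto logs@felixschloesser.de --detail high' > /etc/cron.daily/00logwatch
  - chmod 0755 /etc/cron.daily/00logwatch
  # Validate sshd_config before rebooting: a broken file would otherwise leave
  # no way back in. On failure the reboot is skipped and the still-running sshd
  # keeps the existing login path open so the config can be repaired.
  - /usr/sbin/sshd -t && reboot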