Created
November 2, 2023 21:11
-
-
Save felixschloesser/6ad201001a07cc27cc2bd890abe915be to your computer and use it in GitHub Desktop.
cloud-config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#cloud-config | |
users: | |
- name: deploy | |
groups: users, admin | |
sudo: ALL=(ALL) NOPASSWD:ALL | |
shell: /bin/bash | |
ssh_authorized_keys: | |
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH19BX4Fx/bCnKkGz5Qlm+m3MojpBtoWL7VDvzmU4RuY tintin@MacBook | |
packages: | |
- fail2ban | |
- ufw | |
- unattended-upgrades | |
- logwatch | |
package_update: true | |
package_upgrade: true | |
runcmd: | |
- printf "[sshd]\nenabled = true\nbanaction = iptables-multiport" > /etc/fail2ban/jail.local | |
- systemctl enable fail2ban | |
- ufw allow 22/tcp | |
- ufw allow 80 | |
- ufw allow 443 | |
- ufw enable | |
- sed -i -e '/^\(#\|\)PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config | |
- sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config | |
- sed -i -e '/^\(#\|\)X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config | |
- sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 2/' /etc/ssh/sshd_config | |
- sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config | |
- sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config | |
- sed -i -e '/^\(#\|\)AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config | |
- sed -i '$a AllowUsers deploy' /etc/ssh/sshd_config | |
- sed -i -e '/^\(#\|\)MaxStartups/s/^.*$/MaxStartups 10:30:60/' /etc/ssh/sshd_config | |
- sed -i -e '/^\(#\|\)LoginGraceTime/s/^.*$/LoginGraceTime 30s/' /etc/ssh/sshd_config | |
- dpkg-reconfigure unattended-upgrades | |
- echo 'APT::Periodic::Update-Package-Lists "1";' > /etc/apt/apt.conf.d/10periodic | |
- echo 'APT::Periodic::Download-Upgradeable-Packages "1";' >> /etc/apt/apt.conf.d/10periodic | |
- echo 'APT::Periodic::AutocleanInterval "7";' >> /etc/apt/apt.conf.d/10periodic | |
- echo 'APT::Periodic::Unattended-Upgrade "1";' >> /etc/apt/apt.conf.d/10periodic | |
- echo 'Unattended-Upgrade::Allowed-Origins {' >> /etc/apt/apt.conf.d/50unattended-upgrades | |
- echo ' "${distro_id}:${distro_codename}-security";' >> /etc/apt/apt.conf.d/50unattended-upgrades | |
- echo '};' >> /etc/apt/apt.conf.d/50unattended-upgrades | |
- echo '/usr/sbin/logwatch --output mail --mailto logs@felixschloesser.de --detail high' > /etc/cron.daily/00logwatch | |
- reboot |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment