#cloud-config
# Minimal variant: a single administrative account that is reachable over
# SSH with a key only. The `#cloud-config` header must stay on line 1.
users:
  - name: mh
    # Supplementary group used to gate SSH logins; cloud-init creates a
    # listed group when it does not exist yet (verify on the target
    # cloud-init version).
    groups:
      - sshlogin
    shell: /bin/bash
    # sudo without a password prompt for this account.
    sudo:
      - 'ALL=(ALL) NOPASSWD:ALL'
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRFlkyW0MXxYjA1HUzJ18nlTLtXOHKV0rVJD/46v7Sb tera2023
    # Importing keys from GitHub needs outbound connectivity at first boot,
    # which is why it is left disabled here.
    # ssh_import_id:
    #   - gh:mhutter
#cloud-config
# Package needed by the apt configuration further down in this file.
packages:
  - unattended-upgrades

# Create a custom administrative user.
users:
  - name: mh
    # Only members of the `sshlogin` group may log in: the sshd
    # configuration written below restricts logins with `AllowGroups
    # sshlogin`, so this membership is what keeps the account reachable.
    groups:
      - sshlogin
    shell: /bin/bash
    # sudo without a password prompt for this account.
    sudo:
      - 'ALL=(ALL) NOPASSWD:ALL'
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRFlkyW0MXxYjA1HUzJ18nlTLtXOHKV0rVJD/46v7Sb tera2023
# Configure automatic updates. cloud-init writes the `conf` text into apt's
# configuration, so it is plain apt.conf syntax, not YAML.
# No `Allowed-Origins` is set here, so unattended-upgrades presumably falls
# back to the origin list shipped by the package (verify on the target image).
apt:
  conf: |
    APT {
      Periodic {
        Download-Upgradeable-Packages "1";
        Unattended-Upgrade "1";
        Update-Package-Lists "1";
        AutocleanInterval "7";
      }
    }
    Unattended-Upgrade {
      Remove-Unused-Kernel-Packages "true";
      Remove-New-Unused-Dependencies "true";
      Remove-Unused-Dependencies "true";
      Automatic-Reboot "true";
      Automatic-Reboot-WithUsers "true";
      Automatic-Reboot-Time "06:00";
    }
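runcmd:
  # SSHD: Remove preexisting host keys and generate new ones.
  # `-f` so a key type that does not exist on the image is not reported as
  # an error by rm.
  - rm -f /etc/ssh/ssh_host_*
  - ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
  - ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
  # SSHD: Remove unsafe moduli (keep only DH group-exchange candidates whose
  # size field is at least 3071).
  - awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
  - mv /etc/ssh/moduli.safe /etc/ssh/moduli
  # SSHD: runcmd typically executes after sshd has already started, and sshd
  # keeps the host keys it loaded at start-up in memory, so without a restart
  # the deleted keys would still be presented until the next boot.
  # `try-restart` only restarts a running daemon; one that has not started
  # yet reads the new keys when it starts. The unit is `ssh` on Debian/Ubuntu
  # (which this apt-based config targets) and `sshd` on most other distros.
  - systemctl try-restart ssh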
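write_files:
  # SSHD: Custom configuration.
  # Only an sshd whose main sshd_config carries
  # `Include /etc/ssh/sshd_config.d/*.conf` reads this file; sshd uses the
  # first value it sees for each keyword, so with the usual layout (Include
  # at the top) these settings take precedence over the main file.
  # `Protocol 2` and `UsePrivilegeSeparation sandbox` are deliberately not
  # listed: on every OpenSSH release that supports `Include`, the former is
  # ignored and the latter is a deprecated no-op that only logs a warning.
  # Lockout hazard: with `AllowGroups sshlogin` and password logins disabled,
  # the `users` entry in this file must end up in the `sshlogin` group.
  # On images that socket-activate sshd, the listening port may come from
  # the systemd socket unit rather than `Port` — verify on the target image.
  # `ChallengeResponseAuthentication` is the legacy spelling of
  # `KbdInteractiveAuthentication` on recent releases and is still accepted.
  - path: /etc/ssh/sshd_config.d/custom.conf
    content: |
      AllowGroups sshlogin
      AuthorizedKeysFile .ssh/authorized_keys
      ChallengeResponseAuthentication no
      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
      ClientAliveCountMax 2
      ClientAliveInterval 120
      GSSAPIAuthentication no
      HostKey /etc/ssh/ssh_host_ed25519_key
      HostKey /etc/ssh/ssh_host_rsa_key
      KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
      LoginGraceTime 10
      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
      MaxStartups 2:30:10
      PasswordAuthentication no
      PermitRootLogin no
      Port 11592
      PubkeyAuthentication yes
      UseDNS no
      UsePAM yes
      X11Forwarding no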