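#cloud-config
# `#cloud-config` must stay the very first line: cloud-init uses it to detect
# the user-data type, so no `---` document marker may precede it.

# Create the group explicitly. cloud-init processes the top-level `groups` list
# before it creates users, so the membership below never depends on the image
# already shipping the group (auto-creation of missing groups is
# version-dependent).
groups:
  - sshlogin

users:
  - name: mh
    # Membership in `sshlogin` only restricts anything if sshd is configured
    # with `AllowGroups sshlogin`; this file does not ship that setting.
    groups: ['sshlogin']
    shell: /bin/bash
    # No password is set (cloud-init locks the password by default), so a
    # password-prompting sudo could never succeed; NOPASSWD is what makes sudo
    # usable at all. Possession of the private key below therefore equals root.
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRFlkyW0MXxYjA1HUzJ18nlTLtXOHKV0rVJD/46v7Sb tera2023
    # Alternative: fetch the keys from GitHub at boot. This needs outbound
    # connectivity on first boot and trusts whatever keys the GitHub account
    # holds at that moment (GitHub becomes part of the trust chain). If the
    # fetch fails the account ends up with neither key nor password, i.e.
    # unreachable.
    #ssh_import_id:
    #  - gh:mhutter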
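#cloud-config
# `#cloud-config` must stay the very first line: cloud-init uses it to detect
# the user-data type, so no `---` document marker may precede it.

packages:
  - unattended-upgrades

# Create the group explicitly. cloud-init processes the top-level `groups` list
# before it creates users, so the `AllowGroups` membership below never depends
# on the image already shipping the group (auto-creation of missing groups is
# version-dependent).
groups:
  - sshlogin

# Create a custom administrative user.
users:
  - name: mh
    # Only members of `sshlogin` pass sshd's `AllowGroups` check (see the
    # drop-in written under write_files); everybody else is refused.
    groups: ['sshlogin']
    shell: /bin/bash
    # No password is set (cloud-init locks the password by default), so a
    # password-prompting sudo could never succeed; NOPASSWD is what makes sudo
    # usable at all. Possession of the private key below therefore equals root.
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRFlkyW0MXxYjA1HUzJ18nlTLtXOHKV0rVJD/46v7Sb tera2023

# Configure unattended upgrades. The block is written verbatim as an apt
# configuration fragment. `Allowed-Origins` is not set here, so which
# repositories are auto-applied is whatever the unattended-upgrades package
# default is (normally security updates only) -- review that if more is wanted.
# `Automatic-Reboot-WithUsers "true"` reboots at 06:00 even while interactive
# sessions are open; drop it or change the time if that is unacceptable.
apt:
  conf: |
    APT {
      Periodic {
        Download-Upgradeable-Packages "1";
        Unattended-Upgrade "1";
        Update-Package-Lists "1";
        AutocleanInterval "7";
      }
    }
    Unattended-Upgrade {
      Remove-Unused-Kernel-Packages "true";
      Remove-New-Unused-Dependencies "true";
      Remove-Unused-Dependencies "true";
      Automatic-Reboot "true";
      Automatic-Reboot-WithUsers "true";
      Automatic-Reboot-Time "06:00";
    }

runcmd:
  # SSHD: discard the host keys the image booted with (cloned images may share
  # them) and generate fresh ed25519 + 4096-bit RSA keys. ECDSA is deliberately
  # not regenerated: the drop-in below lists only these two HostKey files.
  # `-f` keeps the step from failing when there is nothing to delete.
  - rm -f /etc/ssh/ssh_host_*
  - ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
  - ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
  # SSHD: drop DH group-exchange moduli smaller than 3072 bits. The moduli
  # file lists sizes as 2047/3071/4095/..., so `>= 3071` keeps 3072-bit and
  # larger groups. sshd reads this file per connection, not at startup.
  - awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
  - mv /etc/ssh/moduli.safe /etc/ssh/moduli
  # runcmd executes in cloud-init's final stage, when sshd is already running
  # with the host keys it loaded at startup; without a restart clients keep
  # being presented the deleted keys until the first reboot, and then see a
  # host-key change. `sshd -t` validates the merged configuration first so a
  # broken drop-in cannot take the daemon down. The unit is `ssh` on
  # Debian/Ubuntu (which the apt stanza above targets); it is `sshd` elsewhere.
  - sshd -t && systemctl restart ssh

write_files:
  # SSHD: hardening drop-in. It is only honoured when the main sshd_config
  # contains `Include /etc/ssh/sshd_config.d/*.conf` (OpenSSH 8.2+). Because
  # that Include sits at the top of the file and sshd uses first-match-wins,
  # every value here overrides the distribution default.
  #
  # Notes on individual settings:
  # - AllowGroups: login restricted to `sshlogin` members; PermitRootLogin no
  #   is then defence in depth.
  # - AuthorizedKeysFile: a single file, which removes the default second
  #   location (`.ssh/authorized_keys2`) as a place to hide an extra key.
  # - PasswordAuthentication no + ChallengeResponseAuthentication no together
  #   make UsePAM yes safe: PAM still handles account/session setup but can
  #   no longer prompt for a password. The option was renamed to
  #   KbdInteractiveAuthentication in OpenSSH 8.7; the old spelling is kept
  #   because the new keyword is a fatal "Bad configuration option" on older
  #   releases, while the old one is still accepted as an alias.
  # - Protocol 2 and UsePrivilegeSeparation sandbox are no-ops on any OpenSSH
  #   since 7.4/7.5 (they only log a deprecation warning); they are kept for
  #   the benefit of older images and can be removed otherwise.
  # - MaxStartups 2:30:10: random-drop unauthenticated connections from the
  #   3rd onwards with 30% probability, drop all from the 10th -- a brake on
  #   brute-force on a single-admin host.
  # - Port 11592: on socket-activated installs (Ubuntu 22.10+) verify after
  #   boot that the listener actually moved to this port and that a firewall
  #   in front of the host allows it.
  - path: /etc/ssh/sshd_config.d/custom.conf
    content: |
      AllowGroups sshlogin
      AuthorizedKeysFile .ssh/authorized_keys
      ChallengeResponseAuthentication no
      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
      ClientAliveCountMax 2
      ClientAliveInterval 120
      GSSAPIAuthentication no
      HostKey /etc/ssh/ssh_host_ed25519_key
      HostKey /etc/ssh/ssh_host_rsa_key
      KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
      LoginGraceTime 10
      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
      MaxStartups 2:30:10
      PasswordAuthentication no
      PermitRootLogin no
      Port 11592
      Protocol 2
      PubkeyAuthentication yes
      UseDNS no
      UsePAM yes
      UsePrivilegeSeparation sandbox
      X11Forwarding no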