#cloud-config
# Package handling on first boot: refresh the index, apply every pending
# upgrade, and reboot afterwards if a package (typically the kernel) asks
# for it.
package_update: true
package_upgrade: true
package_reboot_if_required: true
# Administrative user. No password is set (lock_passwd), so the SSH key below
# is the only way in; NOPASSWD is what keeps sudo usable for an account that
# has no password. Whoever holds that private key therefore has root.
users:
  - name: lars
    groups: sudo
    lock_passwd: true
    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuZ1VOAN2jUNiukYmDlSFwPy/p+bdr9fVqi4yeDOzOX larsl@Lars-Asus
# Installed in one apt transaction during the config stage, before runcmd.
packages:
  # host firewall
  - ufw
  # prerequisites for adding the Docker APT repository in runcmd
  - ca-certificates
  - curl
  - gnupg
  - lsb-release
  # brute-force protection and automatic security updates
  - fail2ban
  - unattended-upgrades
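# Files written during the init stage, i.e. before packages are installed and
# before runcmd runs. The cloud-init default mode (0644) is stated explicitly
# on every entry so the resulting permissions are reviewable here.
write_files:
  # sshd hardening drop-in. sshd_config(5) keeps the first value obtained for
  # a keyword, and the distro sshd_config includes sshd_config.d/*.conf in
  # sorted order, so a drop-in that sorts earlier (e.g. a vendor 50-*.conf)
  # overrides this one. Check the effective settings with `sshd -T`.
  # ChallengeResponseAuthentication is the legacy alias of
  # KbdInteractiveAuthentication and is still accepted by current releases.
  - path: /etc/ssh/sshd_config.d/99-hardening.conf
    permissions: "0644"
    content: |
      PermitRootLogin no
      PasswordAuthentication no
      ChallengeResponseAuthentication no
      UsePAM yes
      AllowTcpForwarding no
      X11Forwarding no
  # Kernel hardening; loaded by `sysctl --system` in runcmd.
  - path: /etc/sysctl.d/99-security.conf
    permissions: "0644"
    content: |
      net.ipv4.conf.all.accept_redirects = 0
      net.ipv4.conf.all.send_redirects = 0
      net.ipv4.conf.default.accept_redirects = 0
      net.ipv4.tcp_syncookies = 1
      fs.suid_dumpable = 0
      kernel.kptr_restrict = 2
  # Enable the periodic apt timer that drives unattended-upgrades.
  - path: /etc/apt/apt.conf.d/20auto-upgrades
    permissions: "0644"
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
  # Security pocket only, with an automatic reboot in a maintenance window.
  # This replaces the file shipped by the unattended-upgrades package; on
  # images where that package is not preinstalled, confirm after the package
  # stage that this version is the one on disk.
  - path: /etc/apt/apt.conf.d/50unattended-upgrades
    permissions: "0644"
    content: |
      Unattended-Upgrade::Allowed-Origins {
      "${distro_id}:${distro_codename}-security";
      };
      Unattended-Upgrade::Automatic-Reboot "true";
      Unattended-Upgrade::Automatic-Reboot-Time "03:30";
      Unattended-Upgrade::Remove-Unused-Dependencies "true";
      Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
      Unattended-Upgrade::SyslogEnable "true";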
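# First-boot commands, run once in order after the package stage.
runcmd:
  # Host firewall: deny all inbound traffic except SSH and HTTP(S).
  - ufw default deny incoming
  - ufw default allow outgoing
  - ufw allow ssh
  - ufw allow 80/tcp
  - ufw allow 443/tcp
  - ufw --force enable
  # Validate the sshd drop-in before restarting; a config error would
  # otherwise leave sshd down and lock us out of the host.
  - sshd -t && systemctl restart ssh
  - systemctl enable fail2ban
  - systemctl start fail2ban
  # Load /etc/sysctl.d/99-security.conf.
  - sysctl --system
  # Docker APT repository: signing key and source list. Ubuntu-specific: the
  # repository path and the lsb_release codename assume an Ubuntu release.
  - install -m 0755 -d /etc/apt/keyrings
  - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
  - chmod a+r /etc/apt/keyrings/docker.gpg
  - echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list
  - apt-get update
  # Docker Engine and plugins (includes docker compose v2).
  - apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
  - systemctl enable docker
  - systemctl start docker
  # NOTE: Docker programs iptables itself; ports published with -p are
  # reachable from outside regardless of the ufw rules above. Bind published
  # ports to 127.0.0.1 unless they are meant to be public.
  # Membership of the docker group is equivalent to root on this host.
  - usermod -aG docker lars
  - systemctl enable unattended-upgrades
  - systemctl restart unattended-upgrades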