automated_setups/scripts/analysis.yaml at main · pjastam/automated_setups · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
#cloud-config

hostname: analysis-server
timezone: Europe/Amsterdam

apt_sources:
  - source: deb https://cloud.r-project.org/bin/linux/ubuntu focal-cran40/
    keyid: E298A3A825C0D65DFD57CBB651716619E084DAB9
  - source: deb [arch=amd64] https://download.docker.com/linux/ubuntu $RELEASE stable
    keyid: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88

package_update: true
package_upgrade: true

packages:
  - fail2ban
  - curl
  - python3-pip
  - r-base-dev
  - libcurl4-gnutls-dev
  - libxml2-dev
  - libssl-dev
  - docker-ce
  - docker-ce-cli
  - ufw
  - htop
  - git
  - nodejs
  - npm

users:
  - name: piet
    sudo: ALL=(ALL) NOPASSWD:ALL
    groups: sudo, docker
    shell: /bin/bash
    # Optional: Add SSH key or hashed password here
#    ssh_authorized_keys:
#      - ssh-rsa AAAA... Main computer

write_files:
  - path: /etc/fail2ban/jail.local
    content: |
      [DEFAULT]
      # Ban hosts for one hour:
      bantime = 3600
      # Override /etc/fail2ban/jail.d/00-firewalld.conf:
      banaction = iptables-multiport

      [sshd]
      enabled = true
      port = 4444
      logpath = %(sshd_log)s

runcmd:
  # SSH hardening
  - sed -i 's/^#Port 22/Port 4444/' /etc/ssh/sshd_config
  - sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
  - echo 'AllowUsers piet' >> /etc/ssh/sshd_config
  - systemctl restart ssh

  # Fail2ban
  - systemctl restart fail2ban

  # Firewall (allows SSH connections)
  - ufw allow OpenSSH
  - ufw allow 4444/tcp
  - ufw --force enable

  # Remove sudo message
  - install -m 644 -o piet /dev/null /home/piet/.sudo_as_admin_successful

  # Python packages
  - pip3 install beautifulsoup4 tinydb requests numpy pandas

  # Optional: Bigger swap space for R on smaller machines
#  - |
#    if [ ! -f /var/swap.1 ]; then
#      dd if=/dev/zero of=/var/swap.1 bs=1M count=1024
#      mkswap /var/swap.1
#      swapon /var/swap.1
#      echo '/var/swap.1 swap swap defaults 0 0' >> /etc/fstab
#    fi

  # R packages
  - |
    Rscript -e "install.packages(c(
      'broom', 'DiagrammeR', 'devtools', 'dplyr', 'ggplot2', 'ggthemes',
      'haven', 'httr', 'knitr', 'lubridate', 'packrat', 'pryr', 'purrr',
      'reshape2', 'rmarkdown', 'rvest', 'readr', 'readxl', 'testthat',
      'tidyr', 'shiny', 'stringr', 'xml2'
    ), repos='https://cran.rstudio.com/', dependencies=TRUE)"

  # Node.js packages
  - sudo npm install -g npm@latest
  - sudo npm install -g express-generator

  # Marker file to confirm cloud-init completion
  - touch /etc/cloud-init-finished