diff --git a/deployment/hetzner_cloud/cloudConfig.yaml b/deployment/hetzner_cloud/cloudConfig.yaml
index 84658705f..e6970cf9c 100644
--- a/deployment/hetzner_cloud/cloudConfig.yaml
+++ b/deployment/hetzner_cloud/cloudConfig.yaml
@@ -24,24 +24,24 @@ packages:
 - expect
 package_update: true
 package_upgrade: true
-
+write_files:
+ - path: /etc/ssh/sshd_config.d/ssh-hardening.conf
+ content: |
+ PermitRootLogin yes
+ PasswordAuthentication no
+ KbdInteractiveAuthentication no
+ ChallengeResponseAuthentication no
+ MaxAuthTries 3
+ AllowTcpForwarding no
+ X11Forwarding no
+ AllowAgentForwarding no
+ AuthorizedKeysFile .ssh/authorized_keys
+ AllowUsers gradido root
 runcmd:
 - printf "[sshd]\nenabled = true\nbanaction = iptables-multiport" > /etc/fail2ban/jail.local
 - systemctl enable fail2ban
-
 - ufw allow OpenSSH
 - ufw allow http
 - ufw allow https
 - ufw enable
-
-- sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
-- sed -i -e '/^\(#\|\)KbdInteractiveAuthentication/s/^.*$/KbdInteractiveAuthentication no/' /etc/ssh/sshd_config
-- sed -i -e '/^\(#\|\)ChallengeResponseAuthentication/s/^.*$/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
-- sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 3/' /etc/ssh/sshd_config
-- sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
-- sed -i -e '/^\(#\|\)X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
-- sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
-- sed -i -e '/^\(#\|\)AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
-- sed -i '$a AllowUsers gradido root' /etc/ssh/sshd_config
-
 - reboot
\ No newline at end of file
diff --git a/deployment/hetzner_cloud/install.sh b/deployment/hetzner_cloud/install.sh
index ac43c6421..2471bc24c 100755
--- a/deployment/hetzner_cloud/install.sh
+++ b/deployment/hetzner_cloud/install.sh
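Review bot: The new drop-in `/etc/ssh/sshd_config.d/ssh-hardening.conf` explicitly sets `PermitRootLogin yes`, which the removed sed lines never did and which turns a file named "hardening" into the thing that guarantees root stays a direct SSH target; since `PasswordAuthentication no` is already in the same file, `PermitRootLogin prohibit-password` keeps key-based root access for provisioning while closing every password path, and `PermitRootLogin no` is better still if the `gradido` account listed in `AllowUsers` is enough for operations. A second caveat on the drop-in approach: sshd keeps the first value it reads for each keyword and the `sshd_config.d/*.conf` include is processed in lexical order, so on images where cloud-init writes its own `/etc/ssh/sshd_config.d/50-cloud-init.conf` (commonly carrying a `PasswordAuthentication` setting), that file sorts before `ssh-hardening.conf` and wins for any keyword both define — naming the file `00-ssh-hardening.conf` removes that dependency; confirm against the Hetzner image actually used. It would also be worth a comment above `write_files` such as `# sshd_config.d drop-ins are read first-match-wins in lexical order; keep this file sorting before any cloud-init drop-in`, so the next maintainer does not rely on the name by accident.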
@@ -124,17 +124,28 @@ sudo systemctl daemon-reload
 # setup https with certbot
 certbot certonly --nginx --non-interactive --agree-tos --domains $COMMUNITY_HOST --email $COMMUNITY_SUPPORT_MAIL
-# Install node 18
-sudo -u gradido bash -c 'curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash'
-# Close and reopen your terminal to start using nvm or run the following to use it now:
-sudo -u gradido bash -c 'export NVM_DIR="$HOME/.nvm" && [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"'
-sudo -u gradido bash -c '. $HOME/.nvm/nvm.sh && nvm install v18.20.7' # first installed version will be set to default automatic
+# Variables
+NVM_DIR="/home/gradido/.nvm"
+NODE_VERSION="v18.20.7"
+
+# Install nvm if it doesn't exist
+if [ ! -d "$NVM_DIR" ]; then
+ sudo -u gradido bash -c 'curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash'
+fi
+
+# Load nvm
+sudo -u gradido bash -c 'export NVM_DIR="$NVM_DIR" && [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"'
+
+# Install Node if not already installed
+if ! sudo -u gradido bash -c "source $NVM_DIR/nvm.sh && nvm ls $NODE_VERSION >/dev/null 2>&1"; then
+ sudo -u gradido bash -c "source $NVM_DIR/nvm.sh && nvm install $NODE_VERSION"
+fi
 # Install yarn
-sudo -u gradido bash -c '. $HOME/.nvm/nvm.sh && npm i -g yarn'
+sudo -u gradido bash -c 'source $NVM_DIR/nvm.sh && npm i -g yarn'
 # Install pm2
-sudo -u gradido bash -c '. $HOME/.nvm/nvm.sh && npm i -g pm2 && pm2 startup'
+sudo -u gradido bash -c 'source $NVM_DIR/nvm.sh && npm i -g pm2 && pm2 startup'
 # Install logrotate
 envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" < $SCRIPT_PATH/logrotate/gradido.conf.template > $SCRIPT_PATH/logrotate/gradido.conf
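Review bot: The rewritten yarn and pm2 lines are single-quoted, `sudo -u gradido bash -c 'source $NVM_DIR/nvm.sh && npm i -g yarn'`, so `$NVM_DIR` is expanded by the child shell rather than this script — and there it is empty, because `NVM_DIR` is assigned but never exported here and sudo's default env_reset would strip it anyway; `source /nvm.sh` then fails and the `&&` chain skips `npm i -g`, so neither yarn nor pm2 is installed, whereas the old `'. $HOME/.nvm/nvm.sh && …'` form worked because `$HOME` resolved to gradido's home inside the child. Use the double-quoted form the new `nvm ls`/`nvm install` lines already use: `sudo -u gradido bash -c "source $NVM_DIR/nvm.sh && npm i -g yarn"` and `sudo -u gradido bash -c "source $NVM_DIR/nvm.sh && npm i -g pm2 && pm2 startup"`. The `# Load nvm` line has the same quoting problem and is a no-op in any case, since sourcing inside a separate `bash -c` process cannot affect the later commands, so it can be dropped rather than fixed. Separately, `curl -o- … | bash` still executes a downloaded installer with no integrity check — the `v0.39.7` tag pins a name, not content — so downloading to a file with `curl --fail --proto '=https'`, comparing a known sha256, and only then running it under `-u gradido` would close that supply-chain gap. install.sh continues on both sides of this hunk.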