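#cloud-config
# The "#cloud-config" header above must stay the very first line of the file;
# cloud-init uses it to recognise this user-data format.

users:
  - name: gradido
    # NOTE(review): membership in `admin`/`sudo` may grant broader sudo rights
    # than the rule below, depending on the image's sudoers policy - confirm
    # that this is intended.
    groups: users, admin, sudo
    # Passwordless sudo is limited to start/stop/restart of the nginx init script.
    sudo: ALL=(ALL) NOPASSWD:/etc/init.d/nginx start,/etc/init.d/nginx stop,/etc/init.d/nginx restart
    shell: /bin/bash
    # Placeholder: put the operator's SSH public key(s) here before use.
    # Password logins are disabled in the sshd drop-in below, so this account
    # is reachable over SSH only with a key listed here.
    ssh_authorized_keys:
      -

packages:
  - fail2ban
  - python3-systemd
  - ufw
  - git
  - mariadb-server
  - nginx
  - curl
  - build-essential
  - gnupg
  - certbot
  - python3-certbot-nginx
  - logrotate
  - automysqlbackup
  - expect

package_update: true
package_upgrade: true

write_files:
  # sshd drop-in: key-only authentication, no forwarding, two allowed accounts.
  # Root stays reachable (it is listed in AllowUsers), but with
  # `prohibit-password` instead of `yes`, so root can never authenticate with a
  # password even if PasswordAuthentication is re-enabled by another file.
  # NOTE(review): sshd keeps the first value it reads for each keyword and
  # reads sshd_config.d/*.conf in lexical order, so an image-provided drop-in
  # that sorts before "ssh-hardening.conf" would take precedence over these
  # settings. Check the effective configuration with `sshd -T` after first boot.
  - path: /etc/ssh/sshd_config.d/ssh-hardening.conf
    content: |
      PermitRootLogin prohibit-password
      PasswordAuthentication no
      KbdInteractiveAuthentication no
      ChallengeResponseAuthentication no
      MaxAuthTries 3
      AllowTcpForwarding no
      X11Forwarding no
      AllowAgentForwarding no
      AuthorizedKeysFile .ssh/authorized_keys
      AllowUsers gradido root

runcmd:
  # Enable the fail2ban sshd jail.
  - printf "[sshd]\nenabled = true\nbanaction = iptables-multiport" > /etc/fail2ban/jail.local
  - systemctl enable fail2ban
  # Firewall: only SSH, HTTP and HTTPS are opened before ufw is switched on.
  - ufw allow OpenSSH
  - ufw allow http
  - ufw allow https
  - ufw enable
  # Reboot at the end of provisioning.
  - reboot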