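#cloud-config
# Bootstrap for a single gradido host: one non-root deploy user with key-only
# SSH, a hardened sshd drop-in, fail2ban watching sshd, and ufw exposing only
# SSH/HTTP/HTTPS. Assumes a Debian/Ubuntu image whose /etc/ssh/sshd_config
# carries "Include /etc/ssh/sshd_config.d/*.conf" (Ubuntu 20.04+/Debian 12+);
# on older images the drop-in below is silently ignored -- verify.

users:
  - name: gradido
    # NOTE(review): admin/sudo membership grants full sudo (password-prompted)
    # on Debian/Ubuntu on top of the narrow NOPASSWD rule below. cloud-init
    # creates the account with a locked password, so that path is unusable
    # until someone sets one; drop the two groups if the deploy scripts do not
    # actually need full sudo.
    groups: users, admin, sudo
    # Password-less sudo is limited to stopping/starting nginx (e.g. after a
    # deploy or certificate renewal). Quoted so the ':' and ',' stay literal.
    sudo: 'ALL=(ALL) NOPASSWD:/etc/init.d/nginx start,/etc/init.d/nginx stop,/etc/init.d/nginx restart'
    shell: /bin/bash
    ssh_authorized_keys:
      # Must be substituted before use: with password auth and root login
      # disabled below, this key is the only way onto the host.
      - <public_ssh_key>

packages:
  - fail2ban
  - python3-systemd  # fail2ban's journal backend (see jail.local below)
  - ufw
  - git
  # mariadb and redis stay reachable only from localhost as long as ufw's
  # default-deny holds and the packages keep their loopback bind defaults.
  - mariadb-server
  - nginx
  - redis
  - curl
  - build-essential
  - gnupg
  - certbot
  - python3-certbot-nginx
  - logrotate
  - automysqlbackup
  - expect
  - unzip

package_update: true
package_upgrade: true

write_files:
  - path: /etc/ssh/sshd_config.d/ssh-hardening.conf
    content: |
      # Root never logs in over SSH; the gradido user holds the only
      # authorised key. (The file previously said "yes", contradicting the
      # "hardening" intent and listing root in AllowUsers.)
      PermitRootLogin no
      PasswordAuthentication no
      KbdInteractiveAuthentication no
      ChallengeResponseAuthentication no
      MaxAuthTries 3
      AllowTcpForwarding no
      X11Forwarding no
      AllowAgentForwarding no
      AuthorizedKeysFile .ssh/authorized_keys
      AllowUsers gradido
  # fail2ban jail config. Written here rather than via printf in runcmd so it
  # is reviewable as configuration and ends with a newline. write_files runs
  # before package installation; jail.local is not shipped by the package, so
  # dpkg leaves it untouched.
  - path: /etc/fail2ban/jail.local
    content: |
      [sshd]
      enabled = true
      # Read auth events from the journal -- this is what python3-systemd is
      # installed for. Images without rsyslog have no /var/log/auth.log for
      # the file-based backend. Bans go through iptables directly; ufw sits on
      # top of iptables, so the fail2ban chains still take effect.
      backend = systemd
      banaction = iptables-multiport

runcmd:
  - systemctl enable fail2ban
  # Make the firewall posture explicit rather than relying on ufw defaults.
  - ufw default deny incoming
  - ufw default allow outgoing
  - ufw allow OpenSSH
  - ufw allow http
  - ufw allow https
  # --force skips the interactive confirmation in the non-tty cloud-init run.
  - ufw --force enable
  # Reboot so upgraded packages/kernel and the sshd drop-in are live.
  - reboot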