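#cloud-config
# cloud-init user-data for a fresh server: creates the "gradido" login,
# installs the base packages, enables fail2ban and ufw, tightens sshd_config
# and reboots. The "#cloud-config" marker must remain the first line.

users:
  - name: gradido
    # NOTE(review): "sudo" and "admin" membership is broader than the
    # NOPASSWD rule below. No password is set in this file, but on images
    # whose sudoers grants %sudo/%admin full rights the account gains
    # unrestricted sudo as soon as it has one. Drop these groups if only the
    # nginx commands are needed.
    groups: users, admin, sudo
    # Passwordless sudo is limited to starting, stopping and restarting nginx
    # through its init script. Quoted so the rule is always read as a string.
    sudo: 'ALL=(ALL) NOPASSWD:/etc/init.d/nginx start,/etc/init.d/nginx stop,/etc/init.d/nginx restart'
    shell: /bin/bash
    ssh_authorized_keys:
      # Placeholder: substitute the operator's public key before use.
      # Password logins are disabled in runcmd, so a missing or wrong key
      # leaves this account without SSH access.
      - <public_ssh_key>

packages:
  - fail2ban
  - python3-systemd
  - ufw
  - git
  - mariadb-server
  - nginx
  - curl
  - build-essential
  - gnupg
  - certbot
  - python3-certbot-nginx
  - logrotate
  - automysqlbackup
  - expect

# Refresh the package index and apply pending upgrades on first boot.
package_update: true
package_upgrade: true

runcmd:
  # fail2ban: write a minimal jail.local that turns on the sshd jail.
  # NOTE(review): no log backend is set here; after first boot confirm the
  # jail is live with `fail2ban-client status sshd`.
  - printf "[sshd]\nenabled = true\nbanaction = iptables-multiport" > /etc/fail2ban/jail.local
  - systemctl enable fail2ban

  # Firewall: only SSH, HTTP and HTTPS are allowed before ufw is switched on.
  # mariadb-server is installed above, but no database port is opened.
  - ufw allow OpenSSH
  - ufw allow http
  - ufw allow https
  - ufw enable

  # sshd hardening. Each sed rewrites an existing line that starts with the
  # directive (optionally commented out with "#") to the value shown.
  # NOTE(review): a directive that is absent from the file stays unset, and
  # values from an included /etc/ssh/sshd_config.d/*.conf snippet, where the
  # image ships one, may take precedence. Verify the effective settings with
  # `sshd -T` after first boot.
  - sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)KbdInteractiveAuthentication/s/^.*$/KbdInteractiveAuthentication no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)ChallengeResponseAuthentication/s/^.*$/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 3/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
  # Appended as the last line: SSH logins are restricted to these accounts.
  # NOTE(review): root stays reachable over SSH and PermitRootLogin is not
  # set in this file; consider removing root from this list once
  # provisioning no longer needs it.
  - sed -i '$a AllowUsers gradido root' /etc/ssh/sshd_config

  # No sshd restart or fail2ban start is issued above, so the sshd_config
  # changes and the fail2ban service take effect with this reboot.
  - reboot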