
cloud-init #

This page lists the various cloud-init config files I use when creating a new server. Unless specified otherwise, I work with a Debian Bookworm install on an ARM CPU, using Hetzner as the cloud provider.

You can also check the official cloud-init site and its cloud-config examples.

Secured cloud-init config #

This minimal config file sets up a user, gives it sudo privileges, sets up fail2ban and hardens ssh (no root login, no password login).

Edit the placeholder values (YOUR_TIMEZONE, YOUR_USERNAME, the passwd hash, YOUR_PUBLIC_KEY) and uncomment the optional lines as described in the comments.

Note: on Debian, mkpasswd is provided by the whois package, so install it with sudo apt install whois.

#cloud-config
timezone: YOUR_TIMEZONE  # e.g. Europe/London
users:
  - name: YOUR_USERNAME
    passwd: YOUR_PASSWORD_HASH  # output of: mkpasswd -m sha-512
    ssh_authorized_keys:
      - YOUR_PUBLIC_KEY
    groups: sudo
    # To make sudo passwordless, add the wheel group as well (groups: sudo, wheel)
    # and uncomment the sudoers line at the end of runcmd.
    shell: /bin/bash
    lock_passwd: false
packages:
  - fail2ban
  - python3-systemd  # lets fail2ban read the journal (backend = systemd below)
  - iptables         # provides the iptables command used by banaction = iptables-multiport
package_update: true
package_upgrade: true
write_files:
  - content: |
      [sshd]
      backend = systemd
      enabled = true
      banaction = iptables-multiport
    path: /etc/fail2ban/jail.local
runcmd:
  - systemctl enable --now fail2ban
  - sed -i -r 's/^#?PermitRootLogin.*$/PermitRootLogin no/' /etc/ssh/sshd_config
  - sed -i -r 's/^#?PasswordAuthentication.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
  - sed -i -r 's/^#?PermitEmptyPasswords.*$/PermitEmptyPasswords no/' /etc/ssh/sshd_config
  - sed -i -r 's/^#?PubkeyAuthentication.*$/PubkeyAuthentication yes/' /etc/ssh/sshd_config
  - sed -i -r 's/^#?StrictModes.*$/StrictModes yes/' /etc/ssh/sshd_config
  - sed -i -r 's/^#?MaxAuthTries.*$/MaxAuthTries 2/' /etc/ssh/sshd_config
  - sed -i -r 's/^#?UsePAM.*$/UsePAM no/' /etc/ssh/sshd_config
  - sed -i -r 's/^#?X11Forwarding.*$/X11Forwarding no/' /etc/ssh/sshd_config
  - sed -i -r 's/^#?AllowAgentForwarding.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
  - sed -i -r 's/^#?AllowTcpForwarding.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
  # Uncomment to only allow SSH for one or several users (space-separated).
  # For Bob and Alice the line would be: - sed -i '$a AllowUsers Bob Alice' /etc/ssh/sshd_config
  #- sed -i '$a AllowUsers USERNAME(S)' /etc/ssh/sshd_config
  # Uncomment to remove the need for a password to run sudo commands for the wheel group
  #- sed -i -e '$a%wheel ALL=(ALL) NOPASSWD: ALL' /etc/sudoers
  - reboot
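Before pasting either config into the provider's user-data field it is worth running a pre-flight check on the file: a leftover placeholder, a tab in the YAML or a passwd value that is not a crypt hash only shows up afterwards as a server you cannot log in to or cannot sudo on. The script below is an added example, not part of this page's configs or of cloud-init itself; it only knows the fields used on this page, the placeholder names it looks for are the ones from these templates (both spellings of the hash placeholder), and the sample file it creates when run without an argument is constructed.

```shell
#!/bin/sh
# preflight-cloud-config.sh (added example, not from this page's author):
# sanity checks for a cloud-config file before it goes into user-data.
# It only knows the fields used by the configs on this page.
#
# Usage: sh preflight-cloud-config.sh user-data.yaml   (exit 1 on problems)
# Without an argument it reports on a constructed sample file.

# Print one line per problem found in FILE. Always returns 0; use
# preflight_ok when you need an exit status.
preflight_report() {
    f=$1

    # cloud-init only treats user-data as cloud-config when this is line 1.
    [ "$(head -n 1 "$f")" = "#cloud-config" ] \
        || echo "line 1 must be exactly '#cloud-config'"

    # YAML forbids tabs in indentation; copy-pasted configs often pick them up.
    grep -q "^$(printf '\t')" "$f" && echo "tab indentation found (YAML needs spaces)"

    # Placeholders from the templates on this page.
    for p in YOUR_TIMEZONE YOUR_USERNAME YOUR_PUBLIC_KEY YOUR_PASSWORD_HASH OUTPUT_FROM 'USERNAME(S)'; do
        grep -qF "$p" "$f" && echo "placeholder still present: $p"
    done

    # passwd must be a crypt(3) hash: mkpasswd -m sha-512 produces
    # $6$[rounds=N$]<salt>$<86 base64 chars>. Anything else yields a password
    # that can never match, so the sudo-group user cannot use sudo.
    passwd=$(sed -nE 's/^[[:space:]]*passwd:[[:space:]]*([^[:space:]#]*).*/\1/p' "$f" | head -n 1)
    printf '%s\n' "$passwd" \
        | grep -Eq '^\$6\$(rounds=[0-9]+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$' \
        || echo "passwd is not a sha-512 crypt hash (got: '${passwd:-<empty>}')"

    # At least one list entry must look like an OpenSSH public key. With no
    # usable key and password login disabled by runcmd, only the provider
    # console can reach the machine.
    grep -Eq '^[[:space:]]*-[[:space:]]+(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)[[:space:]]+AAAA[0-9A-Za-z+/]+=*' "$f" \
        || echo "no entry under ssh_authorized_keys looks like an OpenSSH public key"

    return 0
}

# preflight_ok FILE -> exit status 0 when the report is empty.
preflight_ok() {
    [ -z "$(preflight_report "$1")" ]
}

if [ $# -gt 0 ]; then
    preflight_report "$1"
    preflight_ok "$1" && exit 0
    exit 1
fi

# Constructed sample: the template with only the timezone filled in.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#cloud-config
timezone: Europe/London
users:
  - name: YOUR_USERNAME
    passwd: YOUR_PASSWORD_HASH
    ssh_authorized_keys:
      - YOUR_PUBLIC_KEY
EOF
echo "== problems in constructed sample =="
preflight_report "$sample"
rm -f "$sample"
```

The hash check is deliberately strict about the `$6$` prefix: `mkpasswd -m sha-512` is the only generator the page recommends, and a hash from a different method (or a plaintext password pasted by mistake) would be accepted by cloud-init without complaint and simply never match at the sudo prompt.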

Secured cloud-init config with docker #

Basically the same as the minimal config, with a few lines added to the runcmd section that add the Docker apt repository and install Docker.

Replace the placeholder values (YOUR_TIMEZONE, YOUR_USERNAME, the passwd hash, YOUR_PUBLIC_KEY) as described in the comments.

#cloud-config
timezone: YOUR_TIMEZONE  # e.g. Europe/London
users:
  - name: YOUR_USERNAME
    passwd: YOUR_PASSWORD_HASH  # output of: mkpasswd -m sha-512
    ssh_authorized_keys:
      - YOUR_PUBLIC_KEY
    groups: sudo
    shell: /bin/bash
    lock_passwd: false
packages:
  - fail2ban
  - python3-systemd  # lets fail2ban read the journal (backend = systemd below)
  - iptables         # provides the iptables command used by banaction = iptables-multiport
  - ca-certificates  # needed by the Docker repository setup in runcmd
  - curl
package_update: true
package_upgrade: true
write_files:
  - content: |
      [sshd]
      backend = systemd
      enabled = true
      banaction = iptables-multiport
    path: /etc/fail2ban/jail.local
runcmd:
  - systemctl enable --now fail2ban
  - sed -i -r 's/^#?PermitRootLogin.*$/PermitRootLogin no/' /etc/ssh/sshd_config
  - sed -i -r 's/^#?PasswordAuthentication.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
  - sed -i -r 's/^#?PermitEmptyPasswords.*$/PermitEmptyPasswords no/' /etc/ssh/sshd_config
  - sed -i -r 's/^#?PubkeyAuthentication.*$/PubkeyAuthentication yes/' /etc/ssh/sshd_config
  - sed -i -r 's/^#?StrictModes.*$/StrictModes yes/' /etc/ssh/sshd_config
  - sed -i -r 's/^#?MaxAuthTries.*$/MaxAuthTries 2/' /etc/ssh/sshd_config
  - sed -i -r 's/^#?UsePAM.*$/UsePAM no/' /etc/ssh/sshd_config
  - sed -i -r 's/^#?X11Forwarding.*$/X11Forwarding no/' /etc/ssh/sshd_config
  - sed -i -r 's/^#?AllowAgentForwarding.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
  - sed -i -r 's/^#?AllowTcpForwarding.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
  # Uncomment to only allow SSH for one or several users (space-separated).
  # For Bob and Alice the line would be: - sed -i '$a AllowUsers Bob Alice' /etc/ssh/sshd_config
  #- sed -i '$a AllowUsers USERNAME(S)' /etc/ssh/sshd_config
  # Docker repository, following the layout of the official Debian install instructions
  - install -m 0755 -d /etc/apt/keyrings
  - curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
  - chmod a+r /etc/apt/keyrings/docker.asc
  - echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
  - apt-get update
  # -y is required: cloud-init has no terminal to answer the confirmation prompt, and apt aborts without it
  - apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
  - reboot
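The sed lines in both configs above only edit /etc/ssh/sshd_config. On Debian Bookworm that file begins with `Include /etc/ssh/sshd_config.d/*.conf`, and sshd keeps the first value it reads for each keyword, so a drop-in in that directory (one shipped in the provider image, or one created by cloud-init's ssh_pwauth handling) overrides the edited line without any error. The effective configuration is what `sshd -T` prints, and that is what the audit below reads after the reboot. This is an added example for this page, not the author's code; the expected values are the ones the runcmd sections set, the drop-in directory is Debian's default, and the sample dump it falls back to when not run as root on a host with sshd is constructed.

```shell
#!/bin/sh
# audit-sshd.sh (added example, not from this page's author): check that the
# sshd hardening from the runcmd sections above is in effect on the new host.
#
# Debian Bookworm's /etc/ssh/sshd_config starts with
#   Include /etc/ssh/sshd_config.d/*.conf
# and sshd keeps the first value it reads for each keyword, so any drop-in in
# that directory wins over the lines the sed commands edited. Reading
# sshd_config itself therefore proves nothing; `sshd -T` prints the effective
# configuration, and that is what this script audits.
#
# Usage (as root, on the provisioned host): sh audit-sshd.sh
# Elsewhere it runs against a constructed sample dump.

# Values the runcmd section sets, in the lowercase form `sshd -T` prints.
EXPECTED='permitrootlogin no
passwordauthentication no
permitemptypasswords no
pubkeyauthentication yes
strictmodes yes
maxauthtries 2
usepam no
x11forwarding no
allowagentforwarding no
allowtcpforwarding no'

# audit_sshd_dump: read `sshd -T` output on stdin and print one line per
# keyword whose effective value differs from EXPECTED. Always returns 0.
audit_sshd_dump() {
    dump=$(cat)
    printf '%s\n' "$EXPECTED" | while read -r key want; do
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        [ "$got" = "$want" ] || echo "$key expected=$want actual=${got:-<unset>}"
    done
    return 0
}

# overriding_dropins DIR: list drop-in files under DIR that set any audited
# keyword. These are the files to fix when the audit reports a mismatch,
# because they take precedence over /etc/ssh/sshd_config.
overriding_dropins() {
    dir=$1
    [ -d "$dir" ] || return 0
    keys=$(printf '%s\n' "$EXPECTED" | awk '{ print $1 }' | tr '\n' '|' | sed 's/|$//')
    grep -liE "^[[:space:]]*(${keys})[[:space:]]" "$dir"/*.conf 2>/dev/null || true
    return 0
}

if command -v sshd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    # On the host: audit the live daemon and name any drop-ins involved.
    sshd -T | audit_sshd_dump
    echo "drop-ins setting audited keywords:"
    overriding_dropins /etc/ssh/sshd_config.d
else
    # Constructed sample: a drop-in turned password login back on and left
    # MaxAuthTries at the default, which the audit must report.
    sample='permitrootlogin no
passwordauthentication yes
permitemptypasswords no
pubkeyauthentication yes
strictmodes yes
maxauthtries 6
usepam no
x11forwarding no
allowagentforwarding no
allowtcpforwarding no'
    echo "== mismatches in constructed sample dump =="
    printf '%s\n' "$sample" | audit_sshd_dump
fi
```

A mismatch reported here together with a file name from overriding_dropins means the drop-in, not /etc/ssh/sshd_config, is what sshd is enforcing; the fix is to change or remove the directive in that drop-in and run `sshd -t` before restarting the service.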