Sample cloud-init user-data config (when you use it, the `#cloud-config` line below must be the first line of the file):

#cloud-config
# Debian 13 Trixie configuration for Hetzner
# Hostname: fugo
 
# System hostname; cloud-init also keeps /etc/hosts in sync with it.
hostname: 'fugo'
manage_etc_hosts: true
 
users:
  # Single admin account. Its password is locked, so login is by SSH key only.
  - name: ngrogan
    groups: [users, sudo]
    # Passwordless sudo for every command: whoever holds the private half of
    # the key below is effectively root on this host.
    sudo: 'ALL=(ALL) NOPASSWD:ALL'
    shell: /bin/bash
    lock_passwd: true
    ssh_authorized_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKJFArleu5k2LwYiLBVmkr/6+QvFj1GwiTG8gxNoLZ6'

# Disable root login over SSH and turn off SSH password authentication.
disable_root: true
ssh_pwauth: false
 
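# Packages to install on first boot.
# cloud-init hands this list to apt as one install request, so a single
# unknown package name can fail the whole request and leave the security
# tooling (fail2ban, ufw, unattended-upgrades) uninstalled. Keep every name
# valid for the target release.
packages:
  # Security tooling
  - fail2ban
  # Lets fail2ban read the systemd journal instead of a log file.
  - python3-systemd
  - ufw
  - unattended-upgrades
  - apt-listchanges
  # Needed by the Tailscale install step in runcmd.
  - curl
  # Interactive tooling
  - mosh
  - tmux
  - git
  - gcc
  - nodejs
  - unzip
  # Was misspelled "tree-siiter-cli", which apt cannot resolve.
  - tree-sitter-cli
  - fzf
  - ripgrep
  - zoxide
  - bat
  # exa is unmaintained and no longer packaged for Debian 13; eza is its
  # maintained fork. NOTE(review): confirm with `apt-cache policy eza`.
  - eza

# Refresh the package index, apply pending upgrades, and reboot if an upgrade
# (e.g. a new kernel) requires it.
package_update: true
package_upgrade: true
package_reboot_if_required: true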
 
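write_files:
  # sshd drop-in: key-only login for one named user on port 2222, with
  # forwarding disabled and short login/idle timers.
  # NOTE(review): sshd keeps the FIRST value it reads for each keyword and
  # drop-ins are read in lexical order, so a "99-" file loses to any
  # lower-numbered drop-in that sets the same keyword. After boot, check the
  # effective settings with `sshd -T`.
  - path: /etc/ssh/sshd_config.d/99-custom-hardening.conf
    # "Protocol 2" was dropped from the original content: the option is
    # deprecated (current OpenSSH only speaks protocol 2) and only produces a
    # warning in the log.
    content: |
      # SSH Hardening Configuration
      PermitRootLogin no
      PasswordAuthentication no
      PubkeyAuthentication yes
      Port 2222
      KbdInteractiveAuthentication no
      ChallengeResponseAuthentication no
      MaxAuthTries 3
      MaxSessions 2
      AllowTcpForwarding no
      X11Forwarding no
      AllowAgentForwarding no
      AuthorizedKeysFile .ssh/authorized_keys
      AllowUsers ngrogan
      ClientAliveInterval 300
      ClientAliveCountMax 2
      LoginGraceTime 30
    permissions: '0644'

  # fail2ban jail for sshd on the custom port: 3 failures within 600 s bans
  # the source for 3600 s via ufw.
  # The original used "logpath = /var/log/auth.log". Debian images that log
  # only to the journal (no rsyslog) have no such file, and the jail then
  # fails to start, leaving SSH without brute-force protection. The systemd
  # backend reads the journal directly.
  # NOTE(review): if this image does run rsyslog, the logpath form also
  # works; confirm the jail is up with `fail2ban-client status sshd`.
  - path: /etc/fail2ban/jail.d/custom-sshd.conf
    content: |
      [sshd]
      enabled = true
      port = 2222
      filter = sshd
      backend = systemd
      maxretry = 3
      bantime = 3600
      findtime = 600
      banaction = ufw
    permissions: '0644'

  # ufw application profile describing SSH on the custom port.
  - path: /etc/ufw/applications.d/custom-ssh
    content: |
      [CustomSSH]
      title=Custom SSH
      description=SSH on custom port
      ports=2222/tcp
    permissions: '0644'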
 
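runcmd:
  # Configure UFW firewall: default-deny inbound, allow outbound, and
  # rate-limit new connections to the SSH port.
  # NOTE(review): mosh is installed, but its UDP port range (60000:61000 by
  # default) is not opened here, so inbound mosh sessions will be dropped by
  # the default-deny policy unless a rule is added.
  - ufw --force reset
  - ufw default deny incoming
  - ufw default allow outgoing
  - ufw limit 2222/tcp comment 'SSH custom port'
  - ufw --force enable

  # Install Tailscale.
  # The script is downloaded completely before it runs, so a truncated
  # transfer cannot be executed half-way, and curl is restricted to
  # HTTPS/TLS 1.2+.
  # NOTE(review): this still runs an unpinned vendor script as root at first
  # boot. Prefer the vendor's signed apt repository, or verify the download
  # against a known checksum before executing it.
  - curl --proto '=https' --tlsv1.2 -fsSL -o /root/tailscale-install.sh https://tailscale.com/install.sh
  - sh /root/tailscale-install.sh

  # Enable and start fail2ban
  - systemctl enable fail2ban
  - systemctl restart fail2ban

  # Configure automatic security updates
  - echo 'APT::Periodic::Update-Package-Lists "1";' > /etc/apt/apt.conf.d/20auto-upgrades
  - echo 'APT::Periodic::Unattended-Upgrade "1";' >> /etc/apt/apt.conf.d/20auto-upgrades
  - echo 'APT::Periodic::AutocleanInterval "7";' >> /etc/apt/apt.conf.d/20auto-upgrades

  # Restart SSH with new configuration.
  # `sshd -t` validates the config first, so a bad drop-in cannot take the
  # daemon down and lock you out. The unit is named ssh.service on Debian
  # ("sshd" is only an alias of it).
  - sshd -t && systemctl restart ssh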
 
# Message cloud-init prints once first-boot setup has finished.
final_message: >-
  System setup complete. SSH available on port 2222.
  Please reconnect using: ssh -p 2222 ngrogan@fugo