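#cloud-config
# First-boot user-data for a mainnet host. The `${...}` placeholders are filled
# in by the templating layer that renders this file before it reaches the
# instance; everything below runs as root during cloud-init.
hostname: "${hostname}"
fqdn: "${hostname}"
manage_etc_hosts: true

users:
  # Unprivileged service account. `loginctl enable-linger app` in runcmd lets
  # its user-level services keep running without an open login session.
  - name: app
    shell: /bin/bash
    ssh_authorized_keys:
      # Quoted so a key comment containing " #" or ": " cannot break the YAML
      # or be silently truncated into a different key.
      - "${ssh_public_key}"
  # Operator account with passwordless sudo. It accepts the same SSH key as
  # `app`, so that key grants root on this host — protect it accordingly.
  - name: admin
    shell: /bin/bash
    sudo: 'ALL=(ALL) NOPASSWD:ALL'
    ssh_authorized_keys:
      - "${ssh_public_key}"

package_update: true
package_upgrade: true
packages:
  - ca-certificates
  - curl
  - wget
  - gnupg
  - vim
  - git
  - zip
  - unzip
  - openssl
  - libssl-dev
  - build-essential
  - rsyslog
  - htop
  - rsync
  - pkg-config
  - locales
  - ufw

write_files:
  # System-wide locale. NOTE(review): LC_ALL overrides LANG and every LC_*
  # category, so with LC_ALL=C the en_US.UTF-8 values below are effectively
  # ignored; LC_TYPE is not a locale category (LC_CTYPE is). Content left
  # as-is — confirm the intent before changing it.
  - path: /etc/environment
    content: |
      LANG=en_US.UTF-8
      LC_ALL=C
      LANGUAGE=en_US.UTF-8
      LC_TYPE=en_US.UTF-8
      LC_CTYPE=en_US.UTF-8
  # Key-only SSH: no root login, no passwords, no agent/TCP/X11 forwarding.
  # sshd keeps the FIRST value it reads for a keyword and sshd_config.d is
  # included in lexical order, so a lower-numbered drop-in shipped by the
  # image or written by cloud-init wins over this 99-* file on any keyword
  # they both set — verify the effective config with `sshd -T` after boot.
  - path: /etc/ssh/sshd_config.d/99-hardening.conf
    content: |
      PermitRootLogin no
      PasswordAuthentication no
      AllowAgentForwarding no
      AllowTcpForwarding no
      PubkeyAuthentication yes
      MaxAuthTries 5
      LoginGraceTime 30
      ClientAliveInterval 300
      ClientAliveCountMax 2
      X11Forwarding no
      PermitEmptyPasswords no
      PermitUserEnvironment no
      LogLevel VERBOSE
    permissions: '0644'

runcmd:
  - loginctl enable-linger app
  # Tailscale installation https://tailscale.com/kb/1293/cloud-init
  # This fetches and executes a remote script as root without pinning or
  # verifying it; the vendor's signed apt repository is the auditable
  # alternative if supply-chain review matters for this host.
  - curl -fsSL https://tailscale.com/install.sh | sh
  # The auth key is embedded in user-data, which persists on disk under
  # /var/lib/cloud and is often readable from the instance metadata service,
  # and this command line lands in cloud-init's output log. Use a single-use,
  # tagged key and treat it as spent once the node has joined.
  # --advertise-tags requires that the key be permitted to own tag:server.
  - tailscale up --ssh --advertise-tags=tag:server --auth-key=${tailscale_auth_key}
  - tailscale set --auto-update
  - sed -i 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen
  - locale-gen
  # Apply SSH hardening configuration. NOTE(review): on some distributions the
  # unit is named `ssh` rather than `sshd`; check cloud-init-output.log to
  # confirm the restart succeeded rather than silently failing.
  - systemctl restart sshd
  # Configure firewall before enabling. Port 22 is deliberately NOT opened:
  # interactive access goes through Tailscale SSH (`--ssh` above), so losing
  # the tailnet also loses remote shell access to this host.
  - ufw default deny incoming
  - ufw default allow outgoing
  - ufw allow 41641/udp # Tailscale
  # Add application-specific ports here
  - ufw --force enable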