From 587dddeeb15199d5d37a706718080517e26e7025 Mon Sep 17 00:00:00 2001
From: Claudio Maradonna
Date: Sat, 27 Aug 2022 17:16:12 +0200
Subject: [PATCH] add erpnext cloud-init conf. update other cloud-init conf
---
cloud-init/erpnext.yml | 108 ++++++++++++++++++++++++++++++++++
cloud-init/matrix-synapse.yml | 11 ++++
cloud-init/swarm-manager.yml | 11 ++++
cloud-init/swarm-worker.yml | 11 ++++
4 files changed, 141 insertions(+)
create mode 100644 cloud-init/erpnext.yml
diff --git a/cloud-init/erpnext.yml b/cloud-init/erpnext.yml
new file mode 100644
index 0000000..ce17d9a
--- /dev/null
+++ b/cloud-init/erpnext.yml
@@ -0,0 +1,108 @@
+#cloud-config
+
+ssh_genkeytypes: [ecdsa, ed25519]
+
+# upgrade system
+package_update: true
+package_upgrade: true
+
+# various dependencies
+packages:
+ - ca-certificates
+ - curl
+ - gnupg
+ - lsb-release
+ - fail2ban
+ - nginx
+ - certbot
+ - python3-certbot-nginx
+ - iptables-persistent
+ - unattended-upgrades
+ - apt-listchanges
+ - vim
+ - libffi-dev
+ - python3-pip
+ - python3-dev
+ - python3-testresources
+ - libssl-dev
+ - wkhtmltopdf
+ - curl
+ - git
+ - python3.10-venv
+ - supervisor
+
+write_files:
+ - path: /etc/iptables/rules.v4
+ permissions: 0644
+ owner: root:root
+ content: |
+ *filter
+ :INPUT DROP [0:0]
+ :FORWARD DROP [0:0]
+ :OUTPUT ACCEPT [0:0]
+ -A INPUT -i lo -j ACCEPT
+ -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ -A INPUT -m conntrack --ctstate INVALID -j DROP
+ -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+ -A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+ -A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+ -A INPUT -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+ -A OUTPUT -o lo -j ACCEPT
+ -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+ -A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+ -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
+ -A OUTPUT -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+ -A OUTPUT -p tcp -m tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+ -A OUTPUT -p tcp -m tcp --sport 587 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+ COMMIT
+ - path: /etc/systemd/journald.conf.d/size.conf
+ permissions: 0644
+ owner: root:root
+ content: |
+ [Journal]
+ SystemMaxUse=250M
+ SystemMaxFileSize=50M
+ - path: /etc/fstab
+ append: true
+ content: |
+ /swapfile swap swap defaults 0 0
+ - path: /etc/apt/apt.conf.d/20auto-upgrades
+ permissions: 0644
+ owner: root:root
+ content: |
+ APT::Periodic::Update-Package-Lists "1";
+ APT::Periodic::Unattended-Upgrade "1";
+ APT::Periodic::AutocleanInterval "7";
+
+runcmd:
+ - 'iptables-restore < /etc/iptables/rules.v4'
+
+ - [systemctl, enable, --now, fail2ban]
+
+ - 'fallocate -l 2G /swapfile'
+ - 'chmod 600 /swapfile'
+ - 'mkswap /swapfile'
+ - 'swapon /swapfile'
+
+ - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/ssh/etc/ssh/sshd_config, --output, /etc/ssh/sshd_config.d/99-hardening.conf]
+ - [systemctl, restart, ssh]
+
+ - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/etc/modprobe.d/disable-network-filesystems.conf, --output, /etc/modprobe.d/disable-network-filesystems.conf]
+ - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-filesystems.conf, --output, /etc/modprobe.d/disable-rare-filesystems.conf]
+ - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-protocols.conf, --output, /etc/modprobe.d/disable-rare-protocols.conf]
+ - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/etc/modprobe.d/disable-vivid.conf, --output, /etc/modprobe.d/disable-vivid.conf]
+
+ - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.conf, --output, /etc/sysctl.d/99-hardening.conf]
+ - [sysctl, -p]
+
+ - [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades]
+
+ - [timedatectl, set-timezone, Europe/Rome]
+
+ - 'curl --silent --location https://deb.nodesource.com/setup_14.x | sudo bash -'
+ - 'curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/yarnkey.gpg >/dev/null'
+ - 'echo "deb [signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list'
+ - 'apt-get update && apt-get install yarn'
+ - 'apt -y install gcc g++ make nodejs redis-server'
+
+ - 'apt -y install nginx mariadb-server'
diff --git a/cloud-init/matrix-synapse.yml b/cloud-init/matrix-synapse.yml
index 8aeba88..6ac1f54 100644
--- a/cloud-init/matrix-synapse.yml
+++ b/cloud-init/matrix-synapse.yml
@@ -17,6 +17,8 @@ packages: - certbot - python3-certbot-nginx - iptables-persistent + - unattended-upgrades + - apt-listchanges write_files: - path: /etc/iptables/rules.v4
@@ -48,6 +50,13 @@ write_files: append: true content: | /swapfile swap swap defaults 0 0 + - path: /etc/apt/apt.conf.d/20auto-upgrades + permissions: 0644 + owner: root:root + content: | + APT::Periodic::Update-Package-Lists "1"; + APT::Periodic::Unattended-Upgrade "1"; + APT::Periodic::AutocleanInterval "7"; runcmd: - 'iptables-restore < /etc/iptables/rules.v4'
@@ -70,4 +79,6 @@ runcmd: - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.conf, --output, /etc/sysctl.d/99-hardening.conf] - [sysctl, -p] + - [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades] + - [timedatectl, set-timezone, Europe/Rome]
diff --git a/cloud-init/swarm-manager.yml b/cloud-init/swarm-manager.yml
index f4cf7fe..96350b9 100644
--- a/cloud-init/swarm-manager.yml
+++ b/cloud-init/swarm-manager.yml
@@ -14,6 +14,8 @@ packages: - lsb-release - fail2ban - iptables-persistent + - unattended-upgrades + - apt-listchanges write_files: - path: /etc/iptables/rules.v4
@@ -65,6 +67,13 @@ write_files: append: true content: | /swapfile swap swap defaults 0 0 + - path: /etc/apt/apt.conf.d/20auto-upgrades + permissions: 0644 + owner: root:root + content: | + APT::Periodic::Update-Package-Lists "1"; + APT::Periodic::Unattended-Upgrade "1"; + APT::Periodic::AutocleanInterval "7"; runcmd: - 'iptables-restore < /etc/iptables/rules.v4'
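Review bot: The curl fetches into `/etc/ssh/sshd_config.d/99-hardening.conf`, `/etc/modprobe.d/` and `/etc/sysctl.d/99-hardening.conf` in the runcmd section run without `--fail`, so an HTTP error page or an empty response is written into those config paths and the following `[systemctl, restart, ssh]` then either fails or restarts sshd with unintended content; use `[curl, --fail, --silent, --show-error, <url>, --output, <path>]` for each fetch and gate the restart on a syntax check, `- 'sshd -t && systemctl restart ssh'`. A few lines further down, `apt-get update && apt-get install yarn` lacks `-y`, so if apt asks for confirmation during the non-interactive cloud-init run it aborts and yarn is never installed, unlike the `apt -y install` lines right after it; write `apt-get install -y yarn`. The NodeSource line pipes an unverified remote script into `sudo bash -`, whereas yarn is set up through a keyring and `signed-by=`; installing nodejs from a signed repository the same way, or from a checked-in copy of the script, would keep the supply-chain posture consistent. Only `/etc/iptables/rules.v4` is written, so presumably the IPv6 chains keep their ACCEPT defaults and the INPUT DROP policy protects v4 only; a matching `rules.v6` with the same policy would close that gap. `permissions: 0644` is unquoted here and in the `20auto-upgrades` entries of cloud-init/matrix-synapse.yml, cloud-init/swarm-manager.yml and cloud-init/swarm-worker.yml; it works because cloud-init's YAML 1.1 loader reads it as octal, but `permissions: '0644'` is the documented form and does not depend on that.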
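Review bot: The in-place `sed -i` on `/etc/apt/apt.conf.d/50unattended-upgrades` in the third hunk only takes effect if that file contains exactly `//Unattended-Upgrade::Mail "";`, fails silently otherwise, and a later upgrade of the unattended-upgrades package can replace that conffile and undo the edit. A drop-in written next to `20auto-upgrades` in the second hunk is more robust: `- path: /etc/apt/apt.conf.d/51unattended-upgrades-mail` with content `Unattended-Upgrade::Mail "root";`, after which the sed line can be dropped. The same sed line is added in cloud-init/swarm-manager.yml and cloud-init/swarm-worker.yml. As far as the visible package lines show, no MTA is installed, so the mail setting is presumably local-only; a short comment above it saying so would save the next reader the check.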
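Review bot: The `20auto-upgrades` drop-in in the second hunk turns on unattended upgrades but the profile says nothing about reboots, and the default `Unattended-Upgrade::Automatic-Reboot` is off, so kernel and libc updates on a swarm node stay pending until someone reboots it. That is presumably deliberate on a manager, but a comment above the `- path:` entry recording the intended policy, `# unattended security upgrades only; reboots are scheduled manually`, would make it explicit. The same applies to the matching hunk in cloud-init/swarm-worker.yml.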
@@ -89,6 +98,8 @@ runcmd: - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.d/99-swarm.conf, --output, /etc/sysctl.d/99-swarm.conf] - [sysctl, -p] + - [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades] + - [mkdir, -p, /usr/local/apt-keys] - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt] - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'
diff --git a/cloud-init/swarm-worker.yml b/cloud-init/swarm-worker.yml
index 75d0c49..2ff0d05 100644
--- a/cloud-init/swarm-worker.yml
+++ b/cloud-init/swarm-worker.yml
@@ -15,6 +15,8 @@ packages: - fail2ban - iptables-persistent - glusterfs-client + - unattended-upgrades + - apt-listchanges write_files: - path: /etc/iptables/rules.v4
@@ -59,6 +61,13 @@ write_files: [Journal] SystemMaxUse=250M SystemMaxFileSize=50M + - path: /etc/apt/apt.conf.d/20auto-upgrades + permissions: 0644 + owner: root:root + content: | + APT::Periodic::Update-Package-Lists "1"; + APT::Periodic::Unattended-Upgrade "1"; + APT::Periodic::AutocleanInterval "7"; - path: /etc/fstab append: true content: |
@@ -93,6 +102,8 @@ runcmd: - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.d/99-swarm.conf, --output, /etc/sysctl.d/99-swarm.conf] - [sysctl, -p] + - [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades] + - [mkdir, -p, /usr/local/apt-keys] - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt] - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'