claudiomaradonna/configurations
1
0
Fork 0
forked from unitoo/configurations
Code Issues Pull requests Projects Releases Packages Wiki Activity

add erpnext cloud-init conf. update other cloud-init conf

Browse source
This commit is contained in:
Claudio Maradonna 2022-08-27 17:16:12 +02:00
parent 66d0a3473f
commit 587dddeeb1
Signed by: claudiomaradonna
GPG key ID: B1EDCB4C3B05C387
4 changed files with 141 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

108
cloud-init/erpnext.yml Normal file
View file

@ -0,0 +1,108 @@
#cloud-config
ssh_genkeytypes: [ecdsa, ed25519]
# upgrade system
package_update: true
package_upgrade: true
# various dependencies
packages:
- ca-certificates
- curl
- gnupg
- lsb-release
- fail2ban
- nginx
- certbot
- python3-certbot-nginx
- iptables-persistent
- unattended-upgrades
- apt-listchanges
- vim
- libffi-dev
- python3-pip
- python3-dev
- python3-testresources
- libssl-dev
- wkhtmltopdf
- curl
- git
- python3.10-venv
- supervisor
write_files:
- path: /etc/iptables/rules.v4
permissions: 0644
owner: root:root
content: |
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 587 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
- path: /etc/systemd/journald.conf.d/size.conf
permissions: 0644
owner: root:root
content: |
[Journal]
SystemMaxUse=250M
SystemMaxFileSize=50M
- path: /etc/fstab
append: true
content: |
/swapfile swap swap defaults 0 0
- path: /etc/apt/apt.conf.d/20auto-upgrades
permissions: 0644
owner: root:root
content: |
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
runcmd:
- 'iptables-restore < /etc/iptables/rules.v4'
- [systemctl, enable, --now, fail2ban]
- 'fallocate -l 2G /swapfile'
- 'chmod 600 /swapfile'
- 'mkswap /swapfile'
- 'swapon /swapfile'
- [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/ssh/etc/ssh/sshd_config, --output, /etc/ssh/sshd_config.d/99-hardening.conf]
- [systemctl, restart, ssh]
- [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/etc/modprobe.d/disable-network-filesystems.conf, --output, /etc/modprobe.d/disable-network-filesystems.conf]
- [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-filesystems.conf, --output, /etc/modprobe.d/disable-rare-filesystems.conf]
- [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-protocols.conf, --output, /etc/modprobe.d/disable-rare-protocols.conf]
- [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/etc/modprobe.d/disable-vivid.conf, --output, /etc/modprobe.d/disable-vivid.conf]
- [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.conf, --output, /etc/sysctl.d/99-hardening.conf]
- [sysctl, -p]
- [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades]
- [timedatectl, set-timezone, Europe/Rome]
- 'curl --silent --location https://deb.nodesource.com/setup_14.x | sudo bash -'
- 'curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/yarnkey.gpg >/dev/null'
- 'echo "deb [signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list'
- 'apt-get update && apt-get install yarn'
- 'apt -y install gcc g++ make nodejs redis-server'
- 'apt -y install nginx mariadb-server'

11
cloud-init/matrix-synapse.yml
View file

@ -17,6 +17,8 @@ packages:
- certbot - certbot
- python3-certbot-nginx - python3-certbot-nginx
- iptables-persistent - iptables-persistent
- unattended-upgrades
- apt-listchanges
write_files: write_files:
- path: /etc/iptables/rules.v4 - path: /etc/iptables/rules.v4
@ -48,6 +50,13 @@ write_files:
append: true append: true
content: | content: |
/swapfile swap swap defaults 0 0 /swapfile swap swap defaults 0 0
- path: /etc/apt/apt.conf.d/20auto-upgrades
permissions: 0644
owner: root:root
content: |
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
runcmd: runcmd:
- 'iptables-restore < /etc/iptables/rules.v4' - 'iptables-restore < /etc/iptables/rules.v4'
@ -70,4 +79,6 @@ runcmd:
- [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.conf, --output, /etc/sysctl.d/99-hardening.conf] - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.conf, --output, /etc/sysctl.d/99-hardening.conf]
- [sysctl, -p] - [sysctl, -p]
- [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades]
- [timedatectl, set-timezone, Europe/Rome] - [timedatectl, set-timezone, Europe/Rome]

11
cloud-init/swarm-manager.yml
View file

@ -14,6 +14,8 @@ packages:
- lsb-release - lsb-release
- fail2ban - fail2ban
- iptables-persistent - iptables-persistent
- unattended-upgrades
- apt-listchanges
write_files: write_files:
- path: /etc/iptables/rules.v4 - path: /etc/iptables/rules.v4
@ -65,6 +67,13 @@ write_files:
append: true append: true
content: | content: |
/swapfile swap swap defaults 0 0 /swapfile swap swap defaults 0 0
- path: /etc/apt/apt.conf.d/20auto-upgrades
permissions: 0644
owner: root:root
content: |
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
runcmd: runcmd:
- 'iptables-restore < /etc/iptables/rules.v4' - 'iptables-restore < /etc/iptables/rules.v4'
@ -89,6 +98,8 @@ runcmd:
- [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.d/99-swarm.conf, --output, /etc/sysctl.d/99-swarm.conf] - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.d/99-swarm.conf, --output, /etc/sysctl.d/99-swarm.conf]
- [sysctl, -p] - [sysctl, -p]
- [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades]
- [mkdir, -p, /usr/local/apt-keys] - [mkdir, -p, /usr/local/apt-keys]
- [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt] - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
- 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null' - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'

11
cloud-init/swarm-worker.yml
View file

@ -15,6 +15,8 @@ packages:
- fail2ban - fail2ban
- iptables-persistent - iptables-persistent
- glusterfs-client - glusterfs-client
- unattended-upgrades
- apt-listchanges
write_files: write_files:
- path: /etc/iptables/rules.v4 - path: /etc/iptables/rules.v4
@ -59,6 +61,13 @@ write_files:
[Journal] [Journal]
SystemMaxUse=250M SystemMaxUse=250M
SystemMaxFileSize=50M SystemMaxFileSize=50M
- path: /etc/apt/apt.conf.d/20auto-upgrades
permissions: 0644
owner: root:root
content: |
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
- path: /etc/fstab - path: /etc/fstab
append: true append: true
content: | content: |
@ -93,6 +102,8 @@ runcmd:
- [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.d/99-swarm.conf, --output, /etc/sysctl.d/99-swarm.conf] - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.d/99-swarm.conf, --output, /etc/sysctl.d/99-swarm.conf]
- [sysctl, -p] - [sysctl, -p]
- [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades]
- [mkdir, -p, /usr/local/apt-keys] - [mkdir, -p, /usr/local/apt-keys]
- [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt] - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
- 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null' - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'