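#cloud-config
# cloud-init user-data for a hardened base host: IPv4 firewall, fail2ban,
# swapfile, journald size cap, unattended upgrades, and ssh/modprobe/sysctl
# hardening drop-ins fetched from the unitoo configurations repository.

ssh_genkeytypes: [ecdsa, ed25519]

# upgrade system
package_update: true
package_upgrade: true

# various dependencies
packages:
  - ca-certificates
  - curl
  - gnupg
  - lsb-release
  - fail2ban
  - nginx
  - certbot
  - python3-certbot-nginx
  - iptables-persistent
  - unattended-upgrades
  - apt-listchanges

write_files:
  # IPv4 firewall: default-deny inbound, only tcp/22 and tcp/8448 accepted;
  # outbound SMTP (tcp/25) rejected. Applied once by runcmd below and at boot
  # by iptables-persistent.
  # NOTE(review): nginx/certbot are installed above but 80/443 are not opened
  # here; they must be added if this host serves HTTP(S) or uses HTTP-01
  # challenges.
  # NOTE(review): only rules.v4 is written, so ip6tables keeps its default
  # ACCEPT policy — an IPv6 address on this host would be unfiltered.
  - path: /etc/iptables/rules.v4
    # Quoted: unquoted 0644 is octal in YAML 1.1 but decimal 644 in YAML 1.2.
    permissions: '0644'
    owner: root:root
    content: |
      *filter
      :INPUT DROP [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT ACCEPT [0:0]
      -A INPUT -i lo -j ACCEPT
      -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -m conntrack --ctstate INVALID -j DROP
      -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 8448 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      -A OUTPUT -o lo -j ACCEPT
      -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
      -A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
      COMMIT

  # Cap journal disk usage so logs cannot fill the root filesystem.
  - path: /etc/systemd/journald.conf.d/size.conf
    permissions: '0644'
    owner: root:root
    content: |
      [Journal]
      SystemMaxUse=250M
      SystemMaxFileSize=50M

  # Swapfile created by runcmd below; appended so the existing fstab is kept.
  - path: /etc/fstab
    append: true
    content: |
      /swapfile swap swap defaults 0 0

  # Daily list refresh + unattended upgrade, weekly autoclean.
  - path: /etc/apt/apt.conf.d/20auto-upgrades
    permissions: '0644'
    owner: root:root
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
      APT::Periodic::AutocleanInterval "7";

# Commands run once at first boot, in order, as root. cloud-init does not
# stop on a failing command, so anything that must gate a later step is
# chained with && in a single shell string.
runcmd:
  - 'iptables-restore < /etc/iptables/rules.v4'
  - [systemctl, enable, --now, fail2ban]
  - 'fallocate -l 3G /swapfile'
  - 'chmod 600 /swapfile'
  - 'mkswap /swapfile'
  - 'swapon /swapfile'
  # All curl fetches use --fail so an HTTP error page is never written as a
  # config file (without it curl exits 0 and saves the error body).
  # NOTE(review): the fetched files are applied unverified from the master
  # branch; pinning the URLs to a specific commit would make the result
  # reproducible and reviewable.
  - [curl, --fail, https://git.unitoo.it/unitoo/configurations/raw/branch/master/ssh/etc/ssh/sshd_config, --output, /etc/ssh/sshd_config.d/99-hardening.conf]
  # Validate the merged sshd config before restarting; a bad drop-in would
  # otherwise leave ssh down and the host unreachable.
  - 'sshd -t && systemctl restart ssh'
  - [curl, --fail, https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/etc/modprobe.d/disable-network-filesystems.conf, --output, /etc/modprobe.d/disable-network-filesystems.conf]
  - [curl, --fail, https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-filesystems.conf, --output, /etc/modprobe.d/disable-rare-filesystems.conf]
  - [curl, --fail, https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-protocols.conf, --output, /etc/modprobe.d/disable-rare-protocols.conf]
  - [curl, --fail, https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/etc/modprobe.d/disable-vivid.conf, --output, /etc/modprobe.d/disable-vivid.conf]
  - [curl, --fail, https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.conf, --output, /etc/sysctl.d/99-hardening.conf]
  # `sysctl -p` with no file reads only /etc/sysctl.conf and would skip the
  # drop-in just written; --system loads /etc/sysctl.d/*.conf as well.
  - [sysctl, --system]
  # Enable mail to root in the unattended-upgrades default config.
  - [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades]
  - [timedatectl, set-timezone, Europe/Rome]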