#cloud-config ssh_genkeytypes: [ecdsa, ed25519] # upgrade system package_update: true package_upgrade: true # various dependencies packages: - ca-certificates - curl - gnupg - lsb-release - fail2ban - iptables-persistent - glusterfs-client - unattended-upgrades - apt-listchanges - auditd write_files: - path: /etc/iptables/rules.v4 permissions: 0644 owner: root:root content: | *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DROP COMMIT *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A INPUT -p tcp --dport 2376 -j ACCEPT -m comment --comment "Docker Swarm" -A INPUT -p tcp -m tcp --dport 7946 -m comment --comment "Docker Swarm" -j ACCEPT -A INPUT -p udp -m udp --dport 7946 -m comment --comment "Docker Swarm" -j ACCEPT -A INPUT -p udp -m udp --dport 4789 -m comment --comment "Docker Swarm" -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable COMMIT - path: /etc/iptables/rules.v6 permissions: 0644 owner: root:root content: | *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate INVALID -j DROP -A OUTPUT -o tun0 -j ACCEPT -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp6-port-unreachable COMMIT - path: /etc/systemd/journald.conf.d/size.conf permissions: 0644 owner: root:root content: | [Journal] SystemMaxUse=250M SystemMaxFileSize=50M - path: /etc/apt/apt.conf.d/20auto-upgrades permissions: 0644 owner: root:root content: | APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Unattended-Upgrade "1"; APT::Periodic::AutocleanInterval "7"; - path: /etc/fstab append: true content: | /swapfile swap swap defaults 0 0 - path: /etc/audit/rules.d/docker.rules permissions: 0640 owner: root:root content: | -w /etc/docker -k docker -w /etc/default/docker -k docker -w /etc/docker/daemon.json -k docker -w /etc/containerd/config.toml -k docker -w /lib/systemd/system/docker.service -k docker -w /lib/systemd/system/docker.socket -k docker -w /run/containerd -k docker -w /usr/bin/containerd -k docker -w /usr/bin/containerd-shim -k docker -w /usr/bin/containerd-shim-runc-v1 -k docker -w /usr/bin/containerd-shim-runc-v2 -k docker -w /usr/bin/runc -k docker -w /var/lib/docker -k docker - path: /etc/hosts append: true content: | 192.168.178.2 swarm-manager-1 192.168.178.3 swarm-manager-2 192.168.178.4 swarm-manager-3 runcmd: - 'iptables-restore < /etc/iptables/rules.v4' - 'ip6tables-restore < /etc/iptables/rules.v6' - [systemctl, enable, --now, fail2ban] - 'fallocate -l 2G /swapfile' - 'chmod 600 /swapfile' - 'mkswap /swapfile' - 'swapon /swapfile' - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/ssh/etc/ssh/sshd_config, --output, /etc/ssh/sshd_config.d/99-hardening.conf] - [systemctl, restart, ssh] - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/etc/modprobe.d/disable-network-filesystems.conf, --output, /etc/modprobe.d/disable-network-filesystems.conf] - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-filesystems.conf, --output, /etc/modprobe.d/disable-rare-filesystems.conf] - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-protocols.conf, --output, /etc/modprobe.d/disable-rare-protocols.conf] - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/etc/modprobe.d/disable-vivid.conf, --output, /etc/modprobe.d/disable-vivid.conf] - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.conf, --output, /etc/sysctl.d/99-hardening.conf] - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.d/99-swarm.conf, --output, /etc/sysctl.d/99-swarm.conf] - [sysctl, -p] - [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades] # - [mkdir, -p, /usr/local/apt-keys] # - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt] # - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null' # - "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list" - [mkdir, -p, /etc/apt/keyrings] - "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg" - 'echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null' - [chmod, a+r, /etc/apt/keyrings/docker.gpg] - [apt-get, update] - 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin' # - [sed, -r, -i, 's/Peers:\s\[\]/Peers: [\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n ]/', /etc/yggdrasil.conf] # - [sed, -r, -i, 's/AllowedPublicKeys:\s\[\]/AllowedPublicKeys: [\n"9939ce2585a046ce869e523c9efedb01b55fa032637d5237631ab4e09cafcb33"\n]/', /etc/yggdrasil.conf] #- [systemctl, enable, --now, yggdrasil] - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/docker/etc/docker/daemon.json, --output, /etc/docker/daemon.json] - [timedatectl, set-timezone, Europe/Rome] - [mkdir, /mnt/swarm-data]