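#cloud-config
# Base hardening profile for a fresh Debian/Ubuntu host.
# Per cloud-init's default module order, write_files runs before packages
# are installed and runcmd runs last, so the files below exist when the
# packages' post-install hooks and the commands at the bottom run.

# Only generate modern host key types (no RSA/DSA host keys).
ssh_genkeytypes: [ecdsa, ed25519]

# upgrade system
package_update: true
package_upgrade: true

# various dependencies
packages:
  - ca-certificates
  - curl
  - gnupg
  - lsb-release
  - fail2ban
  - nginx
  - certbot
  - python3-certbot-nginx
  - iptables-persistent

write_files:
  # IPv4 filter table: default-deny inbound; allow loopback, established
  # flows, SSH (22) and 8448. Outbound is open except SMTP (25).
  # NOTE(review): only IPv4 is filtered. Nothing is written to
  # /etc/iptables/rules.v6, so ip6tables keeps its default ACCEPT policy
  # and every listening port is reachable over IPv6 on a dual-stack host.
  # Add an equivalent rules.v6 (allowing ipv6-icmp, which IPv6 needs to
  # function) or disable IPv6 if it is not used.
  # NOTE(review): nginx/certbot are installed but 80/443 are not opened;
  # HTTP-01 issuance via the nginx plugin needs port 80 — confirm intended.
  - path: /etc/iptables/rules.v4
    permissions: "0644"  # octal mode as a string; a bare 0644 is parsed as an int
    owner: root:root
    content: |
      *filter
      :INPUT DROP [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT ACCEPT [0:0]
      -A INPUT -i lo -j ACCEPT
      -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -m conntrack --ctstate INVALID -j DROP
      -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 8448 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      -A OUTPUT -o lo -j ACCEPT
      -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
      -A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
      COMMIT

  # Cap the persistent journal so logs cannot fill the root filesystem.
  - path: /etc/systemd/journald.conf.d/size.conf
    permissions: "0644"
    owner: root:root
    content: |
      [Journal]
      SystemMaxUse=250M
      SystemMaxFileSize=50M

  # fstab entry for the swap file created in runcmd below.
  - path: /etc/fstab
    append: true
    content: |
      /swapfile swap swap defaults 0 0

runcmd:
  # Load the firewall now; iptables-persistent restores the same file on boot.
  - 'iptables-restore < /etc/iptables/rules.v4'

  - [systemctl, enable, --now, fail2ban]

  # 3 GiB swap file, root-only readable before it is formatted.
  - 'fallocate -l 3G /swapfile'
  - 'chmod 600 /swapfile'
  - 'mkswap /swapfile'
  - 'swapon /swapfile'

  # Remote hardening snippets. --fail stops curl from saving an HTTP error
  # page as the config file (without it, a 404 body would be written to the
  # target path), and sshd -t validates the merged configuration before the
  # restart: on failure the downloaded include is removed instead of
  # restarting, so a bad or missing download cannot lock SSH out now or at
  # the next boot.
  # NOTE(review): the fetched files are trusted as-is — no checksum or
  # signature check, and the URL tracks branch/master rather than a pinned
  # revision. Whatever that URL serves at boot time becomes sshd, modprobe
  # and sysctl configuration.
  - [curl, --fail, --silent, --show-error, https://gitea.it/Unitoo/dot-files/raw/branch/master/ssh/etc/ssh/sshd_config, --output, /etc/ssh/sshd_config.d/99-hardening.conf]
  - [sh, -c, 'if /usr/sbin/sshd -t; then systemctl restart ssh; else rm -f /etc/ssh/sshd_config.d/99-hardening.conf; fi']

  # Kernel module blacklists; they apply to subsequent module loads, so
  # anything already loaded stays in the kernel until reboot.
  - [curl, --fail, --silent, --show-error, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-network-filesystems.conf, --output, /etc/modprobe.d/disable-network-filesystems.conf]
  - [curl, --fail, --silent, --show-error, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-filesystems.conf, --output, /etc/modprobe.d/disable-rare-filesystems.conf]
  - [curl, --fail, --silent, --show-error, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-protocols.conf, --output, /etc/modprobe.d/disable-rare-protocols.conf]
  - [curl, --fail, --silent, --show-error, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-vivid.conf, --output, /etc/modprobe.d/disable-vivid.conf]

  # `sysctl -p` with no argument reloads only /etc/sysctl.conf and would
  # silently skip the file written to /etc/sysctl.d/; --system applies the
  # whole sysctl.d tree.
  - [curl, --fail, --silent, --show-error, https://gitea.it/Unitoo/dot-files/raw/branch/master/sysctl/etc/sysctl.conf, --output, /etc/sysctl.d/99-hardening.conf]
  - [sysctl, --system]

  - [timedatectl, set-timezone, Europe/Rome]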