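#cloud-config
# Bootstraps one admin account with key-only SSH, a hardened sshd drop-in,
# fail2ban + ufw, and Docker, then reboots so the package upgrade applies.
users:
  - name: kotir
    # NOTE: membership of `docker` is root-equivalent (the daemon runs as root
    # and members can bind-mount the host filesystem into a container).
    groups: users, admin, docker
    # Passwordless sudo is tolerable only because the account is key-only:
    # cloud-init locks the password by default and the sshd drop-in below
    # forbids password / keyboard-interactive authentication.
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBi0KVsjB4qS1dHixjjN+6TdBeVS1C6al0rHESw9eXmj ilja@mailbox.org

packages:
  - fail2ban
  - ufw
  - make

package_update: true
package_upgrade: true

write_files:
  # sshd keeps the FIRST value it reads for a keyword, and sshd_config.d/*.conf
  # is included in lexical order. A low-numbered filename ensures a
  # distro-shipped drop-in (e.g. 50-cloud-init.conf) cannot silently win.
  - path: /etc/ssh/sshd_config.d/00-ssh-hardening.conf
    permissions: "0644"
    content: |
      PermitRootLogin no
      PasswordAuthentication no
      Port 22
      KbdInteractiveAuthentication no
      # Deprecated alias of KbdInteractiveAuthentication; kept for older OpenSSH.
      ChallengeResponseAuthentication no
      MaxAuthTries 5
      # No port/agent/X11 forwarding: a compromised client key cannot pivot
      # through this host or steal the agent socket.
      AllowTcpForwarding no
      X11Forwarding no
      AllowAgentForwarding no
      ClientAliveInterval 300
      ClientAliveCountMax 3
      AuthorizedKeysFile .ssh/authorized_keys
      AllowUsers kotir
  # Written in the init stage, i.e. before the fail2ban package is installed
  # and started, so the service never runs with the stock jail config.
  # (The original wrote this from runcmd with printf and no trailing newline.)
  - path: /etc/fail2ban/jail.local
    permissions: "0644"
    content: |
      [sshd]
      enabled = true
      # "ssh" resolves to 22 via /etc/services; matches Port in the sshd drop-in.
      port = ssh
      banaction = iptables-multiport
      # NOTE(review): on images where sshd logs only to the journal (no
      # /var/log/auth.log), this jail needs `backend = systemd` or fail2ban
      # refuses to start it -- confirm for the target image.

runcmd:
  - systemctl enable fail2ban
  # SSH is TCP-only; a bare `ufw allow 22` would also open 22/udp.
  - ufw allow 22/tcp
  - ufw allow 80,443/tcp
  # --force skips the "may disrupt existing ssh connections" prompt; runcmd
  # has no tty, so without it the command's behaviour depends on ufw's version.
  - ufw --force enable
  # runcmd already runs as root: no sudo needed. The original used `$USER`,
  # which is unset (or root) here, so the intended user was never added.
  # -f makes groupadd idempotent; cloud-init may already have created the group
  # when it added kotir to it above.
  - groupadd -f docker
  - usermod -aG docker kotir
  # SUPPLY CHAIN: this downloads and executes an unsigned script over TLS.
  # For anything beyond a throwaway host, install from Docker's signed apt
  # repository (or the distro package) instead, or at least pin and review
  # the script before running it.
  - curl -fsSL https://get.docker.com -o /tmp/get-docker.sh
  - sh /tmp/get-docker.sh
  - rm -f /tmp/get-docker.sh
  # CAVEAT: Docker programs iptables directly (FORWARD / DOCKER chains), so
  # ports published with `-p` are reachable from outside regardless of the
  # ufw INPUT rules above. Bind published ports to 127.0.0.1, or use
  # ufw-docker / `"iptables": false` in daemon.json, if ufw must stay
  # authoritative.
  - reboot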