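#cloud-config
#
# Generic base-host bootstrap -- Alpine, Debian, or Alma Linux.
#
# On first boot this:
#   1. Installs prerequisites (bash, git, curl) for whichever distro this is.
#   2. Clones this repo to /opt/automations.
#   3. Sets the hostname per the Network Domain Name Schema and installs the
#      shared MOTD banner (scripts/setup-host.sh).
#   4. Seeds root's authorized_keys from globals/ (URL-preferred).
#   5. Applies SSH hardening: key-only auth, post-quantum KEX, sshguard
#      (scripts/harden-ssh.sh).
#
# Fill in REPO_URL, HOST, and the other values, then paste as instance
# user-data. For a bastion host use jumphost.yml instead.
#
# The runcmd block below is executed by cloud-init as root under /bin/sh, so
# it deliberately uses only POSIX sh constructs -- bash is not guaranteed to
# exist until the prerequisites step has run.
#
# NOTE: harden-ssh.sh prints a freshly generated root private key to stdout,
# which lands in the cloud provider's console/serial log. Either capture it
# from there, or rely on the keys seeded from globals/ and ignore it. The
# seeding step warns on stderr when it leaves authorized_keys empty, which is
# the signal that you MUST capture that console key to avoid a lockout.

runcmd:
  - |
    set -e

    # ===== config =====
    REPO_URL=https://git.anomalous.dev/57_Wolve/automations.git
    # Everything under /opt/automations is executed as root. Pinning this to a
    # release tag (instead of a moving branch) keeps a later push from changing
    # what runs during bootstrap.
    REPO_BRANCH=main
    HOST=sto-1                # short host name; FQDN becomes HOST.BASE_DOMAIN
    BASE_DOMAIN=srvno.de
    DATACENTER="Globally Everywhere"
    SSH_PORT=22
    ALLOWED_IP=               # optional: whitelist your client IP in sshguard
    ENABLE_FIREWALL=1         # deny-by-default host firewall (0 to skip)
    OPEN_PORTS=""             # extra inbound ports, e.g. "80/tcp 443/tcp"
    # ==================

    # Prerequisites (OS-agnostic).
    if command -v apk >/dev/null 2>&1; then
      apk add --no-cache bash git curl
    elif command -v apt-get >/dev/null 2>&1; then
      # No tty during first boot; keep dpkg from blocking on prompts.
      export DEBIAN_FRONTEND=noninteractive
      apt-get update -qq && apt-get install -y -qq bash git curl
    elif command -v dnf >/dev/null 2>&1; then
      dnf install -y -q bash git curl
    fi

    git clone --depth 1 --branch "$REPO_BRANCH" "$REPO_URL" /opt/automations
    cd /opt/automations

    # Hostname + shared MOTD.
    HOST="$HOST" BASE_DOMAIN="$BASE_DOMAIN" DATACENTER="$DATACENTER" \
      bash scripts/setup-host.sh

    # Seed root's authorized_keys from globals/ (SSH_KEYS_URL or authorized_keys).
    # Best-effort on purpose: a failure here is not fatal because harden-ssh.sh
    # prints a generated root key (see NOTE above), but it is reported rather
    # than silently swallowed so the operator knows to capture that key.
    install -d -m 700 /root/.ssh
    { . scripts/lib.sh && load_globals \
        && resolve_ssh_keys >> /root/.ssh/authorized_keys; } \
      || printf '%s\n' 'WARN: could not seed authorized_keys from globals/' >&2
    if [ -s /root/.ssh/authorized_keys ]; then
      # De-duplicate and make sure the file is root-private (>> creates it
      # with the default umask).
      sort -u /root/.ssh/authorized_keys -o /root/.ssh/authorized_keys
      chmod 600 /root/.ssh/authorized_keys
    else
      printf '%s\n' 'WARN: /root/.ssh/authorized_keys is empty -- key-only auth is about to be enforced; capture the root key harden-ssh.sh prints to the console' >&2
    fi

    # SSH hardening (key-only, PQ KEX, sshguard) + deny-by-default host firewall.
    # Runs last so an earlier failure (set -e) never leaves the host
    # half-hardened with a hostname/keys mismatch.
    SSH_PORT="$SSH_PORT" ALLOWED_IP="$ALLOWED_IP" \
      ENABLE_FIREWALL="$ENABLE_FIREWALL" OPEN_PORTS="$OPEN_PORTS" \
      FORCE=1 bash scripts/harden-ssh.sh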