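#cloud-config
#
# SimpleX Chat Relay Server - Cloud-Init Configuration
#
# This cloud-init configuration deploys a complete SimpleX relay server
# on Alpine Linux with:
# - Post-quantum SSH hardening
# - SMP + XFTP servers with Tor hidden services
# - Caddy reverse proxy with Let's Encrypt
# - awall firewall with minimal attack surface
# - Encrypted backup of all server keys
#
# Customize the environment variables below, then use this as user-data
# when creating your cloud instance.
#
# Use Alpine Linux (most cloud providers support it).
# Recommended: Alpine 3.19+ for latest OpenSSH with PQ KEX support.

# Hostname (optional). Set through the cloud-init key rather than
# `hostnamectl`: that is a systemd tool and is not present on Alpine (OpenRC),
# so a `hostnamectl` entry in runcmd would simply fail.
hostname: simplex-relay

# Packages are installed before runcmd executes. `bash` is required here:
# the installer below is piped into bash and the admin user's shell is
# /bin/bash, but Alpine ships only busybox sh by default.
packages:
  - bash
  - curl
  - htop
  - jq
  - nano

# One-time `apk update` / `apk upgrade` at first boot. This is not ongoing
# automatic security updates; schedule those separately if required.
package_update: true
package_upgrade: true

# Set timezone
timezone: UTC

# Configure locale
locale: en_US.UTF-8

# SSH settings before hardening. Password auth and root login are left
# enabled only so that harden-ssh.sh (run by the installer) can take over;
# both are disabled by it. Until the installer finishes, the host accepts
# password logins, so keep that window short and use a strong initial
# password or an authorized key.
ssh_pwauth: true  # Will be disabled by harden-ssh.sh
disable_root: false  # Keep root enabled for harden-ssh.sh

# Optional: Add non-root user (created before SSH hardening)
users:
  - name: admin
    groups: wheel
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    shell: /bin/bash
    # Note: SSH hardening will restrict to Ed25519 keys only.
    # Add your Ed25519 public key here if you want this user to survive hardening:
    # ssh_authorized_keys:
    #   - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... your-key-here

# Optional: Configure additional settings
write_files:
  # Custom SSH banner (optional). It is only shown to clients if sshd_config
  # contains `Banner /etc/ssh/banner` — confirm harden-ssh.sh sets that.
  - path: /etc/ssh/banner
    permissions: '0644'
    content: |
      ===============================================
      SimpleX Chat Relay Server
      Authorized access only.
      All connections are logged and monitored.
      ===============================================

runcmd:
  # Run the master installer.
  #
  # Supply-chain note: this fetches a script from `branch/main` and pipes it
  # straight into bash as root, so whatever is on that branch at boot time is
  # what runs. Prefer pinning the URL to a reviewed commit (replace
  # `branch/main` with the commit form, e.g. `commit/<COMMIT_SHA>`) and, if
  # possible, downloading the script first and checking its sha256 against a
  # known value before executing it.
  #
  # SMP_PASS and XFTP_PASS are left empty below; presumably that deploys the
  # relays without an access password — confirm against install-simplex.sh
  # before exposing the server.
  - |
    curl -fsSL https://git.anomalous.dev/57_Wolve/automations/raw/branch/main/deployments/simplex/install-simplex.sh | \
      REPO_URL=https://git.anomalous.dev/57_Wolve/automations.git \
      DOMAIN=relay.yourdomain.com \
      ACME_EMAIL=admin@yourdomain.com \
      XFTP_QUOTA=100gb \
      SSH_PORT=2222 \
      ALLOWED_IP=your.client.ip.here \
      KEY_TYPE=rsa4096 \
      SMP_PASS= \
      XFTP_PASS= \
      SKIP_PROMPTS=1 \
      AUTO_BACKUP=1 \
      REMOVE_CA_KEYS=1 \
      DEBUG=0 \
      bash

# Optional: Configure fail2ban (will be replaced by sshguard)
# The installer run from runcmd installs sshguard, which is lighter and more
# suitable for Alpine.

# Security note: The master installer will:
# 1. Generate fresh SSH keys and disable password auth
# 2. Create an encrypted backup containing all private keys
# 3. Remove CA keys from disk (they exist only in the backup)
# 4. Lock down the firewall to required ports only
#
# Make sure to:
# 1. Download the encrypted backup immediately after deployment
# 2. Save the SSH private key from the installer output
# 3. Test SSH access before deploying to production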