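#cloud-config
#
# Squid SSL-bump caching proxy — harden SSH, then deploy, on a fresh host.
#
# Fill in REPO_URL and the values in the runcmd block, then paste this as the
# instance user-data. Unlike the web stacks this is a FORWARD proxy: no public
# DNS record or Let's Encrypt cert is needed, but clients must be able to reach
# TRUSTED_CIDR and must trust the CA this generates on first boot.
#
# Everything in runcmd executes as root at first boot, straight out of the
# freshly cloned repository. Pin REPO_COMMIT so a moved branch or a changed
# remote cannot alter what gets run.
#
# Only deploy this on networks/devices you own and are authorized to inspect.

packages:
  - git

runcmd:
  # Best effort: a missing/failed hostnamectl must not abort the deployment.
  - hostnamectl set-hostname squid || true
  - |
    set -eu

    # ---- values to fill in -------------------------------------------------
    REPO_URL=https://git.anomalous.dev/57_Wolve/automations.git
    REPO_BRANCH=main
    REPO_COMMIT=            # optional: full commit SHA the clone must resolve to;
                            # leave empty to run whatever the branch tip is
    HARDEN_SSH=1            # harden SSH on this fresh VM (set 0 to skip)
    SSH_PORT=22
    ALLOWED_IP=             # optional: whitelist your client IP in sshguard
    TRUSTED_CIDR=100.64.0.0/10   # network allowed to use the proxy
    BIND_ADDR=0.0.0.0       # interface the proxy listens on (see warning below)
    # ------------------------------------------------------------------------

    INSTALL_DIR=/opt/automations

    git clone --depth 1 --branch "$REPO_BRANCH" "$REPO_URL" "$INSTALL_DIR"

    # Supply-chain check: a shallow clone of a branch is whatever the remote
    # serves at this moment. When a commit is pinned, refuse to run anything
    # else rather than silently executing a different revision as root.
    if [ -n "$REPO_COMMIT" ]; then
        head_commit=$(git -C "$INSTALL_DIR" rev-parse HEAD)
        if [ "$head_commit" != "$REPO_COMMIT" ]; then
            echo "refusing to deploy: HEAD is $head_commit, expected $REPO_COMMIT" >&2
            exit 1
        fi
    fi

    cd "$INSTALL_DIR"

    # Harden SSH first (PQ KEX, key-only auth, sshguard + deny-by-default
    # firewall). The firewall it installs is what deploy.sh registers the proxy
    # port with. Because auth becomes key-only, an authorized key must already
    # be on the instance before this runs (cloud-init normally installs it
    # ahead of runcmd) — otherwise you lock yourself out.
    if [ "$HARDEN_SSH" = 1 ]; then
        SSH_PORT="$SSH_PORT" ALLOWED_IP="$ALLOWED_IP" SKIP_PROMPTS=1 FORCE=1 \
            bash scripts/harden-ssh.sh
    fi

    # Deploy the proxy. A published Docker port bypasses the host firewall, so
    # BIND_ADDR — not the firewall — is the real exposure control. 0.0.0.0
    # listens on every interface and leaves TRUSTED_CIDR as the only thing
    # restricting who can talk to the proxy; bind to the address of the
    # trusted interface instead where possible.
    if [ "$BIND_ADDR" = 0.0.0.0 ]; then
        echo "WARNING: BIND_ADDR=0.0.0.0 exposes the proxy port on all interfaces; only TRUSTED_CIDR ($TRUSTED_CIDR) restricts clients" >&2
    fi

    TRUSTED_CIDR="$TRUSTED_CIDR" \
    BIND_ADDR="$BIND_ADDR" \
    SKIP_PROMPTS=1 \
        bash deployments/squid/deploy.sh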