13535da3d8
base.yml set AUTO_UPDATE=1 but never forwarded it to harden-ssh.sh (which defaults to 0), so base hosts never actually scheduled daily updates despite the config implying they did. Auto-update is intentionally bastion-only for now — jumphost.yml / harden-jumphost.sh enable it by default, and base (container) hosts will get a dedicated docker-image updater later — so remove the knob entirely rather than wire it through. No behavior change. Also drop cloud-init/base.yml from the README "Daily updates" line that claimed it takes AUTO_UPDATE=1.
58 lines
2.5 KiB
YAML
#cloud-config
#
# Generic base-host bootstrap -- Alpine, Debian, or Alma Linux.
#
# On first boot this:
# 1. Installs prerequisites (bash, git, curl) for whichever distro this is.
# 2. Clones this repo to /opt/automations.
# 3. Sets the hostname per the Network Domain Name Schema and installs the
#    shared MOTD banner (scripts/setup-host.sh).
# 4. Seeds root's authorized_keys from globals/ (URL-preferred).
# 5. Applies SSH hardening: key-only auth, post-quantum KEX, sshguard
#    (scripts/harden-ssh.sh).
#
# Fill in REPO_URL, HOST, and the other values, then paste as instance
# user-data. For a bastion host use jumphost.yml instead.
#
# NOTE: harden-ssh.sh prints a freshly generated root private key to stdout,
# which lands in the cloud provider's console/serial log. Either capture it
# from there, or rely on the keys seeded from globals/ and ignore it.

runcmd:
  - |
    set -e
    # ===== config =====
    REPO_URL=https://git.anomalous.dev/57_Wolve/automations.git
    REPO_BRANCH=main
    HOST=sto-1                      # <svc>-<n>; FQDN becomes HOST.BASE_DOMAIN
    BASE_DOMAIN=srvno.de
    DATACENTER="Globally Everywhere"
    SSH_PORT=22
    ALLOWED_IP=                     # optional: whitelist your client IP in sshguard
    ENABLE_FIREWALL=1               # deny-by-default host firewall (0 to skip)
    OPEN_PORTS=""                   # extra inbound ports, e.g. "80/tcp 443/tcp"
    # ==================

    # Prerequisites (OS-agnostic).
    if command -v apk >/dev/null 2>&1; then apk add --no-cache bash git curl
    elif command -v apt-get >/dev/null 2>&1; then apt-get update -qq && apt-get install -y -qq bash git curl
    elif command -v dnf >/dev/null 2>&1; then dnf install -y -q bash git curl
    fi

    git clone --depth 1 --branch "$REPO_BRANCH" "$REPO_URL" /opt/automations
    cd /opt/automations

    # Hostname + shared MOTD.
    HOST="$HOST" BASE_DOMAIN="$BASE_DOMAIN" DATACENTER="$DATACENTER" bash scripts/setup-host.sh

    # Seed root's authorized_keys from globals/ (SSH_KEYS_URL or authorized_keys).
    . scripts/lib.sh && load_globals \
      && install -d -m 700 /root/.ssh \
      && resolve_ssh_keys >> /root/.ssh/authorized_keys || true
    sort -u /root/.ssh/authorized_keys -o /root/.ssh/authorized_keys 2>/dev/null || true

    # SSH hardening (key-only, PQ KEX, sshguard) + deny-by-default host firewall.
    SSH_PORT="$SSH_PORT" ALLOWED_IP="$ALLOWED_IP" \
      ENABLE_FIREWALL="$ENABLE_FIREWALL" OPEN_PORTS="$OPEN_PORTS" \
      FORCE=1 bash scripts/harden-ssh.sh
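The defect the commit message describes (a knob set in the config header but never passed to the script that reads it, so the host silently runs with the script's default) is easy to catch mechanically. The lint below is an added example, not part of the repository: assuming the `# ===== config =====` / `# ==================` markers used in base.yml, it lists every header knob that is never referenced as `$NAME` after the config block, using constructed before/after samples rather than the real files.

```sh
#!/bin/sh
# Lint a cloud-init user-data file: list config knobs (NAME=value lines between the
# "# ===== config =====" and "# ==================" markers) that are never read as
# $NAME or ${NAME} afterwards, i.e. set in the header but never forwarded to a script.
unforwarded_knobs() {
    awk '
        /# ===== config =====/ { in_cfg = 1; next }
        /# ==================/  { in_cfg = 0; after = 1; next }
        in_cfg && /^[ \t]*[A-Z_][A-Z0-9_]*=/ {
            name = $0; sub(/^[ \t]*/, "", name); sub(/=.*/, "", name)
            knobs[++n] = name; next
        }
        after { body = body "\n" $0 }
        END {
            for (i = 1; i <= n; i++)
                if (!match(body, "[$][{]?" knobs[i] "([^A-Za-z0-9_]|$)")) print knobs[i]
        }
    ' "$1"
}

# Constructed samples (hypothetical, not the repo's files): the "before" shape from the
# commit message, where AUTO_UPDATE=1 is set but never passed to harden-ssh.sh, and the
# fixed shape with the knob removed.
BUGGY=$(mktemp) FIXED=$(mktemp)
cat > "$BUGGY" <<'EOF'
runcmd:
  - |
    set -e
    # ===== config =====
    SSH_PORT=22
    AUTO_UPDATE=1        # looks enabled, but harden-ssh.sh never sees it and defaults to 0
    ENABLE_FIREWALL=1
    # ==================
    SSH_PORT="$SSH_PORT" ENABLE_FIREWALL="$ENABLE_FIREWALL" FORCE=1 bash scripts/harden-ssh.sh
EOF
sed '/^ *AUTO_UPDATE=/d' "$BUGGY" > "$FIXED"

unforwarded_knobs "$BUGGY"   # prints: AUTO_UPDATE
unforwarded_knobs "$FIXED"   # prints nothing: every knob is forwarded
```

Run it over each cloud-init file in CI so a knob that is set but never wired through fails the build instead of quietly doing nothing on the host.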