automations/cloud-init/base.yml
57_Wolve 13535da3d8 fix(base): drop dead AUTO_UPDATE knob from base.yml
base.yml set AUTO_UPDATE=1 but never forwarded it to harden-ssh.sh (which
defaults to 0), so base hosts never actually scheduled daily updates despite
the config implying they did. Auto-update is intentionally bastion-only for
now — jumphost.yml / harden-jumphost.sh enable it by default, and base
(container) hosts will get a dedicated docker-image updater later — so remove
the knob entirely rather than wire it through. No behavior change.
Also drop cloud-init/base.yml from the README "Daily updates" line that
claimed it takes AUTO_UPDATE=1.
2026-06-12 17:23:55 -05:00


#cloud-config
#
# Generic base-host bootstrap -- Alpine, Debian, or Alma Linux.
#
# On first boot this:
# 1. Installs prerequisites (bash, git, curl) for whichever distro this is.
# 2. Clones this repo to /opt/automations.
# 3. Sets the hostname per the Network Domain Name Schema and installs the
# shared MOTD banner (scripts/setup-host.sh).
# 4. Seeds root's authorized_keys from globals/ (URL-preferred).
# 5. Applies SSH hardening: key-only auth, post-quantum KEX, sshguard
# (scripts/harden-ssh.sh).
#
# Fill in REPO_URL, HOST, and the other values, then paste as instance
# user-data. For a bastion host use jumphost.yml instead.
#
# NOTE: harden-ssh.sh prints a freshly generated root private key to stdout,
# which lands in the cloud provider's console/serial log. Either capture it
# from there, or rely on the keys seeded from globals/ and ignore it.
runcmd:
- |
set -e
# ===== config =====
REPO_URL=https://git.anomalous.dev/57_Wolve/automations.git
REPO_BRANCH=main
HOST=sto-1 # <svc>-<n>; FQDN becomes HOST.BASE_DOMAIN
BASE_DOMAIN=srvno.de
DATACENTER="Globally Everywhere"
SSH_PORT=22
ALLOWED_IP= # optional: whitelist your client IP in sshguard
ENABLE_FIREWALL=1 # deny-by-default host firewall (0 to skip)
OPEN_PORTS="" # extra inbound ports, e.g. "80/tcp 443/tcp"
# ==================
# Prerequisites (OS-agnostic).
if command -v apk >/dev/null 2>&1; then apk add --no-cache bash git curl
elif command -v apt-get >/dev/null 2>&1; then apt-get update -qq && apt-get install -y -qq bash git curl
elif command -v dnf >/dev/null 2>&1; then dnf install -y -q bash git curl
fi
git clone --depth 1 --branch "$REPO_BRANCH" "$REPO_URL" /opt/automations
cd /opt/automations
# Hostname + shared MOTD.
HOST="$HOST" BASE_DOMAIN="$BASE_DOMAIN" DATACENTER="$DATACENTER" bash scripts/setup-host.sh
# Seed root's authorized_keys from globals/ (SSH_KEYS_URL or authorized_keys).
. scripts/lib.sh && load_globals \
&& install -d -m 700 /root/.ssh \
&& resolve_ssh_keys >> /root/.ssh/authorized_keys || true
sort -u /root/.ssh/authorized_keys -o /root/.ssh/authorized_keys 2>/dev/null || true
# SSH hardening (key-only, PQ KEX, sshguard) + deny-by-default host firewall.
SSH_PORT="$SSH_PORT" ALLOWED_IP="$ALLOWED_IP" \
ENABLE_FIREWALL="$ENABLE_FIREWALL" OPEN_PORTS="$OPEN_PORTS" \
FORCE=1 bash scripts/harden-ssh.sh
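Review bot: The trailing `|| true` on the key-seeding chain (`. scripts/lib.sh && load_globals ... && resolve_ssh_keys >> /root/.ssh/authorized_keys || true`) turns a failed load_globals or resolve_ssh_keys into a silent no-op, yet the very next step runs harden-ssh.sh with FORCE=1, which the file header says switches sshd to key-only auth — a host whose seeding silently failed is then reachable only through the generated root key that the header notes lands in the provider's serial log. Consider at least warning before the hardening step when nothing was seeded, e.g. `[ -s /root/.ssh/authorized_keys ] || echo "warning: no authorized_keys seeded; only the generated key will work" >&2`, and tightening the file itself with `chmod 600 /root/.ssh/authorized_keys` next to the existing `install -d -m 700 /root/.ssh`, since `>>` creates it with whatever the umask gives. Because this commit deliberately leaves daily updates off for base hosts but records that decision only in the commit message, a header line such as `# Daily auto-updates are intentionally not enabled here (bastion-only for now; see jumphost.yml).` would keep the dropped knob from being re-added by the next reader.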