|
|
@@ -0,0 +1,295 @@ |
|
|
## Debian 12 Bookworm cloud-init configs. |
|
|
|
|
|
### Other Linux flavours may have different configs! Test in dev mode first! |
|
|
|
|
|
`The configs below are all seperated. Pick what you need, theres a sample script at the bottom.` |
|
|
|
|
|
1. **Set Timezone and Locale**: Configure the system's timezone and locale to match your geographic location and preferred language settings. |
|
|
|
|
|
```yaml |
|
|
timezone: "Etc/UTC" |
|
|
locale: "en_US.UTF-8" |
|
|
``` |
|
|
|
|
|
2. **Create Users and Groups**: You can create additional users, assign them to groups, and set up their SSH keys. |
|
|
|
|
|
```yaml |
|
|
users: |
|
|
- name: exampleuser |
|
|
groups: [sudo, docker] |
|
|
shell: /bin/bash |
|
|
sudo: ['ALL=(ALL) NOPASSWD:ALL'] |
|
|
ssh_authorized_keys: |
|
|
- ssh-rsa AAAAB3Nza... |
|
|
``` |
|
|
|
|
|
3. **Install Additional Packages**: Install packages that you know you'll need on the system. |
|
|
|
|
|
```yaml |
|
|
packages: |
|
|
- htop |
|
|
- git |
|
|
- curl |
|
|
- vim |
|
|
``` |
|
|
|
|
|
4. **Run Custom Scripts**: Execute custom shell scripts to perform tasks that are not covered by cloud-init's built-in modules. |
|
|
|
|
|
```yaml |
|
|
runcmd: |
|
|
- [ sh, -c, "echo 'Custom script commands here'" ] |
|
|
``` |
|
|
|
|
|
5. **Configure Firewall**: Set up basic firewall rules using `ufw` or another firewall tool. |
|
|
|
|
|
```yaml |
|
|
runcmd: |
|
|
- ufw allow 22/tcp |
|
|
- ufw allow 80/tcp |
|
|
- ufw allow 443/tcp |
|
|
- ufw enable |
|
|
``` |
|
|
|
|
|
6. **Disable Root SSH Login**: For security reasons, it's a good practice to disable SSH login for the root user. |
|
|
|
|
|
```yaml |
|
|
ssh_pwauth: false |
|
|
disable_root: true |
|
|
``` |
|
|
|
|
|
7. **Configure Hostname and Hosts File**: Set the system's hostname and update the `/etc/hosts` file accordingly. |
|
|
|
|
|
```yaml |
|
|
hostname: myserver |
|
|
manage_etc_hosts: true |
|
|
``` |
|
|
|
|
|
8. **Set Up Network Configuration**: If you need to configure static IP addresses or other network settings. |
|
|
|
|
|
```yaml |
|
|
network: |
|
|
version: 2 |
|
|
ethernets: |
|
|
eth0: |
|
|
dhcp4: true |
|
|
``` |
|
|
|
|
|
9. **Update and Upgrade Handling**: You can configure how often unattended upgrades should run, which can help keep your system secure. |
|
|
|
|
|
```yaml |
|
|
package_update: true |
|
|
package_upgrade: true |
|
|
package_reboot_if_required: true |
|
|
unattended_upgrades: |
|
|
enable: true |
|
|
blacklist: |
|
|
- nginx |
|
|
- mysql-server |
|
|
``` |
|
|
|
|
|
10. **Configure System Services**: Enable or disable system services to start on boot. |
|
|
|
|
|
```yaml |
|
|
services: |
|
|
enabled: |
|
|
- docker |
|
|
disabled: |
|
|
- postfix |
|
|
``` |
|
|
|
|
|
11. **Mount Disks and Filesystems**: If you have additional storage volumes, you can configure them to be mounted automatically. |
|
|
|
|
|
```yaml |
|
|
mounts: |
|
|
- [ "LABEL=extra-storage", "/mnt/storage" ] |
|
|
``` |
|
|
|
|
|
12. **Set Up Swap**: If your system requires swap space, you can configure it as well. |
|
|
|
|
|
```yaml |
|
|
swap: |
|
|
filename: /swapfile |
|
|
size: "1G" |
|
|
maxsize: "2G" |
|
|
``` |
|
|
|
|
|
THIS IS ALL THE COMMANDS COMBINED ***AS AN EXAMPLE.*** |
|
|
|
|
|
``` |
|
|
#cloud-config |
|
|
|
|
|
# Set the timezone and locale |
|
|
timezone: "Etc/UTC" |
|
|
locale: "en_US.UTF-8" |
|
|
|
|
|
# Add non-free-firmware repository, update and upgrade packages |
|
|
write_files: |
|
|
- path: /etc/apt/sources.list.d/non-free-firmware.list |
|
|
content: | |
|
|
deb http://deb.debian.org/debian/ bookworm main contrib non-free-firmware |
|
|
deb-src http://deb.debian.org/debian/ bookworm main contrib non-free-firmware |
|
|
|
|
|
# Create additional users and groups |
|
|
users: |
|
|
- name: exampleuser |
|
|
groups: [sudo, docker] |
|
|
shell: /bin/bash |
|
|
sudo: ['ALL=(ALL) NOPASSWD:ALL'] |
|
|
ssh_authorized_keys: |
|
|
- ssh-rsa AAAAB3Nza... |
|
|
|
|
|
# Install additional packages |
|
|
packages: |
|
|
- htop |
|
|
- git |
|
|
- curl |
|
|
- vim |
|
|
- ufw |
|
|
- docker.io |
|
|
|
|
|
# Run custom scripts and configure firewall |
|
|
runcmd: |
|
|
- apt-get update |
|
|
- apt-get upgrade -y |
|
|
- ufw allow 22/tcp |
|
|
- ufw allow 80/tcp |
|
|
- ufw allow 443/tcp |
|
|
- ufw enable |
|
|
- [ sh, -c, "echo 'Custom script commands here'" ] |
|
|
|
|
|
# Disable root SSH login |
|
|
ssh_pwauth: false |
|
|
disable_root: true |
|
|
|
|
|
# Configure hostname and manage /etc/hosts |
|
|
hostname: myserver |
|
|
manage_etc_hosts: true |
|
|
|
|
|
# Network configuration |
|
|
network: |
|
|
version: 2 |
|
|
ethernets: |
|
|
eth0: |
|
|
dhcp4: true |
|
|
|
|
|
# Unattended upgrades configuration |
|
|
package_update: true |
|
|
package_upgrade: true |
|
|
package_reboot_if_required: true |
|
|
unattended_upgrades: |
|
|
enable: true |
|
|
blacklist: |
|
|
- nginx |
|
|
- mysql-server |
|
|
|
|
|
# Services configuration |
|
|
services: |
|
|
enabled: |
|
|
- docker |
|
|
disabled: |
|
|
- postfix |
|
|
|
|
|
# Mount additional storage volumes |
|
|
mounts: |
|
|
- [ "LABEL=extra-storage", "/mnt/storage" ] |
|
|
|
|
|
# Set up swap space |
|
|
swap: |
|
|
filename: /swapfile |
|
|
size: "1G" |
|
|
maxsize: "2G" |
|
|
``` |
|
|
### A Production ready cloud-config |
|
|
|
|
|
``` |
|
|
Creating a good configuration for a Debian 12 server running in production depends on the specific use case and requirements of the server. However, there are some general best practices and configurations that can be applied to create a solid foundation for a production environment. Here's an example of a cloud-init configuration that incorporates some of these practices: |
|
|
|
|
|
```yaml |
|
|
#cloud-config |
|
|
|
|
|
# Set the timezone and locale to your preferred settings |
|
|
timezone: "Etc/UTC" |
|
|
locale: "en_US.UTF-8" |
|
|
|
|
|
# Add non-free-firmware repository, update and upgrade packages |
|
|
write_files: |
|
|
- path: /etc/apt/sources.list.d/non-free-firmware.list |
|
|
content: | |
|
|
deb http://deb.debian.org/debian/ bookworm main contrib non-free-firmware |
|
|
deb-src http://deb.debian.org/debian/ bookworm main contrib non-free-firmware |
|
|
|
|
|
# Create a user with sudo privileges and no password prompt for sudo |
|
|
users: |
|
|
- name: adminuser |
|
|
groups: [sudo] |
|
|
shell: /bin/bash |
|
|
sudo: ['ALL=(ALL) NOPASSWD:ALL'] |
|
|
ssh_authorized_keys: |
|
|
- ssh-rsa AAAAB3Nza... |
|
|
|
|
|
# Install essential packages |
|
|
packages: |
|
|
- vim |
|
|
- curl |
|
|
- git |
|
|
- unattended-upgrades |
|
|
- fail2ban |
|
|
- ufw |
|
|
|
|
|
# Run commands to set up the system |
|
|
runcmd: |
|
|
- apt-get update |
|
|
- apt-get upgrade -y |
|
|
- echo 'Unattended-Upgrade::Automatic-Reboot "true";' >> /etc/apt/apt.conf.d/50unattended-upgrades |
|
|
- ufw allow 22/tcp |
|
|
- ufw allow 80/tcp |
|
|
- ufw allow 443/tcp |
|
|
- ufw --force enable |
|
|
- systemctl enable fail2ban |
|
|
|
|
|
# Disable root SSH login and password authentication for SSH |
|
|
ssh_pwauth: false |
|
|
disable_root: true |
|
|
|
|
|
# Configure hostname and manage /etc/hosts |
|
|
hostname: production-server |
|
|
manage_etc_hosts: true |
|
|
|
|
|
# Network configuration with DHCP (adjust if static IP is needed) |
|
|
network: |
|
|
version: 2 |
|
|
ethernets: |
|
|
eth0: |
|
|
dhcp4: true |
|
|
|
|
|
# Configure unattended upgrades for security updates |
|
|
package_update: true |
|
|
package_upgrade: true |
|
|
package_reboot_if_required: true |
|
|
unattended_upgrades: |
|
|
enable: true |
|
|
origin_patterns: |
|
|
- 'origin=Debian,codename=${distro_codename},label=Debian-Security' |
|
|
|
|
|
# Set up swap space (adjust size as needed) |
|
|
swap: |
|
|
filename: /swapfile |
|
|
size: "1G" |
|
|
maxsize: "2G" |
|
|
``` |
|
|
|
|
|
Here are some explanations and best practices reflected in this configuration: |
|
|
|
|
|
- **Locale and Timezone**: Set these to match your geographic location and preferred language settings. |
|
|
- **Non-free Firmware**: Include the non-free firmware repository if your hardware requires proprietary drivers. |
|
|
- **User Management**: Create a non-root user with sudo privileges for administrative tasks. Ensure that SSH keys are used for authentication. |
|
|
- **Essential Packages**: Install packages that are commonly used for system administration and security. |
|
|
- **Unattended Upgrades**: Configure automatic security updates to keep the system patched against vulnerabilities. |
|
|
- **Firewall (UFW)**: Set up basic firewall rules to allow only necessary traffic and enable the firewall. |
|
|
- **Fail2Ban**: Install and enable Fail2Ban to protect against brute-force attacks on SSH and other services. |
|
|
- **SSH Configuration**: Disable root login and password authentication over SSH to enhance security. |
|
|
- **Hostname**: Set a meaningful hostname for the server and manage the `/etc/hosts` file. |
|
|
- **Network Configuration**: Use DHCP or configure a static IP if required. |
|
|
- **Swap Space**: Configure swap space to provide additional virtual memory if the physical RAM is exhausted. |
|
|
|
|
|
Remember to replace placeholders like `adminuser`, the SSH public key, and `production-server` with your actual user name, SSH key, and desired hostname. Additionally, adjust the swap size and other settings to suit your server's workload and resources. |
dazeb created this gist