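#cloud-config
# First-boot provisioning for a Hetzner host: refresh packages, create the
# admin user, stage config drop-ins, then run firstboot.sh from runcmd.
package_update: true
package_upgrade: true
# Password logins over SSH are disabled from the very first boot; the
# firstboot script adds the rest of the sshd hardening once keys are in place.
ssh_pwauth: false

users:
  - default
  # Admin account. Its local password stays locked; access is key-only and
  # sudo is passwordless, so everything hinges on the authorized_keys copied
  # over by firstboot.sh.
  - name: david
    groups: [sudo]
    shell: /bin/bash
    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
    lock_passwd: true

# Installed in the config stage, i.e. before runcmd needs curl/sudo.
packages:
  - ca-certificates
  - curl
  - sudo
  - unattended-upgrades

write_files:
  # Daily list refresh plus automatic security upgrades.
  - path: /etc/apt/apt.conf.d/20auto-upgrades
    permissions: "0644"
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";

  # Skip reverse-DNS and GSSAPI probing on login; both only add latency here.
  - path: /etc/ssh/sshd_config.d/10-performance.conf
    permissions: "0644"
    content: |
      UseDNS no
      GSSAPIAuthentication no

  # Executed once by runcmd (below). Written here so it is on disk before the
  # final stage runs.
  - path: /usr/local/sbin/firstboot.sh
    permissions: "0755"
    content: |
      #!/usr/bin/env bash
      # First-boot provisioning: copy the provider-injected SSH keys to the
      # admin user, harden sshd only once that user can log in with a key,
      # enable unattended-upgrades and install Tailscale from its apt repo.
      set -euo pipefail
      # apt must never block on a prompt during an unattended first boot.
      export DEBIAN_FRONTEND=noninteractive

      # Admin account created by the "users" section of the cloud-config.
      # A dedicated name avoids clobbering the login shell's $USER.
      TARGET_USER="david"
      HARDENING_CONF=/etc/ssh/sshd_config.d/99-hardening.conf
      KEYRING=/usr/share/keyrings/tailscale-archive-keyring.gpg

      # Copy Hetzner-injected SSH keys from root to $TARGET_USER
      if [[ -s /root/.ssh/authorized_keys ]]; then
        install -d -m 0700 -o "$TARGET_USER" -g "$TARGET_USER" "/home/$TARGET_USER/.ssh"
        install -m 0600 -o "$TARGET_USER" -g "$TARGET_USER" /root/.ssh/authorized_keys "/home/$TARGET_USER/.ssh/authorized_keys"
      fi

      # Harden SSH only if the user has keys (avoid lockout)
      if [[ -s "/home/$TARGET_USER/.ssh/authorized_keys" ]]; then
        install -d -m 0755 /etc/ssh/sshd_config.d
        printf '%s\n' \
          'PermitRootLogin no' \
          'PasswordAuthentication no' \
          'KbdInteractiveAuthentication no' \
          'AuthenticationMethods publickey' \
          'X11Forwarding no' \
          'AllowAgentForwarding no' \
          "AllowUsers ${TARGET_USER}" \
          > "$HARDENING_CONF"
        # Validate the merged config before restarting: a restart with a broken
        # drop-in stops the running daemon and then fails to start a new one,
        # which would lock us out of the host.
        if /usr/sbin/sshd -t; then
          systemctl restart ssh || systemctl restart sshd || true
        else
          echo "sshd -t rejected ${HARDENING_CONF}; removing it and keeping the current sshd" >&2
          rm -f "$HARDENING_CONF"
        fi
      fi

      systemctl enable --now unattended-upgrades 2>/dev/null || true

      # Install Tailscale
      . /etc/os-release
      mkdir -p --mode=0755 /usr/share/keyrings
      # Download the repo signing key to a temp file first so a failed fetch
      # does not leave an empty keyring behind for apt to reject later.
      tmp_key="$(mktemp)"
      trap 'rm -f "$tmp_key"' EXIT
      curl -fsSL "https://pkgs.tailscale.com/stable/${ID}/${VERSION_CODENAME}.noarmor.gpg" -o "$tmp_key"
      install -m 0644 "$tmp_key" "$KEYRING"
      # signed-by pins this source to the key fetched above.
      echo "deb [signed-by=${KEYRING}] https://pkgs.tailscale.com/stable/${ID} ${VERSION_CODENAME} main" \
        > /etc/apt/sources.list.d/tailscale.list
      apt-get update
      apt-get install -y tailscale
      systemctl enable --now tailscaled

# Final stage: run the script staged by write_files above.
runcmd:
  - [bash, -lc, "/usr/local/sbin/firstboot.sh"]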