add cloud hardening

quick-test/deploy.yml

@@ -32,8 +32,8 @@
         region: "{{ region }}"
         image: linode/alpine3.18
         booted: true
-        authorized_keys:
-          - "{{ lookup('file', ssh_pubkey_path) }}"
+        metadata:
+          user_data: '{{ lookup("template", playbook_dir ~ "/harden.yaml.j2") }}'
         state: present
       register: create_inst
 

quick-test/harden.yaml.j2

@@ -0,0 +1,36 @@
+#cloud-config
+hostname: dx-dev-vm
+
+package_update: true
+package_upgrade: true
+packages:
+  - fail2ban
+
+ssh_pwauth: false
+disable_root: true
+
+users:
+  - default
+  - name: linodedx
+    gecos: The primary account for development on this VM.
+    shell: /bin/bash
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    lock_passwd: true
+    ssh_authorized_keys:
+      - '{{ ssh_pubkey }}'
+
+write_files:
+  # Root login over SSH isn't fully disabled by disable_root
+  - path: /etc/ssh/sshd_config.d/51-disable-root.conf
+    permissions: "0600"
+    content: |
+      PermitRootLogin no
+
+runcmd:
+  - service ssh restart
+  - service fail2ban start --enable
+
+  - ufw default deny incoming
+  - ufw default allow outgoing
+  - ufw allow 80,443,21,22/tcp
+  - ufw enable