diff options
author | Egor Tensin <Egor.Tensin@gmail.com> | 2023-08-04 14:31:08 +0200 |
---|---|---|
committer | Egor Tensin <Egor.Tensin@gmail.com> | 2023-08-04 14:31:08 +0200 |
commit | 0e87875de0f5bbbade1ad3515c72abaadbe46204 (patch) | |
tree | 26d141bd7968f7f34091cf245ae1f11d6d3b2ee8 /yandex/server/etc | |
parent | import some common modules (diff) | |
download | infra-terraform-0.0.2.tar.gz infra-terraform-0.0.2.zip |
import a couple of Yandex Cloud moduelsv0.0.2
Diffstat (limited to '')
-rw-r--r-- | yandex/server/etc/cloud-init.cfg | 13 | ||||
-rw-r--r-- | yandex/server/etc/sshd_config | 39 |
2 files changed, 52 insertions, 0 deletions
diff --git a/yandex/server/etc/cloud-init.cfg b/yandex/server/etc/cloud-init.cfg new file mode 100644 index 0000000..8ed371c --- /dev/null +++ b/yandex/server/etc/cloud-init.cfg @@ -0,0 +1,13 @@ +#cloud-config + +users: + - name: ${jsonencode(user)} + lock_passwd: false + hashed_passwd: '*' + sudo: ALL=(ALL) NOPASSWD:ALL + ssh_authorized_keys: ${jsonencode(ssh_keys)} + shell: /bin/bash + +write_files: + - path: /etc/ssh/sshd_config + content: ${jsonencode(sshd_config)} diff --git a/yandex/server/etc/sshd_config b/yandex/server/etc/sshd_config new file mode 100644 index 0000000..ae08408 --- /dev/null +++ b/yandex/server/etc/sshd_config @@ -0,0 +1,39 @@ +Protocol 2 +Port ${port} + +# Drop idle sessions: +ClientAliveCountMax 3 +ClientAliveInterval 15 + +# Allow reverse tunnels: +GatewayPorts yes + +# Miscellaneous: +PrintMotd no + +# Hardening. +# Source: https://infosec.mozilla.org/guidelines/openssh.html + +# Only Ed25519: +HostKey /etc/ssh/ssh_host_ed25519_key + +# Only the first choices for ciphers: +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com + +# No password login: +PasswordAuthentication no +AuthenticationMethods publickey +# Whitelist users: +PermitRootLogin no +AllowGroups ${join(" ", users)} + +# Log things: +Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO + +# Whitelist accepted environment variables: +AcceptEnv LANG LC_* + +# Why the fuck would I need X11 forwarding? +X11Forwarding no |