diff options
Diffstat (limited to 'digitalocean/server/etc')
-rw-r--r-- | digitalocean/server/etc/cloud-init.cfg | 13 | ||||
-rw-r--r-- | digitalocean/server/etc/sshd_config | 39 |
2 files changed, 52 insertions, 0 deletions
diff --git a/digitalocean/server/etc/cloud-init.cfg b/digitalocean/server/etc/cloud-init.cfg new file mode 100644 index 0000000..8ed371c --- /dev/null +++ b/digitalocean/server/etc/cloud-init.cfg @@ -0,0 +1,13 @@ +#cloud-config + +users: + - name: ${jsonencode(user)} + lock_passwd: false + hashed_passwd: '*' + sudo: ALL=(ALL) NOPASSWD:ALL + ssh_authorized_keys: ${jsonencode(ssh_keys)} + shell: /bin/bash + +write_files: + - path: /etc/ssh/sshd_config + content: ${jsonencode(sshd_config)} diff --git a/digitalocean/server/etc/sshd_config b/digitalocean/server/etc/sshd_config new file mode 100644 index 0000000..ae08408 --- /dev/null +++ b/digitalocean/server/etc/sshd_config @@ -0,0 +1,39 @@ +Protocol 2 +Port ${port} + +# Drop idle sessions: +ClientAliveCountMax 3 +ClientAliveInterval 15 + +# Allow reverse tunnels: +GatewayPorts yes + +# Miscellaneous: +PrintMotd no + +# Hardening. +# Source: https://infosec.mozilla.org/guidelines/openssh.html + +# Only Ed25519: +HostKey /etc/ssh/ssh_host_ed25519_key + +# Only the first choices for ciphers: +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com + +# No password login: +PasswordAuthentication no +AuthenticationMethods publickey +# Whitelist users: +PermitRootLogin no +AllowGroups ${join(" ", users)} + +# Log things: +Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO + +# Whitelist accepted environment variables: +AcceptEnv LANG LC_* + +# Why the fuck would I need X11 forwarding? +X11Forwarding no |