2 files changed, 52 insertions, 0 deletions

diff --git a/digitalocean/server/etc/cloud-init.cfg b/digitalocean/server/etc/cloud-init.cfg
new file mode 100644
index 0000000..8ed371c
--- /dev/null
+++ b/digitalocean/server/etc/cloud-init.cfg
@@ -0,0 +1,13 @@
+#cloud-config
+
+users:
+  - name: ${jsonencode(user)}
+    lock_passwd: false
+    hashed_passwd: '*'
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    ssh_authorized_keys: ${jsonencode(ssh_keys)}
+    shell: /bin/bash
+
+write_files:
+  - path: /etc/ssh/sshd_config
+    content: ${jsonencode(sshd_config)}
diff --git a/digitalocean/server/etc/sshd_config b/digitalocean/server/etc/sshd_config
new file mode 100644
index 0000000..ae08408
--- /dev/null
+++ b/digitalocean/server/etc/sshd_config
@@ -0,0 +1,39 @@
+Protocol 2
+Port ${port}
+
+# Drop idle sessions:
+ClientAliveCountMax 3
+ClientAliveInterval 15
+
+# Allow reverse tunnels:
+GatewayPorts yes
+
+# Miscellaneous:
+PrintMotd no
+
+# Hardening.
+# Source: https://infosec.mozilla.org/guidelines/openssh.html
+
+# Only Ed25519:
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Only the first choices for ciphers:
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+
+# No password login:
+PasswordAuthentication no
+AuthenticationMethods publickey
+# Whitelist users:
+PermitRootLogin no
+AllowGroups ${join(" ", users)}
+
+# Log things:
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
+
+# Whitelist accepted environment variables:
+AcceptEnv LANG LC_*
+
+# Why the fuck would I need X11 forwarding?
+X11Forwarding no