The configs below are all separate. Pick what you need; there is a combined sample script at the bottom.
- Set Timezone and Locale: Configure the system's timezone and locale to match your geographic location and preferred language settings.
  ```yaml
  timezone: "Etc/UTC"
  locale: "en_US.UTF-8"
  ```
- Create Users and Groups: You can create additional users, assign them to groups, and set up their SSH keys.
  ```yaml
  users:
    - name: exampleuser
      groups: [sudo, docker]
      shell: /bin/bash
      # NOPASSWD gives this account passwordless root; drop it if sudo should prompt
      sudo: ['ALL=(ALL) NOPASSWD:ALL']
      ssh_authorized_keys:
        - ssh-rsa AAAAB3Nza...
  ```
- Install Additional Packages: Install packages that you know you'll need on the system.
  ```yaml
  packages:
    - htop
    - git
    - curl
    - vim
  ```
- Run Custom Scripts: Execute custom shell scripts to perform tasks that are not covered by cloud-init's built-in modules.
  ```yaml
  runcmd:
    - [ sh, -c, "echo 'Custom script commands here'" ]
  ```
- Configure Firewall: Set up basic firewall rules using `ufw` or another firewall tool.
  ```yaml
  # ufw is not in a minimal Debian image: list it under packages: so it exists when runcmd runs
  runcmd:
    - ufw allow 22/tcp   # allow SSH before enabling so you do not lock yourself out
    - ufw allow 80/tcp
    - ufw allow 443/tcp
    - ufw enable
  ```
- Disable Root SSH Login: For security reasons, it's a good practice to disable SSH login for the root user.
  ```yaml
  ssh_pwauth: false    # turns off SSH password authentication; keys only
  disable_root: true   # blocks SSH login as root
  ```
- Configure Hostname and Hosts File: Set the system's hostname and update the `/etc/hosts` file accordingly.
  ```yaml
  hostname: myserver
  manage_etc_hosts: true
  ```
- Set Up Network Configuration: If you need to configure static IP addresses or other network settings.
  ```yaml
  # Note: cloud-init does not take network settings from user-data; supply this block
  # as a separate network-config (for example the NoCloud network-config file) instead.
  network:
    version: 2
    ethernets:
      eth0:
        dhcp4: true
  ```
- Update and Upgrade Handling: You can configure how often unattended upgrades should run, which can help keep your system secure.
  ```yaml
  package_update: true
  package_upgrade: true
  package_reboot_if_required: true
  # Note: cloud-init has no unattended_upgrades module, so this key is not acted on.
  # Install the unattended-upgrades package and write its /etc/apt/apt.conf.d file instead.
  unattended_upgrades:
    enable: true
    blacklist:
      - nginx
      - mysql-server
  ```
- Configure System Services: Enable or disable system services to start on boot.
  ```yaml
  # Note: cloud-init has no services module; use runcmd with systemctl enable/disable instead.
  services:
    enabled:
      - docker
    disabled:
      - postfix
  ```
- Mount Disks and Filesystems: If you have additional storage volumes, you can configure them to be mounted automatically.
  ```yaml
  mounts:
    - [ "LABEL=extra-storage", "/mnt/storage" ]
  ```
- Set Up Swap: If your system requires swap space, you can configure it as well.
  ```yaml
  swap:
    filename: /swapfile
    size: "1G"
    maxsize: "2G"
  ```
This is all the commands combined as an example:
```yaml
#cloud-config
# Set the timezone and locale
timezone: "Etc/UTC"
locale: "en_US.UTF-8"
# Add non-free-firmware repository, update and upgrade packages
write_files:
  - path: /etc/apt/sources.list.d/non-free-firmware.list
    content: |
      deb http://deb.debian.org/debian/ bookworm main contrib non-free-firmware
      deb-src http://deb.debian.org/debian/ bookworm main contrib non-free-firmware
# Create additional users and groups
users:
  - name: exampleuser
    groups: [sudo, docker]
    shell: /bin/bash
    # NOPASSWD gives this account passwordless root; drop it if sudo should prompt
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    ssh_authorized_keys:
      - ssh-rsa AAAAB3Nza...
# Install additional packages (ufw is needed here because runcmd calls it)
packages:
  - htop
  - git
  - curl
  - vim
  - ufw
  - docker.io
# Run custom scripts and configure firewall
runcmd:
  - apt-get update
  - apt-get upgrade -y
  - ufw allow 22/tcp   # allow SSH before enabling so you do not lock yourself out
  - ufw allow 80/tcp
  - ufw allow 443/tcp
  - ufw enable
  - [ sh, -c, "echo 'Custom script commands here'" ]
# Disable root SSH login and SSH password authentication
ssh_pwauth: false
disable_root: true
# Configure hostname and manage /etc/hosts
hostname: myserver
manage_etc_hosts: true
# Network configuration
# Note: cloud-init does not take network settings from user-data; supply this block
# as a separate network-config (for example the NoCloud network-config file) instead.
network:
  version: 2
  ethernets:
    eth0:
      dhcp4: true
# Unattended upgrades configuration
package_update: true
package_upgrade: true
package_reboot_if_required: true
# Note: cloud-init has no unattended_upgrades module, so this key is not acted on.
# Install the unattended-upgrades package and write its /etc/apt/apt.conf.d file instead.
unattended_upgrades:
  enable: true
  blacklist:
    - nginx
    - mysql-server
# Services configuration
# Note: cloud-init has no services module; use runcmd with systemctl enable/disable instead.
services:
  enabled:
    - docker
  disabled:
    - postfix
# Mount additional storage volumes
mounts:
  - [ "LABEL=extra-storage", "/mnt/storage" ]
# Set up swap space
swap:
  filename: /swapfile
  size: "1G"
  maxsize: "2G"
```
Creating a good configuration for a Debian 12 server running in production depends on the specific use case and requirements of the server. However, there are some general best practices and configurations that can be applied to create a solid foundation for a production environment. Here's an example of a cloud-init configuration that incorporates some of these practices:
```yaml
#cloud-config
# Set the timezone and locale to your preferred settings
timezone: "Etc/UTC"
locale: "en_US.UTF-8"
# Add non-free-firmware repository, update and upgrade packages
write_files:
  - path: /etc/apt/sources.list.d/non-free-firmware.list
    content: |
      deb http://deb.debian.org/debian/ bookworm main contrib non-free-firmware
      deb-src http://deb.debian.org/debian/ bookworm main contrib non-free-firmware
# Create a user with sudo privileges and no password prompt for sudo
users:
  - name: adminuser
    groups: [sudo]
    shell: /bin/bash
    # NOPASSWD gives this account passwordless root; drop it if sudo should prompt
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    ssh_authorized_keys:
      - ssh-rsa AAAAB3Nza...
# Install essential packages
packages:
  - vim
  - curl
  - git
  - unattended-upgrades
  - fail2ban
  - ufw
# Run commands to set up the system
runcmd:
  - apt-get update
  - apt-get upgrade -y
  - echo 'Unattended-Upgrade::Automatic-Reboot "true";' >> /etc/apt/apt.conf.d/50unattended-upgrades
  - ufw allow 22/tcp   # allow SSH before enabling so you do not lock yourself out
  - ufw allow 80/tcp
  - ufw allow 443/tcp
  - ufw --force enable
  - systemctl enable fail2ban
# Disable root SSH login and password authentication for SSH
ssh_pwauth: false
disable_root: true
# Configure hostname and manage /etc/hosts
hostname: production-server
manage_etc_hosts: true
# Network configuration with DHCP (adjust if static IP is needed)
# Note: cloud-init does not take network settings from user-data; supply this block
# as a separate network-config (for example the NoCloud network-config file) instead.
network:
  version: 2
  ethernets:
    eth0:
      dhcp4: true
# Configure unattended upgrades for security updates
package_update: true
package_upgrade: true
package_reboot_if_required: true
# Note: cloud-init has no unattended_upgrades module, so this key is not acted on.
# The unattended-upgrades package installed above reads /etc/apt/apt.conf.d/50unattended-upgrades,
# which already covers the Debian-Security origin; write further settings there with write_files.
unattended_upgrades:
  enable: true
  origin_patterns:
    - 'origin=Debian,codename=${distro_codename},label=Debian-Security'
# Set up swap space (adjust size as needed)
swap:
  filename: /swapfile
  size: "1G"
  maxsize: "2G"
```
Here are some explanations and best practices reflected in this configuration:
- Locale and Timezone: Set these to match your geographic location and preferred language settings.
- Non-free Firmware: Include the non-free firmware repository if your hardware requires proprietary drivers.
- User Management: Create a non-root user with sudo privileges for administrative tasks. Ensure that SSH keys are used for authentication.
- Essential Packages: Install packages that are commonly used for system administration and security.
- Unattended Upgrades: Configure automatic security updates to keep the system patched against vulnerabilities.
- Firewall (UFW): Set up basic firewall rules to allow only necessary traffic and enable the firewall.
- Fail2Ban: Install and enable Fail2Ban to protect against brute-force attacks on SSH and other services.
- SSH Configuration: Disable root login and password authentication over SSH to enhance security.
- Hostname: Set a meaningful hostname for the server and manage the `/etc/hosts` file.
- Network Configuration: Use DHCP or configure a static IP if required.
- Swap Space: Configure swap space to provide additional virtual memory if the physical RAM is exhausted.
Remember to replace placeholders like `adminuser`, the SSH public key, and `production-server` with your actual user name, SSH key, and desired hostname. Additionally, adjust the swap size and other settings to suit your server's workload and resources.
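To check a cloud-config for the points listed above before handing it to cloud-init, here is an added example (not part of the original post or of cloud-init) of a small line-based linter. It assumes the file uses unindented top-level keys as in the configs above and needs no YAML library; the `SAMPLE` document is constructed for the demo.

```python
import re
# Top-level keys that cloud-init modules actually read from user-data (the subset used on this page).
KNOWN = {"timezone", "locale", "write_files", "users", "packages", "runcmd", "ssh_pwauth", "disable_root",
         "hostname", "manage_etc_hosts", "package_update", "package_upgrade", "package_reboot_if_required", "mounts", "swap"}
# Keys that look plausible but no cloud-init user-data module consumes.
IGNORED = {"unattended_upgrades": "write /etc/apt/apt.conf.d settings via write_files instead",
           "services": "use runcmd with 'systemctl enable/disable' instead",
           "network": "supply it as network-config, not in user-data"}

def lint_cloud_config(text):
    # Returns a list of findings for a #cloud-config document (line-based, no YAML parser).
    findings, lines = [], text.splitlines()
    if not lines or lines[0].strip() != "#cloud-config":
        findings.append("header: first line must be '#cloud-config' or cloud-init ignores the file")
    top = {}
    for line in lines:
        m = re.match(r"^([A-Za-z_]\w*):\s*(.*)$", line)   # unindented 'key:' => top-level key
        if m:
            top[m.group(1)] = m.group(2).strip()
    for key in top:
        if key in IGNORED:
            findings.append(f"{key}: ignored by cloud-init; {IGNORED[key]}")
        elif key not in KNOWN:
            findings.append(f"{key}: not a cloud-config key this linter knows; run 'cloud-init schema'")
    if top.get("ssh_pwauth") != "false":
        findings.append("ssh_pwauth: SSH password authentication is not disabled")
    if top.get("disable_root") == "false":
        findings.append("disable_root: root SSH login is explicitly enabled")
    if "NOPASSWD" in text:
        findings.append("sudo: NOPASSWD grants passwordless root; drop it unless automation needs it")
    if re.search(r"^\s*-\s*ufw ", text, re.M) and not re.search(r"^\s*-\s*ufw\s*$", text, re.M):
        findings.append("runcmd: ufw is invoked but not listed under packages:")
    if re.search(r"ssh-(rsa|ed25519) \S*\.\.\.", text):
        findings.append("ssh_authorized_keys: placeholder key '...' still present")
    return findings

# Constructed sample in the shape of the combined config above (not the page's exact text).
SAMPLE = """#cloud-config
users:
  - name: exampleuser
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    ssh_authorized_keys:
      - ssh-rsa AAAAB3Nza...
runcmd:
  - ufw enable
ssh_pwauth: false
disable_root: true
unattended_upgrades: {enable: true}
services: {enabled: [docker]}
"""
```

Running `lint_cloud_config(SAMPLE)` reports the two ignored keys, the NOPASSWD grant, the missing ufw package and the placeholder key, and is silent on the ssh_pwauth and disable_root settings that are already correct.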