cloud-config
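#cloud-config
# Bootstraps a fresh machine: installs Python, builds an isolated venv for
# Ansible, then hands over to ansible-pull, which fetches and applies the
# playbook kept in this same gist.
package_update: true
package_upgrade: true
packages:
  - git
  - python3
  - python3-venv
runcmd:
  # ------------------------------------------------------------------
  # 1. Build a clean virtual-env and install Ansible in it
  # ------------------------------------------------------------------
  - python3 -m venv /opt/ansible-venv
  - /opt/ansible-venv/bin/pip install --upgrade pip wheel
  # NOTE(review): unpinned — the node gets whatever "ansible" PyPI serves at
  # boot time. Pin a version here for reproducible (and reviewable) builds.
  - /opt/ansible-venv/bin/pip install ansible
  # ------------------------------------------------------------------
  # 2. Pull & apply playbook
  # ------------------------------------------------------------------
  # The command is a single folded scalar, so the comments MUST stay out
  # here: a "#" inside a block scalar is literal text, and the shell would
  # treat everything from the first "#" onward as a comment — silently
  # dropping -c, --limit and the playbook name.
  #   -U              repository to pull
  #   -i "localhost," explicit inventory (trailing comma = inline host list)
  #   -c local        connect locally, no SSH
  #   --limit         bound host pattern so 'all' resolves to this host
  #   playbook.yml    playbook path, goes LAST
  - >-
    /opt/ansible-venv/bin/ansible-pull
    -U https://gist.github.com/440784727dfc37ca7d47bffb1b5480b0.git
    -i "localhost,"
    -c local
    --limit localhost
    playbook.yml
final_message: "✅ cloud-init finished → ansible-pull applied → machine ready."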
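---
# Applied on the node itself by ansible-pull (see the cloud-config): creates
# the admin user, hardens sshd to key-only access, enables UFW and fail2ban,
# and turns on unattended upgrades.
- hosts: all
  become: true
  vars:
    ssh_pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpfLWoQYceT2v5XcVxX1MII1xNK8FUICIkm7oVXMFdH"

  pre_tasks:
    - name: Update apt cache
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 3600

  tasks:
    - name: Install required packages
      ansible.builtin.apt:
        name:
          - zsh
          - tmux
          - mosh
          - ufw
          - fail2ban
          - unattended-upgrades
        state: latest

    - name: Create user “niels” with zsh and SSH key
      ansible.builtin.user:
        name: niels
        shell: /usr/bin/zsh
        groups: sudo
        append: true
        create_home: true
        # '*' is not a valid hash, so no password can ever match: the account
        # is reachable by SSH key only.
        password: '*'
      register: niels_user

    - name: Add SSH authorized key for niels
      ansible.posix.authorized_key:
        user: niels
        key: "{{ ssh_pubkey }}"
        state: present

    - name: Disable password-based SSH and root login
      ansible.builtin.blockinfile:
        path: /etc/ssh/sshd_config
        # Insert at the TOP, not the default EOF: sshd keeps the first value
        # it sees for a directive, and the stock file begins with
        # "Include /etc/ssh/sshd_config.d/*.conf". A block appended at the
        # end would lose to any drop-in there (cloud-init writes one), and
        # password auth could silently stay enabled — verify on the target.
        insertbefore: BOF
        # NOTE(review): on OpenSSH >= 8.2 "ClientAliveCountMax 0" disables
        # idle disconnection entirely rather than enforcing a timeout.
        block: |
          PermitRootLogin no
          PasswordAuthentication no
          ChallengeResponseAuthentication no
          UseDNS no
          ClientAliveInterval 300
          ClientAliveCountMax 0
          AllowTcpForwarding yes
          X11Forwarding no
        marker: "# {mark} ANSIBLE HARDENING"
        # Refuse to install a config sshd cannot parse; a broken sshd_config
        # plus the restart below would lock us out of the machine.
        validate: /usr/sbin/sshd -t -f %s
      # Restart only when the block actually changed (handler runs at end of
      # play) instead of unconditionally on every run.
      notify: restart ssh

    - name: Reset UFW to installation defaults
      community.general.ufw:
        state: reset

    # "default" takes a policy (allow/deny/reject) and "direction" selects the
    # chain; the original passed the whole loop item dict as the policy,
    # which is not a valid value.
    - name: Configure UFW default policies
      community.general.ufw:
        direction: "{{ item.direction }}"
        default: "{{ item.policy }}"
      loop:
        - direction: incoming
          policy: deny
        - direction: outgoing
          policy: allow

    - name: Allow SSH via UFW
      community.general.ufw:
        rule: allow
        name: OpenSSH

    - name: Allow mosh ports via UFW
      community.general.ufw:
        rule: allow
        # Quoted: a colon-separated port range must reach ufw as a string.
        port: "60000:60010"
        proto: udp

    - name: Enable UFW
      community.general.ufw:
        state: enabled

    - name: Ensure fail2ban is running & enabled
      ansible.builtin.service:
        name: fail2ban
        state: started
        enabled: true

    - name: Enable unattended-upgrades
      ansible.builtin.dpkg_selections:
        name: unattended-upgrades
        selection: install

    # The former "args: warn: false" is gone: the command module's "warn"
    # option was removed in ansible-core 2.14, and the venv installs the
    # latest ansible, so it would fail as an unsupported parameter.
    - name: Auto-reconfigure unattended-upgrades
      ansible.builtin.command: dpkg-reconfigure -f noninteractive unattended-upgrades

  handlers:
    - name: restart ssh
      ansible.builtin.service:
        name: ssh
        state: restarted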