#cloud-config
users:
  - name: seph
    groups: users, admin
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    ssh_authorized_keys:
      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDmPtQJE/7pAhEnM9QgGUlAvtXu1Wxs/GlQOij43xjhOhc5gT5fKDk1N+y4EeLysP9J8mPBWYiUGDTN/YpNXluBFWjyseixLVYUdfmlky2BJKI4igtc4JCxE8wTPZAvZTq+xV8fO0cbYjhJEMiPTKmzZy3qul63iP29Ucu2++agoeqA/ITWpLD+PEKz5aHfqI+usumKMVJw4uvSE0+5ZqF4QtF7QNpppWZieYgaekBLdAeBBmqUeRMycNZer0XHWmXhiu393sW9+hKK1eqiadekMk8ahY2EOZTKn4Sai+uxdFC9UIlU214mVReoHrkNz7J1cs8vDmhbsAvgTElsvYM+hEOcQ1Tb4MGM14hY/XWxVzPG++lfko/LeFHyBIYzUPolsZ5Z63SKQejMtFw6u7t/ntrHuwRReaWu3rAUyU7WG9MjXm9ECNsaQdKuXs1/lhvjFiD7MnwJS8EoGzCIyWLudmF1tqHTCu7HZ9dvJwniKcVHn7eF9YLtf8FVxz+f4ak=
packages:
  - fail2ban
  - ufw
package_update: true
package_upgrade: true
runcmd:
  - printf "[sshd]\nenabled = true\nbanaction = iptables-multiport" > /etc/fail2ban/jail.local
  - systemctl enable fail2ban
  - ufw allow OpenSSH
  - ufw enable
  - sed -i -e '/^\(#\|\)PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)KbdInteractiveAuthentication/s/^.*$/KbdInteractiveAuthentication no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)ChallengeResponseAuthentication/s/^.*$/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 2/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
  - sed -i '$a AllowUsers seph' /etc/ssh/sshd_config
  - reboot