Cloud init for Hetzner Alamos instance
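#cloud-config
# Cloud-init for a Hetzner Debian instance: German locale/keyboard, one
# unprivileged admin account, SSH hardening (fail2ban + ufw, sshd on 2222)
# and Docker from the upstream apt repository. Runs once at first boot.
locale: de_DE.UTF-8
keyboard:
  layout: de
  variant: ""
  model: pc105

write_files:
  - path: /etc/default/locale
    content: |
      LANG=de_DE.UTF-8
      LANGUAGE=de_DE:de
      LC_ALL=de_DE.UTF-8

users:
  - name: user
    groups: users, admin
    # Passwordless sudo; the account is only reachable with the SSH key
    # copied from root further down (password logins are disabled in sshd).
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/zsh

packages:
  - zsh
  - fail2ban
  - ufw
  - tree
  - git
  - curl
  - neovim
  - wget
  - unzip

package_update: true
package_upgrade: true

runcmd:
  # Configure German locale and keyboard
  - sed -i 's/^# de_DE.UTF-8 UTF-8/de_DE.UTF-8 UTF-8/' /etc/locale.gen
  - locale-gen de_DE.UTF-8
  - update-locale LANG=de_DE.UTF-8
  - setupcon
  # Install oh-my-zsh for root and user.
  # NOTE(review): this runs an unpinned installer fetched from the upstream
  # "master" branch in a root shell; pin a commit/tag or vendor the script if
  # supply-chain exposure matters for this host.
  - sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended
  - sed -i 's/robbyrussell/agnoster/' /root/.zshrc
  - runuser -l user -c 'sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended'
  - sed -i 's/robbyrussell/agnoster/' /home/user/.zshrc
  - cp -r /home/user/.oh-my-zsh /etc/skel/
  - cp /home/user/.zshrc /etc/skel/
  # Harden SSH.
  # fail2ban's sshd jail defaults to port "ssh" (22); sshd is moved to 2222
  # below, so the jail needs the new port or its bans never cover the
  # listening socket.
  - |
    cat <<EOF > /etc/fail2ban/jail.local
    [sshd]
    enabled = true
    port = 2222
    banaction = iptables-multiport
    EOF
  - systemctl enable fail2ban
  - ufw allow 2222
  # --force answers ufw's "may disrupt existing ssh connections" prompt,
  # which would otherwise have no terminal to read from under cloud-init.
  - ufw --force enable
  # Each sed rewrites the first matching directive whether it is commented
  # out or not.
  - sed -i -e '/^\(#\|\)PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)Port/s/^.*$/Port 2222/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)KbdInteractiveAuthentication/s/^.*$/KbdInteractiveAuthentication no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)ChallengeResponseAuthentication/s/^.*$/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
  # OpenSSH's default is 6; 10 is deliberately more permissive here.
  - sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 10/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
  # Appended at end of file. NOTE(review): confirm the image's sshd_config
  # has no trailing Match block, otherwise this line lands inside it.
  - sed -i '$a AllowUsers user' /etc/ssh/sshd_config
  # Copy preset SSH keys (via Hetzner Cloud UI) from root to user
  - mkdir -p /home/user/.ssh
  - cp /root/.ssh/authorized_keys /home/user/.ssh/authorized_keys
  - chown -R user:user /home/user/.ssh
  - chmod 0700 /home/user/.ssh
  - chmod 0600 /home/user/.ssh/authorized_keys
  # Allow HTTPS traffic
  - ufw allow 443
  # Install prerequisites for Docker
  - apt install -y ca-certificates curl
  # Add Docker's official GPG key
  - install -m 0755 -d /etc/apt/keyrings
  - curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
  - chmod a+r /etc/apt/keyrings/docker.asc
  # Add Docker's repository; signed-by restricts it to the key fetched above
  - echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo $VERSION_CODENAME) stable" > /etc/apt/sources.list.d/docker.list
  # Install Docker and Docker Compose plugin. -y is required: runcmd has no
  # terminal, so apt's confirmation prompt would abort the install.
  - apt update
  - apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
  # Enable Docker on boot
  - systemctl enable docker
  - systemctl start docker
  # Add user to the docker group (-f: succeed if the package already created
  # it). Membership in this group is root-equivalent on the host.
  - groupadd -f docker
  - usermod -aG docker user
  # Configure max log size for docker logs (applied when dockerd restarts
  # after the reboot below)
  - |
    cat <<EOF > /etc/docker/daemon.json
    {
      "log-driver": "local",
      "log-opts": {
        "max-size": "10m",
        "max-file": "3"
      }
    }
    EOF
  # Validate the edited sshd_config before rebooting; a non-zero exit here
  # ends up in cloud-init's output log instead of a locked-out host.
  - sshd -t
  - reboot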