@Igloczek
Last active May 7, 2026 18:16
Generic secure and performant Docker host cloud-init for Debian 13
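#cloud-config
# ==========================================
# Secure Docker Host Cloud-Config (Debian 13)
# ==========================================
# One-shot provisioning of a Debian 13 Docker host: key-only SSH, ufw and
# fail2ban, kernel defaults for container workloads, bounded journald and
# container logs, a 4 GB swapfile, and Docker CE from the upstream repository.
# In cloud-init's default module order, write_files runs before packages and
# runcmd runs last, so every file referenced from runcmd already exists.
package_update: true
package_upgrade: true
packages:
  - curl
  - wget
  - ufw
  - fail2ban
  - apt-transport-https
  - ca-certificates
  - gnupg
  - lsb-release
  - rclone
  - unzip
  - git
  - jq

# Keep SSH key-only from the first boot; runcmd below hardens the rest of sshd.
ssh_pwauth: false

write_files:
  # fail2ban: ban a source for one hour after 5 failed SSH logins. The systemd
  # backend reads the journal directly, so no rsyslog/auth.log is required on
  # a minimal Debian 13 image.
  - path: /etc/fail2ban/jail.local
    content: |
      [sshd]
      enabled = true
      port = ssh
      filter = sshd
      backend = systemd
      maxretry = 5
      bantime = 3600
      mode = aggressive

  # Kernel defaults for common container workloads: Redis forks/snapshots
  # (overcommit), lower swappiness for build-time memory spikes, and a larger
  # listen backlog. Applied by `sysctl --system` in runcmd.
  - path: /etc/sysctl.d/99-docker-redis-performance.conf
    content: |
      vm.overcommit_memory=1
      vm.swappiness=20
      vm.vfs_cache_pressure=100
      net.core.somaxconn=4096

  # Disable transparent huge pages. Each write is guarded so the script is a
  # no-op on kernels without THP; the trailing `exit 0` keeps the oneshot unit
  # from being reported as failed when the last guard evaluates false.
  - path: /usr/local/sbin/disable-thp
    permissions: "0755"
    content: |
      #!/bin/sh
      [ -w /sys/kernel/mm/transparent_hugepage/enabled ] && echo never > /sys/kernel/mm/transparent_hugepage/enabled
      [ -w /sys/kernel/mm/transparent_hugepage/defrag ] && echo never > /sys/kernel/mm/transparent_hugepage/defrag
      exit 0

  # Runs the script above early in boot and before dockerd starts.
  - path: /etc/systemd/system/disable-thp.service
    content: |
      [Unit]
      Description=Disable Transparent Huge Pages
      DefaultDependencies=no
      After=sysinit.target local-fs.target
      Before=docker.service

      [Service]
      Type=oneshot
      ExecStart=/usr/local/sbin/disable-thp
      RemainAfterExit=yes

      [Install]
      WantedBy=multi-user.target

  # Cap the journal on disk and in RAM, keep a week of history, and pin the
  # per-service rate limit explicitly.
  - path: /etc/systemd/journald.conf.d/99-docker-host-limits.conf
    content: |
      [Journal]
      SystemMaxUse=512M
      RuntimeMaxUse=128M
      MaxRetentionSec=7day
      RateLimitIntervalSec=30s
      RateLimitBurst=10000

  # dockerd defaults, written before Docker is installed (the docker-ce package
  # does not ship its own daemon.json, so this one stays in effect).
  # - builder.gc bounds the BuildKit cache at 8 GB.
  # - default-address-pools hands out /24 user networks from 10.0.0.0/8;
  #   change `base` if the VPS private network already uses that range.
  # - live-restore keeps containers running across dockerd restarts/upgrades.
  # - log-opts caps each container at 3 x 10 MB of json-file logs.
  # Hardening option to consider when no image relies on setuid binaries:
  #   "no-new-privileges": true
  - path: /etc/docker/daemon.json
    content: |
      {
        "builder": {
          "gc": {
            "enabled": true,
            "defaultKeepStorage": "8GB"
          }
        },
        "default-address-pools": [
          {
            "base": "10.0.0.0/8",
            "size": 24
          }
        ],
        "live-restore": true,
        "log-driver": "json-file",
        "log-opts": {
          "max-size": "10m",
          "max-file": "3"
        }
      }

runcmd:
  # --- 1. SSH hardening ---
  # Root login is allowed only with SSH keys. Password auth and PAM login are
  # disabled. '*' disables root's password without flagging the account as
  # locked ('!'), which sshd refuses even for key logins once UsePAM is off.
  # Note: Debian's sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`
  # and the first value of a keyword wins, so a drop-in there overrides these edits.
  - usermod -p '*' root
  - sed -i 's/^#*UsePAM.*/UsePAM no/' /etc/ssh/sshd_config
  - sed -i 's/^#*PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
  - sed -i 's/^#*PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
  - sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
  # Validate the config first so a bad edit leaves the running sshd intact
  # instead of locking you out.
  - sshd -t && systemctl restart sshd

  # --- 2. Firewall and brute-force protection ---
  # Only SSH, HTTP and HTTPS are reachable. Caveat: Docker manages its own
  # iptables chains ahead of ufw's, so a port published with `-p 8080:80` is
  # reachable from outside despite `default deny incoming`; publish internal
  # services on loopback instead (e.g. `-p 127.0.0.1:6379:6379`).
  - ufw default deny incoming
  - ufw default allow outgoing
  - ufw allow ssh
  - ufw allow 80/tcp
  - ufw allow 443/tcp
  - ufw --force enable
  - systemctl enable fail2ban
  - systemctl restart fail2ban

  # --- 3. Docker host performance defaults ---
  # These settings cover common container workloads: Redis forks/snapshots,
  # build-time memory spikes, bounded logs, and lower risk of memory-pressure
  # cache thrashing on small VPS instances.
  - sysctl --system
  - systemctl daemon-reload
  - systemctl enable --now disable-thp.service
  # 4 GB swapfile; dd is the fallback where fallocate cannot produce a usable
  # swapfile. chmod runs before mkswap so the file is never world-readable.
  - fallocate -l 4G /swapfile || dd if=/dev/zero of=/swapfile bs=1M count=4096
  - chmod 600 /swapfile
  - mkswap /swapfile
  - swapon /swapfile
  - grep -qE '^/swapfile\s+none\s+swap\s' /etc/fstab || echo '/swapfile none swap sw 0 0' >> /etc/fstab
  - systemctl restart systemd-journald

  # --- 4. Docker installation ---
  # Install Docker CE and the Compose/Buildx plugins from the official Debian
  # repository, with apt pinned to the upstream signing key. Root needs no
  # docker group membership to use the socket, so none is added.
  - install -m 0755 -d /etc/apt/keyrings
  - curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
  - chmod a+r /etc/apt/keyrings/docker.asc
  - echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
  - apt-get update
  # Non-interactive so a debconf prompt cannot stall the unattended install.
  - DEBIAN_FRONTEND=noninteractive apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
  - systemctl enable --now docker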