cloudCfg

cloud_init.md

#cloud-config
users:
  - name: USERNAME
    ssh_authorized_keys:
      - "ssh-ed25519 SSH_KEY PUB"
    sudo: ALL=(ALL:ALL) ALL
    groups: sudo
    shell: /bin/bash
chpasswd:
  expire: true
  users:
    - name: USERNAME
      password: PASSWORD
      type: text
runcmd:
  - sed -i '/PermitRootLogin/d' /etc/ssh/sshd_config
  - echo "PermitRootLogin without-password" >> /etc/ssh/sshd_config
  - sed -i '/PubkeyAuthentication/d' /etc/ssh/sshd_config
  - echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
  - sed -i '/PasswordAuthentication/d' /etc/ssh/sshd_config
  - echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
  - systemctl restart sshd
  - echo "\$nrconf{kernelhints} = -1;" > /etc/needrestart/conf.d/99disable-prompt.conf
  - apt update
  - apt upgrade -y --allow-downgrades --allow-remove-essential --allow-change-held-packages
  - reboot

cloud-init

hetzner.md

0. generate ssh key

• ssh-keygen -t ed25519
• name file, save

1. Setup server, wait for pass
2. SSH into server

• useradd -m -U -s /bin/bash -G sudo USERNAME
• passwd PASSWORD

3. Install anything that might require root
4. Edit sshd_config

• sudo vi /etc/ssh/sshd_config or sudo nano /etc/ssh/sshd_config
• change PermitRootLogin yes to no
• add AllowUsers USER1 USER2 USERetc enable user for SSH
• MaxAuthTries set to 2
• AllowTcpForwarding no - Disables port forwarding.
• X11Forwarding no - Disables remote GUI view.
• AllowAgentForwarding no - Disables the forwarding of the SSH login.
• AuthorizedKeysFile .ssh/authorized_keys - The .ssh/authorized_keys2 file should be removed.
• save and exit: :wq or
• :q! exit without save

5. Apply settings

• ssh -t to test for errors
• systemctl restart ssh - if no errors restart SSH service

more on hetzner