#cloud-config
# CLOUD_IMG: This file was created/modified by the Cloud Image build process

# NOTE(review): tokens such as targetLinuxMirror, HostName, TimeZone, tmpWORD,
# networkAdapter, IPv4/ipPrefix, GATE, ipDNS1 and ipDNS2 look like placeholders
# that are substituted before first boot; they are kept verbatim and unquoted.
# Confirm how the generator escapes substituted values: a value containing
# ": ", " #" or a leading YAML indicator would change how its line parses.

# Configure cloud-init for the NoCloud datasource.
# Kept as a one-line flow sequence, exactly as the build process wrote it.
datasource_list: [ NoCloud, None ]

# Configure the package repositories.
# The mirrors are plain http://, so package integrity rests on apt's signature
# verification of the repository metadata rather than on the transport.
system_info:
  package_mirrors:
    - arches: [i386, amd64]
      failsafe:
        primary: http://targetLinuxMirror/ubuntu
        security: http://security.ubuntu.com/ubuntu
    - arches: [arm64, armel, armhf]
      failsafe:
        primary: http://targetLinuxMirror/ubuntu-ports
        security: http://targetLinuxMirror/ubuntu-ports

# Configure the hostname.
hostname: HostName

# Configure localization.
locale: en_US.UTF-8

# Configure the timezone.
timezone: TimeZone

# Configure the root user: the account password is left unlocked.
users:
  - name: root
    lock_passwd: false
    shell: /bin/bash

# Root password, supplied in clear text (type: text) and set not to expire.
# Both the `list` form and the `users` form are given, presumably so that
# older and newer cloud-init releases each find a form they understand.
# NOTE(review): the password is readable by anything that can read this file
# until the last runcmd step deletes the cloud-init config file. Check whether
# cloud-init keeps a copy in its own state or logs, and rotate the password
# after first login.
chpasswd:
  expire: false
  list: |
    root:tmpWORD
  users:
    - name: root
      password: tmpWORD
      type: text

# Configure the network (static IPv4).
# Adding "on-link: true" to every entry under "routes" (the gateway) in the
# netplan config is recommended: otherwise netplan checks whether the gateway
# lies inside the address/prefix range, and if it does not, the network cannot
# work normally.
# "on-link: true" is only strictly necessary for irregular IPv4 setups (a
# public IPv4 address with a private IPv4 gateway, or a public gateway from a
# different class A network than the address), but it does not affect normal
# IPv4 configurations.
# So, to stay usable across the widest range of network environments, "on-link"
# is added to every manually configured route in the cloud-init files.
# Reference: https://netplan.readthedocs.io/en/latest/netplan-yaml/#default-routes
network:
  version: 2
  ethernets:
    networkAdapter:
      dhcp4: false
      addresses: [IPv4/ipPrefix]
      routes:
        - to: default
          via: GATE
          on-link: true
      nameservers:
        addresses: [ipDNS1, ipDNS2]

# later commands
# Replace ssh port, permit root user login by password, enable sshd service.
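# Disable the "pending kernel upgrade" restart prompt:
#   https://askubuntu.com/questions/1349884/how-to-disable-pending-kernel-upgrade-message
# Disable and remove snap permanently: https://sysin.org/blog/ubuntu-remove-snap/
# Install some common components.
# Configure vim to be more convenient to use.
# Rename the netplan config file.
# Configure fail2ban.
# Delete the cloud-init config file itself and disable cloud-init permanently
# after the first execution.
runcmd:
  # sshd: set the listening port, allow root login and password authentication,
  # then enable and restart the service.
  # NOTE(review): these edits touch only /etc/ssh/sshd_config. If the image's
  # sshd_config includes /etc/ssh/sshd_config.d/*.conf, a drop-in there can
  # take precedence; check the effective values with `sshd -T` after first
  # boot. Root password login is reachable from the network once this runs, so
  # consider moving to key-based login (PermitRootLogin prohibit-password)
  # after provisioning.
  - sed -ri 's/^#?Port.*/Port sshPORT/g' /etc/ssh/sshd_config
  - sed -ri 's/^#?PermitRootLogin.*/PermitRootLogin yes/g' /etc/ssh/sshd_config
  - sed -ri 's/^#?PasswordAuthentication.*/PasswordAuthentication yes/g' /etc/ssh/sshd_config
  - update-rc.d ssh enable
  - /etc/init.d/ssh restart

  # needrestart: uncomment the restart setting and switch it from 'i' to 'a',
  # and uncomment "kernelhints = -1".
  - sed -i 's/#$nrconf{restart} = '"'"'i'"'"';/$nrconf{restart} = '"'"'a'"'"';/g' /etc/needrestart/needrestart.conf
  - sed -i "s/#\$nrconf{kernelhints} = -1;/\$nrconf{kernelhints} = -1;/g" /etc/needrestart/needrestart.conf

  # snap: remove lxd, the first "coreNN" snap listed, then snapd itself, and
  # pin the snapd package to a negative priority so apt does not reinstall it.
  - snap remove lxd
  - snap remove $(snap list | grep "core[0-9]" | head -n 1 | awk '{print $1}')
  - snap remove snapd
  - apt autoremove --purge snapd -y
  - rm -rf /etc/apt/preferences.d/no-snapd.pref
  # These three items are quoted on purpose: written as plain scalars, the ": "
  # inside each command makes YAML read the item as a one-key mapping instead
  # of a command string, and runcmd items must be strings or lists.
  - "echo 'Package: snapd' > /etc/apt/preferences.d/no-snapd.pref"
  - "echo 'Pin: release a=*' >> /etc/apt/preferences.d/no-snapd.pref"
  - "echo 'Pin-Priority: -10' >> /etc/apt/preferences.d/no-snapd.pref"

  # Install some common components.
  - apt update -y
  - apt install dnsutils fail2ban file lrzsz net-tools traceroute unzip vim wget xz-utils -y

  # vim: turn off vi-compatible mode and make backspace behave as expected.
  - sed -ri 's/set compatible/set nocompatible/g' /etc/vim/vimrc.tiny
  - sed -ri '/set nocompatible/a\set backspace=2' /etc/vim/vimrc.tiny

  # netplan: rename the config file generated by cloud-init and apply it.
  - mv /etc/netplan/50-cloud-init.yaml /etc/netplan/20-netcfg.yaml
  - netplan apply

  # fail2ban: add "allowipv6 = auto" under [Definition], use the systemd
  # backend, then enable and restart the service.
  # NOTE(review): nothing here sets the port of the sshd jail. If sshPORT is
  # not 22 and the jail keeps its packaged default port, bans may not cover the
  # port sshd actually listens on; confirm with `fail2ban-client status sshd`
  # and the resulting firewall rules.
  - sed -i '/\[Definition\]/a allowipv6 = auto' /etc/fail2ban/fail2ban.conf
  - sed -ri 's/backend.*/backend = systemd/g' /etc/fail2ban/jail.conf
  - update-rc.d fail2ban enable
  - /etc/init.d/fail2ban restart

  # Delete the cloud-init config file and disable cloud-init for later boots.
  - rm -rf /etc/cloud/cloud.cfg.d/99-fake_cloud.cfg
  - touch /etc/cloud/cloud-init.disabled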