
Untitled

a guest
Feb 6th, 2016
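  #cloud-config
  #
  # Creates a new user named "vpn" with password-less sudo capabilities.
  # SSH is available on port 4444 (key-based login for "vpn" only).
  # OpenVPN is configured automatically and the client profile is made
  # available at /home/vpn/client.ovpn.
  # Transfer using scp like so:
  # scp -P 4444 vpn@IPADDRESS:/home/vpn/client.ovpn client.ovpn

  # Apply pending package upgrades on first boot.
  package_upgrade: true
  packages:
    - fail2ban
    - curl
  users:
    - name: vpn
      ssh-authorized-keys:
        # Replace the placeholder with the full public key line. It is quoted so
        # that YAML reads it as a string rather than as a nested flow sequence.
        - '[PUT PUBLIC KEY HERE FROM ~/.ssh/id_rsa.pub]'
      # NOTE(review): NOPASSWD:ALL means possession of the SSH private key is the
      # only barrier to root on this host. Protect that key with a passphrase.
      sudo: ['ALL=(ALL) NOPASSWD:ALL']
      groups: sudo
      shell: /bin/bash
  write_files:
    - path: /etc/fail2ban/jail.local
      content: |
        [DEFAULT]
        # Ban hosts for one hour:
        bantime = 3600
        #
        # Override /etc/fail2ban/jail.d/00-firewalld.conf:
        banaction = iptables-multiport
        #
        [sshd]
        enabled = true
        port = 4444
        logpath = %(sshd_log)s
  runcmd:
    # Configure SSH and fail2ban.
    # NOTE(review): the two substitutions below only rewrite lines that already
    # start with "Port" / "PermitRootLogin". If the image ships them commented
    # out ("#Port 22"), nothing changes and sshd stays on its default port while
    # fail2ban watches 4444. Verify against the target image's sshd_config.
    - sed -i -e '/^Port/s/^.*$/Port 4444/' /etc/ssh/sshd_config
    - sed -i -e '/^PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
    # Restrict SSH logins to the "vpn" account.
    - sed -i -e '$aAllowUsers vpn' /etc/ssh/sshd_config
    - sed -i -e '$anospoof on' /etc/host.conf
    - service ssh restart
    - service fail2ban restart
    # Install OpenVPN.
    # The installer is fetched over HTTPS with certificate verification left on.
    # With --no-check-certificate, anyone able to intercept the connection could
    # substitute the script, which is then executed as root.
    # NOTE(review): this still runs an unpinned remote script as root. Prefer a
    # URL pinned to a reviewed commit and verify a checksum before executing:
    #   echo '<EXPECTED_SHA256>  openvpn-install.sh' | sha256sum -c -
    - wget https://git.io/vgZyn -O openvpn-install.sh && bash openvpn-install.sh
    - cp /root/client.ovpn /home/vpn/client.ovpn
    # The profile presumably embeds the client's private key: hand it to the
    # "vpn" user (so the scp above can read it) and keep it unreadable to others.
    - chown vpn /home/vpn/client.ovpn
    - chmod 600 /home/vpn/client.ovpn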