devops: cloud-init

.github/workflows/lint.yaml

@@ -0,0 +1,13 @@
+name: Formatting & linting
+on: pull_request
+permissions:
+  contents: read
+jobs:
+  cloud-init:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        # We don't need to install cloud-init as it's already available.
+      - name: Lint cloud-init
+        run: sudo cloud-init schema -c cloud-config.yaml --annotate

README.md

@@ -0,0 +1,11 @@
+# Website
+
+## `cloud-init`
+
+`cloud-config.yaml` declares the configuration to initialize a compute instance on DigitalOcean via `cloud-init`, performing the following operations:
+
+* Updating `apt`, installing `nginx`.
+* Creating `luke` user.
+* Standard server hardening (disabling `ssh` for `root`, etc).
+
+This configuration is then linted via GitHub Actions.

cloud-config.yaml

@@ -0,0 +1,33 @@
+#cloud-config
+# vim: syntax=yaml
+
+# Arrive at a maximally up-to-date system state
+package_update: true
+package_upgrade: true
+package_reboot_if_required: true
+
+# Install the following packages on first boot.
+packages:
+  - nginx
+
+timezone: Etc/UTC
+
+groups:
+  - cloud-users
+
+users:
+  - name: luke
+    gecos: Luke
+    shell: /bin/bash
+    groups: [sudo, admin, cloud-users]
+    # Disable password login.
+    lock_passwd: true
+    chpasswd: { expire: true }
+    ssh_authorized_keys:
+      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE46x4l8eJC7MOkf0n0GIe0HR37l8SDLgfKtJSrWGuf9 LukesEd22519SSHKey
+
+runcmd:
+  # https://www.linode.com/docs/guides/manage-users-with-cloud-init/#disable-root-user
+  - sed -i '/PermitRootLogin/d' /etc/ssh/sshd_config
+  - echo "PermitRootLogin no" >> /etc/ssh/sshd_config
+  - systemctl restart sshd

nginx.conf

@@ -0,0 +1,9 @@
+server {
+        listen 80;
+        server_name luke.kiwi;
+        root /wwwroot/website;
+
+        location / {
+                index index.html;
+        }
+}