#cloud-config
package_update: true
package_upgrade: true
packages:
  - git
  - curl
  - unzip
  - python3
  - python3-venv
  - ufw
  - vim

users:
  - name: admin
    groups: [sudo]
    shell: /bin/bash
    sudo: "ALL=(ALL) NOPASSWD:ALL"
ssh_pwauth: false
disable_root: true

write_files:
  - path: /etc/ssh/sshd_config.d/10-hardening.conf
    permissions: "0644"
    content: |
      PasswordAuthentication no
      PermitRootLogin no
      PubkeyAuthentication yes

  - path: /usr/local/bin/railliance-bootstrap.sh
    permissions: "0755"
    content: |
      #!/usr/bin/env bash
      set -euo pipefail

      # Basic firewall
      ufw default deny incoming
      ufw default allow outgoing
      ufw allow OpenSSH
      ufw --force enable

      systemctl restart ssh

runcmd:
  - [ bash, -c, "/usr/local/bin/railliance-bootstrap.sh > /var/log/railliance-bootstrap.log 2>&1" ]