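---
# Juju model-config: cloud-init user data applied to every new machine in the
# model, plus the default series and the apt mirror the machines use.
cloudinit-userdata: |
  # Extra packages cloud-init installs on every machine.
  packages:
    - squashfuse
    - libopenscap8
  write_files:
    # Netplan drop-in staged under /root. preruncmd below moves it into
    # /etc/netplan on real machines and deletes it inside containers.
    - owner: root:root
      path: /root/99-post-juju.yaml
      permissions: '0644'
      content: |
        network:
          version: 2
          ethernets:
            # Empty link-local list: no link-local addressing on ens3-ens9.
            ens3:
              link-local: []
            ens4:
              link-local: []
            ens5:
              link-local: []
            ens6:
              link-local: []
            ens7:
              link-local: []
            ens8:
              link-local: []
            ens9:
              link-local: []
    # Input file for the CIS hardening script run in preruncmd. Root-only
    # (0600) rather than 0644: the file is designed to carry the grub password
    # hash (grub_hash=) and is read only by the sudo-run hardening script, so
    # there is no reason for it to be world-readable in /tmp.
    - owner: root:root
      path: /tmp/cis-hardening.conf
      permissions: '0600'
      content: |
        # Hash created by grub-mkpasswd-pbkdf2 to set grub password. If empty, grub password
        # is not set.
        # (CIS rule 1.4.2)
        grub_hash=
        # Grub user set for authentication
        grub_user=root
        # Time synchronization service selected (ntp or chrony - if empty, none will be installed)
        # (CIS rule 2.2.1.1-2.2.1.3)
        time_sync_svc=
        time_sync_addr=
        # Audit log storage size, before log is automatically rotated
        # (CIS rule 4.1.1.1)
        max_log_file=8
        # Remote log host address (CIS rule 4.2.2.4)
        # Use the format loghost.example.com:554, to define the port
        remote_log_server=
        # SSH access limitation parameters at /etc/ssh/sshd_config (CIS rule 5.2.14)
        AllowUsers=ubuntu
        AllowGroups=
        DenyUsers=
        DenyGroups=
        # PAM password quality parameters at /etc/security/pwquality.conf (CIS rule 5.3.1)
        minlen=14
        dcredit=-1
        ucredit=-1
        ocredit=-1
        lcredit=-1
        # sudo group members, aside from root (CIS rule 5.6)
        sudo_member=
        # Unowned files will be changed to this user (CIS rule 6.1.11)
        unowned_user=root
        # Ungrouped files will be changed to this user (CIS rule 6.1.12)
        unowned_group=root
        # Delete files in the home directory which violate CIS rules (CIS rules 6.2.11, 6.2.12, 6.2.14)
        delete_user_files=true
  # Commands run before Juju's own machine setup.
  preruncmd:
    - locale-gen en_GB.UTF-8; update-locale
    # NOTE(review): the repository signing key is fetched over plain HTTP and
    # added to the global apt keyring with `apt-key add`, so the trust root for
    # every apt source is only as strong as the network path to 192.168.1.12.
    # Prefer checking the key's fingerprint against a pinned value
    # (<EXPECTED_FINGERPRINT placeholder>) before adding it, or shipping the
    # key via write_files and scoping it to this one repo with [signed-by=...].
    - wget -qO - http://192.168.1.12/keys/security-benchmarks.asc | sudo apt-key add -
    - sudo add-apt-repository "deb http://192.168.1.12/private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu bionic main"
    - sudo apt update
    - sudo DEBIAN_FRONTEND=noninteractive apt install -y -q usg-cisbenchmark
    # Apply the CIS level-2 server profile using the config written above.
    - cd /usr/share/ubuntu-scap-security-guides/cis-hardening; sudo ./Canonical_Ubuntu_18.04_CIS-harden.sh -f /tmp/cis-hardening.conf lvl2_server
    # remove auditd as added by Hardening script but is not supported on containers
    - "systemd-detect-virt --container && apt purge -y auditd"
    - "systemd-detect-virt --container && rm -rf /root/99-post-juju.yaml"
    # Quoted: a leading '!' would otherwise be read as a YAML tag indicator.
    - "! systemd-detect-virt --container && mv /root/99-post-juju.yaml /etc/netplan/99-post-juju.yaml"
    - "! systemd-detect-virt --container && sudo lxc profile set default security.nesting true"
    - sudo netplan apply
default-series: "bionic"
# Local mirror of archive.ubuntu.com used by apt on model machines.
apt-mirror: http://192.168.1.12/archive.ubuntu.com/ubuntu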