For personal use (and fun) I'm trying to setup a VM on which I want to host my website (Nginx, Django and Postgres running in docker containers). I'm trying to learn how to setup the server using Terraform and Cloud init in a safe manner.

My current cloud-init code:

#cloud-config
groups:
  - docker
users:
  - default
  # the docker service account
  - name: test
    shell: /bin/bash
    home: /home/test
    groups: docker
    sudo: ALL=(ALL) NOPASSWD:ALL
    ssh_import_id: None
    lock_passwd: true
    ssh-authorized-keys:
      - ssh-rsa my_public_ssh_key
package_update: true
package_upgrade: true
packages:
  - git
  - sudo
  - apt-transport-https
  - ca-certificates
  - curl
  - gnupg-agent
  - software-properties-common
runcmd:
  # install docker following the guide: https://docs.docker.com/install/linux/docker-ce/ubuntu/
  - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
  - sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
  - sudo apt-get -y update
  - sudo apt-get -y install docker-ce docker-ce-cli containerd.io
  - sudo systemctl enable docker
  # install docker-compose following the guide: https://docs.docker.com/compose/install/
  - sudo curl -L "https://github.com/docker/compose/releases/download/1.25.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
  - sudo chmod +x /usr/local/bin/docker-compose
power_state:
  mode: reboot
  message: Restarting after installing docker & docker-compose

The VM is Ubuntu 20.04. Technically I want the "test" user to be able to pull the latest code from my git repo and (re-)deploy the website (in /home/test/website) using docker-compose. Is it possible that the user does not have sudo permissions (I don't want it to have elevated permissions)? And secondly: how do I create a root account with a separate SSH key (and would this be a safe setup)?

The Terraform code that produces the VM.

resource "scaleway_instance_server" "app_server" {
  type     = var.instance_type
  image    = "ubuntu-focal"
  name     = var.instance_name
  enable_ipv6 = true

  tags = [ "FocalFossa", "MyUbuntuInstance" ]

  root_volume {
    size_in_gb = 20
    delete_on_termination = true
  }

  lifecycle {
    create_before_destroy = true
  }

  ip_id = scaleway_instance_ip.public_ip.id

  security_group_id = scaleway_instance_security_group.www.id

  # cloud init: setup
  cloud_init = file("${path.module}/cloud-init.yml")
}

Help is much appreciated.

Yorian

1 Answer

Is it possible that the user does not have sudo permissions (I don't want it to have elevated permissions)?

Anything run by cloud-init is run as root, including the bootcmd/runcmd commands. To run things as a different user, you can use sudo in your runcmd.

sudo -u test whoami >> /var/tmp/run_cmd

would write test to /var/tmp/run_cmd.

And secondly: how do I create a root account with a separate SSH key (and would this be a safe setup)?

Your users section would look something like this.

users:
  - default
  # the docker service account
  - name: test
    shell: /bin/bash
    home: /home/test
    groups: docker
    sudo: ALL=(ALL) NOPASSWD:ALL
    lock_passwd: true
    ssh-authorized-keys:
      - ssh-rsa my-public-key
  - name: root
    ssh-authorized-keys:
      - ssh-rsa root-public-key
disable_root: false

Is it safe? I think that's debatable, but there's a reason root login is disabled by default. It should be possible to ssh into the default user and then sudo su for your root access needs.

Also, just FYI, the ssh_import_id: None in your config was raising an exception in the cloud-init log because it was trying to import an ssh id for user None.

falcojr
  • I actually meant that I want the user to be able to run docker after the VM has been initialized by cloud-init. The question is: can the user run docker without elevated permissions (so without super user rights). And the second question: do I need a root user with full permissions at all (after the VM has been setup by cloud-init)? – Yorian Feb 23 '21 at 10:59
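The question's cloud-config and the answer's suggested users section both grant more than the "test" deploy user needs: a passwordless sudo rule, membership in the docker group (which gives control of the Docker socket and is effectively root on the host), the literal string `None` in `ssh_import_id`, and, in the answer's variant, SSH keys attached directly to root with `disable_root: false`. The following linter, an added example that is not code from either poster, flags each of these in a cloud-config that has already been loaded into a Python dict (for instance with `yaml.safe_load`). The two configs embedded in it are constructed here to mirror the thread's YAML; the hardened variant, its `ssh_pwauth` key and the `ROOT_EQUIVALENT_GROUPS` set are assumptions of this example, not something the thread states.

```python
"""Lint a parsed cloud-config for the privilege issues discussed in this thread.

Added example, not part of the original question or answer. It assumes the
cloud-config has already been loaded into a Python dict (e.g. yaml.safe_load);
the two configs below are constructed to mirror the thread's YAML.
"""
from typing import Any, Dict, List

# Assumption of this example: docker group membership is treated as
# root-equivalent, because a user who can reach the Docker socket can start a
# container that mounts the host filesystem.
ROOT_EQUIVALENT_GROUPS = {"docker", "sudo", "wheel", "admin"}


def _groups(user: Dict[str, Any]) -> List[str]:
    """cloud-init accepts `groups` as a list or as a comma-separated string."""
    raw = user.get("groups", [])
    if isinstance(raw, str):
        return [g.strip() for g in raw.split(",") if g.strip()]
    return list(raw)


def lint_cloud_config(cfg: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    for user in cfg.get("users", []):
        if not isinstance(user, dict):  # the bare "default" entry
            continue
        name = user.get("name", "<unnamed>")
        sudo = user.get("sudo")
        if sudo and "NOPASSWD" in str(sudo):
            findings.append(f"{name}: passwordless sudo ({sudo})")
        elif sudo:
            findings.append(f"{name}: sudo rule granted ({sudo})")
        privileged = ROOT_EQUIVALENT_GROUPS & set(_groups(user))
        if privileged:
            findings.append(f"{name}: root-equivalent group(s) {sorted(privileged)}")
        # YAML's null is `null` or `~`; `None` loads as the string "None", which
        # is why cloud-init tried to import keys for a user called None.
        if user.get("ssh_import_id") == "None":
            findings.append(f"{name}: ssh_import_id is the string 'None'")
        keys = user.get("ssh_authorized_keys") or user.get("ssh-authorized-keys") or []
        if name == "root" and keys:
            findings.append("root: SSH keys assigned directly to root")
        if user.get("lock_passwd") is False:
            findings.append(f"{name}: password login left unlocked")
    if cfg.get("disable_root") is False:
        findings.append("disable_root is false: root SSH login enabled")
    if cfg.get("ssh_pwauth") is True:
        findings.append("ssh_pwauth is true: password authentication enabled")
    return findings


# Constructed: the thread's users section (question plus answer's root entry).
ORIGINAL_CONFIG: Dict[str, Any] = {
    "groups": ["docker"],
    "users": [
        "default",
        {
            "name": "test",
            "shell": "/bin/bash",
            "home": "/home/test",
            "groups": "docker",
            "sudo": "ALL=(ALL) NOPASSWD:ALL",
            "ssh_import_id": "None",
            "lock_passwd": True,
            "ssh-authorized-keys": ["ssh-rsa my_public_ssh_key"],
        },
        {"name": "root", "ssh-authorized-keys": ["ssh-rsa root-public-key"]},
    ],
    "disable_root": False,
}

# Constructed: a tightened variant. The deploy user keeps its key but has no
# sudo rule and no docker group; root stays disabled for SSH.
HARDENED_CONFIG: Dict[str, Any] = {
    "users": [
        "default",
        {
            "name": "test",
            "shell": "/bin/bash",
            "home": "/home/test",
            "lock_passwd": True,
            "ssh_authorized_keys": ["ssh-rsa my_public_ssh_key"],
        },
    ],
    "disable_root": True,
    "ssh_pwauth": False,
}


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {lint_cloud_config(cfg) or 'no findings'}")
```

If the deploy user must drive docker-compose through the Docker socket, the docker group finding will come back as soon as the group is added; that is the trade-off behind the answer's "debatable": socket access is host-root in practice, so keeping sudo off the user does not by itself make the account unprivileged.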