From f2556a4e38295e7dc5dddba5779630f48b01cd12 Mon Sep 17 00:00:00 2001 From: Youjung Kim <126618609+ykim-1@users.noreply.github.com> Date: Wed, 10 Jan 2024 09:26:40 -0800 Subject: [PATCH] test: add cloud-init hardening for tests (#133) * add cloud hardening * add .PHONY to quick-test in Makefile --- Makefile | 1 + quick-test/deploy.yml | 7 +++++-- quick-test/harden.yaml.j2 | 36 ++++++++++++++++++++++++++++++++++++ 3 files changed, 42 insertions(+), 2 deletions(-) create mode 100644 quick-test/harden.yaml.j2 diff --git a/Makefile b/Makefile index 516156a..3a9c8e3 100644 --- a/Makefile +++ b/Makefile @@ -65,6 +65,7 @@ $(PLUGIN_DIR): *.go Dockerfile docker rm -vf tmp # Provision a test environment for docker-volume-linode using Ansible. +.PHONY: quick-test quick-test: ANSIBLE_STDOUT_CALLBACK=yaml ansible-playbook -v --extra-vars "ssh_pubkey_path=${QUICKTEST_SSH_PUBKEY} skip_tests=${QUICKTEST_SKIP_TESTS}" quick-test/deploy.yml diff --git a/quick-test/deploy.yml b/quick-test/deploy.yml index c01f27b..5892ee6 100644 --- a/quick-test/deploy.yml +++ b/quick-test/deploy.yml @@ -14,6 +14,9 @@ label: "{{ temp_token_name }}" state: absent + - set_fact: + ssh_pubkey: '{{ lookup("file", ssh_pubkey_path) }}' + - name: Create a temporary token for the plugin to consume linode.cloud.token: label: "{{ temp_token_name }}" @@ -32,8 +35,8 @@ region: "{{ region }}" image: linode/alpine3.18 booted: true - authorized_keys: - - "{{ lookup('file', ssh_pubkey_path) }}" + metadata: + user_data: '{{ lookup("template", playbook_dir ~ "/harden.yaml.j2") }}' state: present register: create_inst diff --git a/quick-test/harden.yaml.j2 b/quick-test/harden.yaml.j2 new file mode 100644 index 0000000..5dfd264 --- /dev/null +++ b/quick-test/harden.yaml.j2 
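Review bot: The new `ssh_pubkey` fact is pasted verbatim into a single-quoted YAML scalar in harden.yaml.j2 (`'{{ ssh_pubkey }}'`), so a public-key file whose comment contains a `'`, or one holding more than one key line, renders invalid or merged cloud-config and no key gets installed. Emitting it as `{{ ssh_pubkey | to_json }}` in the template keeps the cloud-config a valid scalar for any key file. Its placement is sound: the lookup runs before "Create a temporary token", so a missing or unreadable file fails before any cloud resource exists.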
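Review bot: Replacing `authorized_keys` with `metadata.user_data` makes SSH access depend entirely on cloud-init consuming the rendered template on the `linode/alpine3.18` image; if that image or the chosen region does not process Metadata user data (not verifiable from this hunk), no key is installed, password login is already off, and the instance is unreachable with no fallback. The steps that connect after `register: create_inst` lie outside the hunk; presumably they must now log in as the `linodedx` user the template creates, since it sets `disable_root: true`. A comment on the new key, `# SSH key is delivered via cloud-init (harden.yaml.j2); image and region must support Linode Metadata`, plus a `wait_for` on port 22 with a short timeout and a clear failure message would make a missing cloud-init run fail fast instead of hanging.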
@@ -0,0 +1,36 @@
+#cloud-config
+hostname: dx-dev-vm
+
+package_update: true
+package_upgrade: true
+packages:
+ - fail2ban
+
+ssh_pwauth: false
+disable_root: true
+
+users:
+ - default
+ - name: linodedx
+ gecos: The primary account for development on this VM.
+ shell: /bin/bash
+ sudo: ALL=(ALL) NOPASSWD:ALL
+ lock_passwd: true
+ ssh_authorized_keys:
+ - '{{ ssh_pubkey }}'
+
+write_files:
+ # Root login over SSH isn't fully disabled by disable_root
+ - path: /etc/ssh/sshd_config.d/51-disable-root.conf
+ permissions: "0600"
+ content: |
+ PermitRootLogin no
+
+runcmd:
+ - service ssh restart
+ - service fail2ban start --enable
+
+ - ufw default deny incoming
+ - ufw default allow outgoing
+ - ufw allow 80,443,21,22/tcp
+ - ufw enable
\ No newline at end of file
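Review bot: `ufw allow 80,443,21,22/tcp` opens more than this host needs: nothing in the template installs a service on 80, 443 or 21, and 21 is plaintext FTP, so on a VM whose only declared access path is SSH these are idle inbound exposure; restrict the rule to `- ufw allow 22/tcp`. `ufw` is also not listed under `packages:` (only `fail2ban` is), and as far as I can tell cloud-init's `runcmd` keeps going after a failed command, so if `ufw` is absent the `ufw enable` step fails quietly and the host runs without a firewall while nothing in this patch notices. The `service ssh restart`, `service fail2ban start --enable` and `/etc/ssh/sshd_config.d/` drop-in follow a Debian/Ubuntu idiom; whether they take effect on the `linode/alpine3.18` image deploy.yml selects (OpenRC, an `sshd` service name, an `Include` of the drop-in directory) cannot be confirmed from this patch and should be checked in `/var/log/cloud-init-output.log` on a fresh instance. Adding `- ufw` under `packages:` and a final `runcmd` entry such as `- ufw status | grep -q 'Status: active'` turns a silently partial hardening into a visible error in that log.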