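#cloud-config
# CRITICAL: The above line MUST be exactly "#cloud-config" (no space after #)
# This is required by cloud-init's YAML parser. Adding a space breaks parsing
# and causes all cloud-init directives to be skipped, resulting in SSH timeouts.
# See: https://github.com/trailofbits/algo/issues/14800
#
# This file is a Jinja2 template (it uses Ansible lookup calls), so it is
# rendered before cloud-init ever parses it. Keep template delimiters out of
# comments: they would be evaluated at render time.

# Append the output of every cloud-init stage to one log file. Together with
# "set -x" in runcmd this records each command that runs, so the commands
# below should never echo anything secret.
output:
  all: '| tee -a /var/log/cloud-init-output.log'

# Refresh the package index and apply pending upgrades on first boot.
package_update: true
package_upgrade: true

packages:
  - sudo
{% if performance_preinstall_packages | default(false) %}
  # Universal tools always needed by Algo (performance optimization)
  - git
  - screen
  - apparmor-utils
  - uuid-runtime
  - coreutils
  - iptables-persistent
  - cgroup-tools
{% endif %}

users:
  # Keep the image's stock default user alongside the dedicated account.
  - default
  # Provisioning account: the password is locked, so the SSH key below is the
  # only way in, and the account has passwordless root through sudo. Whoever
  # holds the matching private key holds root on this host; protect that key
  # accordingly.
  - name: algo
    homedir: /home/algo
    sudo: 'ALL=(ALL) NOPASSWD:ALL'
    groups: adm,netdev
    shell: /bin/bash
    lock_passwd: true
    ssh_authorized_keys:
      # The variable is passed straight to the lookup instead of being
      # wrapped in a second pair of template delimiters inside the string
      # argument, which only works when the lookup re-templates its input.
      - "{{ lookup('file', SSH_keys.public) }}"

write_files:
  # Replaces the distribution's sshd_config with the rendered template; the
  # SSH hardening itself lives in files/cloud-init/sshd_config.
  # Mode and owner match cloud-init's write_files defaults and are spelled out
  # so the access rights on this file do not depend on them.
  # The lookup line must stay at column 0: the indent filter supplies the six
  # spaces that place the rendered text inside the block scalar.
  - path: /etc/ssh/sshd_config
    permissions: '0644'
    owner: 'root:root'
    content: |
{{ lookup('template', 'files/cloud-init/sshd_config') | indent(width=6, first=True) }}

runcmd:
  # Trace every following command into the cloud-init output log.
  - set -x
  # Disables ufw and returns its rules to the installation defaults.
  # NOTE(review): presumably Algo installs its own firewall rules later in
  # the deployment; confirm the host is not left unfiltered in between.
  - ufw --force reset
  # Best effort: "|| true" keeps provisioning going when sshguard is absent
  # or its removal fails.
  - sudo apt-get remove -y --purge sshguard || true
  # Restart so the sshd_config written above takes effect.
  # NOTE(review): the file is not validated first (sshd -t), and on some
  # Debian/Ubuntu releases the unit is named ssh.service. A failed restart
  # could leave the host unreachable over SSH; confirm both on the target
  # image.
  - systemctl restart sshd.service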