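#cloud-config
# Ubuntu Server Autoinstall — Iron Legion G9 Headless Deploy
# Usage: Place as 'user-data' on nocloud USB alongside empty 'meta-data' file
# See README.md for USB creation instructions
#
# The '#cloud-config' header on line 1 is what makes cloud-init hand this file
# to the installer; without it the autoinstall section is never read.
autoinstall:
  # 'version' belongs inside the autoinstall mapping, not at top level.
  version: 1

  # ── Identity ──
  # hostname is a placeholder; the real name is derived from the NIC MAC in
  # late-commands below.
  identity:
    hostname: ubuntu
    username: jarvis
    # SHA-512 crypt hash; every node built from this file shares it.
    password: "$6$iypA63f5vLDzTGQ2$eOrvsyhnM6c4istoy65GUConWL4St.rzy28wFt8QxUWk7F3fSx7mHytwnjHosvIj7JAMBPeC4jkUctAZJeKDx/"
  ssh:
    install-server: true
    # Password login stays enabled (fleet standard); the key below is the
    # intended primary access path. Together with the ufw rule further down,
    # port 22 is reachable from any source on first boot.
    allow-pw: true
    authorized-keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPSBrRCROUHOiZX9IB3teEK89VFfghbdu7OF5NoJ1Y6g

  # ── Storage ──
  # NOTE(review): this GPT layout has neither an EFI System Partition (fat32,
  # flag: boot, mounted at /boot/efi) nor a bios_grub partition; curtin needs
  # one or the other depending on the machines' firmware mode. Confirm on a
  # test node that `flag: boot` + `grub_device` on an ext4 /boot actually
  # yields a bootable install before rolling this out.
  storage:
    config:
      - type: disk
        id: disk0
        ptable: gpt
        wipe: superblock-recursive
        path: /dev/nvme0n1
      - type: partition
        id: boot-part
        number: 1
        size: 1GB
        device: disk0
        flag: boot
        grub_device: true
      - type: format
        id: boot-format
        fstype: ext4
        volume: boot-part
      - type: mount
        id: boot-mount
        device: boot-format
        path: /boot
      - type: partition
        id: root-part
        number: 2
        size: -1
        device: disk0
      - type: format
        id: root-format
        fstype: ext4
        volume: root-part
      - type: mount
        id: root-mount
        device: root-format
        path: /

  # ── Networking ──
  network:
    version: 2
    ethernets:
      en0:
        match:
          name: "en*"
        dhcp4: true
        dhcp6: true

  # ── Packages ──
  # Installed into the target during the install; curl/gnupg/git are needed
  # by the repo setup and clone steps below.
  packages:
    - openssh-server
    - curl
    - git
    - ca-certificates
    - gnupg
    - net-tools
    - iputils-ping
    - htop
    - ufw
    - nfs-common

  # ── Post-install customisation ──
  # late-commands run in the live installer environment (not on first boot)
  # with the installed system mounted at /target. Files are therefore written
  # under /target, and anything that must execute inside the installed system
  # goes through `curtin in-target`. Steps that need the 'jarvis' user are in
  # user-data.runcmd below, because that user is created on first boot.
  late-commands:
    # Hostname from MAC address. The installer sees the same NICs as the
    # installed system, so /sys is read from the live environment, but the
    # result is written into the target.
    - |
      MAC=$(cat /sys/class/net/en*/address 2>/dev/null | head -1 | tr -d ':')
      case "$MAC" in
        e051d81c5d56) HOST="mk-33" ;;
        e051d81c5c75) HOST="mk-34" ;;
        e051d81c5dca) HOST="mk-39" ;;
        e051d81c5d5c) HOST="mk-42" ;;
        *) HOST="g9-$(echo "$MAC" | tail -c 5)" ;;
      esac
      # hostnamectl needs a running systemd; writing the files is enough for
      # the next boot.
      echo "$HOST" > /target/etc/hostname
      printf "127.0.1.1\t%s\n" "$HOST" >> /target/etc/hosts

    # Keep cloud-init from renaming the host on first boot. cloud-init itself
    # stays enabled for that boot: it creates the 'jarvis' user and runs the
    # runcmd block below, and is disabled at the end of that run.
    - |
      mkdir -p /target/etc/cloud/cloud.cfg.d
      echo "preserve_hostname: true" > /target/etc/cloud/cloud.cfg.d/99_preserve_hostname.cfg

    # Install Docker CE from the upstream apt repo into the target. The script
    # is staged under /target/tmp and run inside the target chroot.
    - |
      cat > /target/tmp/install-docker.sh <<'EOS'
      install -m 0755 -d /etc/apt/keyrings
      curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
      chmod a+r /etc/apt/keyrings/docker.gpg
      echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu noble stable" > /etc/apt/sources.list.d/docker.list
      apt-get update
      apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
      EOS
      curtin in-target --target=/target -- bash /tmp/install-docker.sh
      rm -f /target/tmp/install-docker.sh

    # Install Tailscale into the target, same staging pattern as Docker.
    - |
      cat > /target/tmp/install-tailscale.sh <<'EOS'
      curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.noarmor.gpg | tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
      curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.tailscale-keyring.list | tee /etc/apt/sources.list.d/tailscale.list
      apt-get update
      apt-get install -y tailscale
      EOS
      curtin in-target --target=/target -- bash /tmp/install-tailscale.sh
      rm -f /target/tmp/install-tailscale.sh

    # SSH hardening (password auth stays enabled: fleet standard). sshd is not
    # running in the target, so no restart is needed; the edited config is
    # read at first boot. Drop-ins under sshd_config.d are Include'd before
    # these lines and win if they set the same option — check them on a node.
    - |
      sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /target/etc/ssh/sshd_config
      sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication yes/' /target/etc/ssh/sshd_config

    # Firewall: deny inbound except SSH. Rules are written into /target by ufw
    # inside the chroot; `enable` marks ufw active for the next boot (it may
    # print ufw-init errors inside the chroot — confirm on a test node).
    - curtin in-target --target=/target -- ufw default deny incoming
    - curtin in-target --target=/target -- ufw default allow outgoing
    - curtin in-target --target=/target -- ufw allow 22/tcp
    - curtin in-target --target=/target -- ufw --force enable

  # ── First boot (cloud-init, runs once) ──
  # These need the 'jarvis' user, which the installer hands to cloud-init to
  # create on first boot, so they cannot run from late-commands.
  user-data:
    runcmd:
      # docker group exists already (package installed above).
      - usermod -aG docker jarvis
      # Clone ansible-pull repo (best effort: clone failures are silenced).
      # -H makes '~' resolve to jarvis's home regardless of sudo's env policy.
      - |
        sudo -H -u jarvis bash -c 'mkdir -p ~/.ansible-repo && cd ~/.ansible-repo && git clone https://gitea.nb.bobbysh.me/Iron-Legion/ansible-pull-deploy.git . 2>/dev/null || true'
      # Disable cloud-init re-run on later boots, after it has done its
      # first-boot work (user creation, this runcmd).
      - touch /etc/cloud/cloud-init.disabled

  # Reboot into the installed system once the install completes. This replaces
  # a bare `reboot` late-command, which would have rebooted the live installer
  # before subiquity finished.
  shutdown: reboot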