deploy: harden cloud-init with archon user, swap, and fixes

[leex279]

Summary

• Adds a dedicated archon user (docker group) and runs all docker operations as that user instead of root
• Adds a 2GB swapfile to prevent OOM during docker compose build on small VPS (<2GB RAM)
• Several smaller hardening + cleanup fixes to the cloud-init script

Changes

• archon user: created via users: block, docker-group only (no sudo — avoids trivial privilege escalation). SSH keys copied from default cloud user (root fallback). /opt/archon chowned, builds run via sudo -u archon.
• Swap: 2GB swapfile created idempotently, persisted in /etc/fstab.
• package_upgrade: true retained — applies security patches to base image before anything else.
• Removed redundant systemctl enable/start docker (get.docker.com handles it).
• ufw allow 443/tcp + 443/udp — 443/udp needed for HTTP/3 (QUIC) via Caddy.
• set -e in single shell block before clone — real fail-fast on network errors (fixed review feedback).
• Docs link updated to https://archon.diy/deployment/docker/.
• SETUP_COMPLETE instructs ssh archon@<server-ip> and notes archon has no sudo (use default cloud user for maintenance).
• Header lists supported providers (incl. Hostinger) and documents new behavior.

Test plan

• Boot a fresh Ubuntu 22.04 VPS with the new cloud-init
• Verify ssh archon@<ip> works after ~5-8 min
• Verify id archon shows membership in docker group (no sudo)
• Verify swapon --show shows 2GB swap active
• Verify /opt/archon owned by archon:archon
• Verify docker images (as archon) shows the built archon image
• Verify ufw status shows 22/80/443 allowed (tcp + udp for 443)

Review feedback addressed

• CodeRabbit: set -e merged into single shell block so fail-fast applies
• CodeRabbit: removed non-existent docker from initial users.groups (added later via usermod)
• CodeRabbit: added ufw allow 443/udp for HTTP/3
• @Wirasm: dropped passwordless sudo from archon user — docker group only
• @Wirasm: restored package_upgrade: true to patch CVEs in base image

Summary by CodeRabbit

• Infrastructure & Deployment

  • Added automatic swap allocation to improve stability on low-RAM hosts
  • Introduced a dedicated application user with pre-configured SSH access and tightened file ownership/permissions
  • Refined firewall rules to explicitly allow HTTPS traffic

• Documentation

  • Updated deployment and access instructions with new SSH/login guidance and docs link

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6e1b8fac-5d18-44ee-be57-f522d4855418

📥 Commits

Reviewing files that changed from the base of the PR and between 4438edd and 2348a53.

📒 Files selected for processing (1)

• deploy/cloud-init.yml

---

📝 Walkthrough

Walkthrough

Added a dedicated archon OS user (locked password, bash shell), ensured SSH key provisioning for immediate login, added conditional 2GB swapfile before Docker steps, ran Docker operations as archon, consolidated repo/setup steps, adjusted ownership and explicit firewall rules for HTTPS.

Changes

Cohort / File(s)

Summary

Cloud-init Configuration deploy/cloud-init.yml

Introduces a new archon user via cloud-init users (lock_passwd: true, shell /bin/bash), adds archon to the docker group and uses sudo -u archon for Docker pulls/builds, conditionally creates a 2GB swapfile before Docker operations, copies authorized_keys from UID 1000 or root into /home/archon/.ssh, consolidates repo/bootstrapping into a single set -e block, runs chown -R archon:archon /opt/archon, and replaces generic UFW with explicit ufw allow 443/tcp and ufw allow 443/udp rules.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I nibble bytes and bind a key with care,
Archon hops in, Docker-ready and fair,
Swap set for sighs when memory runs thin,
SSH welcomes paws so new work can begin,
Firewall and files snug — a soft cloud den.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description covers key changes and test validation but omits several required template sections including UX Journey, Architecture Diagrams, Label Snapshot, Validation Evidence, Security Impact, Compatibility, Human Verification, Side Effects, and Rollback Plan.	Complete missing sections: provide architecture diagrams, validation command outputs, security risk assessment (new archon user permissions), backward compatibility statement, rollback procedure, and human verification details.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main changes: adding an archon user, swap, and hardening fixes to the cloud-init deployment script.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch improve/cloud-init-archon-user

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

deploy/cloud-init.yml (1)

84-85: Consider adding 443/udp for HTTP/3 support.

The docker-compose.yml exposes 443:443/udp for Caddy's HTTP/3 (QUIC) support, but the firewall only allows TCP. Without UDP, HTTP/3 won't work (HTTP/2 over TCP will still function).

Proposed fix

   - ufw allow 443/tcp
+  - ufw allow 443/udp
   - ufw --force enable

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deploy/cloud-init.yml` around lines 84 - 85, The firewall rules only open TCP
port 443 (ufw allow 443/tcp) so QUIC/HTTP3 (which uses UDP) will be blocked;
update the cloud-init UFW commands to also allow UDP by adding an explicit "ufw
allow 443/udp" (or replace the TCP-only rule with a dual-protocol rule) before
the "ufw --force enable" call so the docker-compose mapping 443:443/udp for
Caddy can receive UDP traffic.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@deploy/cloud-init.yml`:
- Around line 87-92: The current cloud-init runcmd uses a standalone "set -e"
which runs in its own shell and doesn't make the following git clone/cp/chown
commands fail-fast; merge the related commands into a single shell invocation so
"set -e" applies to them—e.g., replace the separate "set -e" plus the individual
commands (git clone, cp /opt/archon/.env.example, cp
/opt/archon/Caddyfile.example, chown -R archon:archon) with one script block or
a single shell command list so failures in git clone or any cp/chown abort the
sequence.
- Around line 40-47: Remove the nonexistent "docker" group from the initial
users block for the "archon" user: edit the users entry that defines name:
archon (the block with gecos: Archon Service User, groups: [...], shell:, sudo:,
lock_passwd:) and delete "docker" from its groups list so the user is created
only with existing groups; leave the subsequent Docker addition via the
usrmomod/usermod -aG docker archon step intact.

---

Nitpick comments:
In `@deploy/cloud-init.yml`:
- Around line 84-85: The firewall rules only open TCP port 443 (ufw allow
443/tcp) so QUIC/HTTP3 (which uses UDP) will be blocked; update the cloud-init
UFW commands to also allow UDP by adding an explicit "ufw allow 443/udp" (or
replace the TCP-only rule with a dual-protocol rule) before the "ufw --force
enable" call so the docker-compose mapping 443:443/udp for Caddy can receive UDP
traffic.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 280d3cdb-64c6-45b1-96de-400c3ebefec1

📥 Commits

Reviewing files that changed from the base of the PR and between 8a44faa and 4438edd.

📒 Files selected for processing (1)

• deploy/cloud-init.yml

[Wirasm]

Thanks for this — the swap file fix is a real catch, that docker compose build OOM on 1GB VPS is painful and I've hit it myself. Before we merge, two concerns and a verification ask:

1. NOPASSWD: ALL undoes the benefit of the dedicated user. Anyone with SSH access to archon runs sudo -i and is instantly root — no password, no challenge. Combined with docker group membership (which is also root-equivalent via mount escapes), the current design adds complexity without a real security gain. Suggestion: drop the sudo line entirely, keep just groups: [docker]. If users need root for maintenance, they can switch to the default cloud user. Cleaner threat model.

2. Removing package_upgrade: true is a security regression, not a performance win. Fresh VPS base images are often weeks or months old and ship with unpatched CVEs in OpenSSL, kernel, sudo, systemd. package_upgrade applies those before anything else runs. Dropping it saves ~5 minutes of boot time in exchange for an unknown vulnerability window until the user manually runs apt upgrade — which most users never do. Two options: keep it as-is, or keep removing it but add a prominent line in the SETUP_COMPLETE message saying "Run `sudo apt upgrade` as your first action on this server." Right now the regression is silent.

3. Verification? The test plan has 7 unchecked boxes. For a cloud-init that runs directly on strangers' production VPS instances, I'd feel much better merging after one real end-to-end boot on one real provider (Hetzner $5/mo instance is ~20 minutes of effort). If you've already tested and just didn't check the boxes, please confirm — that's fine too.

Everything else — swap file, SSH key copy, ufw 443/tcp, set -e before clone, docs URL update, provider list in the header — is clearly positive and I want to merge all of it. Fix the sudo line + address the package_upgrade tradeoff + confirm one boot test, and we're good.