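#cloud-config
# Baseline host firewall: install ufw, deny inbound traffic by default, and
# open only SSH (rate limited), HTTP and HTTPS.
package_update: true
package_upgrade: true

packages:
  - ufw

# No write_files entry for /etc/ufw/before.rules is used here. The loopback
# and ICMP (destination-unreachable, time-exceeded, parameter-problem,
# echo-request) ACCEPT rules are already in the before.rules that ufw ships
# (verify on your image). Appending them again with "append: true" would put
# them after the file's closing COMMIT, outside any table, where
# iptables-restore does not accept rules. "ufw reset" below restores the
# packaged rule files in any case, so the appended fragment would not survive.

runcmd:
  # Return to installation defaults; this also disables ufw until the
  # explicit enable below.
  - ufw --force reset

  # Default policies: drop unsolicited inbound, permit outbound.
  - ufw default deny incoming
  - ufw default allow outgoing

  # SSH (adjust port if needed). "limit" both permits the port and rate
  # limits it: ufw denies a source address that opened 6 or more connections
  # in the last 30 seconds. A plain "allow ssh" before it would be redundant.
  # If administration comes from a known range, restrict the source as well,
  # e.g. "ufw limit from <ADMIN_CIDR> to any port 22 proto tcp".
  - ufw limit ssh/tcp

  # HTTP and HTTPS, reachable from any source.
  - ufw allow http
  - ufw allow https

  # Enable without the interactive confirmation prompt. The SSH rule is
  # already in place, so remote access is not cut off when the deny policy
  # takes effect.
  - ufw --force enable

  # Record the resulting rule set in the cloud-init output log for auditing.
  - ufw status verbose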