Setting up Debian Buster with cfengine

Set up cfengine3 policy server

1) Install minimal Debian Buster with SSH server and standard system utilities,
2) Reboot,
3) apt-get install cfengine3,
4) Enable cf-execd and cf-serverd in /etc/default/cfengine3,
5) Reboot,
6) Bootstrap as a policy server: cf-agent -B <server-IP-address>,
7) mkdir /var/cfengine,
8) ln -s /var/lib/cfengine3/masterfiles /var/cfengine,
9) cf-agent -f update.cf -v -K.

Set up cfengine3 agent-only host (plus more general setup)

1) Install minimal Debian Buster with SSH server and standard system utilities,
2) Reboot,
3) Change GRUB_CMDLINE_LINUX_DEFAULT to "audit=0 selinux=0 consoleblank=0 ipv6.disable=1 console=ttyS0" and run grub-mkconfig -o /boot/grub/grub.cfg (the console setting allows detailed boot logging, which can be [eventually] downloaded from AWS or displayed on the terminal where you started the VM using QEMU),
4) Make sure that XKBLAYOUT is set to "us" if you selected a language other than American English during installation,
5) Reboot,
6) apt-get install cfengine3,
7) Enable cf-execd in /etc/default/cfengine3,
8) Bootstrap from the policy server: cf-agent -B <policy-server-IP-address>,
9) Copy in root SSH keys then change /etc/ssh/sshd_config:
-- Set PasswordAuthentication to no
-- Set UsePAM to no
-- Restart sshd,
10) Delete user account created during installation: userdel -r <account>.
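
A way to verify the sshd_config changes from step 9 before restarting sshd. This is an added example, not part of the original notes; the function names and the sample files are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example (not from the page). Print the global (pre-Match) value of
# keyword $2 in file $1, lowercased, or "unset". sshd keeps the FIRST
# occurrence of a keyword, matches keywords case-insensitively and accepts
# "Keyword=value" as well as "Keyword value".
sshd_global_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { split($0, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { exit }
        key == want { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed if any Match block sets keyword $2 to "yes" in file $1.
sshd_match_enables() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { split($0, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { in_match = 1; next }
        in_match && key == want && tolower(f[2]) == "yes" { hit = 1 }
        END { exit (hit ? 0 : 1) }
    ' "$1"
}

# Return 0 only if both settings are explicitly "no" and no Match block
# turns password logins back on.
check_ssh_hardening() {
    rc=0
    for kw in PasswordAuthentication UsePAM; do
        val=$(sshd_global_value "$1" "$kw")
        [ "$val" = "no" ] || { echo "FAIL: $kw is '$val', expected 'no'"; rc=1; }
    done
    if sshd_match_enables "$1" PasswordAuthentication; then
        echo "FAIL: a Match block re-enables PasswordAuthentication"; rc=1
    fi
    return $rc
}

# Constructed sample files (not from a real host).
tmp=$(mktemp -d)
printf '%s\n' '# sample' 'passwordauthentication=no' 'UsePAM no' 'PasswordAuthentication yes' > "$tmp/good"
printf '%s\n' 'UsePAM yes' 'Match User backup' '  PasswordAuthentication yes' > "$tmp/bad"
check_ssh_hardening "$tmp/good" && echo "good: pass"
check_ssh_hardening "$tmp/bad" || echo "bad: rejected"
```

On the host itself, run check_ssh_hardening /etc/ssh/sshd_config; sshd -T prints the configuration the daemon actually resolves and can be used to cross-check the result.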
