 |
init push - infra - Terraform IoC for my remote (Hetzner) and local (Incus) ser… |
 |
Log |
|
Files |
|
Refs |
|
README |
|
--- |
|
commit 1689e2eba4bdb38eac00a4dc51d5f98335431252 |
 |
Author: Jay Scott <[email protected]> |
|
Date: Fri, 27 Jan 2023 22:16:52 +0000 |
|
|
|
init push |
|
|
|
Diffstat: |
|
A .gitignore | 3 +++ |
|
A .terraform.lock.hcl | 24 ++++++++++++++++++++++++ |
|
A README | 4 ++++ |
|
A main.tf | 54 +++++++++++++++++++++++++++++… |
|
A terraform.tfvars | 41 +++++++++++++++++++++++++++++… |
|
A user_data.yml | 58 ++++++++++++++++++++++++++++++ |
|
A variables.tf | 25 +++++++++++++++++++++++++ |
|
|
|
7 files changed, 209 insertions(+), 0 deletions(-) |
|
--- |
|
diff --git a/.gitignore b/.gitignore |
|
@@ -0,0 +1,3 @@ |
|
+ |
|
+.terraform/ |
|
+*tfstate* |
|
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl |
|
@@ -0,0 +1,24 @@ |
|
+# This file is maintained automatically by "terraform init". |
|
+# Manual edits may be lost in future updates. |
|
+ |
|
+provider "registry.terraform.io/hetznercloud/hcloud" { |
|
+ version = "1.36.2" |
|
+ constraints = "1.36.2" |
|
+ hashes = [ |
|
+ "h1:VO/dl+g5NfJd436hmT+9NOMQk6oRU4Z9TSJJJrNlN0M=", |
|
+ "zh:0498ef4209924b30ce7b4a232dd6aee08feab2ebbc90064db699adc10c16707e", |
|
+ "zh:292e3c0c55d320cf164cdd431ee31580dd86f435aec99721597204bab5de3970", |
|
+ "zh:3ce8558658baa7c4b9f1eeb92427665b4b930e5b157fbf352977778c90e11aaa", |
|
+ "zh:46abd0bdeeba46b86832ed31338ad837b584f7b2152f8a9bfa6c3802f481a6da", |
|
+ "zh:5804e71d411577f06abc0986c8c2e475c49042a192efce5936e4d5bdd874fc22", |
|
+ "zh:7cef0782e8198346bfe7b61601e1cf8f2158280a5cf665140b72838545ca3127", |
|
+ "zh:be81782af391ff4cc0859d976637aa00e6fe34061fe4f1df1f5ab5d62ef94f82", |
|
+ "zh:bf2660e70edf758305085698fc9d05306b174b99559cd0f3f61c0b705ba22275", |
|
+ "zh:caf727b0a378dc8c9c3594bbf176865f87aa732077820ff045eb352f5a48aeed", |
|
+ "zh:cf95fc3121b358c7b7b667193ab36b8cb6140e2f6dfbf6f1b4c55b7fec1bb6ef", |
|
+ "zh:d6d3119f8b971e982b6421dfa3b86314ccaeceaf047a3b6505f79e1a30f8301e", |
|
+ "zh:e6f7f65dced2e88e3082c57ddcd118412595678cf3c7289bc7e12c724b3bd892", |
|
+ "zh:f41f59ca511ab1a591d5abdc7f6d32d2e03a1d6087d206a741f95b7b0dd2ea17", |
|
+ "zh:fbe59fbb5f272a6b206a380f6dbf49837b199960dd038afca2e89b11f72fdfda", |
|
+ ] |
|
+} |
|
diff --git a/README b/README |
|
@@ -0,0 +1,4 @@ |
|
+bootstrap my cloud servers. |
|
+ |
|
+ terraform plan -var="hcloud_token=$HCLOUD_TOKEN" |
|
+ terraform apply -var="hcloud_token=$HCLOUD_TOKEN" |
|
diff --git a/main.tf b/main.tf |
|
@@ -0,0 +1,54 @@ |
|
+terraform { |
|
+ required_providers { |
|
+ hcloud = { |
|
+ source = "hetznercloud/hcloud" |
|
+ version = "1.36.2" |
|
+ } |
|
+ } |
|
+} |
|
+ |
|
+provider "hcloud" { |
|
+ token = var.hcloud_token |
|
+} |
|
+ |
|
+ |
|
+resource "hcloud_ssh_key" "this" { |
|
+ name = "main_key" |
|
+ public_key = file("~/.ssh/id_rsa.pub") |
|
+} |
|
+ |
|
+ |
|
+resource "hcloud_firewall" "this" { |
|
+ name = "firewallrules" |
|
+ |
|
+ dynamic "rule" { |
|
+ for_each = var.firewall_rules |
|
+ |
|
+ content { |
|
+ description = rule.key |
|
+ direction = rule.value.direction |
|
+ protocol = rule.value.protocol |
|
+ source_ips = rule.value.source_ips |
|
+ port = rule.value.port |
|
+ } |
|
+ } |
|
+} |
|
+ |
|
+ |
|
+resource "hcloud_server" "nodes" { |
|
+ for_each = var.nodes |
|
+ |
|
+ name = each.key |
|
+ image = each.value.image |
|
+ server_type = each.value.server_type |
|
+ location = each.value.location |
|
+ labels = each.value.labels |
|
+ ssh_keys = [hcloud_ssh_key.this.id] |
|
+ user_data = file("user_data.yml") |
|
+ firewall_ids = [hcloud_firewall.this.id] |
|
+ |
|
+ public_net { |
|
+ ipv4_enabled = each.value.ipv4 |
|
+ ipv6_enabled = each.value.ipv6 |
|
+ } |
|
+} |
|
diff --git a/terraform.tfvars b/terraform.tfvars |
|
@@ -0,0 +1,41 @@ |
|
+nodes = { |
|
+ node1 = { |
|
+ image = "debian-11" |
|
+ location = "hel1", |
|
+ server_type = "cx11", |
|
+ ipv4 = true |
|
+ ipv6 = true |
|
+ labels = { |
|
+ services = "git" |
|
+ } |
|
+ } |
|
+} |
|
+ |
|
+firewall_rules = { |
|
+ gopher = { |
|
+ direction = "in" |
|
+ protocol = "tcp" |
|
+ source_ips = ["0.0.0.0/0", "::/0"] |
|
+ port = "70" |
|
+ } |
|
+ ssh = { |
|
+ direction = "in" |
|
+ protocol = "tcp" |
|
+ source_ips = ["0.0.0.0/0", "::/0"] |
|
+ port = "22" |
|
+ } |
|
+ git = { |
|
+ direction = "in" |
|
+ protocol = "tcp" |
|
+ source_ips = ["0.0.0.0/0", "::/0"] |
|
+ port = "9418" |
|
+ } |
|
+ fingerd = { |
|
+ direction = "in" |
|
+ protocol = "tcp" |
|
+ source_ips = ["0.0.0.0/0", "::/0"] |
|
+ port = "79" |
|
+ } |
|
+ |
|
+ |
|
+} |
|
diff --git a/user_data.yml b/user_data.yml |
|
@@ -0,0 +1,58 @@ |
|
+#cloud-config |
|
+users: |
|
+ - name: jay |
|
+ groups: users |
|
+ sudo: ALL=(ALL) NOPASSWD:ALL |
|
+ shell: /bin/bash |
|
+ ssh_authorized_keys: |
|
+ - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCRWnkYAChsjuT/T/IoENtm8OT18tPer… |
|
+ |
|
+package_update: true |
|
+package_upgrade: true |
|
+ |
|
+packages: |
|
+ - openbsd-inetd |
|
+ - efingerd |
|
+ - libgit2-dev |
|
+ - vim |
|
+ - htop |
|
+ - git |
|
+ |
|
+runcmd: |
|
+ # SSH config |
|
+ - sed -ie '/^PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config |
|
+ - sed -ie '/^PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/… |
|
+ - sed -ie '/^X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config |
|
+ - sed -ie '/^#MaxAuthTries/s/^.*$/MaxAuthTries 2/' /etc/ssh/sshd_config |
|
+ - sed -ie '/^#AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/ssh… |
|
+ - sed -ie '/^#AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh… |
|
+ - sed -ie '/^#AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh/authorized_k… |
|
+ - systemctl restart ssh |
|
+ # Git setup |
|
+ - mkdir -p /srv/git |
|
+ - chown -R git:git /srv/git |
|
+ - systemctl enable git-daemon |
|
+ - systemctl start git-daemon |
|
+ |
|
+write_files: |
|
+ - content: | |
|
+ [Unit] |
|
+ Description=Start Git Daemon |
|
+ |
|
+ [Service] |
|
+ ExecStart=/usr/bin/git daemon --reuseaddr --base-path=/srv/git/ /srv/git/ |
|
+ |
|
+ Restart=always |
|
+ RestartSec=500ms |
|
+ |
|
+ StandardOutput=syslog |
|
+ StandardError=syslog |
|
+ SyslogIdentifier=git-daemon |
|
+ |
|
+ User=git |
|
+ Group=git |
|
+ |
|
+ [Install] |
|
+ WantedBy=multi-user.target |
|
+ path: /etc/systemd/system/git-daemon.service |
|
+ permissions: '0644' |
|
diff --git a/variables.tf b/variables.tf |
|
@@ -0,0 +1,25 @@ |
|
+variable "hcloud_token" { |
|
+ description = "Hetzner cloud personal API token." |
|
+ type = string |
|
+ sensitive = true |
|
+} |
|
+ |
|
+variable "nodes" { |
|
+ type = map(object({ |
|
+ image = string |
|
+ location = string |
|
+ server_type = string |
|
+ labels = map(any) |
|
+ ipv4 = bool |
|
+ ipv6 = bool |
|
+ })) |
|
+} |
|
+ |
|
+variable "firewall_rules" { |
|
+ type = map(object({ |
|
+ direction = string |
|
+ protocol = string |
|
+ source_ips = list(any) |
|
+ port = string |
|
+ })) |
|
+} |
