import a couple of Yandex Cloud moduelsv0.0.2

9 files changed, 190 insertions, 0 deletions

diff --git a/yandex/firewall/main.tf b/yandex/firewall/main.tf
new file mode 100644
index 0000000..81dc26a
--- /dev/null
+++ b/yandex/firewall/main.tf
@@ -0,0 +1,25 @@
+resource "yandex_vpc_security_group" "this" {
+  network_id = var.vpc_id
+
+  name = var.name
+
+  ingress {
+    protocol       = "ICMP"
+    v4_cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  dynamic "ingress" {
+    for_each = var.open_ports
+
+    content {
+      protocol       = "ANY"
+      v4_cidr_blocks = ["0.0.0.0/0"]
+      port           = ingress.value
+    }
+  }
+
+  egress {
+    protocol       = "ANY"
+    v4_cidr_blocks = ["0.0.0.0/0"]
+  }
+}
diff --git a/yandex/firewall/outputs.tf b/yandex/firewall/outputs.tf
new file mode 100644
index 0000000..72058aa
--- /dev/null
+++ b/yandex/firewall/outputs.tf
@@ -0,0 +1,3 @@
+output "id" {
+  value = yandex_vpc_security_group.this.id
+}
diff --git a/yandex/firewall/providers.tf b/yandex/firewall/providers.tf
new file mode 100644
index 0000000..3a5782f
--- /dev/null
+++ b/yandex/firewall/providers.tf
@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    yandex = {
+      source = "yandex-cloud/yandex"
+    }
+  }
+}
diff --git a/yandex/firewall/variables.tf b/yandex/firewall/variables.tf
new file mode 100644
index 0000000..04e111a
--- /dev/null
+++ b/yandex/firewall/variables.tf
@@ -0,0 +1,9 @@
+variable "name" {
+  type = string
+}
+variable "vpc_id" {
+  type = string
+}
+variable "open_ports" {
+  type = list(number)
+}
diff --git a/yandex/server/etc/cloud-init.cfg b/yandex/server/etc/cloud-init.cfg
new file mode 100644
index 0000000..8ed371c
--- /dev/null
+++ b/yandex/server/etc/cloud-init.cfg
@@ -0,0 +1,13 @@
+#cloud-config
+
+users:
+  - name: ${jsonencode(user)}
+    lock_passwd: false
+    hashed_passwd: '*'
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    ssh_authorized_keys: ${jsonencode(ssh_keys)}
+    shell: /bin/bash
+
+write_files:
+  - path: /etc/ssh/sshd_config
+    content: ${jsonencode(sshd_config)}
diff --git a/yandex/server/etc/sshd_config b/yandex/server/etc/sshd_config
new file mode 100644
index 0000000..ae08408
--- /dev/null
+++ b/yandex/server/etc/sshd_config
@@ -0,0 +1,39 @@
+Protocol 2
+Port ${port}
+
+# Drop idle sessions:
+ClientAliveCountMax 3
+ClientAliveInterval 15
+
+# Allow reverse tunnels:
+GatewayPorts yes
+
+# Miscellaneous:
+PrintMotd no
+
+# Hardening.
+# Source: https://infosec.mozilla.org/guidelines/openssh.html
+
+# Only Ed25519:
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Only the first choices for ciphers:
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+
+# No password login:
+PasswordAuthentication no
+AuthenticationMethods publickey
+# Whitelist users:
+PermitRootLogin no
+AllowGroups ${join(" ", users)}
+
+# Log things:
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
+
+# Whitelist accepted environment variables:
+AcceptEnv LANG LC_*
+
+# Why the fuck would I need X11 forwarding?
+X11Forwarding no
diff --git a/yandex/server/main.tf b/yandex/server/main.tf
new file mode 100644
index 0000000..12d31d9
--- /dev/null
+++ b/yandex/server/main.tf
@@ -0,0 +1,41 @@
+locals {
+  sshd_config = templatefile("${path.module}/etc/sshd_config", {
+    port  = var.ssh_port
+    users = [var.user]
+  })
+}
+
+resource "yandex_compute_instance" "this" {
+  zone     = var.zone
+  name     = var.name
+  hostname = var.name
+
+  resources {
+    cores         = var.cores
+    core_fraction = var.core_fraction
+    memory        = var.memory
+  }
+
+  boot_disk {
+    initialize_params {
+      size     = var.disk_size
+      image_id = var.image
+    }
+  }
+
+  network_interface {
+    subnet_id      = var.subnet_id
+    nat            = true
+    nat_ip_address = var.ip_address
+  }
+
+  metadata = {
+    user-data = templatefile("${path.module}/etc/cloud-init.cfg", {
+      user        = var.user
+      ssh_keys    = var.ssh_keys
+      sshd_config = local.sshd_config
+    })
+  }
+
+  allow_stopping_for_update = true
+}
diff --git a/yandex/server/providers.tf b/yandex/server/providers.tf
new file mode 100644
index 0000000..3a5782f
--- /dev/null
+++ b/yandex/server/providers.tf
@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    yandex = {
+      source = "yandex-cloud/yandex"
+    }
+  }
+}
diff --git a/yandex/server/variables.tf b/yandex/server/variables.tf
new file mode 100644
index 0000000..0fca4cb
--- /dev/null
+++ b/yandex/server/variables.tf
@@ -0,0 +1,46 @@
+variable "zone" {
+  type = string
+}
+
+variable "name" {
+  type = string
+}
+variable "image" {
+  type = string
+  # Debian 11
+  default = "fd8sqojvm458b3jr5nfd"
+}
+variable "subnet_id" {
+  type = string
+}
+variable "ip_address" {
+  type = string
+}
+
+variable "user" {
+  type = string
+}
+variable "ssh_keys" {
+  type = list(string)
+}
+variable "ssh_port" {
+  type    = string
+  default = "22"
+}
+
+variable "cores" {
+  type    = number
+  default = 2
+}
+variable "core_fraction" {
+  type    = number
+  default = 100
+}
+variable "memory" {
+  type    = number
+  default = 2
+}
+variable "disk_size" {
+  type    = number
+  default = 10
+}