aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/digitalocean/server
diff options
context:
space:
mode:
authorEgor Tensin <Egor.Tensin@gmail.com>2023-08-04 14:18:08 +0200
committerEgor Tensin <Egor.Tensin@gmail.com>2023-08-04 14:18:08 +0200
commit15b9dea7a95765f1f3c09fe0dcb2ea5b5cb669c1 (patch)
treec0c192e00c419ade1779ae62b3aed91bbb3e8778 /digitalocean/server
parentinitial commit (diff)
downloadinfra-terraform-15b9dea7a95765f1f3c09fe0dcb2ea5b5cb669c1.tar.gz
infra-terraform-15b9dea7a95765f1f3c09fe0dcb2ea5b5cb669c1.zip
import some common modulesv0.0.1
Diffstat (limited to '')
-rw-r--r--digitalocean/server/alerts.tf28
-rw-r--r--digitalocean/server/etc/cloud-init.cfg13
-rw-r--r--digitalocean/server/etc/sshd_config39
-rw-r--r--digitalocean/server/main.tf34
-rw-r--r--digitalocean/server/outputs.tf3
-rw-r--r--digitalocean/server/providers.tf8
-rw-r--r--digitalocean/server/variables.tf40
7 files changed, 165 insertions, 0 deletions
diff --git a/digitalocean/server/alerts.tf b/digitalocean/server/alerts.tf
new file mode 100644
index 0000000..e8a2c19
--- /dev/null
+++ b/digitalocean/server/alerts.tf
@@ -0,0 +1,28 @@
+data "digitalocean_account" "this" {
+}
+
+resource "digitalocean_monitor_alert" "cpu" {
+ alerts {
+ email = [data.digitalocean_account.this.email]
+ }
+ description = "CPU utilization on ${digitalocean_droplet.this.name}"
+ window = "5m"
+ type = "v1/insights/droplet/cpu"
+ compare = "GreaterThan"
+ value = 70
+ enabled = true
+ entities = [digitalocean_droplet.this.id]
+}
+
+resource "digitalocean_monitor_alert" "load1" {
+ alerts {
+ email = [data.digitalocean_account.this.email]
+ }
+ description = "1-min load avg on ${digitalocean_droplet.this.name}"
+ window = "5m"
+ type = "v1/insights/droplet/load_1"
+ compare = "GreaterThan"
+ value = 5
+ enabled = true
+ entities = [digitalocean_droplet.this.id]
+}
diff --git a/digitalocean/server/etc/cloud-init.cfg b/digitalocean/server/etc/cloud-init.cfg
new file mode 100644
index 0000000..8ed371c
--- /dev/null
+++ b/digitalocean/server/etc/cloud-init.cfg
@@ -0,0 +1,13 @@
+#cloud-config
+
+users:
+ - name: ${jsonencode(user)}
+ lock_passwd: false
+ hashed_passwd: '*'
+ sudo: ALL=(ALL) NOPASSWD:ALL
+ ssh_authorized_keys: ${jsonencode(ssh_keys)}
+ shell: /bin/bash
+
+write_files:
+ - path: /etc/ssh/sshd_config
+ content: ${jsonencode(sshd_config)}
diff --git a/digitalocean/server/etc/sshd_config b/digitalocean/server/etc/sshd_config
new file mode 100644
index 0000000..ae08408
--- /dev/null
+++ b/digitalocean/server/etc/sshd_config
@@ -0,0 +1,39 @@
+Protocol 2
+Port ${port}
+
+# Drop idle sessions:
+ClientAliveCountMax 3
+ClientAliveInterval 15
+
+# Allow reverse tunnels:
+GatewayPorts yes
+
+# Miscellaneous:
+PrintMotd no
+
+# Hardening.
+# Source: https://infosec.mozilla.org/guidelines/openssh.html
+
+# Only Ed25519:
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Only the first choices for ciphers:
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+
+# No password login:
+PasswordAuthentication no
+AuthenticationMethods publickey
+# Whitelist users:
+PermitRootLogin no
+AllowGroups ${join(" ", users)}
+
+# Log things:
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
+
+# Whitelist accepted environment variables:
+AcceptEnv LANG LC_*
+
+# Why the fuck would I need X11 forwarding?
+X11Forwarding no
diff --git a/digitalocean/server/main.tf b/digitalocean/server/main.tf
new file mode 100644
index 0000000..78298f4
--- /dev/null
+++ b/digitalocean/server/main.tf
@@ -0,0 +1,34 @@
+locals {
+ sshd_config = templatefile("${path.module}/etc/sshd_config", {
+ port = var.ssh_port
+ users = [var.user]
+ })
+}
+
+resource "digitalocean_droplet" "this" {
+ image = var.image
+ name = var.name
+ region = var.region
+ size = var.size
+ monitoring = true
+ ipv6 = false
+ vpc_uuid = var.vpc_id
+ user_data = templatefile("${path.module}/etc/cloud-init.cfg", {
+ user = var.user
+ ssh_keys = var.ssh_keys
+ sshd_config = local.sshd_config
+ })
+ volume_ids = var.volume_ids
+ droplet_agent = false
+ graceful_shutdown = true
+}
+
+resource "digitalocean_project_resources" "this" {
+ project = var.project_id
+ resources = [digitalocean_droplet.this.urn]
+}
+
+resource "digitalocean_floating_ip_assignment" "this" {
+ ip_address = var.ip_address
+ droplet_id = digitalocean_droplet.this.id
+}
diff --git a/digitalocean/server/outputs.tf b/digitalocean/server/outputs.tf
new file mode 100644
index 0000000..3d6a541
--- /dev/null
+++ b/digitalocean/server/outputs.tf
@@ -0,0 +1,3 @@
+output "droplet_id" {
+ value = digitalocean_droplet.this.id
+}
diff --git a/digitalocean/server/providers.tf b/digitalocean/server/providers.tf
new file mode 100644
index 0000000..68aba8c
--- /dev/null
+++ b/digitalocean/server/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ digitalocean = {
+ source = "digitalocean/digitalocean"
+ version = "~> 2.0"
+ }
+ }
+}
diff --git a/digitalocean/server/variables.tf b/digitalocean/server/variables.tf
new file mode 100644
index 0000000..a3620fc
--- /dev/null
+++ b/digitalocean/server/variables.tf
@@ -0,0 +1,40 @@
+variable "region" {
+ type = string
+}
+variable "project_id" {
+ type = string
+}
+
+variable "name" {
+ type = string
+}
+variable "vpc_id" {
+ type = string
+}
+variable "ip_address" {
+ type = string
+}
+variable "volume_ids" {
+ type = list(string)
+ default = []
+}
+
+variable "user" {
+ type = string
+}
+variable "ssh_keys" {
+ type = list(string)
+}
+variable "ssh_port" {
+ type = string
+ default = "22"
+}
+
+variable "image" {
+ type = string
+ default = "debian-12-x64"
+}
+variable "size" {
+ type = string
+ default = "s-1vcpu-2gb"
+}