diff options
author | Egor Tensin <Egor.Tensin@gmail.com> | 2023-08-04 14:18:08 +0200 |
---|---|---|
committer | Egor Tensin <Egor.Tensin@gmail.com> | 2023-08-04 14:18:08 +0200 |
commit | 15b9dea7a95765f1f3c09fe0dcb2ea5b5cb669c1 (patch) | |
tree | c0c192e00c419ade1779ae62b3aed91bbb3e8778 /digitalocean/server | |
parent | initial commit (diff) | |
download | infra-terraform-15b9dea7a95765f1f3c09fe0dcb2ea5b5cb669c1.tar.gz infra-terraform-15b9dea7a95765f1f3c09fe0dcb2ea5b5cb669c1.zip |
import some common modulesv0.0.1
Diffstat (limited to '')
-rw-r--r-- | digitalocean/server/alerts.tf | 28 | ||||
-rw-r--r-- | digitalocean/server/etc/cloud-init.cfg | 13 | ||||
-rw-r--r-- | digitalocean/server/etc/sshd_config | 39 | ||||
-rw-r--r-- | digitalocean/server/main.tf | 34 | ||||
-rw-r--r-- | digitalocean/server/outputs.tf | 3 | ||||
-rw-r--r-- | digitalocean/server/providers.tf | 8 | ||||
-rw-r--r-- | digitalocean/server/variables.tf | 40 |
7 files changed, 165 insertions, 0 deletions
diff --git a/digitalocean/server/alerts.tf b/digitalocean/server/alerts.tf new file mode 100644 index 0000000..e8a2c19 --- /dev/null +++ b/digitalocean/server/alerts.tf @@ -0,0 +1,28 @@ +data "digitalocean_account" "this" { +} + +resource "digitalocean_monitor_alert" "cpu" { + alerts { + email = [data.digitalocean_account.this.email] + } + description = "CPU utilization on ${digitalocean_droplet.this.name}" + window = "5m" + type = "v1/insights/droplet/cpu" + compare = "GreaterThan" + value = 70 + enabled = true + entities = [digitalocean_droplet.this.id] +} + +resource "digitalocean_monitor_alert" "load1" { + alerts { + email = [data.digitalocean_account.this.email] + } + description = "1-min load avg on ${digitalocean_droplet.this.name}" + window = "5m" + type = "v1/insights/droplet/load_1" + compare = "GreaterThan" + value = 5 + enabled = true + entities = [digitalocean_droplet.this.id] +} diff --git a/digitalocean/server/etc/cloud-init.cfg b/digitalocean/server/etc/cloud-init.cfg new file mode 100644 index 0000000..8ed371c --- /dev/null +++ b/digitalocean/server/etc/cloud-init.cfg @@ -0,0 +1,13 @@ +#cloud-config + +users: + - name: ${jsonencode(user)} + lock_passwd: false + hashed_passwd: '*' + sudo: ALL=(ALL) NOPASSWD:ALL + ssh_authorized_keys: ${jsonencode(ssh_keys)} + shell: /bin/bash + +write_files: + - path: /etc/ssh/sshd_config + content: ${jsonencode(sshd_config)} diff --git a/digitalocean/server/etc/sshd_config b/digitalocean/server/etc/sshd_config new file mode 100644 index 0000000..ae08408 --- /dev/null +++ b/digitalocean/server/etc/sshd_config @@ -0,0 +1,39 @@ +Protocol 2 +Port ${port} + +# Drop idle sessions: +ClientAliveCountMax 3 +ClientAliveInterval 15 + +# Allow reverse tunnels: +GatewayPorts yes + +# Miscellaneous: +PrintMotd no + +# Hardening. +# Source: https://infosec.mozilla.org/guidelines/openssh.html + +# Only Ed25519: +HostKey /etc/ssh/ssh_host_ed25519_key + +# Only the first choices for ciphers: +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com + +# No password login: +PasswordAuthentication no +AuthenticationMethods publickey +# Whitelist users: +PermitRootLogin no +AllowGroups ${join(" ", users)} + +# Log things: +Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO + +# Whitelist accepted environment variables: +AcceptEnv LANG LC_* + +# Why the fuck would I need X11 forwarding? +X11Forwarding no diff --git a/digitalocean/server/main.tf b/digitalocean/server/main.tf new file mode 100644 index 0000000..78298f4 --- /dev/null +++ b/digitalocean/server/main.tf @@ -0,0 +1,34 @@ +locals { + sshd_config = templatefile("${path.module}/etc/sshd_config", { + port = var.ssh_port + users = [var.user] + }) +} + +resource "digitalocean_droplet" "this" { + image = var.image + name = var.name + region = var.region + size = var.size + monitoring = true + ipv6 = false + vpc_uuid = var.vpc_id + user_data = templatefile("${path.module}/etc/cloud-init.cfg", { + user = var.user + ssh_keys = var.ssh_keys + sshd_config = local.sshd_config + }) + volume_ids = var.volume_ids + droplet_agent = false + graceful_shutdown = true +} + +resource "digitalocean_project_resources" "this" { + project = var.project_id + resources = [digitalocean_droplet.this.urn] +} + +resource "digitalocean_floating_ip_assignment" "this" { + ip_address = var.ip_address + droplet_id = digitalocean_droplet.this.id +} diff --git a/digitalocean/server/outputs.tf b/digitalocean/server/outputs.tf new file mode 100644 index 0000000..3d6a541 --- /dev/null +++ b/digitalocean/server/outputs.tf @@ -0,0 +1,3 @@ +output "droplet_id" { + value = digitalocean_droplet.this.id +} diff --git a/digitalocean/server/providers.tf b/digitalocean/server/providers.tf new file mode 100644 index 0000000..68aba8c --- /dev/null +++ b/digitalocean/server/providers.tf @@ -0,0 +1,8 @@ +terraform { + required_providers { + digitalocean = { + source = "digitalocean/digitalocean" + version = "~> 2.0" + } + } +} diff --git a/digitalocean/server/variables.tf b/digitalocean/server/variables.tf new file mode 100644 index 0000000..a3620fc --- /dev/null +++ b/digitalocean/server/variables.tf @@ -0,0 +1,40 @@ +variable "region" { + type = string +} +variable "project_id" { + type = string +} + +variable "name" { + type = string +} +variable "vpc_id" { + type = string +} +variable "ip_address" { + type = string +} +variable "volume_ids" { + type = list(string) + default = [] +} + +variable "user" { + type = string +} +variable "ssh_keys" { + type = list(string) +} +variable "ssh_port" { + type = string + default = "22" +} + +variable "image" { + type = string + default = "debian-12-x64" +} +variable "size" { + type = string + default = "s-1vcpu-2gb" +} |