diff options
author | Egor Tensin <Egor.Tensin@gmail.com> | 2023-08-09 09:36:56 +0200 |
---|---|---|
committer | Egor Tensin <Egor.Tensin@gmail.com> | 2023-08-09 09:36:56 +0200 |
commit | b89df1a61a2bae8b1f4de4c6d238c9034c2cf326 (patch) | |
tree | fb4fd1097c3cdecf66470941a2131c186f563bf7 /yandex | |
parent | add README.md (diff) | |
download | infra-terraform-b89df1a61a2bae8b1f4de4c6d238c9034c2cf326.tar.gz infra-terraform-b89df1a61a2bae8b1f4de4c6d238c9034c2cf326.zip |
move common config files to etc/
Diffstat (limited to '')
-rw-r--r-- | yandex/server/etc/cloud-init.cfg | 13 | ||||
-rw-r--r-- | yandex/server/etc/sshd_config | 39 | ||||
-rw-r--r-- | yandex/server/main.tf | 4 |
3 files changed, 2 insertions, 54 deletions
diff --git a/yandex/server/etc/cloud-init.cfg b/yandex/server/etc/cloud-init.cfg deleted file mode 100644 index 8ed371c..0000000 --- a/yandex/server/etc/cloud-init.cfg +++ /dev/null @@ -1,13 +0,0 @@ -#cloud-config - -users: - - name: ${jsonencode(user)} - lock_passwd: false - hashed_passwd: '*' - sudo: ALL=(ALL) NOPASSWD:ALL - ssh_authorized_keys: ${jsonencode(ssh_keys)} - shell: /bin/bash - -write_files: - - path: /etc/ssh/sshd_config - content: ${jsonencode(sshd_config)} diff --git a/yandex/server/etc/sshd_config b/yandex/server/etc/sshd_config deleted file mode 100644 index ae08408..0000000 --- a/yandex/server/etc/sshd_config +++ /dev/null @@ -1,39 +0,0 @@ -Protocol 2 -Port ${port} - -# Drop idle sessions: -ClientAliveCountMax 3 -ClientAliveInterval 15 - -# Allow reverse tunnels: -GatewayPorts yes - -# Miscellaneous: -PrintMotd no - -# Hardening. -# Source: https://infosec.mozilla.org/guidelines/openssh.html - -# Only Ed25519: -HostKey /etc/ssh/ssh_host_ed25519_key - -# Only the first choices for ciphers: -KexAlgorithms curve25519-sha256@libssh.org -Ciphers chacha20-poly1305@openssh.com -MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com - -# No password login: -PasswordAuthentication no -AuthenticationMethods publickey -# Whitelist users: -PermitRootLogin no -AllowGroups ${join(" ", users)} - -# Log things: -Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO - -# Whitelist accepted environment variables: -AcceptEnv LANG LC_* - -# Why the fuck would I need X11 forwarding? -X11Forwarding no diff --git a/yandex/server/main.tf b/yandex/server/main.tf index 12d31d9..b9d4650 100644 --- a/yandex/server/main.tf +++ b/yandex/server/main.tf @@ -1,5 +1,5 @@ locals { - sshd_config = templatefile("${path.module}/etc/sshd_config", { + sshd_config = templatefile("${path.module}/../../etc/sshd_config", { port = var.ssh_port users = [var.user] }) @@ -30,7 +30,7 @@ resource "yandex_compute_instance" "this" { } metadata = { - user-data = templatefile("${path.module}/etc/cloud-init.cfg", { + user-data = templatefile("${path.module}/../../etc/cloud-init.cfg", { user = var.user ssh_keys = var.ssh_keys sshd_config = local.sshd_config |