authorEgor Tensin <Egor.Tensin@gmail.com>2023-08-09 09:36:56 +0200
committerEgor Tensin <Egor.Tensin@gmail.com>2023-08-09 09:36:56 +0200
commitb89df1a61a2bae8b1f4de4c6d238c9034c2cf326 (patch)
treefb4fd1097c3cdecf66470941a2131c186f563bf7 /yandex
parentadd README.md (diff)
downloadinfra-terraform-b89df1a61a2bae8b1f4de4c6d238c9034c2cf326.tar.gz
infra-terraform-b89df1a61a2bae8b1f4de4c6d238c9034c2cf326.zip
move common config files to etc/
Diffstat (limited to 'yandex')
-rw-r--r--yandex/server/etc/cloud-init.cfg13
-rw-r--r--yandex/server/etc/sshd_config39
-rw-r--r--yandex/server/main.tf4
3 files changed, 2 insertions, 54 deletions
diff --git a/yandex/server/etc/cloud-init.cfg b/yandex/server/etc/cloud-init.cfg
deleted file mode 100644
index 8ed371c..0000000
--- a/yandex/server/etc/cloud-init.cfg
+++ /dev/null
@@ -1,13 +0,0 @@
-#cloud-config
-
-users:
- - name: ${jsonencode(user)}
- lock_passwd: false
- hashed_passwd: '*'
- sudo: ALL=(ALL) NOPASSWD:ALL
- ssh_authorized_keys: ${jsonencode(ssh_keys)}
- shell: /bin/bash
-
-write_files:
- - path: /etc/ssh/sshd_config
- content: ${jsonencode(sshd_config)}
diff --git a/yandex/server/etc/sshd_config b/yandex/server/etc/sshd_config
deleted file mode 100644
index ae08408..0000000
--- a/yandex/server/etc/sshd_config
+++ /dev/null
@@ -1,39 +0,0 @@
-Protocol 2
-Port ${port}
-
-# Drop idle sessions:
-ClientAliveCountMax 3
-ClientAliveInterval 15
-
-# Allow reverse tunnels:
-GatewayPorts yes
-
-# Miscellaneous:
-PrintMotd no
-
-# Hardening.
-# Source: https://infosec.mozilla.org/guidelines/openssh.html
-
-# Only Ed25519:
-HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Only the first choices for ciphers:
-KexAlgorithms curve25519-sha256@libssh.org
-Ciphers chacha20-poly1305@openssh.com
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-
-# No password login:
-PasswordAuthentication no
-AuthenticationMethods publickey
-# Whitelist users:
-PermitRootLogin no
-AllowGroups ${join(" ", users)}
-
-# Log things:
-Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
-
-# Whitelist accepted environment variables:
-AcceptEnv LANG LC_*
-
-# Why the fuck would I need X11 forwarding?
-X11Forwarding no
diff --git a/yandex/server/main.tf b/yandex/server/main.tf
index 12d31d9..b9d4650 100644
--- a/yandex/server/main.tf
+++ b/yandex/server/main.tf
@@ -1,5 +1,5 @@
locals {
- sshd_config = templatefile("${path.module}/etc/sshd_config", {
+ sshd_config = templatefile("${path.module}/../../etc/sshd_config", {
port = var.ssh_port
users = [var.user]
})
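Review bot: The new `templatefile` path escapes the module directory with `../../etc/`, so `yandex/server` now depends on a file that is not part of the module and will fail at plan time if the module is ever sourced on its own or copied elsewhere; a short comment at the top of the block would make that explicit, e.g. `# Shared templates live in the repo-level etc/; this module is not usable standalone.` Relatedly, `port = var.ssh_port` is interpolated unchanged into `Port ${port}` of the shared sshd_config (as seen in the copy deleted by this same commit), and the template is written to the instance on first boot via cloud-init, so an invalid value would produce a config that locks the instance out of SSH; unless variables.tf already constrains it, a `validation` block on `var.ssh_port` limiting it to 1–65535 would be a cheap guard. The `locals` block opened here continues past the end of the hunk.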
@@ -30,7 +30,7 @@ resource "yandex_compute_instance" "this" {
}
metadata = {
- user-data = templatefile("${path.module}/etc/cloud-init.cfg", {
+ user-data = templatefile("${path.module}/../../etc/cloud-init.cfg", {
user = var.user
ssh_keys = var.ssh_keys
sshd_config = local.sshd_config