-rw-r--r-- | yandex/firewall/main.tf | 25 | ||||
-rw-r--r-- | yandex/firewall/outputs.tf | 3 | ||||
-rw-r--r-- | yandex/firewall/providers.tf | 7 | ||||
-rw-r--r-- | yandex/firewall/variables.tf | 9 | ||||
-rw-r--r-- | yandex/server/etc/cloud-init.cfg | 13 | ||||
-rw-r--r-- | yandex/server/etc/sshd_config | 39 | ||||
-rw-r--r-- | yandex/server/main.tf | 41 | ||||
-rw-r--r-- | yandex/server/providers.tf | 7 | ||||
-rw-r--r-- | yandex/server/variables.tf | 46 |
9 files changed, 190 insertions, 0 deletions
diff --git a/yandex/firewall/main.tf b/yandex/firewall/main.tf
new file mode 100644
index 0000000..81dc26a
--- /dev/null
+++ b/yandex/firewall/main.tf
@@ -0,0 +1,25 @@
+resource "yandex_vpc_security_group" "this" {
+ network_id = var.vpc_id
+
+ name = var.name
+
+ ingress {
+ protocol = "ICMP"
+ v4_cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ dynamic "ingress" {
+ for_each = var.open_ports
+
+ content {
+ protocol = "ANY"
+ v4_cidr_blocks = ["0.0.0.0/0"]
+ port = ingress.value
+ }
+ }
+
+ egress {
+ protocol = "ANY"
+ v4_cidr_blocks = ["0.0.0.0/0"]
+ }
+}
diff --git a/yandex/firewall/outputs.tf b/yandex/firewall/outputs.tf
new file mode 100644
index 0000000..72058aa
--- /dev/null
+++ b/yandex/firewall/outputs.tf
@@ -0,0 +1,3 @@
+output "id" {
+ value = yandex_vpc_security_group.this.id
+}
diff --git a/yandex/firewall/providers.tf b/yandex/firewall/providers.tf
new file mode 100644
index 0000000..3a5782f
--- /dev/null
+++ b/yandex/firewall/providers.tf
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ yandex = {
+ source = "yandex-cloud/yandex"
+ }
+ }
+}
diff --git a/yandex/firewall/variables.tf b/yandex/firewall/variables.tf
new file mode 100644
index 0000000..04e111a
--- /dev/null
+++ b/yandex/firewall/variables.tf
@@ -0,0 +1,9 @@
+variable "name" {
+ type = string
+}
+variable "vpc_id" {
+ type = string
+}
+variable "open_ports" {
+ type = list(number)
+}
diff --git a/yandex/server/etc/cloud-init.cfg b/yandex/server/etc/cloud-init.cfg
new file mode 100644
index 0000000..8ed371c
--- /dev/null
+++ b/yandex/server/etc/cloud-init.cfg
@@ -0,0 +1,13 @@
+#cloud-config
+
+users:
+ - name: ${jsonencode(user)}
+ lock_passwd: false
+ hashed_passwd: '*'
+ sudo: ALL=(ALL) NOPASSWD:ALL
+ ssh_authorized_keys: ${jsonencode(ssh_keys)}
+ shell: /bin/bash
+
+write_files:
+ - path: /etc/ssh/sshd_config
+ content: ${jsonencode(sshd_config)}
diff --git a/yandex/server/etc/sshd_config b/yandex/server/etc/sshd_config
new file mode 100644
index 0000000..ae08408
--- /dev/null
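Review bot: The dynamic ingress block opens every entry of `var.open_ports` with `protocol = "ANY"` from `0.0.0.0/0`, so each listed port is reachable over both TCP and UDP from the whole internet, and the source range is hard-coded in all three rules. Unless non-TCP services are intended, `protocol = "TCP"` is the narrower default, and the source list is better taken from a variable (`v4_cidr_blocks = var.allowed_cidrs`, declared in variables.tf with a default of `["0.0.0.0/0"]` so existing callers keep working) so that admin ports such as SSH can be restricted to known ranges. The egress rule with `protocol = "ANY"` to `0.0.0.0/0` is common but deserves a one-line comment stating that unrestricted egress is intentional.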
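Review bot: `required_providers` names `yandex-cloud/yandex` but gives no `version` constraint, so every `terraform init` resolves to whatever provider release is newest at that moment; the identical block is repeated in yandex/server/providers.tf. A constraint such as `version = "~> X.Y"` (X.Y being the provider version this was tested against) together with a committed `.terraform.lock.hcl` pins both the provider version and its checksums.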
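Review bot: `sudo: ALL=(ALL) NOPASSWD:ALL` gives any holder of one of `ssh_keys` unattended root; since `hashed_passwd: '*'` leaves the account without a usable password, a password-prompting sudo would be unusable, so the trade-off looks deliberate but is not written down — a comment such as `# NOPASSWD is required: the account has no password ('*'), so SSH key possession equals root` would make that explicit. Separately, `write_files` replaces /etc/ssh/sshd_config but nothing restarts sshd; on Debian images cloud-init's write_files stage normally runs before ssh.service starts, so the file probably takes effect on first boot, but that ordering is worth confirming (or adding a `runcmd` restart), because a stale sshd would keep the distro defaults rather than the hardened host-key, cipher and authentication settings.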
+++ b/yandex/server/etc/sshd_config
@@ -0,0 +1,39 @@
+Protocol 2
+Port ${port}
+
+# Drop idle sessions:
+ClientAliveCountMax 3
+ClientAliveInterval 15
+
+# Allow reverse tunnels:
+GatewayPorts yes
+
+# Miscellaneous:
+PrintMotd no
+
+# Hardening.
+# Source: https://infosec.mozilla.org/guidelines/openssh.html
+
+# Only Ed25519:
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Only the first choices for ciphers:
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+
+# No password login:
+PasswordAuthentication no
+AuthenticationMethods publickey
+# Whitelist users:
+PermitRootLogin no
+AllowGroups ${join(" ", users)}
+
+# Log things:
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
+
+# Whitelist accepted environment variables:
+AcceptEnv LANG LC_*
+
+# Why the fuck would I need X11 forwarding?
+X11Forwarding no
diff --git a/yandex/server/main.tf b/yandex/server/main.tf
new file mode 100644
index 0000000..12d31d9
--- /dev/null
+++ b/yandex/server/main.tf
@@ -0,0 +1,41 @@
+locals {
+ sshd_config = templatefile("${path.module}/etc/sshd_config", {
+ port = var.ssh_port
+ users = [var.user]
+ })
+}
+
+resource "yandex_compute_instance" "this" {
+ zone = var.zone
+ name = var.name
+ hostname = var.name
+
+ resources {
+ cores = var.cores
+ core_fraction = var.core_fraction
+ memory = var.memory
+ }
+
+ boot_disk {
+ initialize_params {
+ size = var.disk_size
+ image_id = var.image
+ }
+ }
+
+ network_interface {
+ subnet_id = var.subnet_id
+ nat = true
+ nat_ip_address = var.ip_address
+ }
+
+ metadata = {
+ user-data = templatefile("${path.module}/etc/cloud-init.cfg", {
+ user = var.user
+ ssh_keys = var.ssh_keys
+ sshd_config = local.sshd_config
+ })
+ }
+
+ allow_stopping_for_update = true
+}
diff --git a/yandex/server/providers.tf b/yandex/server/providers.tf
new file mode 100644
index 0000000..3a5782f
--- /dev/null
+++ b/yandex/server/providers.tf
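Review bot: `AllowGroups ${join(" ", users)}` is fed user names (the template receives `users = [var.user]` from main.tf), but the directive matches group names; this only restricts logins as intended if cloud-init creates a primary group named after the user, which is the usual Debian behaviour but is stated nowhere. `AllowUsers ${join(" ", users)}` matches what the template is actually given, or set an explicit `primary_group` for the user in cloud-init.cfg so the assumption is written down. Separately, `GatewayPorts yes` binds remote-forwarded ports on all interfaces of a host that main.tf exposes with `nat = true`, so any reverse tunnel a user opens is reachable from the public address; `GatewayPorts clientspecified` leaves that decision to the client per tunnel. The comment `# Drop idle sessions:` above the ClientAlive* options overstates them — they drop clients that stop answering keepalives, not idle ones; `# Drop unresponsive clients:` is accurate.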
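Review bot: `network_interface` sets `nat = true` with a public `nat_ip_address` but passes no `security_group_ids`, so the security group built by the yandex/firewall module is not attached to this instance by anything in this commit; unless the caller wires it in some other way, the host relies on whatever the subnet or network applies by default. Adding `security_group_ids = var.security_group_ids` to the network_interface block (with a `list(string)` variable defaulting to `[]` in variables.tf) lets callers pass the firewall module's `id` output. The `locals` and resource blocks are complete within the hunk.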
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ yandex = {
+ source = "yandex-cloud/yandex"
+ }
+ }
+}
diff --git a/yandex/server/variables.tf b/yandex/server/variables.tf
new file mode 100644
index 0000000..0fca4cb
--- /dev/null
+++ b/yandex/server/variables.tf
@@ -0,0 +1,46 @@
+variable "zone" {
+ type = string
+}
+
+variable "name" {
+ type = string
+}
+variable "image" {
+ type = string
+ # Debian 11
+ default = "fd8sqojvm458b3jr5nfd"
+}
+variable "subnet_id" {
+ type = string
+}
+variable "ip_address" {
+ type = string
+}
+
+variable "user" {
+ type = string
+}
+variable "ssh_keys" {
+ type = list(string)
+}
+variable "ssh_port" {
+ type = string
+ default = "22"
+}
+
+variable "cores" {
+ type = number
+ default = 2
+}
+variable "core_fraction" {
+ type = number
+ default = 100
+}
+variable "memory" {
+ type = number
+ default = 2
+}
+variable "disk_size" {
+ type = number
+ default = 10
+}
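Review bot: `ssh_port` is declared `type = string` with `default = "22"` although its only use is `Port ${port}` in the sshd_config template; `type = number` with `default = 22` gets Terraform's type check for free and renders the same text. None of the variables carries a `description`, and the image id pinned under `# Debian 11` has no documented way to be refreshed for security updates — a note on where the id came from and how to update it, or a `yandex_compute_image` data source selected by family, would keep the base image current. The server providers.tf hunk at the top of this line repeats the firewall one and has the same missing `version` constraint.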