From 15b9dea7a95765f1f3c09fe0dcb2ea5b5cb669c1 Mon Sep 17 00:00:00 2001 
From: Egor Tensin Date: Fri, 4 Aug 2023 14:18:08 +0200 Subject: import some common modules --- digitalocean/data_volume/main.tf | 16 +++++++++++++ digitalocean/data_volume/outputs.tf | 3 +++ digitalocean/data_volume/providers.tf | 8 +++++++ digitalocean/data_volume/variables.tf | 14 +++++++++++ digitalocean/domain/main.tf | 16 +++++++++++++ digitalocean/domain/providers.tf | 8 +++++++ digitalocean/domain/variables.tf | 10 ++++++++ digitalocean/firewall/main.tf | 34 ++++++++++++++++++++++++++ digitalocean/firewall/providers.tf | 8 +++++++ digitalocean/firewall/variables.tf | 10 ++++++++ digitalocean/server/alerts.tf | 28 ++++++++++++++++++++++ digitalocean/server/etc/cloud-init.cfg | 13 ++++++++++ digitalocean/server/etc/sshd_config | 39 ++++++++++++++++++++++++++++++ digitalocean/server/main.tf | 34 ++++++++++++++++++++++++++ digitalocean/server/outputs.tf | 3 +++ digitalocean/server/providers.tf | 8 +++++++ digitalocean/server/variables.tf | 40 +++++++++++++++++++++++++++++++ s3_state/main.tf | 44 ++++++++++++++++++++++++++++++++++ s3_state/variables.tf | 6 +++++ 19 files changed, 342 insertions(+) create mode 100644 digitalocean/data_volume/main.tf create mode 100644 digitalocean/data_volume/outputs.tf create mode 100644 digitalocean/data_volume/providers.tf create mode 100644 digitalocean/data_volume/variables.tf create mode 100644 digitalocean/domain/main.tf create mode 100644 digitalocean/domain/providers.tf create mode 100644 digitalocean/domain/variables.tf create mode 100644 digitalocean/firewall/main.tf create mode 100644 digitalocean/firewall/providers.tf create mode 100644 digitalocean/firewall/variables.tf create mode 100644 digitalocean/server/alerts.tf create mode 100644 digitalocean/server/etc/cloud-init.cfg create mode 100644 digitalocean/server/etc/sshd_config create mode 100644 digitalocean/server/main.tf create mode 100644 digitalocean/server/outputs.tf create mode 100644 digitalocean/server/providers.tf create mode 100644 
digitalocean/server/variables.tf
create mode 100644 s3_state/main.tf
create mode 100644 s3_state/variables.tf
diff --git a/digitalocean/data_volume/main.tf b/digitalocean/data_volume/main.tf
new file mode 100644
index 0000000..9a58c50
--- /dev/null
+++ b/digitalocean/data_volume/main.tf
@@ -0,0 +1,16 @@
+resource "digitalocean_volume" "this" {
+ region = var.region
+ name = var.name
+ size = var.size
+ initial_filesystem_type = "ext4"
+ initial_filesystem_label = "data"
+
+ lifecycle {
+ prevent_destroy = true
+ }
+}
+
+resource "digitalocean_project_resources" "this" {
+ project = var.project_id
+ resources = [digitalocean_volume.this.urn]
+}
diff --git a/digitalocean/data_volume/outputs.tf b/digitalocean/data_volume/outputs.tf
new file mode 100644
index 0000000..a0393f3
--- /dev/null
+++ b/digitalocean/data_volume/outputs.tf
@@ -0,0 +1,3 @@
+output "volume_id" {
+ value = digitalocean_volume.this.id
+}
diff --git a/digitalocean/data_volume/providers.tf b/digitalocean/data_volume/providers.tf
new file mode 100644
index 0000000..68aba8c
--- /dev/null
+++ b/digitalocean/data_volume/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ digitalocean = {
+ source = "digitalocean/digitalocean"
+ version = "~> 2.0"
+ }
+ }
+}
diff --git a/digitalocean/data_volume/variables.tf b/digitalocean/data_volume/variables.tf
new file mode 100644
index 0000000..2d96a42
--- /dev/null
+++ b/digitalocean/data_volume/variables.tf
@@ -0,0 +1,14 @@
+variable "region" {
+ type = string
+}
+variable "project_id" {
+ type = string
+}
+
+variable "name" {
+ type = string
+}
+variable "size" {
+ type = number
+ default = 10
+}
diff --git a/digitalocean/domain/main.tf b/digitalocean/domain/main.tf
new file mode 100644
index 0000000..a5980ea
--- /dev/null
+++ b/digitalocean/domain/main.tf
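Review bot: None of the `variable` blocks in digitalocean/data_volume/variables.tf carry a `description`, so a caller of the module sees only a name and a type, and `size` in particular is a bare `number` whose unit is not stated. The same gap exists in digitalocean/domain/variables.tf, digitalocean/firewall/variables.tf, digitalocean/server/variables.tf and s3_state/variables.tf. A one-line description per variable fixes it; for `size` something like `description = "Volume size in GiB"` (confirm the unit against the provider docs), and for `project_id` a note that it only feeds `digitalocean_project_resources` in main.tf.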
@@ -0,0 +1,16 @@
+resource "digitalocean_domain" "this" {
+ name = var.name
+}
+
+resource "digitalocean_project_resources" "domain" {
+ project = var.project_id
+ resources = [digitalocean_domain.this.urn]
+}
+
+resource "digitalocean_record" "a" {
+ type = "A"
+ domain = digitalocean_domain.this.id
+ value = var.ip_address
+ name = "@"
+ ttl = 3600
+}
diff --git a/digitalocean/domain/providers.tf b/digitalocean/domain/providers.tf
new file mode 100644
index 0000000..68aba8c
--- /dev/null
+++ b/digitalocean/domain/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ digitalocean = {
+ source = "digitalocean/digitalocean"
+ version = "~> 2.0"
+ }
+ }
+}
diff --git a/digitalocean/domain/variables.tf b/digitalocean/domain/variables.tf
new file mode 100644
index 0000000..bcff122
--- /dev/null
+++ b/digitalocean/domain/variables.tf
@@ -0,0 +1,10 @@
+variable "project_id" {
+ type = string
+}
+
+variable "name" {
+ type = string
+}
+variable "ip_address" {
+ type = string
+}
diff --git a/digitalocean/firewall/main.tf b/digitalocean/firewall/main.tf
new file mode 100644
index 0000000..937a76a
--- /dev/null
+++ b/digitalocean/firewall/main.tf
@@ -0,0 +1,34 @@
+resource "digitalocean_firewall" "this" {
+ name = var.name
+ droplet_ids = var.droplet_ids
+
+ inbound_rule {
+ protocol = "icmp"
+ source_addresses = ["0.0.0.0/0", "::/0"]
+ }
+ outbound_rule {
+ protocol = "icmp"
+ destination_addresses = ["0.0.0.0/0", "::/0"]
+ }
+
+ dynamic "inbound_rule" {
+ for_each = var.open_ports
+
+ content {
+ protocol = "tcp"
+ port_range = inbound_rule.value
+ source_addresses = ["0.0.0.0/0", "::/0"]
+ }
+ }
+
+ outbound_rule {
+ protocol = "tcp"
+ port_range = "1-65535"
+ destination_addresses = ["0.0.0.0/0", "::/0"]
+ }
+ outbound_rule {
+ protocol = "udp"
+ port_range = "1-65535"
+ destination_addresses = ["0.0.0.0/0", "::/0"]
+ }
+}
diff --git a/digitalocean/firewall/providers.tf b/digitalocean/firewall/providers.tf
new file mode 100644
index 0000000..68aba8c
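Review bot: Every rule generated by the `dynamic "inbound_rule"` block in digitalocean/firewall/main.tf hard-codes `source_addresses = ["0.0.0.0/0", "::/0"]`, so with the default `open_ports = ["22"]` from variables.tf the SSH port is reachable from any address and the key-only sshd policy is the only control left. Reading the source list from a variable keeps today's behaviour as the default while letting a caller pin SSH to known admin ranges: `source_addresses = var.source_addresses` inside the `content` block, backed by a `variable "source_addresses"` in variables.tf whose default is `["0.0.0.0/0", "::/0"]`. Separately, `open_ports` defaults to "22" and the server module's `ssh_port` also defaults to "22" as an unrelated variable; a comment on the firewall resource noting that the two must be changed together when a non-default port is used would prevent a lockout.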
--- /dev/null
+++ b/digitalocean/firewall/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ digitalocean = {
+ source = "digitalocean/digitalocean"
+ version = "~> 2.0"
+ }
+ }
+}
diff --git a/digitalocean/firewall/variables.tf b/digitalocean/firewall/variables.tf
new file mode 100644
index 0000000..6512f00
--- /dev/null
+++ b/digitalocean/firewall/variables.tf
@@ -0,0 +1,10 @@
+variable "name" {
+ type = string
+}
+variable "open_ports" {
+ type = list(string)
+ default = ["22"]
+}
+variable "droplet_ids" {
+ type = list(string)
+}
diff --git a/digitalocean/server/alerts.tf b/digitalocean/server/alerts.tf
new file mode 100644
index 0000000..e8a2c19
--- /dev/null
+++ b/digitalocean/server/alerts.tf
@@ -0,0 +1,28 @@
+data "digitalocean_account" "this" {
+}
+
+resource "digitalocean_monitor_alert" "cpu" {
+ alerts {
+ email = [data.digitalocean_account.this.email]
+ }
+ description = "CPU utilization on ${digitalocean_droplet.this.name}"
+ window = "5m"
+ type = "v1/insights/droplet/cpu"
+ compare = "GreaterThan"
+ value = 70
+ enabled = true
+ entities = [digitalocean_droplet.this.id]
+}
+
+resource "digitalocean_monitor_alert" "load1" {
+ alerts {
+ email = [data.digitalocean_account.this.email]
+ }
+ description = "1-min load avg on ${digitalocean_droplet.this.name}"
+ window = "5m"
+ type = "v1/insights/droplet/load_1"
+ compare = "GreaterThan"
+ value = 5
+ enabled = true
+ entities = [digitalocean_droplet.this.id]
+}
diff --git a/digitalocean/server/etc/cloud-init.cfg b/digitalocean/server/etc/cloud-init.cfg
new file mode 100644
index 0000000..8ed371c
--- /dev/null
+++ b/digitalocean/server/etc/cloud-init.cfg
@@ -0,0 +1,13 @@
+#cloud-config
+
+users:
+ - name: ${jsonencode(user)}
+ lock_passwd: false
+ hashed_passwd: '*'
+ sudo: ALL=(ALL) NOPASSWD:ALL
+ ssh_authorized_keys: ${jsonencode(ssh_keys)}
+ shell: /bin/bash
+
+write_files:
+ - path: /etc/ssh/sshd_config
+ content: ${jsonencode(sshd_config)}
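Review bot: The user entry in digitalocean/server/etc/cloud-init.cfg combines `lock_passwd: false`, `hashed_passwd: '*'` and `sudo: ALL=(ALL) NOPASSWD:ALL` without recording why, and a reader can easily take `lock_passwd: false` as enabling password login. A comment above the entry along the lines of `# '*' is not a valid hash, so no password can ever match; lock_passwd stays false presumably to avoid the '!'-locked account state interfering with key-based login (confirm), and sudo is NOPASSWD because the account has no password to type` would capture the intent. The `write_files` entry replaces `/etc/ssh/sshd_config` wholesale; I believe cloud-init writes these files before sshd starts on a fresh droplet, but that ordering is worth confirming in a comment, and an explicit `permissions: '0644'` makes the mode of the generated config deliberate rather than defaulted.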
diff --git a/digitalocean/server/etc/sshd_config b/digitalocean/server/etc/sshd_config
new file mode 100644
index 0000000..ae08408
--- /dev/null
+++ b/digitalocean/server/etc/sshd_config
@@ -0,0 +1,39 @@
+Protocol 2
+Port ${port}
+
+# Drop idle sessions:
+ClientAliveCountMax 3
+ClientAliveInterval 15
+
+# Allow reverse tunnels:
+GatewayPorts yes
+
+# Miscellaneous:
+PrintMotd no
+
+# Hardening.
+# Source: https://infosec.mozilla.org/guidelines/openssh.html
+
+# Only Ed25519:
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Only the first choices for ciphers:
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+
+# No password login:
+PasswordAuthentication no
+AuthenticationMethods publickey
+# Whitelist users:
+PermitRootLogin no
+AllowGroups ${join(" ", users)}
+
+# Log things:
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
+
+# Whitelist accepted environment variables:
+AcceptEnv LANG LC_*
+
+# Why the fuck would I need X11 forwarding?
+X11Forwarding no
diff --git a/digitalocean/server/main.tf b/digitalocean/server/main.tf
new file mode 100644
index 0000000..78298f4
--- /dev/null
+++ b/digitalocean/server/main.tf
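Review bot: `AllowGroups ${join(" ", users)}` in digitalocean/server/etc/sshd_config is fed user names (server/main.tf passes `users = [var.user]`), so login only works if each user's primary group is named after the user; that is the usual Debian `useradd` behaviour, but nothing in the module guarantees it, and `AllowUsers ${join(" ", users)}` states the intent directly. `GatewayPorts yes` lets any user who can log in bind remote-forwarded ports on the droplet's non-loopback addresses; the firewall module bounds the exposure, but `GatewayPorts clientspecified` leaves the choice with the forwarding client, and the `# Allow reverse tunnels:` comment should at least record that the firewall is relied on to limit what becomes reachable. `Protocol 2` is, as far as I know, accepted but ignored by current OpenSSH and could be dropped or commented as legacy.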
@@ -0,0 +1,34 @@
+locals {
+ sshd_config = templatefile("${path.module}/etc/sshd_config", {
+ port = var.ssh_port
+ users = [var.user]
+ })
+}
+
+resource "digitalocean_droplet" "this" {
+ image = var.image
+ name = var.name
+ region = var.region
+ size = var.size
+ monitoring = true
+ ipv6 = false
+ vpc_uuid = var.vpc_id
+ user_data = templatefile("${path.module}/etc/cloud-init.cfg", {
+ user = var.user
+ ssh_keys = var.ssh_keys
+ sshd_config = local.sshd_config
+ })
+ volume_ids = var.volume_ids
+ droplet_agent = false
+ graceful_shutdown = true
+}
+
+resource "digitalocean_project_resources" "this" {
+ project = var.project_id
+ resources = [digitalocean_droplet.this.urn]
+}
+
+resource "digitalocean_floating_ip_assignment" "this" {
+ ip_address = var.ip_address
+ droplet_id = digitalocean_droplet.this.id
+}
diff --git a/digitalocean/server/outputs.tf b/digitalocean/server/outputs.tf
new file mode 100644
index 0000000..3d6a541
--- /dev/null
+++ b/digitalocean/server/outputs.tf
@@ -0,0 +1,3 @@
+output "droplet_id" {
+ value = digitalocean_droplet.this.id
+}
diff --git a/digitalocean/server/providers.tf b/digitalocean/server/providers.tf
new file mode 100644
index 0000000..68aba8c
--- /dev/null
+++ b/digitalocean/server/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ digitalocean = {
+ source = "digitalocean/digitalocean"
+ version = "~> 2.0"
+ }
+ }
+}
diff --git a/digitalocean/server/variables.tf b/digitalocean/server/variables.tf
new file mode 100644
index 0000000..a3620fc
--- /dev/null
+++ b/digitalocean/server/variables.tf
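Review bot: `digitalocean_droplet.this` in digitalocean/server/main.tf sets no `ssh_keys` on the droplet itself and relies on cloud-init to install `var.ssh_keys` for `var.user`; as far as I recall, DigitalOcean then generates a root password and e-mails it to the account owner, which the key-only sshd_config makes unusable over SSH but still leaves in circulation. Passing keys to the droplet's `ssh_keys` argument (DigitalOcean key IDs or fingerprints there rather than key text — confirm) stops that password from being generated; if the e-mailed password is accepted, a comment on the resource should say so. Both `templatefile` calls also bake `var.ssh_port`, `var.user` and `var.ssh_keys` into `user_data`, which I believe is a replace-on-change attribute for this resource, so a comment on `user_data` warning that changing any of them recreates the droplet would help.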
@@ -0,0 +1,40 @@
+variable "region" {
+ type = string
+}
+variable "project_id" {
+ type = string
+}
+
+variable "name" {
+ type = string
+}
+variable "vpc_id" {
+ type = string
+}
+variable "ip_address" {
+ type = string
+}
+variable "volume_ids" {
+ type = list(string)
+ default = []
+}
+
+variable "user" {
+ type = string
+}
+variable "ssh_keys" {
+ type = list(string)
+}
+variable "ssh_port" {
+ type = string
+ default = "22"
+}
+
+variable "image" {
+ type = string
+ default = "debian-12-x64"
+}
+variable "size" {
+ type = string
+ default = "s-1vcpu-2gb"
+}
diff --git a/s3_state/main.tf b/s3_state/main.tf
new file mode 100644
index 0000000..1190892
--- /dev/null
+++ b/s3_state/main.tf
@@ -0,0 +1,44 @@
+resource "aws_s3_bucket" "state" {
+ bucket = var.bucket_name
+
+ lifecycle {
+ prevent_destroy = true
+ }
+}
+
+resource "aws_s3_bucket_versioning" "default" {
+ bucket = aws_s3_bucket.state.id
+
+ versioning_configuration {
+ status = "Enabled"
+ }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
+ bucket = aws_s3_bucket.state.id
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
+}
+
+resource "aws_s3_bucket_public_access_block" "default" {
+ bucket = aws_s3_bucket.state.id
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+resource "aws_dynamodb_table" "locks" {
+ name = var.dynamodb_table_name
+ billing_mode = "PAY_PER_REQUEST"
+ hash_key = "LockID"
+
+ attribute {
+ name = "LockID"
+ type = "S"
+ }
+}
diff --git a/s3_state/variables.tf b/s3_state/variables.tf
new file mode 100644
index 0000000..861b754
--- /dev/null
+++ b/s3_state/variables.tf
@@ -0,0 +1,6 @@
+variable "bucket_name" {
+ type = string
+}
+variable "dynamodb_table_name" {
+ type = string
+}
-- cgit v1.2.3
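Review bot: The state bucket in s3_state/main.tf gets versioning, SSE-S3 and a public-access block but no bucket policy, so nothing refuses plaintext HTTP access to the state objects, which routinely contain credentials and private addresses. An `aws_s3_bucket_policy` that denies every S3 action when `aws:SecureTransport` is false closes that gap without affecting Terraform's own S3 backend, which talks HTTPS. While there, `aws_dynamodb_table.locks` could carry a one-line comment that `LockID` is the hash key name the S3 backend's locking expects, since it reads as an arbitrary choice.
```hcl
# … unchanged: aws_s3_bucket.state, versioning, SSE and public-access-block resources …

# Refuse plaintext HTTP access to the state bucket: state files can carry
# secrets, so only TLS connections may read or write them.
resource "aws_s3_bucket_policy" "tls_only" {
  bucket = aws_s3_bucket.state.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyInsecureTransport"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource = [
        aws_s3_bucket.state.arn,
        "${aws_s3_bucket.state.arn}/*",
      ]
      Condition = {
        Bool = { "aws:SecureTransport" = "false" }
      }
    }]
  })
}

# … unchanged: aws_dynamodb_table.locks …
```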