From 0e87875de0f5bbbade1ad3515c72abaadbe46204 Mon Sep 17 00:00:00 2001 From: Egor Tensin Date: Fri, 4 Aug 2023 14:31:08 +0200 Subject: import a couple of Yandex Cloud moduels --- yandex/server/etc/cloud-init.cfg | 13 ++++++++++++ yandex/server/etc/sshd_config | 39 ++++++++++++++++++++++++++++++++++ yandex/server/main.tf | 41 +++++++++++++++++++++++++++++++++++ yandex/server/providers.tf | 7 ++++++ yandex/server/variables.tf | 46 ++++++++++++++++++++++++++++++++++++++++ 5 files changed, 146 insertions(+) create mode 100644 yandex/server/etc/cloud-init.cfg create mode 100644 yandex/server/etc/sshd_config create mode 100644 yandex/server/main.tf create mode 100644 yandex/server/providers.tf create mode 100644 yandex/server/variables.tf (limited to 'yandex/server') diff --git a/yandex/server/etc/cloud-init.cfg b/yandex/server/etc/cloud-init.cfg new file mode 100644 index 0000000..8ed371c --- /dev/null +++ b/yandex/server/etc/cloud-init.cfg @@ -0,0 +1,13 @@ +#cloud-config + +users: + - name: ${jsonencode(user)} + lock_passwd: false + hashed_passwd: '*' + sudo: ALL=(ALL) NOPASSWD:ALL + ssh_authorized_keys: ${jsonencode(ssh_keys)} + shell: /bin/bash + +write_files: + - path: /etc/ssh/sshd_config + content: ${jsonencode(sshd_config)} diff --git a/yandex/server/etc/sshd_config b/yandex/server/etc/sshd_config new file mode 100644 index 0000000..ae08408 --- /dev/null +++ b/yandex/server/etc/sshd_config @@ -0,0 +1,39 @@ +Protocol 2 +Port ${port} + +# Drop idle sessions: +ClientAliveCountMax 3 +ClientAliveInterval 15 + +# Allow reverse tunnels: +GatewayPorts yes + +# Miscellaneous: +PrintMotd no + +# Hardening. +# Source: https://infosec.mozilla.org/guidelines/openssh.html + +# Only Ed25519: +HostKey /etc/ssh/ssh_host_ed25519_key + +# Only the first choices for ciphers: +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com + +# No password login: +PasswordAuthentication no +AuthenticationMethods publickey +# Whitelist users: +PermitRootLogin no +AllowGroups ${join(" ", users)} + +# Log things: +Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO + +# Whitelist accepted environment variables: +AcceptEnv LANG LC_* + +# Why the fuck would I need X11 forwarding? +X11Forwarding no diff --git a/yandex/server/main.tf b/yandex/server/main.tf new file mode 100644 index 0000000..12d31d9 --- /dev/null +++ b/yandex/server/main.tf @@ -0,0 +1,41 @@ +locals { + sshd_config = templatefile("${path.module}/etc/sshd_config", { + port = var.ssh_port + users = [var.user] + }) +} + +resource "yandex_compute_instance" "this" { + zone = var.zone + name = var.name + hostname = var.name + + resources { + cores = var.cores + core_fraction = var.core_fraction + memory = var.memory + } + + boot_disk { + initialize_params { + size = var.disk_size + image_id = var.image + } + } + + network_interface { + subnet_id = var.subnet_id + nat = true + nat_ip_address = var.ip_address + } + + metadata = { + user-data = templatefile("${path.module}/etc/cloud-init.cfg", { + user = var.user + ssh_keys = var.ssh_keys + sshd_config = local.sshd_config + }) + } + + allow_stopping_for_update = true +} diff --git a/yandex/server/providers.tf b/yandex/server/providers.tf new file mode 100644 index 0000000..3a5782f --- /dev/null +++ b/yandex/server/providers.tf @@ -0,0 +1,7 @@ +terraform { + required_providers { + yandex = { + source = "yandex-cloud/yandex" + } + } +} diff --git a/yandex/server/variables.tf b/yandex/server/variables.tf new file mode 100644 index 0000000..0fca4cb --- /dev/null +++ b/yandex/server/variables.tf @@ -0,0 +1,46 @@ +variable "zone" { + type = string +} + +variable "name" { + type = string +} +variable "image" { + type = string + # Debian 11 + default = "fd8sqojvm458b3jr5nfd" +} +variable "subnet_id" { + type = string +} +variable "ip_address" { + type = string +} + +variable "user" { + type = string +} +variable "ssh_keys" { + type = list(string) +} +variable "ssh_port" { + type = string + default = "22" +} + +variable "cores" { + type = number + default = 2 +} +variable "core_fraction" { + type = number + default = 100 +} +variable "memory" { + type = number + default = 2 +} +variable "disk_size" { + type = number + default = 10 +} -- cgit v1.2.3