init push - infra - Terraform IoC for my remote (Hetzner) and local (Incus) servers.
---
DIR commit 1689e2eba4bdb38eac00a4dc51d5f98335431252
HTML Author: Jay Scott <me@jay.scot>
Date: Fri, 27 Jan 2023 22:16:52 +0000
init push
Diffstat:
A .gitignore | 3 +++
A .terraform.lock.hcl | 24 ++++++++++++++++++++++++
A README | 4 ++++
A main.tf | 54 +++++++++++++++++++++++++++++++
A terraform.tfvars | 41 +++++++++++++++++++++++++++++++
A user_data.yml | 58 ++++++++++++++++++++++++++++++
A variables.tf | 25 +++++++++++++++++++++++++
7 files changed, 209 insertions(+), 0 deletions(-)
---
DIR diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,3 @@
+
+.terraform/
+*tfstate*
DIR diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
@@ -0,0 +1,24 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hetznercloud/hcloud" {
+ version = "1.36.2"
+ constraints = "1.36.2"
+ hashes = [
+ "h1:VO/dl+g5NfJd436hmT+9NOMQk6oRU4Z9TSJJJrNlN0M=",
+ "zh:0498ef4209924b30ce7b4a232dd6aee08feab2ebbc90064db699adc10c16707e",
+ "zh:292e3c0c55d320cf164cdd431ee31580dd86f435aec99721597204bab5de3970",
+ "zh:3ce8558658baa7c4b9f1eeb92427665b4b930e5b157fbf352977778c90e11aaa",
+ "zh:46abd0bdeeba46b86832ed31338ad837b584f7b2152f8a9bfa6c3802f481a6da",
+ "zh:5804e71d411577f06abc0986c8c2e475c49042a192efce5936e4d5bdd874fc22",
+ "zh:7cef0782e8198346bfe7b61601e1cf8f2158280a5cf665140b72838545ca3127",
+ "zh:be81782af391ff4cc0859d976637aa00e6fe34061fe4f1df1f5ab5d62ef94f82",
+ "zh:bf2660e70edf758305085698fc9d05306b174b99559cd0f3f61c0b705ba22275",
+ "zh:caf727b0a378dc8c9c3594bbf176865f87aa732077820ff045eb352f5a48aeed",
+ "zh:cf95fc3121b358c7b7b667193ab36b8cb6140e2f6dfbf6f1b4c55b7fec1bb6ef",
+ "zh:d6d3119f8b971e982b6421dfa3b86314ccaeceaf047a3b6505f79e1a30f8301e",
+ "zh:e6f7f65dced2e88e3082c57ddcd118412595678cf3c7289bc7e12c724b3bd892",
+ "zh:f41f59ca511ab1a591d5abdc7f6d32d2e03a1d6087d206a741f95b7b0dd2ea17",
+ "zh:fbe59fbb5f272a6b206a380f6dbf49837b199960dd038afca2e89b11f72fdfda",
+ ]
+}
DIR diff --git a/README b/README
@@ -0,0 +1,4 @@
+bootstrap my cloud servers.
+
+ terraform plan -var="hcloud_token=$HCLOUD_TOKEN"
+ terraform apply -var="hcloud_token=$HCLOUD_TOKEN"
DIR diff --git a/main.tf b/main.tf
@@ -0,0 +1,54 @@
+terraform {
+ required_providers {
+ hcloud = {
+ source = "hetznercloud/hcloud"
+ version = "1.36.2"
+ }
+ }
+}
+
+provider "hcloud" {
+ token = var.hcloud_token
+}
+
+
+resource "hcloud_ssh_key" "this" {
+ name = "main_key"
+ public_key = file("~/.ssh/id_rsa.pub")
+}
+
+
+resource "hcloud_firewall" "this" {
+ name = "firewallrules"
+
+ dynamic "rule" {
+ for_each = var.firewall_rules
+
+ content {
+ description = rule.key
+ direction = rule.value.direction
+ protocol = rule.value.protocol
+ source_ips = rule.value.source_ips
+ port = rule.value.port
+ }
+ }
+}
+
+
+resource "hcloud_server" "nodes" {
+ for_each = var.nodes
+
+ name = each.key
+ image = each.value.image
+ server_type = each.value.server_type
+ location = each.value.location
+ labels = each.value.labels
+ ssh_keys = [hcloud_ssh_key.this.id]
+ user_data = file("user_data.yml")
+ firewall_ids = [hcloud_firewall.this.id]
+
+ public_net {
+ ipv4_enabled = each.value.ipv4
+ ipv6_enabled = each.value.ipv6
+ }
+}
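Review bot: `public_key = file("~/.ssh/id_rsa.pub")` in `hcloud_ssh_key.this` ties the plan to whatever key happens to sit at that path on the operator's machine, and the same key is pasted a second time, verbatim, into `ssh_authorized_keys` in user_data.yml, so the two copies can silently drift apart. I would take the path from a variable with a default (`public_key = file(var.ssh_public_key_path)`) and hand the same value to cloud-init with `user_data = templatefile("user_data.yml", { ssh_key = hcloud_ssh_key.this.public_key })`, so there is one source of truth for the key. The `dynamic "rule"` block only sets `source_ips`, which is fine while every rule in tfvars is `direction = "in"`, but as I recall the provider expects `destination_ips` for `out` rules, so a short comment here (or a `validation` on the variable) should say that outbound rules are not supported by this block as written.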
DIR diff --git a/terraform.tfvars b/terraform.tfvars
@@ -0,0 +1,41 @@
+nodes = {
+ node1 = {
+ image = "debian-11"
+ location = "hel1",
+ server_type = "cx11",
+ ipv4 = true
+ ipv6 = true
+ labels = {
+ services = "git"
+ }
+ }
+}
+
+firewall_rules = {
+ gopher = {
+ direction = "in"
+ protocol = "tcp"
+ source_ips = ["0.0.0.0/0", "::/0"]
+ port = "70"
+ }
+ ssh = {
+ direction = "in"
+ protocol = "tcp"
+ source_ips = ["0.0.0.0/0", "::/0"]
+ port = "22"
+ }
+ git = {
+ direction = "in"
+ protocol = "tcp"
+ source_ips = ["0.0.0.0/0", "::/0"]
+ port = "9418"
+ }
+ fingerd = {
+ direction = "in"
+ protocol = "tcp"
+ source_ips = ["0.0.0.0/0", "::/0"]
+ port = "79"
+ }
+
+
+}
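Review bot: Every inbound rule, including `ssh` on port 22, is open to `0.0.0.0/0` and `::/0`; the sshd hardening in user_data.yml makes that key-only, but nothing here keeps the whole internet from hammering the port. I would narrow `source_ips` on the `ssh` rule to the network(s) you actually administer from, e.g. `source_ips = ["203.0.113.0/24"]`, and leave only the public services (70, 79, 9418) world-reachable. Keep in mind that `fingerd` on 79 deliberately publishes account information to anyone who asks, which matters once more users are added to the box. As far as I know Hetzner's firewall drops anything not listed, so consider an `icmp` rule as well, otherwise ping and path-MTU discovery towards the host are blocked; that rule would carry no `port`, so the variable's `port` attribute would have to become optional.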
DIR diff --git a/user_data.yml b/user_data.yml
@@ -0,0 +1,58 @@
+#cloud-config
+users:
+ - name: jay
+ groups: users
+ sudo: ALL=(ALL) NOPASSWD:ALL
+ shell: /bin/bash
+ ssh_authorized_keys:
+ - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCRWnkYAChsjuT/T/IoENtm8OT18tPereaw6OOqmZ5Kvx2W8wCLL8zaBK1ieYRTeDfNU6cnAEkZdn0B2/twWvDLwyTihkWKa6FxdZ8Pv+4BEDhUS5jpxUhpBbLMOKu1SRTu9cr3jv7CcK90ouMes4d9Mnm76C0yskCBTiXdNKZ0LEYf+7hbRN1UnF9tG+RNHpnqx/3uKSWEjAEwu0lXLzOsJhNZMUXaruoKVohvRS1h9C3CT5SKWjhVX7f0oVWtSt4BhExO9B4lOgfPFZ46Aj+AsFffk2TluQq9ChdJXmSxd6OBRUae4KuX4QykHty9cU+63O45PZp92Ay8Gk5tlSqlFn2DUc4gU68CKcAwQSM018ASQiWou4Gw9Dq8sKa6R1HIi7X3marVJW/wKLu7xFyIiWYddyUGNhuINpj+vx0fk5ET+dE+5i43kM6YVWSAyazyGRhholPFFh7y4+FbdG+lkMnU9ScvnB8j0nTMOptu9HwIAVhVqHK1s+aJgRp4QU= jay@elma.jay.scot
+
+package_update: true
+package_upgrade: true
+
+packages:
+ - openbsd-inetd
+ - efingerd
+ - libgit2-dev
+ - vim
+ - htop
+ - git
+
+runcmd:
+ # SSH config
+ - sed -ie '/^PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
+ - sed -ie '/^PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
+ - sed -ie '/^X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
+ - sed -ie '/^#MaxAuthTries/s/^.*$/MaxAuthTries 2/' /etc/ssh/sshd_config
+ - sed -ie '/^#AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
+ - sed -ie '/^#AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
+ - sed -ie '/^#AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh/authorized_keys/' /etc/ssh/sshd_config
+ - systemctl restart ssh
+ # Git setup
+ - mkdir -p /srv/git
+ - chown -R git:git /srv/git
+ - systemctl enable git-daemon
+ - systemctl start git-daemon
+
+write_files:
+ - content: |
+ [Unit]
+ Description=Start Git Daemon
+
+ [Service]
+ ExecStart=/usr/bin/git daemon --reuseaddr --base-path=/srv/git/ /srv/git/
+
+ Restart=always
+ RestartSec=500ms
+
+ StandardOutput=syslog
+ StandardError=syslog
+ SyslogIdentifier=git-daemon
+
+ User=git
+ Group=git
+
+ [Install]
+ WantedBy=multi-user.target
+ path: /etc/systemd/system/git-daemon.service
+ permissions: '0644'
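Review bot: The `sed -ie` calls in `runcmd` parse as `-i` with backup suffix `e`, so each invocation leaves a stray `/etc/ssh/sshd_confige` behind, and the `PermitRootLogin` / `PasswordAuthentication` / `X11Forwarding` patterns only match lines that are already uncommented, so on an image that ships those directives commented out (Debian's stock file does for at least the first two, as far as I recall) the hardening silently does nothing. Since Debian 11's sshd_config includes `/etc/ssh/sshd_config.d/*.conf` ahead of its own settings and sshd keeps the first value it sees, the settings can be written as a drop-in via `write_files` and `runcmd` reduced to a syntax check plus restart, as sketched below; worth confirming the Hetzner image keeps that `Include` line. Separately, nothing in `users:` creates the `git` account that `chown -R git:git /srv/git` and the unit's `User=git` rely on; unless the image or the `git` package provides one, both will fail, so add a system user (`- name: git`, `system: true`, `shell: /usr/sbin/nologin`). A `systemctl daemon-reload` before `systemctl enable git-daemon` would also be prudent for a unit file that was just dropped in, and `StandardOutput=syslog` / `StandardError=syslog` are deprecated in current systemd in favour of `journal`.

```yaml
write_files:
  - path: /etc/ssh/sshd_config.d/99-hardening.conf
    permissions: '0644'
    content: |
      PermitRootLogin no
      PasswordAuthentication no
      X11Forwarding no
      MaxAuthTries 2
      AllowTcpForwarding no
      AllowAgentForwarding no
      AuthorizedKeysFile .ssh/authorized_keys
  # … unchanged: git-daemon.service unit …

runcmd:
  # SSH config: drop-in above replaces the sed edits; refuse to restart on a bad config
  - sshd -t && systemctl restart ssh
  # … unchanged: git setup …
```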
DIR diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,25 @@
+variable "hcloud_token" {
+ description = "Hetzner cloud personal API token."
+ type = string
+ sensitive = true
+}
+
+variable "nodes" {
+ type = map(object({
+ image = string
+ location = string
+ server_type = string
+ labels = map(any)
+ ipv4 = bool
+ ipv6 = bool
+ }))
+}
+
+variable "firewall_rules" {
+ type = map(object({
+ direction = string
+ protocol = string
+ source_ips = list(any)
+ port = string
+ }))
+}
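Review bot: `hcloud_token` is correctly `sensitive = true`, but the README feeds it in with `-var="hcloud_token=$HCLOUD_TOKEN"`, which puts the token on the command line where it lands in shell history and is visible to `ps`; exporting `TF_VAR_hcloud_token` lets Terraform pick it up without a flag, so I'd say so in the description: `description = "Hetzner cloud API token (set via TF_VAR_hcloud_token rather than -var)."`. The `nodes` and `firewall_rules` types use `map(any)` and `list(any)` where, as far as I know, the provider only accepts strings; `labels = map(string)` and `source_ips = list(string)` would catch a mistyped CIDR at plan time instead of at apply. A `validation` block restricting `direction` to `in`/`out` would do the same for that field.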