From 308fe73938357b245cd5fec05821e4d46618cc3f Mon Sep 17 00:00:00 2001
From: Tine
Date: Mon, 11 Nov 2024 21:31:32 +0100
Subject: [PATCH] feat: provision tailscale key for unintended provisioning

---
 README.md | 2 +-
 install.sh | 45 ++++++++++++++++++++++++++++++-----
 justfile | 5 +---
 root/etc/nginx/nginx.conf | 18 +++++++-------
 terraform/.terraform.lock.hcl | 22 +++++++++++++++++
 terraform/node.tf | 18 +++++++++++++-
 terraform/terraform.tf | 8 +++++++
 terraform/variables.tf | 5 ++++
 8 files changed, 102 insertions(+), 21 deletions(-)

diff --git a/README.md b/README.md
index 4f1468b..efe24b5 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,3 @@
 # ingress
 
-Handling all Ingress traffic
\ No newline at end of file
+Handling all Ingress traffic
diff --git a/install.sh b/install.sh
index aa0af93..edddb04 100755
--- a/install.sh
+++ b/install.sh
@@ -21,6 +21,8 @@ CLOUD_REGION="$(hostname -s)"
 SERVICE_ACCOUNT_USERNAME=$(jq -r ".service_account.username" /etc/tjo.cloud/meta.json)
 SERVICE_ACCOUNT_PASSWORD=$(jq -r ".service_account.password" /etc/tjo.cloud/meta.json)
 
+TAILSCALE_AUTH_KEY=$(jq -r ".tailscale.auth_key" /etc/tjo.cloud/meta.json)
+
 ##
 # Dependencies
 apt update -y
@@ -28,6 +30,7 @@ apt update -y
 apt install -y \
 gpg \
 git \
+ ufw \
 nginx \
 nginx-extras \
 libnginx-mod-http-geoip2 \
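Review bot: `jq -r ".tailscale.auth_key"` on the new TAILSCALE_AUTH_KEY line yields the literal string `null` when meta.json has no tailscale block (any node provisioned before this change), so the later `tailscale up` would be handed `--authkey=null` and fail far from the cause; `TAILSCALE_AUTH_KEY=$(jq -e -r ".tailscale.auth_key" /etc/tjo.cloud/meta.json) || { echo "tailscale.auth_key missing from /etc/tjo.cloud/meta.json" >&2; exit 1; }` fails fast, since `jq -e` exits non-zero on null. The two service-account lines above it have the same weakness, though this hunk leaves them untouched. meta.json now carries a tailnet enrolment key next to the service-account password, so it is worth confirming (not visible here) that the file is root-owned and not world-readable on the node.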
@@ -69,12 +72,42 @@ systemctl reload alloy
 
 ##
 # Configure Tailscale
-tailscale up \
- --ssh=true \
- --accept-routes=true \
- --accept-dns=false \
- --advertise-tags="tag:ingress-tjo-cloud" \
- --hostname="$(hostname -f | sed 's/\./-/g')"
+if tailscale status --json | jq -e -r '.BackendState != "Running"'; then
+ tailscale up \
+ --ssh=true \
+ --accept-routes=true \
+ --accept-dns=false \
+ --advertise-tags="tag:ingress-tjo-cloud" \
+ --hostname="$(hostname -f | sed 's/\./-/g')" \
+ --authkey="${TAILSCALE_AUTH_KEY}"
+fi
+
+##
+# Configure SSH
+cat </etc/ssh/sshd_config.d/port-2222.conf
+Port 2222
+EOF
+systemctl restart ssh
+
+##
+# Configure UFW
+# Should basically match nginx.conf
+ufw default deny incoming
+ufw default allow outgoing
+
+ufw allow in on tailscale0
+
+ufw allow 22 # GIT
+ufw allow 25 # EMAIL
+ufw allow 143 # EMAIL
+ufw allow 443 # HTTPS
+ufw allow 465 # EMAIL
+ufw allow 587 # EMAIL
+ufw allow 993 # EMAIL
+ufw allow 4190 # EMAIL
+
+ufw --force enable
+systemctl enable ufw
 
 ##
 # Configure NGINX
diff --git a/justfile b/justfile
index 9e397ea..986ad97 100644
--- a/justfile
+++ b/justfile
@@ -61,10 +61,7 @@ provision:
 for NODE in $NODES
 do
 echo "Provisioning node ${NODE}"
-
- ssh ubuntu@${NODE} 'sudo rm -rf /srv && sudo mkdir /srv && sudo chown ubuntu:ubuntu /srv'
-
- cat install.sh | ssh ubuntu@${NODE} 'sudo bash -s'
+ cat install.sh | ssh -p 2222 ubuntu@${NODE} 'sudo bash -s'
 done
 
 list-servers:
diff --git a/root/etc/nginx/nginx.conf b/root/etc/nginx/nginx.conf
index 4ba32e5..457bfad 100644
--- a/root/etc/nginx/nginx.conf
+++ b/root/etc/nginx/nginx.conf
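Review bot: `--authkey="${TAILSCALE_AUTH_KEY}"` places the tailnet enrolment key on the tailscale command line, where any local user can read it from the process list for as long as the command runs (and it is echoed if the script is ever run under `set -x`); newer tailscale CLIs accept `--authkey=file:/path`, so writing the key to a root-only file first and passing that path keeps it out of argv — worth checking against the CLI version the apt repository installs. As rendered here the SSH block reads `cat </etc/ssh/sshd_config.d/port-2222.conf`, which looks like the heredoc `cat <<EOF >/etc/ssh/sshd_config.d/port-2222.conf` lost its `<<EOF >` in transit; if the committed file really contains `cat <`, the script stops there on a nonexistent file before any ufw rule is applied, so please verify the actual file. After this hunk sshd listens only on 2222 and ufw admits 2222 only on tailscale0, so a failed `tailscale up` (bad or expired key) leaves the node reachable only from the console; checking `tailscale status` once more after `tailscale up` and aborting before the sshd/ufw changes if the backend is still not Running would keep the old access path open on failure. The `BackendState` guard on the first added line is a sound idempotency check, though note that `tailscale status --json` failing outright (daemon not running) makes jq exit non-zero and silently skips `tailscale up`.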
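Review bot: `ssh -p 2222` assumes sshd has already been moved by install.sh, but a freshly created node still listens on 22 until that script has run on it, so the first `provision` against a new node cannot connect; either fall back (`cat install.sh | ssh -p 2222 ubuntu@${NODE} 'sudo bash -s' || cat install.sh | ssh -p 22 ubuntu@${NODE} 'sudo bash -s'`) or finish the cloud-init `runcmd` path that node.tf leaves commented out, so the recipe never needs the old port. With the ufw rules install.sh now applies, 2222 is only admitted on tailscale0, so `${NODE}` presumably has to resolve to the node's tailnet address rather than its public one — a one-line comment on the recipe saying so would save the next person a timeout. The `provision` recipe continues outside the hunk.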
@@ -96,14 +96,14 @@ stream {
 }
 
 # GIT
- #server {
- # listen 0.0.0.0:22;
- # listen [::]:22;
- # proxy_pass batuu.system.tjo.cloud:22;
- # proxy_protocol on;
- # include /etc/nginx/partials/server.conf;
- # include /etc/nginx/partials/blocked.conf;
- #}
+ server {
+ listen 0.0.0.0:22;
+ listen [::]:22;
+ proxy_pass batuu.system.tjo.cloud:22;
+ proxy_protocol off; # Configure downstream first.
+ include /etc/nginx/partials/server.conf;
+ include /etc/nginx/partials/blocked.conf;
+ }
 
 # EMAIL
 server {
@@ -120,7 +120,7 @@ stream {
 listen 0.0.0.0:4190;
 listen [::]:4190;
 proxy_pass mail.system.tjo.cloud:$server_port;
- proxy_protocol on;
+ proxy_protocol off; # Configure downstream first.
 include /etc/nginx/partials/server.conf;
 include /etc/nginx/partials/blocked.conf;
 }
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
index 063a06e..1c53f99 100644
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
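Review bot: With `proxy_protocol off` on the new port-22 stream block (and the same switch in the 4190 hunk below), the git and mail upstreams see every connection as coming from this ingress node, so any per-source rate limiting, fail2ban-style banning or login auditing on `batuu.system.tjo.cloud` / `mail.system.tjo.cloud` can no longer tell clients apart and, if it bans at all, bans the ingress address for everyone; `blocked.conf` at the ingress becomes the only per-client control on those ports, which deserves to be stated. The `# Configure downstream first.` comment gives no pointer to what the downstream needs, so a maintainer cannot tell when it is safe to flip back; suggest `# proxy_protocol off until the upstream accepts PROXY protocol (see <tracking-issue placeholder>); client IPs are not visible upstream meanwhile.` in both places. Also, nginx can only bind `0.0.0.0:22` once the node's own sshd has left port 22; install.sh does that in the same commit, but a node provisioned with the old script and then given this config would presumably fail to start nginx, so the dependency is worth a comment next to the `listen` lines.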
@@ -45,3 +45,25 @@ provider "registry.opentofu.org/goauthentik/authentik" {
 "zh:f6af0fd2e89ea7b7e692ef893cf5fdcc6f53c37fc0c6e066a28d9c834226c539",
 ]
 }
+
+provider "registry.opentofu.org/tailscale/tailscale" {
+ version = "0.17.2"
+ constraints = "0.17.2"
+ hashes = [
+ "h1:0bZpffptYi/bXOXEnFjUYD6UwaR4vqUdMULdeeBhz84=",
+ "zh:13d21db507bfb17018005c5c4f19314591a5734c76bcd51ab6e80984164c2a71",
+ "zh:13dbb3d978aca16f66c49596e5a38d236264d10a66879dc0d06839aca9cdad3f",
+ "zh:1589a8b006da14d60e3fcd55fbc465ccdce7a99e833b6a7455fbf81be59f07f3",
+ "zh:1de3673533c0c20c4fc6070822f0c416a64734656f2e181e6bab5e9df5383ed9",
+ "zh:24eaaf37dacb48e26b53a2a0491ffa7bc5c1977d9c27753ada734ed0191f28aa",
+ "zh:2a0890a012829aa370bb930a8155af49accf53832324e8124e123d0679878c3c",
+ "zh:4f8a462d462b0942add33cf376655c0470b6826db34e57aecc9a62742e286283",
+ "zh:5cf38de52c7e2e8f3a5f8e05e1fbef4db4545c5b2dc2f89b0bfb4b8eea293a14",
+ "zh:8bbf0a4c9a6c37b31dda332a8a7436516fc62ce777e0e586772883f39de56e52",
+ "zh:9213bbdea053d1edbeccb51a7e86829e1539b5295fba08bf0eda9af729e8ba60",
+ "zh:9a645a49430297e27304e93ebc699fcb0d1a068ba8b431c4ec0f9ad4a4e134bf",
+ "zh:b3b70b083161cb97ef0618be579453d13b25ba95c785744cd0c4a84eecc7a0f9",
+ "zh:b3e1e5ac6087120ef548d2ceeafef1b0b469aad17a84eb873f0f4d5eaa2bf6f9",
+ "zh:e323626e070442308bcadfcc51a3ce5b0e6ae41a7632f82bb24318706920a9d3",
+ ]
+}
diff --git a/terraform/node.tf b/terraform/node.tf
index 745dd9e..aebb7cd 100644
--- a/terraform/node.tf
+++ b/terraform/node.tf
@@ -12,6 +12,9 @@ locals {
 username = authentik_user.service_account[k].username
 password = authentik_token.service_account[k].key
 }
+ tailscale = {
+ auth_key = tailscale_tailnet_key.key.key
+ }
 }
 })
 }
@@ -24,6 +27,14 @@ locals {
 }
 }
 
+resource "tailscale_tailnet_key" "key" {
+ reusable = true
+ ephemeral = false
+ preauthorized = true
+ description = "ingress-tjo-cloud terraform key"
+ tags = ["tag:ingress-tjo-cloud"]
+}
+
 resource "proxmox_virtual_environment_download_file" "ubuntu" {
 for_each = local.nodes
 
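Review bot: The new `tailscale_tailnet_key.key` is a single reusable, non-ephemeral, preauthorized key shared by every node, and the @@ -12 hunk bakes it into each node's meta.json, which cloud-init writes base64-encoded (not encrypted) and which also sits in the Proxmox snippet file and in Terraform state; anyone who reads any of those copies can enrol further machines as `tag:ingress-tjo-cloud` until the key expires, with no way to revoke one node without cutting off all. One key per node narrows that: `for_each = local.nodes`, `reusable = false`, `description = "ingress-tjo-cloud ${each.key}"`, with the consumer in the @@ -12 hunk becoming `auth_key = tailscale_tailnet_key.key[k].key`; install.sh's `BackendState != "Running"` guard already avoids re-consuming a one-shot key on re-runs. No `expiry` is set, so the key lives for the provider's default; an explicit short value (e.g. `expiry = 86400`, a constructed value) or a comment naming the default would make the exposure window deliberate. `ephemeral = false` is the right choice for long-lived ingress nodes (their machine identity survives a key expiring) and is worth a one-line comment so nobody "fixes" it.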
@@ -44,7 +55,9 @@ resource "proxmox_virtual_environment_file" "userdata" {
 source_raw {
 data = <<-EOF
 #cloud-config
- hostname: ${each.value.host}.${each.value.domain}
+ hostname: ${each.value.host}
+ fqdn: ${each.value.host}.${each.value.domain}
+ prefer_fqdn_over_hostname: true
 write_files:
 - path: /etc/tjo.cloud/meta.json
 encoding: base64
@@ -54,6 +67,9 @@ resource "proxmox_virtual_environment_file" "userdata" {
 - qemu-guest-agent
 power_state:
 mode: reboot
+ #runcmd:
+ # - git clone https://code.tjo.space/tjo-cloud/ingress.git /srv
+ # - /srv/install.sh
 EOF
 file_name = "${each.value.host}.ingress.tjo.cloud.userconfig.yaml"
 }
diff --git a/terraform/terraform.tf b/terraform/terraform.tf
index 8f61da5..6a3121c 100644
--- a/terraform/terraform.tf
+++ b/terraform/terraform.tf
@@ -8,6 +8,10 @@ terraform {
 source = "goauthentik/authentik"
 version = "2024.8.3"
 }
+ tailscale = {
+ source = "tailscale/tailscale"
+ version = "0.17.2"
+ }
 }
 
 required_version = "~> 1.7.3"
@@ -18,6 +22,10 @@ provider "authentik" {
 token = var.authentik_token
 }
 
+provider "tailscale" {
+ api_key = var.tailscale_apikey
+}
+
 provider "proxmox" {
 # FIXME: Traefik/NGINX breaks this! 500 ERROR
 endpoint = "https://batuu.system.tjo.cloud:8006/api2/json"
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 5ee7a6f..175bf4c 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -31,3 +31,8 @@ variable "authentik_token" {
 type = string
 sensitive = true
 }
+
+variable "tailscale_apikey" {
+ type = string
+ sensitive = true
+}
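Review bot: `api_key = var.tailscale_apikey` authenticates the provider with a tailnet API access token, which grants far more than minting auth keys for one tag; the tailscale provider also accepts OAuth client credentials (`oauth_client_id` / `oauth_client_secret`), and an OAuth client can be restricted to auth-key creation for `tag:ingress-tjo-cloud` only, which is the least-privilege choice for whatever workstation or CI runs `tofu apply` against this state. If the API key is kept, a comment on the new `tailscale_apikey` variable in variables.tf stating the minimum permissions and intended lifetime would help whoever has to rotate it; `sensitive = true` is correctly set there but does not keep the value out of state.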