feat: provision tailscale key for unattended provisioning
This commit is contained in:
parent
95a62b39e3
commit
308fe73938
8 changed files with 102 additions and 21 deletions
37
install.sh
37
install.sh
|
@ -21,6 +21,8 @@ CLOUD_REGION="$(hostname -s)"
|
||||||
SERVICE_ACCOUNT_USERNAME=$(jq -r ".service_account.username" /etc/tjo.cloud/meta.json)
|
SERVICE_ACCOUNT_USERNAME=$(jq -r ".service_account.username" /etc/tjo.cloud/meta.json)
|
||||||
SERVICE_ACCOUNT_PASSWORD=$(jq -r ".service_account.password" /etc/tjo.cloud/meta.json)
|
SERVICE_ACCOUNT_PASSWORD=$(jq -r ".service_account.password" /etc/tjo.cloud/meta.json)
|
||||||
|
|
||||||
|
TAILSCALE_AUTH_KEY=$(jq -r ".tailscale.auth_key" /etc/tjo.cloud/meta.json)
|
||||||
|
|
||||||
##
|
##
|
||||||
# Dependencies
|
# Dependencies
|
||||||
apt update -y
|
apt update -y
|
||||||
|
@ -28,6 +30,7 @@ apt update -y
|
||||||
apt install -y \
|
apt install -y \
|
||||||
gpg \
|
gpg \
|
||||||
git \
|
git \
|
||||||
|
ufw \
|
||||||
nginx \
|
nginx \
|
||||||
nginx-extras \
|
nginx-extras \
|
||||||
libnginx-mod-http-geoip2 \
|
libnginx-mod-http-geoip2 \
|
||||||
|
@ -69,12 +72,42 @@ systemctl reload alloy
|
||||||
|
|
||||||
##
|
##
|
||||||
# Configure Tailscale
|
# Configure Tailscale
|
||||||
tailscale up \
|
if tailscale status --json | jq -e -r '.BackendState != "Running"'; then
|
||||||
|
tailscale up \
|
||||||
--ssh=true \
|
--ssh=true \
|
||||||
--accept-routes=true \
|
--accept-routes=true \
|
||||||
--accept-dns=false \
|
--accept-dns=false \
|
||||||
--advertise-tags="tag:ingress-tjo-cloud" \
|
--advertise-tags="tag:ingress-tjo-cloud" \
|
||||||
--hostname="$(hostname -f | sed 's/\./-/g')"
|
--hostname="$(hostname -f | sed 's/\./-/g')" \
|
||||||
|
--authkey="${TAILSCALE_AUTH_KEY}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
##
|
||||||
|
# Configure SSH
|
||||||
|
cat <<EOF >/etc/ssh/sshd_config.d/port-2222.conf
|
||||||
|
Port 2222
|
||||||
|
EOF
|
||||||
|
systemctl restart ssh
|
||||||
|
|
||||||
|
##
|
||||||
|
# Configure UFW
|
||||||
|
# Should basically match nginx.conf
|
||||||
|
ufw default deny incoming
|
||||||
|
ufw default allow outgoing
|
||||||
|
|
||||||
|
ufw allow in on tailscale0
|
||||||
|
|
||||||
|
ufw allow 22 # GIT
|
||||||
|
ufw allow 25 # EMAIL
|
||||||
|
ufw allow 143 # EMAIL
|
||||||
|
ufw allow 443 # HTTPS
|
||||||
|
ufw allow 465 # EMAIL
|
||||||
|
ufw allow 587 # EMAIL
|
||||||
|
ufw allow 993 # EMAIL
|
||||||
|
ufw allow 4190 # EMAIL
|
||||||
|
|
||||||
|
ufw --force enable
|
||||||
|
systemctl enable ufw
|
||||||
|
|
||||||
##
|
##
|
||||||
# Configure NGINX
|
# Configure NGINX
|
||||||
|
|
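Review bot: The auth key is passed to `tailscale up` on the command line (`--authkey="${TAILSCALE_AUTH_KEY}"`), so it is readable by every local user through the process list and is echoed by any `bash -x` trace; recent `tailscale` CLIs accept `--authkey=file:<path>`, so writing the key to a `mktemp` file (created mode 0600) and deleting it afterwards keeps it out of argv. Separately, `jq -r` prints the literal string `null` when `.tailscale.auth_key` is absent, so a node whose meta.json predates this commit would run `tailscale up --authkey=null` instead of failing early; `jq -r '.tailscale.auth_key // empty'` plus an emptiness check fixes that. The new guard `if tailscale status --json | jq -e -r ...` takes jq's exit status, so if `tailscale status` itself fails (daemon not up yet) jq sees no input, exits non-zero, and enrolment is skipped silently — presumably not intended. The top of the script, where `set -e`/`pipefail` would be declared, is outside this view.
```shell
TAILSCALE_AUTH_KEY=$(jq -r '.tailscale.auth_key // empty' /etc/tjo.cloud/meta.json)
[[ -n "${TAILSCALE_AUTH_KEY}" ]] || { printf '%s\n' 'meta.json: tailscale.auth_key missing' >&2; exit 1; }

# … unchanged: dependencies, alloy …

if tailscale status --json | jq -e -r '.BackendState != "Running"'; then
  authkey_file=$(mktemp)   # mktemp creates the file with mode 0600
  printf '%s' "${TAILSCALE_AUTH_KEY}" >"${authkey_file}"
  # … unchanged: tailscale up \ with the --ssh/--accept-*/--advertise-tags/--hostname flags …
    --authkey="file:${authkey_file}"
  rm -f -- "${authkey_file}"
fi
```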
5
justfile
5
justfile
|
@ -61,10 +61,7 @@ provision:
|
||||||
for NODE in $NODES
|
for NODE in $NODES
|
||||||
do
|
do
|
||||||
echo "Provisioning node ${NODE}"
|
echo "Provisioning node ${NODE}"
|
||||||
|
cat install.sh | ssh -p 2222 ubuntu@${NODE} 'sudo bash -s'
|
||||||
ssh ubuntu@${NODE} 'sudo rm -rf /srv && sudo mkdir /srv && sudo chown ubuntu:ubuntu /srv'
|
|
||||||
|
|
||||||
cat install.sh | ssh ubuntu@${NODE} 'sudo bash -s'
|
|
||||||
done
|
done
|
||||||
|
|
||||||
list-servers:
|
list-servers:
|
||||||
|
|
|
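Review bot: The new `cat install.sh | ssh -p 2222 ubuntu@${NODE} 'sudo bash -s'` line assumes sshd already listens on 2222, but that port is only configured by install.sh itself, and the cloud-init `runcmd` that would run install.sh is commented out in this commit, so a freshly provisioned node (sshd still on 22) cannot be bootstrapped by this recipe unless the base image already uses 2222. `${NODE}` is also unquoted and the `cat` is a useless use; `ssh -p 2222 "ubuntu@${NODE}" 'sudo bash -s' <install.sh` does the same with the node name protected from word-splitting. Note too that the ufw rules install.sh writes never open 2222 (only 22 for the git proxy plus `allow in on tailscale0`), so after the first run this recipe only works over the tailnet — worth stating in the recipe, e.g. `# after install.sh, port 2222 is reachable only via tailscale0`. Dropping the previous `sudo rm -rf /srv` step means re-provisioning no longer resets /srv; fine if intended, but the commit message does not mention it.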
@ -96,14 +96,14 @@ stream {
|
||||||
}
|
}
|
||||||
|
|
||||||
# GIT
|
# GIT
|
||||||
#server {
|
server {
|
||||||
# listen 0.0.0.0:22;
|
listen 0.0.0.0:22;
|
||||||
# listen [::]:22;
|
listen [::]:22;
|
||||||
# proxy_pass batuu.system.tjo.cloud:22;
|
proxy_pass batuu.system.tjo.cloud:22;
|
||||||
# proxy_protocol on;
|
proxy_protocol off; # Configure downstream first.
|
||||||
# include /etc/nginx/partials/server.conf;
|
include /etc/nginx/partials/server.conf;
|
||||||
# include /etc/nginx/partials/blocked.conf;
|
include /etc/nginx/partials/blocked.conf;
|
||||||
#}
|
}
|
||||||
|
|
||||||
# EMAIL
|
# EMAIL
|
||||||
server {
|
server {
|
||||||
|
@ -120,7 +120,7 @@ stream {
|
||||||
listen 0.0.0.0:4190;
|
listen 0.0.0.0:4190;
|
||||||
listen [::]:4190;
|
listen [::]:4190;
|
||||||
proxy_pass mail.system.tjo.cloud:$server_port;
|
proxy_pass mail.system.tjo.cloud:$server_port;
|
||||||
proxy_protocol on;
|
proxy_protocol off; # Configure downstream first.
|
||||||
include /etc/nginx/partials/server.conf;
|
include /etc/nginx/partials/server.conf;
|
||||||
include /etc/nginx/partials/blocked.conf;
|
include /etc/nginx/partials/blocked.conf;
|
||||||
}
|
}
|
||||||
|
|
|
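Review bot: With `proxy_protocol off; # Configure downstream first.` in the newly enabled GIT block (and the same flip in the EMAIL block in the next hunk), the upstreams at `batuu.system.tjo.cloud:22` and `mail.system.tjo.cloud` see every connection as originating from this ingress node, so any per-source logging, rate limiting or banning they do (fail2ban on sshd, for instance) now acts on the ingress address instead of the real client. The comment should record what the prerequisite is and that this is a known gap, e.g. `proxy_protocol off; # TODO: upstream does not accept PROXY protocol yet; until then upstream logs/limits see only this node's address`. For the GIT block specifically, OpenSSH does not implement the PROXY protocol itself, so the "downstream" fix means a PROXY-aware front-end on batuu rather than an sshd option — worth noting next to the TODO so the setting is not simply flipped back on. Whether `blocked.conf` filters on `$remote_addr` at the ingress (which this setting does not affect) is not visible here.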
@ -45,3 +45,25 @@ provider "registry.opentofu.org/goauthentik/authentik" {
|
||||||
"zh:f6af0fd2e89ea7b7e692ef893cf5fdcc6f53c37fc0c6e066a28d9c834226c539",
|
"zh:f6af0fd2e89ea7b7e692ef893cf5fdcc6f53c37fc0c6e066a28d9c834226c539",
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
provider "registry.opentofu.org/tailscale/tailscale" {
|
||||||
|
version = "0.17.2"
|
||||||
|
constraints = "0.17.2"
|
||||||
|
hashes = [
|
||||||
|
"h1:0bZpffptYi/bXOXEnFjUYD6UwaR4vqUdMULdeeBhz84=",
|
||||||
|
"zh:13d21db507bfb17018005c5c4f19314591a5734c76bcd51ab6e80984164c2a71",
|
||||||
|
"zh:13dbb3d978aca16f66c49596e5a38d236264d10a66879dc0d06839aca9cdad3f",
|
||||||
|
"zh:1589a8b006da14d60e3fcd55fbc465ccdce7a99e833b6a7455fbf81be59f07f3",
|
||||||
|
"zh:1de3673533c0c20c4fc6070822f0c416a64734656f2e181e6bab5e9df5383ed9",
|
||||||
|
"zh:24eaaf37dacb48e26b53a2a0491ffa7bc5c1977d9c27753ada734ed0191f28aa",
|
||||||
|
"zh:2a0890a012829aa370bb930a8155af49accf53832324e8124e123d0679878c3c",
|
||||||
|
"zh:4f8a462d462b0942add33cf376655c0470b6826db34e57aecc9a62742e286283",
|
||||||
|
"zh:5cf38de52c7e2e8f3a5f8e05e1fbef4db4545c5b2dc2f89b0bfb4b8eea293a14",
|
||||||
|
"zh:8bbf0a4c9a6c37b31dda332a8a7436516fc62ce777e0e586772883f39de56e52",
|
||||||
|
"zh:9213bbdea053d1edbeccb51a7e86829e1539b5295fba08bf0eda9af729e8ba60",
|
||||||
|
"zh:9a645a49430297e27304e93ebc699fcb0d1a068ba8b431c4ec0f9ad4a4e134bf",
|
||||||
|
"zh:b3b70b083161cb97ef0618be579453d13b25ba95c785744cd0c4a84eecc7a0f9",
|
||||||
|
"zh:b3e1e5ac6087120ef548d2ceeafef1b0b469aad17a84eb873f0f4d5eaa2bf6f9",
|
||||||
|
"zh:e323626e070442308bcadfcc51a3ce5b0e6ae41a7632f82bb24318706920a9d3",
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
|
@ -12,6 +12,9 @@ locals {
|
||||||
username = authentik_user.service_account[k].username
|
username = authentik_user.service_account[k].username
|
||||||
password = authentik_token.service_account[k].key
|
password = authentik_token.service_account[k].key
|
||||||
}
|
}
|
||||||
|
tailscale = {
|
||||||
|
auth_key = tailscale_tailnet_key.key.key
|
||||||
|
}
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
@ -24,6 +27,14 @@ locals {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "tailscale_tailnet_key" "key" {
|
||||||
|
reusable = true
|
||||||
|
ephemeral = false
|
||||||
|
preauthorized = true
|
||||||
|
description = "ingress-tjo-cloud terraform key"
|
||||||
|
tags = ["tag:ingress-tjo-cloud"]
|
||||||
|
}
|
||||||
|
|
||||||
resource "proxmox_virtual_environment_download_file" "ubuntu" {
|
resource "proxmox_virtual_environment_download_file" "ubuntu" {
|
||||||
for_each = local.nodes
|
for_each = local.nodes
|
||||||
|
|
||||||
|
@ -44,7 +55,9 @@ resource "proxmox_virtual_environment_file" "userdata" {
|
||||||
source_raw {
|
source_raw {
|
||||||
data = <<-EOF
|
data = <<-EOF
|
||||||
#cloud-config
|
#cloud-config
|
||||||
hostname: ${each.value.host}.${each.value.domain}
|
hostname: ${each.value.host}
|
||||||
|
fqdn: ${each.value.host}.${each.value.domain}
|
||||||
|
prefer_fqdn_over_hostname: true
|
||||||
write_files:
|
write_files:
|
||||||
- path: /etc/tjo.cloud/meta.json
|
- path: /etc/tjo.cloud/meta.json
|
||||||
encoding: base64
|
encoding: base64
|
||||||
|
@ -54,6 +67,9 @@ resource "proxmox_virtual_environment_file" "userdata" {
|
||||||
- qemu-guest-agent
|
- qemu-guest-agent
|
||||||
power_state:
|
power_state:
|
||||||
mode: reboot
|
mode: reboot
|
||||||
|
#runcmd:
|
||||||
|
# - git clone https://code.tjo.space/tjo-cloud/ingress.git /srv
|
||||||
|
# - /srv/install.sh
|
||||||
EOF
|
EOF
|
||||||
file_name = "${each.value.host}.ingress.tjo.cloud.userconfig.yaml"
|
file_name = "${each.value.host}.ingress.tjo.cloud.userconfig.yaml"
|
||||||
}
|
}
|
||||||
|
|
|
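Review bot: `tailscale_tailnet_key.key` is `reusable = true` and `preauthorized = true` with no `expiry`, and its value is embedded in every node's cloud-init userdata (`/etc/tjo.cloud/meta.json`, plus the Proxmox snippet that carries it), so anyone who can read meta.json on one node, or the snippet store, can enrol arbitrary machines into the tailnet as `tag:ingress-tjo-cloud` for as long as the key lives (Tailscale's default for auth keys is 90 days). Prefer one single-use key per node — `for_each = local.nodes`, `reusable = false`, a short `expiry` — referenced from the locals as `tailscale_tailnet_key.key[k].key` (assuming the `k` used for `authentik_user.service_account[k]` iterates `local.nodes`); a key is then spent on the node's first `tailscale up`, and install.sh only calls `tailscale up` when the backend is not already `Running`, though a node that is logged out later would need a re-issued key. Also confirm the `write_files` entry for meta.json sets `permissions: '0600'` — that line falls outside the hunk. The `#runcmd` lines being commented out means cloud-init never runs install.sh, so the key sits unused on disk until the justfile pushes the script.
```hcl
resource "tailscale_tailnet_key" "key" {
  for_each      = local.nodes
  reusable      = false   # single-use: consumed by the node's first `tailscale up`
  ephemeral     = false
  preauthorized = true
  expiry        = 86400   # seconds; bounds how long a leaked meta.json stays useful
  description   = "ingress-tjo-cloud ${each.key}"
  tags          = ["tag:ingress-tjo-cloud"]
}
```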
@ -8,6 +8,10 @@ terraform {
|
||||||
source = "goauthentik/authentik"
|
source = "goauthentik/authentik"
|
||||||
version = "2024.8.3"
|
version = "2024.8.3"
|
||||||
}
|
}
|
||||||
|
tailscale = {
|
||||||
|
source = "tailscale/tailscale"
|
||||||
|
version = "0.17.2"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
required_version = "~> 1.7.3"
|
required_version = "~> 1.7.3"
|
||||||
|
@ -18,6 +22,10 @@ provider "authentik" {
|
||||||
token = var.authentik_token
|
token = var.authentik_token
|
||||||
}
|
}
|
||||||
|
|
||||||
|
provider "tailscale" {
|
||||||
|
api_key = var.tailscale_apikey
|
||||||
|
}
|
||||||
|
|
||||||
provider "proxmox" {
|
provider "proxmox" {
|
||||||
# FIXME: Traefik/NGINX breaks this! 500 ERROR
|
# FIXME: Traefik/NGINX breaks this! 500 ERROR
|
||||||
endpoint = "https://batuu.system.tjo.cloud:8006/api2/json"
|
endpoint = "https://batuu.system.tjo.cloud:8006/api2/json"
|
||||||
|
|
|
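Review bot: `provider "tailscale" { api_key = var.tailscale_apikey }` ties provisioning to a personal API access token, which carries the issuing user's full API rights and expires (at most 90 days by Tailscale's rules), so the tofu run will start failing on rotation and the credential is far broader than a `tailscale_tailnet_key` resource needs. The provider also accepts an OAuth client (`oauth_client_id` / `oauth_client_secret`) that can be restricted to issuing auth keys for `tag:ingress-tjo-cloud`, which is the least-privilege fit here; that would replace the `tailscale_apikey` variable with two sensitive ones. Either way, a one-line comment on the provider block stating which credential type is expected and what it must be scoped to, e.g. `# needs only auth-key creation rights for tag:ingress-tjo-cloud`, would help whoever rotates it.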
@ -31,3 +31,8 @@ variable "authentik_token" {
|
||||||
type = string
|
type = string
|
||||||
sensitive = true
|
sensitive = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "tailscale_apikey" {
|
||||||
|
type = string
|
||||||
|
sensitive = true
|
||||||
|
}
|
||||||
|
|