feat: provision tailscale key for unattended provisioning

Tine 2024-11-11 21:31:32 +01:00
parent 95a62b39e3
commit 308fe73938
Signed by: mentos1386
SSH key fingerprint: SHA256:MNtTsLbihYaWF8j1fkOHfkKNlnN1JQfxEU/rBU8nCGw
8 changed files with 102 additions and 21 deletions


@ -1,3 +1,3 @@
# ingress # ingress
Handling all Ingress traffic Handling all Ingress traffic


@ -21,6 +21,8 @@ CLOUD_REGION="$(hostname -s)"
SERVICE_ACCOUNT_USERNAME=$(jq -r ".service_account.username" /etc/tjo.cloud/meta.json) SERVICE_ACCOUNT_USERNAME=$(jq -r ".service_account.username" /etc/tjo.cloud/meta.json)
SERVICE_ACCOUNT_PASSWORD=$(jq -r ".service_account.password" /etc/tjo.cloud/meta.json) SERVICE_ACCOUNT_PASSWORD=$(jq -r ".service_account.password" /etc/tjo.cloud/meta.json)
TAILSCALE_AUTH_KEY=$(jq -r ".tailscale.auth_key" /etc/tjo.cloud/meta.json)
## ##
# Dependencies # Dependencies
apt update -y apt update -y
@ -28,6 +30,7 @@ apt update -y
apt install -y \ apt install -y \
gpg \ gpg \
git \ git \
ufw \
nginx \ nginx \
nginx-extras \ nginx-extras \
libnginx-mod-http-geoip2 \ libnginx-mod-http-geoip2 \
@ -69,12 +72,42 @@ systemctl reload alloy
## ##
# Configure Tailscale # Configure Tailscale
tailscale up \ if tailscale status --json | jq -e -r '.BackendState != "Running"'; then
--ssh=true \ tailscale up \
--accept-routes=true \ --ssh=true \
--accept-dns=false \ --accept-routes=true \
--advertise-tags="tag:ingress-tjo-cloud" \ --accept-dns=false \
--hostname="$(hostname -f | sed 's/\./-/g')" --advertise-tags="tag:ingress-tjo-cloud" \
--hostname="$(hostname -f | sed 's/\./-/g')" \
--authkey="${TAILSCALE_AUTH_KEY}"
fi
##
# Configure SSH
cat <<EOF >/etc/ssh/sshd_config.d/port-2222.conf
Port 2222
EOF
systemctl restart ssh
##
# Configure UFW
# Should basically match nginx.conf
ufw default deny incoming
ufw default allow outgoing
ufw allow in on tailscale0
ufw allow 22 # GIT
ufw allow 25 # EMAIL
ufw allow 143 # EMAIL
ufw allow 443 # HTTPS
ufw allow 465 # EMAIL
ufw allow 587 # EMAIL
ufw allow 993 # EMAIL
ufw allow 4190 # EMAIL
ufw --force enable
systemctl enable ufw
## ##
# Configure NGINX # Configure NGINX
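Review bot: `--authkey="${TAILSCALE_AUTH_KEY}"` on the new side of the Tailscale hunk passes the reusable, pre-authorized key created elsewhere in this commit as a command-line argument, so it is visible in the process list for the duration of `tailscale up` and in any shell trace of this script; the same key is read from `/etc/tjo.cloud/meta.json`, whose owner and mode are not set anywhere visible here, and that file also holds the service-account password. Recent tailscale CLIs accept the key from a file (`--authkey=file:/path`), and the script should tighten the metadata file early, e.g. `chmod 0600 /etc/tjo.cloud/meta.json`, before it is read. Separately, the guard `tailscale status --json | jq -e -r '.BackendState != "Running"'` skips enrollment silently when `tailscale status` itself fails (daemon not up yet): jq then sees no input and exits non-zero; inverting the test, `if ! tailscale status --json | jq -e '.BackendState == "Running"' >/dev/null; then`, makes a failed status call fall through to `tailscale up` instead.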


@ -61,10 +61,7 @@ provision:
for NODE in $NODES for NODE in $NODES
do do
echo "Provisioning node ${NODE}" echo "Provisioning node ${NODE}"
cat install.sh | ssh -p 2222 ubuntu@${NODE} 'sudo bash -s'
ssh ubuntu@${NODE} 'sudo rm -rf /srv && sudo mkdir /srv && sudo chown ubuntu:ubuntu /srv'
cat install.sh | ssh ubuntu@${NODE} 'sudo bash -s'
done done
list-servers: list-servers:
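Review bot: `ssh -p 2222` in the new `cat install.sh | ssh -p 2222 ubuntu@${NODE} 'sudo bash -s'` line only works once install.sh has already written `/etc/ssh/sshd_config.d/port-2222.conf` and restarted sshd, but nothing in this commit moves the port before the first run: the cloud-init userdata does not configure sshd, and the `runcmd` that would run install.sh on boot is added commented out, so a freshly created node still listens on 22 and the first `provision` against it cannot connect. Either ship the port drop-in through the cloud-init `write_files` block so the node boots on 2222, or keep a one-time bootstrap over port 22 for new nodes. Note also that after install.sh enables ufw, 2222 is only allowed in on `tailscale0`, so `${NODE}` must resolve to the tailnet address for any re-run. The `provision` recipe begins before this hunk.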


@ -96,14 +96,14 @@ stream {
} }
# GIT # GIT
#server { server {
# listen 0.0.0.0:22; listen 0.0.0.0:22;
# listen [::]:22; listen [::]:22;
# proxy_pass batuu.system.tjo.cloud:22; proxy_pass batuu.system.tjo.cloud:22;
# proxy_protocol on; proxy_protocol off; # Configure downstream first.
# include /etc/nginx/partials/server.conf; include /etc/nginx/partials/server.conf;
# include /etc/nginx/partials/blocked.conf; include /etc/nginx/partials/blocked.conf;
#} }
# EMAIL # EMAIL
server { server {
@ -120,7 +120,7 @@ stream {
listen 0.0.0.0:4190; listen 0.0.0.0:4190;
listen [::]:4190; listen [::]:4190;
proxy_pass mail.system.tjo.cloud:$server_port; proxy_pass mail.system.tjo.cloud:$server_port;
proxy_protocol on; proxy_protocol off; # Configure downstream first.
include /etc/nginx/partials/server.conf; include /etc/nginx/partials/server.conf;
include /etc/nginx/partials/blocked.conf; include /etc/nginx/partials/blocked.conf;
} }
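Review bot: Un-commenting the GIT `server` block exposes public port 22 to `batuu.system.tjo.cloud:22`, and with `proxy_protocol off` (here and in the EMAIL block further down, both marked "Configure downstream first") the backend sees every connection as originating from the ingress node, so any source-address allow-listing, rate limiting or fail2ban-style blocking on batuu or the mail host now treats internet clients as one trusted internal peer. The same host is the Proxmox API endpoint in providers.tf, so it is worth confirming that what answers on its port 22 is the git SSH service and not the hypervisor's own sshd. Until PROXY protocol is enabled on the backends, `blocked.conf` on the ingress is the only client-IP-based control in the path; I would make that explicit and tracked, e.g. `proxy_protocol off; # TODO(proxy-protocol): enable once downstream accepts it; until then the backend only sees the ingress IP`.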


@ -45,3 +45,25 @@ provider "registry.opentofu.org/goauthentik/authentik" {
"zh:f6af0fd2e89ea7b7e692ef893cf5fdcc6f53c37fc0c6e066a28d9c834226c539", "zh:f6af0fd2e89ea7b7e692ef893cf5fdcc6f53c37fc0c6e066a28d9c834226c539",
] ]
} }
provider "registry.opentofu.org/tailscale/tailscale" {
version = "0.17.2"
constraints = "0.17.2"
hashes = [
"h1:0bZpffptYi/bXOXEnFjUYD6UwaR4vqUdMULdeeBhz84=",
"zh:13d21db507bfb17018005c5c4f19314591a5734c76bcd51ab6e80984164c2a71",
"zh:13dbb3d978aca16f66c49596e5a38d236264d10a66879dc0d06839aca9cdad3f",
"zh:1589a8b006da14d60e3fcd55fbc465ccdce7a99e833b6a7455fbf81be59f07f3",
"zh:1de3673533c0c20c4fc6070822f0c416a64734656f2e181e6bab5e9df5383ed9",
"zh:24eaaf37dacb48e26b53a2a0491ffa7bc5c1977d9c27753ada734ed0191f28aa",
"zh:2a0890a012829aa370bb930a8155af49accf53832324e8124e123d0679878c3c",
"zh:4f8a462d462b0942add33cf376655c0470b6826db34e57aecc9a62742e286283",
"zh:5cf38de52c7e2e8f3a5f8e05e1fbef4db4545c5b2dc2f89b0bfb4b8eea293a14",
"zh:8bbf0a4c9a6c37b31dda332a8a7436516fc62ce777e0e586772883f39de56e52",
"zh:9213bbdea053d1edbeccb51a7e86829e1539b5295fba08bf0eda9af729e8ba60",
"zh:9a645a49430297e27304e93ebc699fcb0d1a068ba8b431c4ec0f9ad4a4e134bf",
"zh:b3b70b083161cb97ef0618be579453d13b25ba95c785744cd0c4a84eecc7a0f9",
"zh:b3e1e5ac6087120ef548d2ceeafef1b0b469aad17a84eb873f0f4d5eaa2bf6f9",
"zh:e323626e070442308bcadfcc51a3ce5b0e6ae41a7632f82bb24318706920a9d3",
]
}


@ -12,6 +12,9 @@ locals {
username = authentik_user.service_account[k].username username = authentik_user.service_account[k].username
password = authentik_token.service_account[k].key password = authentik_token.service_account[k].key
} }
tailscale = {
auth_key = tailscale_tailnet_key.key.key
}
} }
}) })
} }
@ -24,6 +27,14 @@ locals {
} }
} }
resource "tailscale_tailnet_key" "key" {
reusable = true
ephemeral = false
preauthorized = true
description = "ingress-tjo-cloud terraform key"
tags = ["tag:ingress-tjo-cloud"]
}
resource "proxmox_virtual_environment_download_file" "ubuntu" { resource "proxmox_virtual_environment_download_file" "ubuntu" {
for_each = local.nodes for_each = local.nodes
@ -44,7 +55,9 @@ resource "proxmox_virtual_environment_file" "userdata" {
source_raw { source_raw {
data = <<-EOF data = <<-EOF
#cloud-config #cloud-config
hostname: ${each.value.host}.${each.value.domain} hostname: ${each.value.host}
fqdn: ${each.value.host}.${each.value.domain}
prefer_fqdn_over_hostname: true
write_files: write_files:
- path: /etc/tjo.cloud/meta.json - path: /etc/tjo.cloud/meta.json
encoding: base64 encoding: base64
@ -54,6 +67,9 @@ resource "proxmox_virtual_environment_file" "userdata" {
- qemu-guest-agent - qemu-guest-agent
power_state: power_state:
mode: reboot mode: reboot
#runcmd:
# - git clone https://code.tjo.space/tjo-cloud/ingress.git /srv
# - /srv/install.sh
EOF EOF
file_name = "${each.value.host}.ingress.tjo.cloud.userconfig.yaml" file_name = "${each.value.host}.ingress.tjo.cloud.userconfig.yaml"
} }
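Review bot: `tailscale_tailnet_key.key` is `reusable = true`, `preauthorized = true`, `ephemeral = false` and sets no expiry, and its value is written to every node's `/etc/tjo.cloud/meta.json` via cloud-init and kept in the OpenTofu state, so one long-lived credential, readable from any node or from the state, can enroll arbitrary devices as `tag:ingress-tjo-cloud` with Tailscale SSH enabled (install.sh runs `tailscale up --ssh=true`). A key per node (`for_each` over `local.nodes`, referenced as `tailscale_tailnet_key.key[k].key` in the locals, assuming `k` there is the node key as for the authentik resources) limits the blast radius and lets a single node's key be revoked; set `expiry` on the resource, and give the `write_files` entry for meta.json `permissions: '0600'` if the hunk's surrounding lines do not already do so. The `locals` block and the `userdata` resource both extend beyond these hunks.
```hcl
resource "tailscale_tailnet_key" "key" {
  for_each = local.nodes

  reusable      = true
  ephemeral     = false
  preauthorized = true
  # expiry      = <seconds; PLACEHOLDER, choose the shortest window that covers provisioning>
  description   = "ingress-tjo-cloud terraform key (${each.key})"
  tags          = ["tag:ingress-tjo-cloud"]
}
```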


@ -8,6 +8,10 @@ terraform {
source = "goauthentik/authentik" source = "goauthentik/authentik"
version = "2024.8.3" version = "2024.8.3"
} }
tailscale = {
source = "tailscale/tailscale"
version = "0.17.2"
}
} }
required_version = "~> 1.7.3" required_version = "~> 1.7.3"
@ -18,6 +22,10 @@ provider "authentik" {
token = var.authentik_token token = var.authentik_token
} }
provider "tailscale" {
api_key = var.tailscale_apikey
}
provider "proxmox" { provider "proxmox" {
# FIXME: Traefik/NGINX breaks this! 500 ERROR # FIXME: Traefik/NGINX breaks this! 500 ERROR
endpoint = "https://batuu.system.tjo.cloud:8006/api2/json" endpoint = "https://batuu.system.tjo.cloud:8006/api2/json"
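Review bot: `api_key = var.tailscale_apikey` in the new `provider "tailscale"` block binds the automation to a personal API key, which Tailscale issues with a fixed expiry (at most 90 days) and with the full permissions of the user who minted it, so this will stop applying on a schedule and over-privileges the provisioning pipeline. The provider also accepts an OAuth client (`oauth_client_id` / `oauth_client_secret`) whose scopes can be limited to creating auth keys for the `tag:ingress-tjo-cloud` tag, which is the better fit here. At minimum, a comment on the `api_key` line such as `# NOTE: personal API keys expire and carry the issuing user's full rights; prefer a scoped OAuth client` would keep the trade-off visible.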


@ -31,3 +31,8 @@ variable "authentik_token" {
type = string type = string
sensitive = true sensitive = true
} }
variable "tailscale_apikey" {
type = string
sensitive = true
}