feat: provision tailscale key for unattended provisioning
This commit is contained in:
parent
95a62b39e3
commit
308fe73938
8 changed files with 102 additions and 21 deletions
35
install.sh
35
install.sh
|
@ -21,6 +21,8 @@ CLOUD_REGION="$(hostname -s)"
|
|||
SERVICE_ACCOUNT_USERNAME=$(jq -r ".service_account.username" /etc/tjo.cloud/meta.json)
|
||||
SERVICE_ACCOUNT_PASSWORD=$(jq -r ".service_account.password" /etc/tjo.cloud/meta.json)
|
||||
|
||||
TAILSCALE_AUTH_KEY=$(jq -r ".tailscale.auth_key" /etc/tjo.cloud/meta.json)
|
||||
|
||||
##
|
||||
# Dependencies
|
||||
apt update -y
|
||||
|
@ -28,6 +30,7 @@ apt update -y
|
|||
apt install -y \
|
||||
gpg \
|
||||
git \
|
||||
ufw \
|
||||
nginx \
|
||||
nginx-extras \
|
||||
libnginx-mod-http-geoip2 \
|
||||
|
@ -69,12 +72,42 @@ systemctl reload alloy
|
|||
|
||||
##
|
||||
# Configure Tailscale
|
||||
if tailscale status --json | jq -e -r '.BackendState != "Running"'; then
|
||||
tailscale up \
|
||||
--ssh=true \
|
||||
--accept-routes=true \
|
||||
--accept-dns=false \
|
||||
--advertise-tags="tag:ingress-tjo-cloud" \
|
||||
--hostname="$(hostname -f | sed 's/\./-/g')"
|
||||
--hostname="$(hostname -f | sed 's/\./-/g')" \
|
||||
--authkey="${TAILSCALE_AUTH_KEY}"
|
||||
fi
|
||||
|
||||
##
|
||||
# Configure SSH
|
||||
cat <<EOF >/etc/ssh/sshd_config.d/port-2222.conf
|
||||
Port 2222
|
||||
EOF
|
||||
systemctl restart ssh
|
||||
|
||||
##
|
||||
# Configure UFW
|
||||
# Should basically match nginx.conf
|
||||
ufw default deny incoming
|
||||
ufw default allow outgoing
|
||||
|
||||
ufw allow in on tailscale0
|
||||
|
||||
ufw allow 22 # GIT
|
||||
ufw allow 25 # EMAIL
|
||||
ufw allow 143 # EMAIL
|
||||
ufw allow 443 # HTTPS
|
||||
ufw allow 465 # EMAIL
|
||||
ufw allow 587 # EMAIL
|
||||
ufw allow 993 # EMAIL
|
||||
ufw allow 4190 # EMAIL
|
||||
|
||||
ufw --force enable
|
||||
systemctl enable ufw
|
||||
|
||||
##
|
||||
# Configure NGINX
|
||||
|
|
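Review bot: `--authkey="${TAILSCALE_AUTH_KEY}"` on the new `tailscale up` line hands the reusable tailnet key over on argv, where any local user can read it via `ps` while the call runs, and if meta.json lacks `.tailscale.auth_key` the `jq -r` at the top of the script yields the literal string `null`, so the node would attempt `--authkey=null` and fail with an unhelpful error. Guard the value right after it is read: `[[ -n "${TAILSCALE_AUTH_KEY}" && "${TAILSCALE_AUTH_KEY}" != "null" ]] || { echo "tailscale.auth_key missing from /etc/tjo.cloud/meta.json" >&2; exit 1; }`. Recent Tailscale clients accept `--auth-key=file:/path`, which keeps the secret off the command line — worth confirming for the client version installed here, with a root-owned 0600 temp file as the fallback. Note too that the UFW rules below only admit the new sshd port 2222 on `tailscale0`, so the `-p 2222` connection in the justfile has to arrive over the tailnet. The script's preamble (shebang, `set` options) is outside the hunk, so whether a failed `tailscale up` aborts the run cannot be seen from here.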
5
justfile
5
justfile
|
@ -61,10 +61,7 @@ provision:
|
|||
for NODE in $NODES
|
||||
do
|
||||
echo "Provisioning node ${NODE}"
|
||||
|
||||
ssh ubuntu@${NODE} 'sudo rm -rf /srv && sudo mkdir /srv && sudo chown ubuntu:ubuntu /srv'
|
||||
|
||||
cat install.sh | ssh ubuntu@${NODE} 'sudo bash -s'
|
||||
cat install.sh | ssh -p 2222 ubuntu@${NODE} 'sudo bash -s'
|
||||
done
|
||||
|
||||
list-servers:
|
||||
|
|
|
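Review bot: The `provision` recipe now mixes ports — the `rm -rf /srv` line just above still connects on the default port 22 while the new line uses `-p 2222` — so it cannot complete against either a fresh node (sshd still on 22, nothing listening on 2222) or an already-provisioned one (sshd on 2222, and port 22 is by then nginx's stream proxy to `batuu.system.tjo.cloud:22`). A blind fallback to 22 is not safe for the same reason: if `${NODE}` resolves to a public address of a provisioned node, port 22 lands on batuu's sshd and the `rm -rf /srv` would run on the wrong host. Make the port explicit and use it for both commands, e.g. `PORT="${SSH_PORT:-2222}"  # fresh nodes: SSH_PORT=22 just provision`, then `ssh -p "${PORT}" "ubuntu@${NODE}" 'sudo rm -rf /srv && sudo mkdir /srv && sudo chown ubuntu:ubuntu /srv'` and `ssh -p "${PORT}" "ubuntu@${NODE}" 'sudo bash -s' < install.sh`. The `provision:` recipe starts above the hunk; the visible `for`/`do` suggests a multi-line shell recipe, which the lines above assume.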
@ -96,14 +96,14 @@ stream {
|
|||
}
|
||||
|
||||
# GIT
|
||||
#server {
|
||||
# listen 0.0.0.0:22;
|
||||
# listen [::]:22;
|
||||
# proxy_pass batuu.system.tjo.cloud:22;
|
||||
# proxy_protocol on;
|
||||
# include /etc/nginx/partials/server.conf;
|
||||
# include /etc/nginx/partials/blocked.conf;
|
||||
#}
|
||||
server {
|
||||
listen 0.0.0.0:22;
|
||||
listen [::]:22;
|
||||
proxy_pass batuu.system.tjo.cloud:22;
|
||||
proxy_protocol off; # Configure downstream first.
|
||||
include /etc/nginx/partials/server.conf;
|
||||
include /etc/nginx/partials/blocked.conf;
|
||||
}
|
||||
|
||||
# EMAIL
|
||||
server {
|
||||
|
@ -120,7 +120,7 @@ stream {
|
|||
listen 0.0.0.0:4190;
|
||||
listen [::]:4190;
|
||||
proxy_pass mail.system.tjo.cloud:$server_port;
|
||||
proxy_protocol on;
|
||||
proxy_protocol off; # Configure downstream first.
|
||||
include /etc/nginx/partials/server.conf;
|
||||
include /etc/nginx/partials/blocked.conf;
|
||||
}
|
||||
|
|
|
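Review bot: `proxy_protocol off; # Configure downstream first.` on the newly enabled port-22 stream server and on the mail server means `batuu.system.tjo.cloud:22` and `mail.system.tjo.cloud` now see every connection as originating from this ingress node, so any per-source-IP defence on those hosts (fail2ban, sshd per-source penalties, postfix/dovecot connection limits) either stops working or ends up throttling the ingress itself as one very noisy client. Until PROXY protocol is accepted downstream, the ingress-side `blocked.conf` include is the only point where client addresses are still visible, so per-IP limiting there is what stands in for the upstream checks — hedged, since that partial is not in the diff. For mail this is a regression rather than a new exposure, as that server was previously `proxy_protocol on`. Make the trade-off explicit so it is not forgotten, e.g. `proxy_protocol off; # TODO: enable once sshd on batuu and postfix/dovecot accept PROXY; until then upstream logs/rate limits see only the ingress IP`.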
@ -45,3 +45,25 @@ provider "registry.opentofu.org/goauthentik/authentik" {
|
|||
"zh:f6af0fd2e89ea7b7e692ef893cf5fdcc6f53c37fc0c6e066a28d9c834226c539",
|
||||
]
|
||||
}
|
||||
|
||||
provider "registry.opentofu.org/tailscale/tailscale" {
|
||||
version = "0.17.2"
|
||||
constraints = "0.17.2"
|
||||
hashes = [
|
||||
"h1:0bZpffptYi/bXOXEnFjUYD6UwaR4vqUdMULdeeBhz84=",
|
||||
"zh:13d21db507bfb17018005c5c4f19314591a5734c76bcd51ab6e80984164c2a71",
|
||||
"zh:13dbb3d978aca16f66c49596e5a38d236264d10a66879dc0d06839aca9cdad3f",
|
||||
"zh:1589a8b006da14d60e3fcd55fbc465ccdce7a99e833b6a7455fbf81be59f07f3",
|
||||
"zh:1de3673533c0c20c4fc6070822f0c416a64734656f2e181e6bab5e9df5383ed9",
|
||||
"zh:24eaaf37dacb48e26b53a2a0491ffa7bc5c1977d9c27753ada734ed0191f28aa",
|
||||
"zh:2a0890a012829aa370bb930a8155af49accf53832324e8124e123d0679878c3c",
|
||||
"zh:4f8a462d462b0942add33cf376655c0470b6826db34e57aecc9a62742e286283",
|
||||
"zh:5cf38de52c7e2e8f3a5f8e05e1fbef4db4545c5b2dc2f89b0bfb4b8eea293a14",
|
||||
"zh:8bbf0a4c9a6c37b31dda332a8a7436516fc62ce777e0e586772883f39de56e52",
|
||||
"zh:9213bbdea053d1edbeccb51a7e86829e1539b5295fba08bf0eda9af729e8ba60",
|
||||
"zh:9a645a49430297e27304e93ebc699fcb0d1a068ba8b431c4ec0f9ad4a4e134bf",
|
||||
"zh:b3b70b083161cb97ef0618be579453d13b25ba95c785744cd0c4a84eecc7a0f9",
|
||||
"zh:b3e1e5ac6087120ef548d2ceeafef1b0b469aad17a84eb873f0f4d5eaa2bf6f9",
|
||||
"zh:e323626e070442308bcadfcc51a3ce5b0e6ae41a7632f82bb24318706920a9d3",
|
||||
]
|
||||
}
|
||||
|
|
|
@ -12,6 +12,9 @@ locals {
|
|||
username = authentik_user.service_account[k].username
|
||||
password = authentik_token.service_account[k].key
|
||||
}
|
||||
tailscale = {
|
||||
auth_key = tailscale_tailnet_key.key.key
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
|
@ -24,6 +27,14 @@ locals {
|
|||
}
|
||||
}
|
||||
|
||||
resource "tailscale_tailnet_key" "key" {
|
||||
reusable = true
|
||||
ephemeral = false
|
||||
preauthorized = true
|
||||
description = "ingress-tjo-cloud terraform key"
|
||||
tags = ["tag:ingress-tjo-cloud"]
|
||||
}
|
||||
|
||||
resource "proxmox_virtual_environment_download_file" "ubuntu" {
|
||||
for_each = local.nodes
|
||||
|
||||
|
@ -44,7 +55,9 @@ resource "proxmox_virtual_environment_file" "userdata" {
|
|||
source_raw {
|
||||
data = <<-EOF
|
||||
#cloud-config
|
||||
hostname: ${each.value.host}.${each.value.domain}
|
||||
hostname: ${each.value.host}
|
||||
fqdn: ${each.value.host}.${each.value.domain}
|
||||
prefer_fqdn_over_hostname: true
|
||||
write_files:
|
||||
- path: /etc/tjo.cloud/meta.json
|
||||
encoding: base64
|
||||
|
@ -54,6 +67,9 @@ resource "proxmox_virtual_environment_file" "userdata" {
|
|||
- qemu-guest-agent
|
||||
power_state:
|
||||
mode: reboot
|
||||
#runcmd:
|
||||
# - git clone https://code.tjo.space/tjo-cloud/ingress.git /srv
|
||||
# - /srv/install.sh
|
||||
EOF
|
||||
file_name = "${each.value.host}.ingress.tjo.cloud.userconfig.yaml"
|
||||
}
|
||||
|
|
|
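Review bot: `tailscale_tailnet_key.key` is reusable, preauthorized, non-ephemeral and tag-bearing with no `expiry`, and its value is written verbatim into `/etc/tjo.cloud/meta.json` on every node through the cloud-init `write_files` entry — so reading that file, the Proxmox snippet holding the userdata, or the tofu state lets anyone enrol an arbitrary device as `tag:ingress-tjo-cloud` for as long as the key lives (the provider's default expiry is, I believe, 90 days). Set a short `expiry` (seconds) sized to the provisioning window and, if 0.17.2 supports it, `recreate_if_invalid = "always"` so a plan after expiry mints a fresh key instead of leaving a dead one in meta.json; a key per node via `for_each = local.nodes` would additionally make revocation per-node. The `write_files` entry continues past the hunk and its `permissions` is not visible — cloud-init defaults to 0644, so unless it is already set, `permissions: "0600"` and `owner: root:root` are needed now that the file carries the tailnet key next to the service-account password. Both the `locals` block and the cloud-config heredoc extend beyond the hunk.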
@ -8,6 +8,10 @@ terraform {
|
|||
source = "goauthentik/authentik"
|
||||
version = "2024.8.3"
|
||||
}
|
||||
tailscale = {
|
||||
source = "tailscale/tailscale"
|
||||
version = "0.17.2"
|
||||
}
|
||||
}
|
||||
|
||||
required_version = "~> 1.7.3"
|
||||
|
@ -18,6 +22,10 @@ provider "authentik" {
|
|||
token = var.authentik_token
|
||||
}
|
||||
|
||||
provider "tailscale" {
|
||||
api_key = var.tailscale_apikey
|
||||
}
|
||||
|
||||
provider "proxmox" {
|
||||
# FIXME: Traefik/NGINX breaks this! 500 ERROR
|
||||
endpoint = "https://batuu.system.tjo.cloud:8006/api2/json"
|
||||
|
|
|
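Review bot: `api_key = var.tailscale_apikey` authenticates the provider with a Tailscale API access token, which is bound to the user who created it, carries that user's full API rights and expires after at most 90 days, all for a provider that here only needs to create auth keys for one tag. The tailscale provider also accepts an OAuth client (`oauth_client_id` / `oauth_client_secret`, optionally `scopes`), and an OAuth client can be restricted to the `auth_keys` scope and to `tag:ingress-tjo-cloud`, which bounds what a leaked credential can do and removes the recurring rotation — worth checking that 0.17.2 exposes those attributes before switching. If the API key stays, record its lifetime where the next operator will see it, e.g. `api_key = var.tailscale_apikey # user-bound access token, max 90-day lifetime; rotate before expiry`.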
@ -31,3 +31,8 @@ variable "authentik_token" {
|
|||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
|
||||
variable "tailscale_apikey" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
|
|
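Review bot: The new `tailscale_apikey` variable has no `description`, so nothing tells the next operator what kind of credential and what scope is expected, which is how over-privileged tokens get minted; add `description = "Tailscale API credential used only to create tailnet auth keys for tag:ingress-tjo-cloud"`. `sensitive = true` is right, but it only redacts plan output — the auth key this credential produces is still stored in plain form in the tofu state.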