feat: provision tailscale key for unintended provisioning

This commit is contained in:
Tine 2024-11-11 21:31:32 +01:00
parent 95a62b39e3
commit 308fe73938
Signed by: mentos1386
SSH key fingerprint: SHA256:MNtTsLbihYaWF8j1fkOHfkKNlnN1JQfxEU/rBU8nCGw
8 changed files with 102 additions and 21 deletions


@ -21,6 +21,8 @@ CLOUD_REGION="$(hostname -s)"
SERVICE_ACCOUNT_USERNAME=$(jq -r ".service_account.username" /etc/tjo.cloud/meta.json)
SERVICE_ACCOUNT_PASSWORD=$(jq -r ".service_account.password" /etc/tjo.cloud/meta.json)
TAILSCALE_AUTH_KEY=$(jq -r ".tailscale.auth_key" /etc/tjo.cloud/meta.json)
##
# Dependencies
apt update -y
@ -28,6 +30,7 @@ apt update -y
apt install -y \
gpg \
git \
ufw \
nginx \
nginx-extras \
libnginx-mod-http-geoip2 \
@ -69,12 +72,42 @@ systemctl reload alloy
##
# Configure Tailscale
tailscale up \
if tailscale status --json | jq -e -r '.BackendState != "Running"'; then
tailscale up \
--ssh=true \
--accept-routes=true \
--accept-dns=false \
--advertise-tags="tag:ingress-tjo-cloud" \
--hostname="$(hostname -f | sed 's/\./-/g')"
--hostname="$(hostname -f | sed 's/\./-/g')" \
--authkey="${TAILSCALE_AUTH_KEY}"
fi
##
# Configure SSH
cat <<EOF >/etc/ssh/sshd_config.d/port-2222.conf
Port 2222
EOF
systemctl restart ssh
##
# Configure UFW
# Should basically match nginx.conf
ufw default deny incoming
ufw default allow outgoing
ufw allow in on tailscale0
ufw allow 22 # GIT
ufw allow 25 # EMAIL
ufw allow 143 # EMAIL
ufw allow 443 # HTTPS
ufw allow 465 # EMAIL
ufw allow 587 # EMAIL
ufw allow 993 # EMAIL
ufw allow 4190 # EMAIL
ufw --force enable
systemctl enable ufw
##
# Configure NGINX
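Review bot: `tailscale up … --authkey="${TAILSCALE_AUTH_KEY}"` places a reusable, pre-authorized tailnet key on the command line, where it is readable from `ps`/`/proc/*/cmdline` and in any `bash -x` trace for the duration of the call; recent tailscale releases accept `--authkey=file:/path`, which avoids that if the installed version supports it. The same key sits in /etc/tjo.cloud/meta.json next to the service-account password, and nothing in this script restricts that file, so add `chmod 0600 /etc/tjo.cloud/meta.json` before the `jq` reads (the cloud-init `write_files` entry elsewhere in this commit does not visibly set `permissions:`, which would leave it world-readable). The `jq -e` guard also deserves a one-line comment, e.g. `# only join when not already Running; an already-joined node keeps its existing node key`, since it is the only thing that keeps re-runs from re-consuming the key.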


@ -61,10 +61,7 @@ provision:
for NODE in $NODES
do
echo "Provisioning node ${NODE}"
ssh ubuntu@${NODE} 'sudo rm -rf /srv && sudo mkdir /srv && sudo chown ubuntu:ubuntu /srv'
cat install.sh | ssh ubuntu@${NODE} 'sudo bash -s'
cat install.sh | ssh -p 2222 ubuntu@${NODE} 'sudo bash -s'
done
list-servers:
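Review bot: `ssh -p 2222 ubuntu@${NODE}` assumes sshd already listens on 2222, but that port is only set by install.sh itself (this commit's `port-2222.conf`), so a freshly created node — the case `provision` exists for — would still be on 22 unless cloud-init moves the port somewhere not visible here. A first-run fallback such as `cat install.sh | ssh -p 2222 ubuntu@"${NODE}" 'sudo bash -s' || cat install.sh | ssh -p 22 ubuntu@"${NODE}" 'sudo bash -s'`, or an `SSH_PORT ?= 2222` variable, keeps bootstrap working; quoting `"${NODE}"` is also due. Dropping the `rm -rf /srv` line means /srv is no longer reset between runs, which is fine if install.sh is now self-contained but worth a comment on the recipe.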


@ -96,14 +96,14 @@ stream {
}
# GIT
#server {
# listen 0.0.0.0:22;
# listen [::]:22;
# proxy_pass batuu.system.tjo.cloud:22;
# proxy_protocol on;
# include /etc/nginx/partials/server.conf;
# include /etc/nginx/partials/blocked.conf;
#}
server {
listen 0.0.0.0:22;
listen [::]:22;
proxy_pass batuu.system.tjo.cloud:22;
proxy_protocol off; # Configure downstream first.
include /etc/nginx/partials/server.conf;
include /etc/nginx/partials/blocked.conf;
}
# EMAIL
server {
@ -120,7 +120,7 @@ stream {
listen 0.0.0.0:4190;
listen [::]:4190;
proxy_pass mail.system.tjo.cloud:$server_port;
proxy_protocol on;
proxy_protocol off; # Configure downstream first.
include /etc/nginx/partials/server.conf;
include /etc/nginx/partials/blocked.conf;
}
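Review bot: With `proxy_protocol off` on the newly enabled port-22 stream server, batuu.system.tjo.cloud sees every inbound SSH connection as originating from this ingress node, so any per-source throttling or fail2ban-style banning on batuu (if present) would hit the ingress itself rather than the scanner, and `blocked.conf` on this side becomes the only source-IP control for git SSH. Until the downstream is behind a PROXY-protocol-aware front, consider keeping the port-22 server commented out or restricting it with a stream-level `allow`/`deny` list. The two identical `# Configure downstream first.` remarks should become a trackable TODO, e.g. `proxy_protocol off; # TODO(proxy-protocol): enable once the upstream listener accepts PROXY protocol`.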


@ -45,3 +45,25 @@ provider "registry.opentofu.org/goauthentik/authentik" {
"zh:f6af0fd2e89ea7b7e692ef893cf5fdcc6f53c37fc0c6e066a28d9c834226c539",
]
}
provider "registry.opentofu.org/tailscale/tailscale" {
version = "0.17.2"
constraints = "0.17.2"
hashes = [
"h1:0bZpffptYi/bXOXEnFjUYD6UwaR4vqUdMULdeeBhz84=",
"zh:13d21db507bfb17018005c5c4f19314591a5734c76bcd51ab6e80984164c2a71",
"zh:13dbb3d978aca16f66c49596e5a38d236264d10a66879dc0d06839aca9cdad3f",
"zh:1589a8b006da14d60e3fcd55fbc465ccdce7a99e833b6a7455fbf81be59f07f3",
"zh:1de3673533c0c20c4fc6070822f0c416a64734656f2e181e6bab5e9df5383ed9",
"zh:24eaaf37dacb48e26b53a2a0491ffa7bc5c1977d9c27753ada734ed0191f28aa",
"zh:2a0890a012829aa370bb930a8155af49accf53832324e8124e123d0679878c3c",
"zh:4f8a462d462b0942add33cf376655c0470b6826db34e57aecc9a62742e286283",
"zh:5cf38de52c7e2e8f3a5f8e05e1fbef4db4545c5b2dc2f89b0bfb4b8eea293a14",
"zh:8bbf0a4c9a6c37b31dda332a8a7436516fc62ce777e0e586772883f39de56e52",
"zh:9213bbdea053d1edbeccb51a7e86829e1539b5295fba08bf0eda9af729e8ba60",
"zh:9a645a49430297e27304e93ebc699fcb0d1a068ba8b431c4ec0f9ad4a4e134bf",
"zh:b3b70b083161cb97ef0618be579453d13b25ba95c785744cd0c4a84eecc7a0f9",
"zh:b3e1e5ac6087120ef548d2ceeafef1b0b469aad17a84eb873f0f4d5eaa2bf6f9",
"zh:e323626e070442308bcadfcc51a3ce5b0e6ae41a7632f82bb24318706920a9d3",
]
}


@ -12,6 +12,9 @@ locals {
username = authentik_user.service_account[k].username
password = authentik_token.service_account[k].key
}
tailscale = {
auth_key = tailscale_tailnet_key.key.key
}
}
})
}
@ -24,6 +27,14 @@ locals {
}
}
resource "tailscale_tailnet_key" "key" {
reusable = true
ephemeral = false
preauthorized = true
description = "ingress-tjo-cloud terraform key"
tags = ["tag:ingress-tjo-cloud"]
}
resource "proxmox_virtual_environment_download_file" "ubuntu" {
for_each = local.nodes
@ -44,7 +55,9 @@ resource "proxmox_virtual_environment_file" "userdata" {
source_raw {
data = <<-EOF
#cloud-config
hostname: ${each.value.host}.${each.value.domain}
hostname: ${each.value.host}
fqdn: ${each.value.host}.${each.value.domain}
prefer_fqdn_over_hostname: true
write_files:
- path: /etc/tjo.cloud/meta.json
encoding: base64
@ -54,6 +67,9 @@ resource "proxmox_virtual_environment_file" "userdata" {
- qemu-guest-agent
power_state:
mode: reboot
#runcmd:
# - git clone https://code.tjo.space/tjo-cloud/ingress.git /srv
# - /srv/install.sh
EOF
file_name = "${each.value.host}.ingress.tjo.cloud.userconfig.yaml"
}
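Review bot: `tailscale_tailnet_key.key` is `reusable = true`, `ephemeral = false`, `preauthorized = true` with no `expiry`, and its value is embedded in every node's cloud-init userdata (stored as a Proxmox snippet) and in the OpenTofu state, so anyone who reads any one of those artifacts can add arbitrary devices to the tailnet under `tag:ingress-tjo-cloud` until the key is revoked. Set an explicit lifetime, e.g. `expiry = 86400 # seconds; only needs to outlive first boot`, and document the choice above the resource: `# Shared, reusable join key: rotate by tainting this resource; one leaked node exposes all.` If `k` in the locals indexes `local.nodes` as the other resources do, a per-node key via `for_each = local.nodes` and `tailscale_tailnet_key.key[k].key` would let a single node's key be revoked without redeploying the rest; note that a short expiry combined with the install script's "only join when not Running" guard means re-provisioning after expiry needs the key recreated (the provider's `recreate_if_invalid` option, if available in 0.17.2, covers this).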


@ -8,6 +8,10 @@ terraform {
source = "goauthentik/authentik"
version = "2024.8.3"
}
tailscale = {
source = "tailscale/tailscale"
version = "0.17.2"
}
}
required_version = "~> 1.7.3"
@ -18,6 +22,10 @@ provider "authentik" {
token = var.authentik_token
}
provider "tailscale" {
api_key = var.tailscale_apikey
}
provider "proxmox" {
# FIXME: Traefik/NGINX breaks this! 500 ERROR
endpoint = "https://batuu.system.tjo.cloud:8006/api2/json"
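Review bot: `provider "tailscale" { api_key = var.tailscale_apikey }` binds the whole configuration to a personal API key, which carries the full permissions of the user who minted it and expires after a fixed period, so creating auth keys for an ingress fleet is a broad credential for a narrow task. The provider also accepts `oauth_client_id`/`oauth_client_secret`, which can be scoped to just auth-key creation for `tag:ingress-tjo-cloud`; consider switching to that, or at least add a comment on the block stating what the key is allowed to do and where it is sourced from, e.g. `# Needs permission to create tailnet auth keys; supplied via TAILSCALE_API_KEY or tfvars, never committed.` The `tailnet` argument is left at its default, which is fine as long as the credential belongs to exactly one tailnet.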


@ -31,3 +31,8 @@ variable "authentik_token" {
type = string
sensitive = true
}
variable "tailscale_apikey" {
type = string
sensitive = true
}
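Review bot: The new `tailscale_apikey` variable is marked `sensitive` but has no `description`, unlike a reader would expect for a credential that grants the ability to mint tailnet join keys. Add `description = "Tailscale API key (or OAuth client secret) used to create pre-authorized auth keys for the ingress nodes"` so `tofu plan` output and the variables file explain what is being asked for and why.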