WIP Terraform

2023-09-18 12:36:20 -07:00 · 2023-09-18 12:36:20 -07:00 · 991fb6d3cc
commit 991fb6d3cc
parent e02d84e58f
8 changed files with 116 additions and 4 deletions
--- a/.gitignore
+++ b/.gitignore
@ -3,4 +3,5 @@
 jafner-net/config/ddns/ddclient/ddclient.conf
 service-key.json
 .terraform/
-.terraform.lock.hcl
+.terraform.lock.hcl
+terraform/infrastructure/.tfvars
--- a/terraform/infrastructure/digitalocean/birch.tf
+++ b/terraform/infrastructure/digitalocean/birch.tf
@ -12,7 +12,11 @@ resource "digitalocean_droplet" "birch" {
    private_key = file(var.private_key)
    timeout = "2m"
  }
-  provisioner "remote-exec" { # Using a provisioner is not best practice. See: https://developer.hashicorp.com/terraform/language/resources/provisioners/syntax#provisioners-are-a-last-resort
+  provisioner "file" {
+    source = "digitalocean/setup.sh"
+    destination = "/root/setup.sh"
+  }
+  provisioner "remote-exec" { 
    inline = [
      "curl -fsSL https://get.docker.com -o get-docker.sh",
      "sudo sh ./get-docker.sh"
--- a/terraform/infrastructure/digitalocean/cedar.tf
+++ b/terraform/infrastructure/digitalocean/cedar.tf
@ -1,4 +1,6 @@
 # Provision the host as a Digital Ocean droplet, configure SSH access, run docker install script
+
+/*
 resource "digitalocean_droplet" "cedar" {
  image  = "debian-12-x64"
  name   = "cedar"
@ -23,3 +25,4 @@ resource "digitalocean_droplet" "cedar" {
 output "cedar-address" {
    value = digitalocean_droplet.cedar.ipv4_address
 }
+*/
--- a/terraform/infrastructure/digitalocean/provider.tf
+++ b/terraform/infrastructure/digitalocean/provider.tf
@ -12,8 +12,6 @@ provider "digitalocean" {
 }

 variable "digitalocean_token" {
-  type = string
-  default = "var.digitalocean_token"
 }

 variable "private_key" {
--- a/terraform/infrastructure/digitalocean/setup.sh
+++ b/terraform/infrastructure/digitalocean/setup.sh
@ -0,0 +1,24 @@
+#!/bin/bash
+
+adduser --disabled-password --gecos "" admin
+usermod -aG sudo admin
+sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config 
+echo -e "ALL\tALL = (ALL) NOPASSWD: ALL" >> /etc/sudoers 
+apt-get update && apt-get -y install libpam-google-authenticator
+sed -i 's/@include common-auth/#@include common-auth/' /etc/pam.d/sshd
+sed -i 's/@include common-password/#@include common-password/' /etc/pam.d/sshd
+echo "auth required pam_google_authenticator.so nullok" >> /etc/pam.d/sshd
+echo "auth required pam_permit.so" >> /etc/pam.d/sshd
+sed -i 's/KbdInteractiveAuthentication no/KbdInteractiveAuthentication yes/' /etc/ssh/sshd_config
+sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
+echo "AuthenticationMethods publickey,keyboard-interactive" >> /etc/ssh/sshd_config
+mkdir -p /home/admin/.ssh/
+cp /root/.ssh/authorized_keys /home/admin/.ssh/authorized_keys
+chown -R admin:admin /home/admin/.ssh
+sudo -i -u admin bash << EOF 
+google-authenticator -t -d -f -r 3 -R 30 -w 3 -C
+EOF
+
+echo "TOTP_KEY=$(head -n 1 /home/admin/.google_authenticator)"
+
+systemctl restart sshd.service
--- a/terraform/infrastructure/main.tf
+++ b/terraform/infrastructure/main.tf
@ -1,7 +1,17 @@
 module "digitalocean" {
    source = "./digitalocean"
+    digitalocean_token = var.digitalocean_token
 }

+variable "digitalocean_token" {
+}
+
+/*
 module "google" {
    source = "./google"
+}
+*/
+
+output "birch_ip_address" {
+    value = module.digitalocean.birch-address
 }
--- a/terraform/infrastructure/terraform.tfstate
+++ b/terraform/infrastructure/terraform.tfstate
@ -0,0 +1,9 @@
+{
+  "version": 4,
+  "terraform_version": "1.5.1",
+  "serial": 40,
+  "lineage": "37138f14-4bc0-6bde-ac13-d02a01d95227",
+  "outputs": {},
+  "resources": [],
+  "check_results": null
+}
--- a/terraform/infrastructure/terraform.tfstate.backup
+++ b/terraform/infrastructure/terraform.tfstate.backup
@ -0,0 +1,63 @@
+{
+  "version": 4,
+  "terraform_version": "1.5.1",
+  "serial": 38,
+  "lineage": "37138f14-4bc0-6bde-ac13-d02a01d95227",
+  "outputs": {
+    "birch_ip_address": {
+      "value": "146.190.144.105",
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "module": "module.digitalocean",
+      "mode": "managed",
+      "type": "digitalocean_droplet",
+      "name": "birch",
+      "provider": "module.digitalocean.provider[\"registry.terraform.io/digitalocean/digitalocean\"]",
+      "instances": [
+        {
+          "schema_version": 1,
+          "attributes": {
+            "backups": false,
+            "created_at": "2023-07-03T21:54:03Z",
+            "disk": 25,
+            "droplet_agent": null,
+            "graceful_shutdown": false,
+            "id": "363447531",
+            "image": "debian-12-x64",
+            "ipv4_address": "146.190.144.105",
+            "ipv4_address_private": "10.124.0.3",
+            "ipv6": false,
+            "ipv6_address": "",
+            "locked": false,
+            "memory": 1024,
+            "monitoring": false,
+            "name": "birch",
+            "price_hourly": 0.00893,
+            "price_monthly": 6,
+            "private_networking": true,
+            "region": "sfo3",
+            "resize_disk": true,
+            "size": "s-1vcpu-1gb",
+            "ssh_keys": [
+              "04:b4:49:d8:bc:68:73:dd:45:fd:56:1f:d3:ea:37:7a"
+            ],
+            "status": "active",
+            "tags": null,
+            "timeouts": null,
+            "urn": "do:droplet:363447531",
+            "user_data": null,
+            "vcpus": 1,
+            "volume_ids": [],
+            "vpc_uuid": "b2361ace-6f4c-4b33-858d-a800d6f1827a"
+          },
+          "sensitive_attributes": [],
+          "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjozNjAwMDAwMDAwMDAwLCJkZWxldGUiOjYwMDAwMDAwMDAwLCJ1cGRhdGUiOjM2MDAwMDAwMDAwMDB9LCJzY2hlbWFfdmVyc2lvbiI6IjEifQ=="
+        }
+      ]
+    }
+  ],
+  "check_results": null
+}