diff --git a/.gitignore b/.gitignore
index 1aa2f02..66ddf8a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,4 +3,5 @@ jafner-net/config/ddns/ddclient/ddclient.conf
 service-key.json
 .terraform/
-.terraform.lock.hcl
\ No newline at end of file
+.terraform.lock.hcl
+terraform/infrastructure/.tfvars
\ No newline at end of file
diff --git a/terraform/infrastructure/digitalocean/birch.tf b/terraform/infrastructure/digitalocean/birch.tf
index e76a1f2..7f4cea8 100644
--- a/terraform/infrastructure/digitalocean/birch.tf
+++ b/terraform/infrastructure/digitalocean/birch.tf
@@ -12,7 +12,11 @@ resource "digitalocean_droplet" "birch" {
 private_key = file(var.private_key)
 timeout = "2m"
 }
- provisioner "remote-exec" { # Using a provisioner is not best practice. See: https://developer.hashicorp.com/terraform/language/resources/provisioners/syntax#provisioners-are-a-last-resort
+ provisioner "file" {
+ source = "digitalocean/setup.sh"
+ destination = "/root/setup.sh"
+ }
+ provisioner "remote-exec" {
 inline = [
 "curl -fsSL https://get.docker.com -o get-docker.sh",
 "sudo sh ./get-docker.sh"
diff --git a/terraform/infrastructure/digitalocean/cedar.tf b/terraform/infrastructure/digitalocean/cedar.tf
index 0ef7ae6..6f32c01 100644
--- a/terraform/infrastructure/digitalocean/cedar.tf
+++ b/terraform/infrastructure/digitalocean/cedar.tf
@@ -1,4 +1,6 @@
 # Provision the host as a Digital Ocean droplet, configure SSH access, run docker install script
+
+/*
 resource "digitalocean_droplet" "cedar" {
 image = "debian-12-x64"
 name = "cedar"
@@ -23,3 +25,4 @@ resource "digitalocean_droplet" "cedar" {
 output "cedar-address" {
 value = digitalocean_droplet.cedar.ipv4_address
 }
+*/
\ No newline at end of file
diff --git a/terraform/infrastructure/digitalocean/provider.tf b/terraform/infrastructure/digitalocean/provider.tf
index 7ac4ebb..8758290 100644
--- a/terraform/infrastructure/digitalocean/provider.tf
+++ b/terraform/infrastructure/digitalocean/provider.tf
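Review bot: The added rule `terraform/infrastructure/.tfvars` matches only a file literally named `.tfvars`, so the usual `terraform.tfvars` / `*.auto.tfvars` files that would hold the DigitalOcean token are still committed, and nothing excludes Terraform state — this same commit adds `terraform/infrastructure/terraform.tfstate` and `terraform.tfstate.backup`. State records every resource attribute (the backup already carries the droplet's public IP, VPC UUID and SSH key fingerprint) and will capture any sensitive values later resources produce, so it belongs in a remote backend or at least outside git. I would replace the added line with `*.tfvars`, `*.tfstate` and `*.tfstate.*`, and drop the two state files from the commit (and from history if it has already been pushed). Separately, `.terraform.lock.hcl` is the provider dependency lock that HashiCorp recommends committing; ignoring it is pre-existing, but worth reconsidering while this file is being touched.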
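Review bot: The new `file` provisioner's `source = "digitalocean/setup.sh"` is resolved relative to Terraform's working directory rather than the module directory, so it only works when `apply` is run from `terraform/infrastructure`; `source = "${path.module}/setup.sh"` is the portable form. Nothing in the visible part of the `remote-exec` block executes `/root/setup.sh` — the `inline` list continues past the hunk, so it may be run there, but if it is not, the uploaded script is never applied and the droplet stays with root SSH login enabled. If it is run through `remote-exec`, note that the script's stdout (including the `TOTP_KEY=` line it prints) is captured in Terraform's output and any CI log around it. The `digitalocean_droplet.birch` resource block begins before and ends after this hunk.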
@@ -12,8 +12,6 @@ provider "digitalocean" {
 }
 
 variable "digitalocean_token" {
- type = string
- default = "var.digitalocean_token"
 }
 
 variable "private_key" {
diff --git a/terraform/infrastructure/digitalocean/setup.sh b/terraform/infrastructure/digitalocean/setup.sh
new file mode 100644
index 0000000..aeb5624
--- /dev/null
+++ b/terraform/infrastructure/digitalocean/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+adduser --disabled-password --gecos "" admin
+usermod -aG sudo admin
+sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
+echo -e "ALL\tALL = (ALL) NOPASSWD: ALL" >> /etc/sudoers
+apt-get update && apt-get -y install libpam-google-authenticator
+sed -i 's/@include common-auth/#@include common-auth/' /etc/pam.d/sshd
+sed -i 's/@include common-password/#@include common-password/' /etc/pam.d/sshd
+echo "auth required pam_google_authenticator.so nullok" >> /etc/pam.d/sshd
+echo "auth required pam_permit.so" >> /etc/pam.d/sshd
+sed -i 's/KbdInteractiveAuthentication no/KbdInteractiveAuthentication yes/' /etc/ssh/sshd_config
+sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
+echo "AuthenticationMethods publickey,keyboard-interactive" >> /etc/ssh/sshd_config
+mkdir -p /home/admin/.ssh/
+cp /root/.ssh/authorized_keys /home/admin/.ssh/authorized_keys
+chown -R admin:admin /home/admin/.ssh
+sudo -i -u admin bash << EOF
+google-authenticator -t -d -f -r 3 -R 30 -w 3 -C
+EOF
+
+echo "TOTP_KEY=$(head -n 1 /home/admin/.google_authenticator)"
+
+systemctl restart sshd.service
\ No newline at end of file
diff --git a/terraform/infrastructure/main.tf b/terraform/infrastructure/main.tf
index fbb9b9a..f45da83 100644
--- a/terraform/infrastructure/main.tf
+++ b/terraform/infrastructure/main.tf
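Review bot: Dropping `default = "var.digitalocean_token"` is right (it was a literal string, not a reference), but the variable is now left with neither a type nor a `sensitive` flag, so the API token it carries is echoed in plain text by `terraform plan`/`apply` and by any CI log that captures them. I would keep `type = string` and add `sensitive = true` inside the block so Terraform redacts the value wherever it appears in output. The `provider "digitalocean"` block shown as context begins before this hunk.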
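Review bot: `echo -e "ALL\tALL = (ALL) NOPASSWD: ALL" >> /etc/sudoers` grants passwordless root to every account on the host, not just `admin`, which undoes the benefit of disabling root SSH login and adding TOTP; scope it with `echo "admin ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/admin` and validate it with `visudo -cf /etc/sudoers.d/admin` so a typo cannot break sudo for everyone. `echo "TOTP_KEY=$(head -n 1 /home/admin/.google_authenticator)"` prints the TOTP seed to stdout, which lands wherever the script's output is captured (Terraform provisioner output, CI logs), so hand the seed over out-of-band instead, or at least document that it must be rotated after first login. The script has no `set -euo pipefail`, so if `adduser` or `cp /root/.ssh/authorized_keys` fails the remaining lines still disable root login and restart sshd, locking you out of the droplet. `nullok` on `pam_google_authenticator.so` lets any user without a `~/.google_authenticator` skip the second factor; that is tolerable while `admin` is the only account, but deserves a comment saying so. On a stock Debian 12 `sshd_config` the `PermitRootLogin` directive may be commented out and `ChallengeResponseAuthentication` may be absent, in which case those `sed` substitutions are no-ops; writing the directives to a drop-in under `/etc/ssh/sshd_config.d/` is more robust than editing in place.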
@@ -1,7 +1,17 @@
 module "digitalocean" {
 source = "./digitalocean"
+ digitalocean_token = var.digitalocean_token
 }
 
+variable "digitalocean_token" {
+}
+
+/*
 module "google" {
 source = "./google"
+}
+*/
+
+output "birch_ip_address" {
+ value = module.digitalocean.birch-address
 }
\ No newline at end of file
diff --git a/terraform/infrastructure/terraform.tfstate b/terraform/infrastructure/terraform.tfstate
new file mode 100644
index 0000000..d3a0d0a
--- /dev/null
+++ b/terraform/infrastructure/terraform.tfstate
@@ -0,0 +1,9 @@
+{ + "version": 4, + "terraform_version": "1.5.1", + "serial": 40, + "lineage": "37138f14-4bc0-6bde-ac13-d02a01d95227", + "outputs": {}, + "resources": [], + "check_results": null +}
diff --git a/terraform/infrastructure/terraform.tfstate.backup b/terraform/infrastructure/terraform.tfstate.backup
new file mode 100644
index 0000000..7a1747b
--- /dev/null
+++ b/terraform/infrastructure/terraform.tfstate.backup
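Review bot: The new root-module `variable "digitalocean_token" {}` is untyped and not marked sensitive, so the token it forwards to `module.digitalocean` is shown in plain text in plan output; declare it with `type = string` and `sensitive = true` (the module-side variable in `provider.tf` needs the same so the value stays redacted inside the module). The added `output "birch_ip_address"` reads `module.digitalocean.birch-address`, which is not declared anywhere in this diff — presumably it exists in `birch.tf` alongside the `cedar-address` output this commit comments out, but it is worth confirming since an unknown module output fails at plan time. Commenting out `module "google"` with `/* */` rather than removing it leaves no record of why it is disabled or whether its resources were destroyed; a one-line comment above the block stating that would help the next reader.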
@@ -0,0 +1,63 @@ +{ + "version": 4, + "terraform_version": "1.5.1", + "serial": 38, + "lineage": "37138f14-4bc0-6bde-ac13-d02a01d95227", + "outputs": { + "birch_ip_address": { + "value": "146.190.144.105", + "type": "string" + } + }, + "resources": [ + { + "module": "module.digitalocean", + "mode": "managed", + "type": "digitalocean_droplet", + "name": "birch", + "provider": "module.digitalocean.provider[\"registry.terraform.io/digitalocean/digitalocean\"]", + "instances": [ + { + "schema_version": 1, + "attributes": { + "backups": false, + "created_at": "2023-07-03T21:54:03Z", + "disk": 25, + "droplet_agent": null, + "graceful_shutdown": false, + "id": "363447531", + "image": "debian-12-x64", + "ipv4_address": "146.190.144.105", + "ipv4_address_private": "10.124.0.3", + "ipv6": false, + "ipv6_address": "", + "locked": false, + "memory": 1024, + "monitoring": false, + "name": "birch", + "price_hourly": 0.00893, + "price_monthly": 6, + "private_networking": true, + "region": "sfo3", + "resize_disk": true, + "size": "s-1vcpu-1gb", + "ssh_keys": [ + "04:b4:49:d8:bc:68:73:dd:45:fd:56:1f:d3:ea:37:7a" + ], + "status": "active", + "tags": null, + "timeouts": null, + "urn": "do:droplet:363447531", + "user_data": null, + "vcpus": 1, + "volume_ids": [], + "vpc_uuid": "b2361ace-6f4c-4b33-858d-a800d6f1827a" + }, + "sensitive_attributes": [], + "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjozNjAwMDAwMDAwMDAwLCJkZWxldGUiOjYwMDAwMDAwMDAwLCJ1cGRhdGUiOjM2MDAwMDAwMDAwMDB9LCJzY2hlbWFfdmVyc2lvbiI6IjEifQ==" + } + ] + } + ], + "check_results": null +}