First set up

2025-12-23 00:54:26 +00:00 · 2024-09-14 21:32:05 +02:00
parent c853cf8946
commit bf42c666c7
10 changed files with 89 additions and 59 deletions
--- a/infrastructure/cloud-init.yaml
+++ b/infrastructure/cloud-init.yaml
@@ -1,80 +0,0 @@
-#cloud-config
-package_update: true
-package_upgrade: true
-package_reboot_if_required: true
-
-users:
- name: ${username}
-  groups: [ sudo ]
-  shell: /usr/bin/zsh
-  hashed_passwd: ${user_hashed_password}
-  lock_passwd: false
-  ssh_authorized_keys:
-  - ${user_ssh_public_key}
- name: git
-  lock_passwd: true
-
-packages:
-  - apt-transport-https
-  - ca-certificates
-  - curl
-  - gnupg2
-  - git
-  - zsh
-  - ufw
-  - fail2ban
-  - tmux
-  - bat
-  - unzip
-
-write_files:
-  - content: |
-      #!/bin/sh
-      GITEA_POD=$(kubectl --kubeconfig /home/git/.kube/config get po -n gitea -l app=gitea -o name --no-headers=true | cut -d'/' -f2)
-      kubectl --kubeconfig /home/git/.kube/config exec -i -n gitea $GITEA_POD -c gitea -- env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" /bin/sh "$@"      
-    path: /usr/local/bin/gitea-shell
-    permissions: '0755'
-  - content: |
-      #!/bin/sh
-      GITEA_POD=$(kubectl --kubeconfig /home/git/.kube/config get po -n gitea -l app=gitea -o name --no-headers=true | cut -d'/' -f2)
-      kubectl --kubeconfig /home/git/.kube/config exec -i -n gitea $GITEA_POD -c gitea -- /usr/local/bin/gitea keys -e git -u $1 -t $2 -k $3      
-    permissions: '0755'
-    path: /usr/local/bin/gitea-keys
-
-ssh:
-  emit_keys_to_console: false
-ssh_pwauth: false
-disable_root: true
-
-ssh_config:
-  Match User git:
-    AuthorizedKeysCommandUser: git
-    AuthorizedKeysCommand: /usr/local/bin/gitea-keys %u %t %k
-
-runcmd:
-  # UFW
-  - ufw default deny incoming
-  - ufw default allow outgoing
-  - ufw allow ssh
-  - ufw allow http
-  - ufw allow https
-  - ufw logging on
-  - ufw enable
-  # SSH key for user
-  - su ${username} -c 'ssh-keygen -t ed25519 -f /home/${username}/.ssh/id_ed25519 -q -N "" '
-  # Expire password for user
-  - chage -d 0 ${username}
-  # SSH Passthrough for user git
-  - usermod -s /usr/local/bin/gitea-shell git
-  # k3s
-  - curl -sfL https://get.k3s.io | sh -s - --disable=traefik
-  # helm
-  - curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
-  - chmod 700 get_helm.sh
-  - ./get_helm.sh
-  # Install Flux
-  - curl -s https://fluxcd.io/install.sh | sudo bash
-  # Bootstrap Flux (adjust the GitHub details as needed)
-  - su ${username} -c 'flux bootstrap github --owner=${github_username} --repository=${github_repo} --path=cluster-config --personal'
-
-final_message: "The system is finally up, after $UPTIME seconds"
--- a/infrastructure/main.tf
+++ b/infrastructure/main.tf
@@ -1,97 +0,0 @@
-# Configure the Hetzner Cloud Provider
-terraform {
-  required_providers {
-    hcloud = {
-      source = "hetznercloud/hcloud"
-    }
-    sops = {
-      source  = "carlpett/sops"
-      version = "~> 0.5"
-    }
-  }
-  required_version = ">= 0.13"
-}
-
-provider "hcloud" {
-  token = var.hcloud_token
-}
-
-provider "sops" {}
-
-data "sops_file" "secrets" {
-  source_file = "secrets.enc.yaml"
-}
-
-data "cloudinit_config" "k8s_node" {
-  gzip = true
-  base64_encode = true
-
-  part {
-    content_type = "text/cloud-config"
-    content = templatefile("${path.module}/cloud-init.yaml", {
-      username = data.sops_file.secrets.data["username"]
-      user_hashed_password = data.sops_file.secrets.data["user_hashed_password"]
-      user_ssh_public_key = data.sops_file.secrets.data["user_ssh_public_key"]
-      github_username = data.sops_file.secrets.data["github_username"]
-      github_repo = data.sops_file.secrets.data["github_repo"]
-    })
-  }
-}
-
-resource "hcloud_server" "cluster" {
-  name        = "auberon"
-  image       = "ubuntu-24.04"
-  server_type = "cx22"
-  location    = "nbg1"
-  backups     = true
-  user_data   = data.cloudinit_config.k8s_node.rendered
-}
-
-resource "hcloud_firewall" "cluster-firewall" {
-  name = "cluster-firewall"
-  apply_to {
-    server = hcloud_server.cluster.id
-  }
-  rule {
-    direction = "in"
-    protocol  = "icmp"
-    source_ips = [
-      "0.0.0.0/0",
-      "::/0"
-    ]
-  }
-
-  rule {
-    direction = "in"
-    protocol  = "tcp"
-    port      = "80"
-    source_ips = [
-      "0.0.0.0/0",
-      "::/0"
-    ]
-  }
-
-  rule {
-    direction = "in"
-    protocol  = "tcp"
-    port      = "443"
-    source_ips = [
-      "0.0.0.0/0",
-      "::/0"
-    ]
-  }
-
-  rule {
-    direction = "in"
-    protocol  = "tcp"
-    port      = "22"
-    source_ips = [
-      "0.0.0.0/0",
-      "::/0"
-    ]
-  }
-}
-
-output "server_ip" {
-  value = hcloud_server.cluster.ipv4_address
-}
--- a/infrastructure/variables.tf
+++ b/infrastructure/variables.tf
@@ -1,5 +0,0 @@
-variable "hcloud_token" {
-  description = "Hetzner Cloud API Token"
-  type        = string
-  sensitive   = true
-}