First set up

2025-12-25 01:54:23 +00:00 · 2024-09-14 21:32:05 +02:00
parent c853cf8946
commit bf42c666c7
10 changed files with 89 additions and 59 deletions
--- a/provisioning/cloud-init.yaml
+++ b/provisioning/cloud-init.yaml
@@ -0,0 +1,78 @@
+#cloud-config
+package_update: true
+package_upgrade: true
+package_reboot_if_required: true
+
+users:
+- name: ${username}
+  groups: [ sudo ]
+  shell: /usr/bin/zsh
+  hashed_passwd: ${user_hashed_password}
+  lock_passwd: false
+  ssh_authorized_keys:
+  - ${user_ssh_public_key}
+- name: git
+  lock_passwd: true
+
+packages:
+  - apt-transport-https
+  - ca-certificates
+  - curl
+  - gnupg2
+  - git
+  - zsh
+  - ufw
+  - fail2ban
+  - tmux
+  - bat
+  - unzip
+
+write_files:
+  - content: |
+      #!/bin/sh
+      GITEA_POD=$(kubectl --kubeconfig /home/git/.kube/config get po -n gitea -l app=gitea -o name --no-headers=true | cut -d'/' -f2)
+      kubectl --kubeconfig /home/git/.kube/config exec -i -n gitea $GITEA_POD -c gitea -- env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" /bin/sh "$@"      
+    path: /usr/local/bin/gitea-shell
+    permissions: '0755'
+  - content: |
+      #!/bin/sh
+      GITEA_POD=$(kubectl --kubeconfig /home/git/.kube/config get po -n gitea -l app=gitea -o name --no-headers=true | cut -d'/' -f2)
+      kubectl --kubeconfig /home/git/.kube/config exec -i -n gitea $GITEA_POD -c gitea -- /usr/local/bin/gitea keys -e git -u $1 -t $2 -k $3      
+    permissions: '0755'
+    path: /usr/local/bin/gitea-keys
+
+ssh:
+  emit_keys_to_console: false
+ssh_pwauth: false
+disable_root: true
+
+ssh_config:
+  Match User git:
+    AuthorizedKeysCommandUser: git
+    AuthorizedKeysCommand: /usr/local/bin/gitea-keys %u %t %k
+
+runcmd:
+  # UFW
+  - ufw default deny incoming
+  - ufw default allow outgoing
+  - ufw allow ssh
+  - ufw allow http
+  - ufw allow https
+  - ufw logging on
+  - ufw enable
+  # SSH key for user
+  - su ${username} -c 'ssh-keygen -t ed25519 -f /home/${username}/.ssh/id_ed25519 -q -N "" '
+  # Expire password for user
+  - chage -d 0 ${username}
+  # SSH Passthrough for user git
+  - usermod -s /usr/local/bin/gitea-shell git
+  # k3s
+  - curl -sfL https://get.k3s.io | sh -s - --disable=traefik
+  # helm
+  - curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
+  - chmod 700 get_helm.sh
+  - ./get_helm.sh
+  # Install and bootstrap Flux
+  - curl -s https://fluxcd.io/install.sh | sudo bash
+  - su ${username} -c 'export GITHUB_TOKEN=${github_token} && flux bootstrap github --owner=${github_username} --repository=${github_repo} --personal'
+final_message: "The system is finally up, after $UPTIME seconds"
--- a/provisioning/main.tf
+++ b/provisioning/main.tf
@@ -0,0 +1,103 @@
+# Configure the Hetzner Cloud Provider
+terraform {
+  required_providers {
+    hcloud = {
+      source = "hetznercloud/hcloud"
+    }
+    sops = {
+      source  = "carlpett/sops"
+      version = "~> 0.5"
+    }
+  }
+  required_version = ">= 0.13"
+
+  backend "s3" {
+    bucket = "value"
+    key    = "terraform.tfstate"
+  }
+}
+
+provider "hcloud" {
+  token = var.hcloud_token
+}
+
+provider "sops" {}
+
+data "sops_file" "secrets" {
+  source_file = "secrets.enc.yaml"
+}
+
+data "cloudinit_config" "k8s_node" {
+  gzip = true
+  base64_encode = true
+
+  part {
+    content_type = "text/cloud-config"
+    content = templatefile("${path.module}/cloud-init.yaml", {
+      username = data.sops_file.secrets.data["username"]
+      user_hashed_password = data.sops_file.secrets.data["user_hashed_password"]
+      user_ssh_public_key = data.sops_file.secrets.data["user_ssh_public_key"]
+      github_username = data.sops_file.secrets.data["github_username"]
+      github_repo = data.sops_file.secrets.data["github_repo"]
+      github_token = data.sops_file.secrets.data["github_token"]
+    })
+  }
+}
+
+resource "hcloud_server" "cluster" {
+  name        = "auberon2"
+  image       = "ubuntu-24.04"
+  server_type = "cx22"
+  location    = "nbg1"
+  backups     = true
+  user_data   = data.cloudinit_config.k8s_node.rendered
+}
+
+resource "hcloud_firewall" "cluster-firewall" {
+  name = "cluster-firewall"
+  apply_to {
+    server = hcloud_server.cluster.id
+  }
+  rule {
+    direction = "in"
+    protocol  = "icmp"
+    source_ips = [
+      "0.0.0.0/0",
+      "::/0"
+    ]
+  }
+
+  rule {
+    direction = "in"
+    protocol  = "tcp"
+    port      = "80"
+    source_ips = [
+      "0.0.0.0/0",
+      "::/0"
+    ]
+  }
+
+  rule {
+    direction = "in"
+    protocol  = "tcp"
+    port      = "443"
+    source_ips = [
+      "0.0.0.0/0",
+      "::/0"
+    ]
+  }
+
+  rule {
+    direction = "in"
+    protocol  = "tcp"
+    port      = "22"
+    source_ips = [
+      "0.0.0.0/0",
+      "::/0"
+    ]
+  }
+}
+
+output "server_ip" {
+  value = hcloud_server.cluster.ipv4_address
+}
--- a/provisioning/s3_env.enc.yaml
+++ b/provisioning/s3_env.enc.yaml
@@ -0,0 +1,24 @@
+AWS_ENDPOINT_URL_S3: ENC[AES256_GCM,data:RjiLoq0DoK9dJ/WmISwYg18jZ78MGQ==,iv:Y/IUlxpBgHd7YGbnNCynz3nXvk9Rx2aD6HH8ZOlQNlQ=,tag:Van8YpUF3aWuPPQru0hxBQ==,type:str]
+AWS_REGION: ENC[AES256_GCM,data:0n8uNFr7,iv:9xDqcqhMVRMuCR+3vR6cgT+gJQw/47gSjPGUY7MZJts=,tag:gzdBt+SUyOGFGcUfh1AFzg==,type:str]
+AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:iWeHSVqQ3IWJLbo62Q5sicULUQo=,iv:je+lGXBvstmd0E1Q3lD4fM4QGoT8Ar2chf4X3tTIgA8=,tag:ku/ziH33flGuEg+2F8GRSw==,type:str]
+AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:jKSQUPsszXKlR4EZS/XSi7lP8c8MRr0soweZo4K8HCMcMAEZ,iv:ZoUwZa7GUURBHpvXeg7NCZGzKkv94limq1sU21iMYdk=,tag:m1Y0wLNHjRjWpyYPw2hcjw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1jk99rtxq3ep2xj2w886cchddf7jypqpwkr3dszg5dzq93gn8cy9qyc786m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzOVZmVlloNis2VU40dVRz
+            Q3VFTGw3WWU4d0srTm9oWnVoOVh2bXZBRjAwCktxL0w0WDF2cVp2ME5DeDhDYWJx
+            d2hvbUZUWmtDeDlUdjZNUWtJVFA3dmcKLS0tIGNEYTBib1VoTkIyTWN3UFVjdi9n
+            RHA1UFQ5Q0VOVE9pRitweUV4Y3lTRGsK5fCBfCfNnKyBkFbTnHNr0M9ttLlfX+1i
+            zYKa1NWws2m53qBI8cTI5Y323UvUDsBma1MJeUKD04IT6ulwOHTJzQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-14T19:24:55Z"
+    mac: ENC[AES256_GCM,data:lXgbX0BuPpI6W5sHDGCsXYEnGSWq/9kWW/Hdq/420nuFe+cIaTv/oq4kshu9NsHc+2V2Fy/Ub6UdmO2VVaHfcgmu8sD7loe8iEyMIKROTcvDwOpqLjmYCld/jVvFyV2HhFrmYVxmDzwCTR7QQ5VdCFvPzkMqsrARb++8grE78FE=,iv:IEtD6rmzHlyJKR47aMpyvgSIcBbGmPsaMHsk2KYVajw=,tag:SdZxLTPde5T8pt/jB88DhQ==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.9.0
--- a/provisioning/secrets.enc.yaml
+++ b/provisioning/secrets.enc.yaml
@@ -0,0 +1,26 @@
+username: ENC[AES256_GCM,data:vh9P5jU=,iv:uAlQixoHU2JoRBBda3EHALsVl04g95vU/zFtylh3h/4=,tag:hNVTFSJixYjiB0wGg6BAzA==,type:str]
+user_hashed_password: ENC[AES256_GCM,data:iUpG+G1JAWuGxE58ZXHYg32N01EK+o3sv/O2HNjs84rapDz0R71/Z0FQPVm2VPA49+SyznW00oBN8Xfls1wfPIM8j4yJV7A9Gg==,iv:8gJvUXG1qeUbd3FAqOORLVJAiUkORBmizTTCRRy7/+o=,tag:7HuFhwd7sSK4ypuXN4kMOQ==,type:str]
+user_ssh_public_key: ENC[AES256_GCM,data:x1PpplSHxCkd5xwnYzBvs6oTAXZl6JEUgrE02lxbRCd1tT57CAzYLuY5a5y7u+00fDjZy4zQQ7wMGux65ZKPcd+0P2ul9jbniJRbFfNTK3EO6tMRzKk9hEapU5BDaNzb,iv:mi0vI+IOOgkdSqe/yrDOcIhk80iiRu6X4uKo8ZqTnWg=,tag:aaOf0SLfznr6ItLXVnKE7g==,type:str]
+github_username: ENC[AES256_GCM,data:IiLU3pCo0jZjyg==,iv:Ry/U4z8XXaU56EDJm1RbPchXTsTpoDAgTRXQ56QoG7M=,tag:uoMZCNn1EJnA0Ihhg1rlZQ==,type:str]
+github_repo: ENC[AES256_GCM,data:BFI04GQEwqHbPkc=,iv:eRdn/ns4YwCSSYfIWH5Xy8NnBYSW3AAQU7iIGDsY+Hw=,tag:4t21BBibBO50kmwFcuXVhw==,type:str]
+github_token: ENC[AES256_GCM,data:4AJFK4bkEy1AjF4OBAF9q1VuU5nYChzxPgn2HhwLcvQuJ4/lfeZDew==,iv:wdr4dPE4Ha2I6bThxi1ATyoA2dAEVPV16Z9YuVX9dSA=,tag:ry8tNToJM94EgZrbDzUQ5A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1jk99rtxq3ep2xj2w886cchddf7jypqpwkr3dszg5dzq93gn8cy9qyc786m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBId05BaDBGQnhXYzBsTzRn
+            cmhYdXczMWZZNnJLYS9TU3RBSUcyVDJ6Q1hzCkFONjVqa0h2K09UOXltOExneDND
+            UzJGMnQ1dEkyMHFoRnhYcXdUb3RKclEKLS0tIEpMcENVS1U0MyttUDBobm05ZGd2
+            aGRIR0pBZStOZnBsSUNxanhJSWwzZ3MKk+xUXEcWw8JL7IPVYHi1FNHR3V6xUYtT
+            VeExNy6XK90RL4g+xXjrlQet+RtPoEtiCQ5GHklj24ejOwgLEdg8+Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-14T19:15:12Z"
+    mac: ENC[AES256_GCM,data:w+sTw5fSwWSmy5SqSLNcSyWIbaKrdEuI8ACaFqF9FaMkI4tPu2BTt+RBVNuPAM0NaK/TypWSgX0gJyMRAvmXwO9Fk3OGYIJa9AqubWdPMILhBPr/cGj5c/3pK/YIOgHnh1brCRWd/R/uOvMRnseN5JF8PfeYQPbg+X9k4XKMuUk=,iv:1DmHXt5+SbO0ATmJe/CjIk8R22m5kAEDeGxjOudQiw8=,tag:YuGOD5OibwM0FRfon/LScA==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.9.0
--- a/provisioning/variables.tf
+++ b/provisioning/variables.tf
@@ -0,0 +1,5 @@
+variable "hcloud_token" {
+  description = "Hetzner Cloud API Token"
+  type        = string
+  sensitive   = true
+}