feat(tf): proxprovider

2026-02-09 12:29:19 -08:00 · 2024-01-26 14:53:04 -08:00 · 2024-01-26 14:53:04 -08:00 · e37624bb2a
commit e37624bb2a
parent b4cbaf5ee1
9 changed files with 124 additions and 15 deletions
--- a/nixos/base/ssh.nix
+++ b/nixos/base/ssh.nix
@ -4,8 +4,9 @@
  pkgs,
  ...
 }: let
+  inherit (lib.modules) mkDefault;
  publicPort = 62954;
-in with lib; {
+in {
  /*
  security.pam.services.sshd.text = mkDefault (mkAfter ''
    session required pam_exec.so ${katnotify}/bin/notify
@ -13,17 +14,17 @@ in with lib; {
  */

  services.openssh = {
-    enable = true;
-    ports = lib.mkDefault [publicPort 22];
-    openFirewall = false;
+    enable = mkDefault true;
+    ports = mkDefault [publicPort 22];
+    openFirewall = mkDefault false;
    settings = {
-      PasswordAuthentication = false;
-      KbdInteractiveAuthentication = false;
-      PermitRootLogin = lib.mkDefault "prohibit-password";
+      PasswordAuthentication = mkDefault false;
+      KbdInteractiveAuthentication = mkDefault false;
+      PermitRootLogin = mkDefault "prohibit-password";
      KexAlgorithms = ["curve25519-sha256@libssh.org"];
-      PubkeyAcceptedAlgorithms = "+ssh-rsa";
-      StreamLocalBindUnlink = "yes";
-      LogLevel = "VERBOSE";
+      PubkeyAcceptedAlgorithms = mkDefault "+ssh-rsa";
+      StreamLocalBindUnlink = mkDefault "yes";
+      LogLevel = mkDefault "VERBOSE";
    };
  };
  networking.firewall = {
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@ -28,6 +28,7 @@ in {
    nixos.access.kanidm
    nixos.access.proxmox
    nixos.access.plex
+    ./reisen-ssh.nix
  ];

  sops.secrets.cloudflared-tunnel-hakurei = {
--- a/systems/hakurei/reisen-ssh.nix
+++ b/systems/hakurei/reisen-ssh.nix
@ -0,0 +1,37 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib.modules) mkAfter;
+  username = "tf-proxmox";
+  sshJump = pkgs.writeShellScript "ssh-jump-${username}" ''
+    exec ssh -T \
+      -oUpdateHostKeys=yes \
+      -i ${config.sops.secrets.tf-proxmox-identity.path} \
+      tf@reisen.local.${config.networking.domain} \
+      -- "$SSH_ORIGINAL_COMMAND"
+  '';
+in {
+  users.users.${username} = {
+    hashedPasswordFile = config.sops.secrets.tf-proxmox-passwd.path;
+    isNormalUser = true;
+  };
+  services.openssh = {
+    settings = {
+      KbdInteractiveAuthentication = true;
+      PasswordAuthentication = true;
+    };
+    extraConfig = mkAfter ''
+      Match User ${username}
+        ForceCommand ${sshJump}
+    '';
+  };
+  sops.secrets = {
+    tf-proxmox-passwd = { };
+    tf-proxmox-identity = {
+      owner = username;
+    };
+  };
+}
--- a/systems/hakurei/secrets.yaml
+++ b/systems/hakurei/secrets.yaml
@ -1,5 +1,7 @@
 tailscale-key: ENC[AES256_GCM,data:HmowloL0TsKM/XFI5GDd6Nl+9uSZcYevB6CObq1Eg5cvyhtb4pJgMA2GRxE6mJQXva5cet56Udlj,iv:4gSDgWIAAZLokvJzEW+JF0xoNzHr4zW1Zc9qJdpgcc0=,tag:hWMRNc6Odfi19HnjwQSGgQ==,type:str]
 cloudflared-tunnel-hakurei: ENC[AES256_GCM,data:Pwj8/8RSLrfylwl1Et6SHOJSMWxm+Kn1WpYgZhvWoUQ9GsiuRFf2j0mdu36zid9N+6QC3NK9yv6mMfIgvLJkjXhiYtMidZD4e6a4kQMVbbui+Ohj6wf92Jg5rRdassFHJZSCyZtbaeBXqOzzqF51QrEEWRFxfxt6cvwqZjvSMsbctjltwiD7CehhzQGvDdstZAsVhJC6c+GKDs5pFU3KPTTIHc6b1IzZFijgJZKtNNgKrc4Wqw0=,iv:i2YZq7WMuKiDEHMUJS3QD+SP68Rkpt2fS4X8pkv8s3I=,tag:+0RuoOBf9Vm6aJdCsDfvKg==,type:str]
+tf-proxmox-passwd: ENC[AES256_GCM,data:kLLFPr5jILsUt7yecUc1Eb1V9hXEUFBytT7ehcwLv7W9Vfar/BdMQasNecs8S1Ilt7uAjpiXIkNGr5hkktNanIegJw539B43Pnk=,iv:rOy27QkhMM7LrNgYoHgZCwoZHtzUzDrUnhroLSqbKSw=,tag:HkFBkiws/jlQmXP8SpcUYg==,type:str]
+tf-proxmox-identity: ENC[AES256_GCM,data:DxcMFL9FqeulnxRZZHn4ByuRBPSI3hrAntvtwONDFIJhm7G9X2YPij9K36Sl7pE9oTHu/BQCFQdypt4LJyLVIg2AuTJusf1UCR1YcECEPnjFkJybM2Ggiuo34rrJOZh3b9SzD64ks4fFgv9S5P1JuOW9LewjH75v0iAZHvskznak0QiVgPy24pnRQwpR7znkjrH5Hmx9UHZ4JDIw7y8rXWBl7/HOV8mAsZOWZVwuhtKt+se/CDlaG2AlVJJmCjpAi5bi0yfhXlWXfjSy6cyhVCgiv4Ua+V4F+JSyZHk+wMEmICROWzmUuu5ZT2iHkh1SS9AutH307JNF8muDVzdZUVxdpQQHEFCu+SNjhEdcgJdmSZ3O04glzPZTBTAl2PLFGKXMKq24bLtBQquoWw2wneu1/Gha6bIpMjxJFmmaLaAoL9OPDysBALsTJxpsH38g12sk3t2Lk2EYCluyp313CTmWDVj0O8DT//Daigvk2eFmc72WCTsY4bucof9mF4/mzDAdDZDKOx7EAYVJmYgRW8HJK/nv4MQEidqy,iv:dUUGP+HspbqutGpcGxrVn8071S+h8nobUlfgUuFz9io=,tag:HhgrC6699p36RFzpSwvf0Q==,type:str]
 sops:
    shamir_threshold: 1
    kms: []
@ -16,8 +18,8 @@ sops:
            ZEpzdWJZWGdEaElLZUc1YW5ON0YrM2MKk/dZvaFVzfkMD3poreaDGfJwG5j5fL3L
            kuV/3fEHBf5HszR/VTy/bZ2+abN6x3UG5h0l+QaS9ux+mtwFCyYYjg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-20T00:35:43Z"
-    mac: ENC[AES256_GCM,data:jgsjLzPDdK1v2QpILqpirfnc0keEoIzO9QX0hMm0PK6VO6UMAF5IbQmeR25tZqNpJTRdcZlFb59mFqpazgzfS1S8+zckroefww7jG2oRvZz88DTxOA9quI/kuBhjUMG3oofrLpqu3Mjwu3ZXh7jfZ8HyzdAvqi9vjXXwi9P7zvw=,iv:7tydgr3duSPZXht00ivReS9o4CPa1uyhTRvgHatONKQ=,tag:Ojk/+eTacfWEMiKlNZwExw==,type:str]
+    lastmodified: "2024-01-26T20:09:45Z"
+    mac: ENC[AES256_GCM,data:jVC5XpyzRHHB03ijZlN711qE7D6n+YehrkyFZZ9JmRre+oR7H171Be+BYq3QZl5pp0VGlfFRPmGrBlh3nwxL1FYYIzDMWMmkJrce2pdYKgOwQxRqR5bbW6yH8zYbyD2f1gZ9DIo/UPlPvdWFsFHZOKNWo/gPeDeI1MZQCNmQpnY=,iv:vOoGpsG5FJt+leB7sblkvwyDNa+2TvUg1cqWAzMgRks=,tag:hbpdem+/E042g5IiQa+TFw==,type:str]
    pgp:
        - created_at: "2024-01-19T18:57:37Z"
          enc: |-
--- a/tf/.terraform.lock.hcl
+++ b/tf/.terraform.lock.hcl
@ -1,6 +1,28 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.

+provider "registry.terraform.io/bpg/proxmox" {
+  version     = "0.45.0"
+  constraints = ">= 0.42.1"
+  hashes = [
+    "h1:XNW6hU+tBQ/MbxNCebSiadyFkti6cthOAN/fNKeRlx0=",
+    "zh:0aece4c50580ac7cee9015379b6975292cb6e6f456d47eb73383c53698717951",
+    "zh:1b08c02ec64b28bf1b6e907cd4fb7299acd6ea4586fb75c3dbdf87349b10efdf",
+    "zh:3bd0e40d3a207da607ebbfc27dc9a00efa04bfd360bec186202bd768ae81c9dc",
+    "zh:587cf15a7b4cb05a4a79768705fff02af228b3260c86e3e0108f2cb901bed60e",
+    "zh:5ba8087efb28a420ff252ea9ffc2cc8dc5649c9d3801617a69e14427bf868f7d",
+    "zh:658cebc5eeecbe7de59968526fc22e0cbfd7b339a8547427f19a7f2341d069b5",
+    "zh:68597dd23647a6ce2caca23365a086f01b93e9e7b5f424ba2f5b6cd1c1a3c1e8",
+    "zh:6dfa804fe2b21f0da04bf93379bf84190c645756b4405a4513b68143fe3fa13d",
+    "zh:6e32c64cdda4066ef9145f7ea89a63c0bab1b804f51ffeaabc46ec75e266b9c3",
+    "zh:9209d7854ed79e97ec742484546b90f68bed36181bf91b8605adcfd3c54c7c91",
+    "zh:9cd0d627d8e9754341c1f050bae28f38b0be42815746aa8791e4b2e22eafe458",
+    "zh:9d558b6f41d33ef1b37d1850e52667f07d6ca51902483aa9ef6ca4e3612da220",
+    "zh:9db2cb7c167fdb0c0dd16637025bd0783eaf3a3b38d9edf491a27fd8bb63deb7",
+    "zh:ef4e12fd73669aa792fd1955cb7b3dd2c494734aa2ee3e3f6e1fdc2d062364e6",
+  ]
+}
+
 provider "registry.terraform.io/cloudflare/cloudflare" {
  version     = "4.22.0"
  constraints = ">= 4.22.0"
--- a/tf/proxmox_provider.tf
+++ b/tf/proxmox_provider.tf
@ -0,0 +1,38 @@
+variable "proxmox_reisen_endpoint" {
+  type = string
+}
+
+variable "proxmox_reisen_username" {
+  type = string
+}
+
+variable "proxmox_reisen_password" {
+  type = string
+}
+
+variable "proxmox_reisen_ssh_username" {
+  type = string
+}
+
+variable "proxmox_reisen_ssh_host" {
+  type = string
+}
+
+variable "proxmox_reisen_ssh_port" {
+  type = number
+}
+
+provider "proxmox" {
+  endpoint = var.proxmox_reisen_endpoint
+  username = var.proxmox_reisen_username
+  password = var.proxmox_reisen_password
+
+  ssh {
+    username = var.proxmox_reisen_ssh_username
+    node {
+      name    = "reisen"
+      address = var.proxmox_reisen_ssh_host
+      port    = var.proxmox_reisen_ssh_port
+    }
+  }
+}
--- a/tf/proxmox_vms.tf
+++ b/tf/proxmox_vms.tf
@ -0,0 +1,4 @@
+data "proxmox_virtual_environment_vm" "kubernetes" {
+  node_name = "reisen"
+  vm_id     = 201
+}
--- a/tf/terraform.tf
+++ b/tf/terraform.tf
@ -14,6 +14,10 @@ terraform {
      source  = "hashicorp/tls"
      version = ">= 4.0.5"
    }
+    proxmox = {
+      source  = "bpg/proxmox"
+      version = ">= 0.42.1"
+    }
  }

  cloud {
--- a/tf/terraform.tfvars.sops
+++ b/tf/terraform.tfvars.sops
@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:B0yK5oRKy09y+IgkxVQgrTn4J1fD5crc8GPoJQfhaEi0iMmN7QhuVag8dyDAYVSQgeH/689hV5ugD11SKQqGqrpZ6VKMta7sATn4jykf6QD38R4jXbmRrvoEdgLzvCum+SAQ6DWR29uPaAKJt/02aOM5X+D2M+abwMEyW5CRfri2EvlQWlORd0PO/vSCJjgPbsXvXnJkzGj/mOjdMocL8e+d0uIkN57qSqSHdlZ1bFV/tqTjfTBaJ7wjJi1G8NywYl4cA8lyYyHqmTvWCvJ63OvDTfwQ7JjObjhcGAHvF4RyZV6nl9gBSwnYTdSd3aAbIBEPZwc5DQ6hO3i8p31XHcea2RbpHijjCY4CwxxplShlFGu5aYzwXGYQlDT5iOj9eir16Lx2B5wV8k8HP2wWzmo6gGziJDVa3bpeAnHxrWyfxUwVFXy/d5jbWmUkS7fUXqw9h0MdBmhERAylbQGLAEy4/kir74dlCxincIbVuRSpOWqGS4qDEvvBv7vYyWSjcOL/5df/azouMUwfXTb5JP5tZN2dx732SA4/e1nlGG5t+REM7XpXgUNjxoeh06eUN//3FhupEFbz9BnOeRdNNCPRhWZXSvTZjIXWT56bku+1+FJXojrH6y+yp253cVPN+pYKbSXWnqGUsPcr8d/nJgE71ICHNr+p3h2JpTYJM8vvOpdQI6fzz60dLbBcI13M3FC6ocsfPehXFo4n+HVzRNrMrzlrgJ44F2cQ1ZYr7OBKgBIf7i+3BnJ7UXEx9rSQ7RImyXN7i8ocD87vkUvr0og+7+IscYlaIsmhpr1cflI5oHkXsS3rVxBeiPH9P7TOc+5Pf1z5UCABW9Zg9yWBj+DGHS7/OnbrqkM+W8C7oojYDz+5AZSEiZMT0NCHbKp3UJzsn6jBLcdJWFk4t/Fh2+HBpj/5hlCPxh17dI2X6HBbSClPh3z6p37/WrMsnwg3Z5oJTK0wk+YEQv/NhD4VLGW3QvVOSKudQdI0nOcCMXxQ+2SG8pbQqPs86e7lXi8NI/uz6PQ+bT2gaQ==,iv:cdIQxTvksnA5ODSUcey/gWG/lluvFbzYLGkeBpW2vh0=,tag:A3ifsd2SsoS7tzjNsauczg==,type:str]",
+	"data": "ENC[AES256_GCM,data:4Ncjr/OCBYgIibScDOtonfQ1mX24OalkeQYzzdmyNnOsU1bC0fX4q7UdBnK8LwnAVxsAIzvqPq7GTqevb6rYTxj0xyDUo4pS+WwAJPakyJDZXznznzmNNmFgAJa8XTO3yiXmV2kpprLaqJIVshCbwFWmrF1gPC091mZjfrrwnE8+z7I+ehEtef75nkqktRxBqFJjHhjdWRh2yscFAZDfMlITlAOTXgO/zFNKkHiuhrBrcTeNZyNm8w+6AtZECipxAtm56YfA5H2gDmzzb6Dnl3nTHdTPTrVl8Jx05620OE6CQu3zZUsdr8PKT45uKbI9Z24JooudEZoR9dj/CXzQxaDF2ef2Vqwjxb8nd72aYjEY8wFv4J9azzFo4QTk8sUi3FM8bKDFrFmZcu0jCh4tzar7KctXiobeiWQKmeEfNb5YtgA/zyid3vLtJyxOtWaPU11fPNDPTAVc/eBlhzZT3stcydcZRyqHydJUQf37o5TyGt7vVPQhi8zE5Uan11R46yAMiVKuE4IpW8JP/mEpBAf21+yZu6mtQnf4K5k1l//lRTLwIgzBUWdnaylhHjCDo5JqrbQslROPIjWtFEMLcUikL56vEJpeaP05gQkGGn3tmsYiGWI176dKY9xYXeg2OARENToztgnKPsE20gXzTQbziJV9oL8j5kauY8Zs96HMBdMhPyph78P2wLlgnGbrDhZSLW1lL8t1FU5fg2QSjyMeulowxtasjmbhStUNUgNGRFNMxYm1Vo+CeBXVvBbPUfd3VZiGCnHFfSbfeV5sGuDU49MkuweuQS3K+KOZ3qZmnyp9pMMHTgtA/rRlKQ+klT/7g/p0+o9P4jK0n0IxK0fnjBJPpi8sekLE6VL/Yl12BBxu5+Gm280GeY2zwQ6keEARTXt+NLEZ5+LfQXXwH+A8bIH2er9aQYuxHXk9HvbgM8ie2n3QSMb3nKbfG05NWY+30OwyEzPG/v9RJ8sjyBbFBOU0zmZfqrd/koUpL15b24wliXYF42KNwb/IMWpC+uxuLgmrD315P1ehsf6omYe9EjJPtfXBDQ7FGvyQ30zr8m2GrVhFPFzBtl1uOxiqgFZkkiQnnPdtQctvwDZ8ip7GKP/YpFrhK8vgTBVlI0z/xPhQBV/KI3VTEmHsanorIVkvLgzj5x/8jcwwTmbRIJEwgxBs+YwAc4BFo3fZCXg3sMSQiisUQDWBvC+xHf/FtBhkP7k4BW1hUG8B9R2Z0sMsSN+LuUh37sanPGqV95/9W+HhNBKVmmaBBcehykY0YiRp7aOSLNp2JJMrZTCQPy1LssMpXpGyMxdoTuPIHXdsAUD/F3fL6NS1NL8v9zMmy1w0XYFxWWS3+JKtGzYLXhxAIdIHVm3KRl2phsZhWOmcZZ3TLJ4fR5yLRiDj,iv:M1Rvi7SvPUouCfJ2hccBokPj2j/iArEdbT5bU2cvFxQ=,tag:EUNy2oSSTKwuR9S7/Y/zXw==,type:str]",
 	"sops": {
 		"shamir_threshold": 1,
 		"kms": null,
@ -7,8 +7,8 @@
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": null,
-		"lastmodified": "2024-01-23T19:16:29Z",
-		"mac": "ENC[AES256_GCM,data:EiUCkJ3G8I2KzTgiL64ijJf0Xwx5Q+Fau/UfaI/4D3LRRj5/vvl/Y5am80C44Yf19GqX7TxGdaK2vWItVaGzAOBIi7WRG4xjWGUEFUBZjtmL2hsN3fc76VMmaLb1OoSYvTf+CfgUcji8ddBhbj1olB490yROWxKQ5C1YFsr2Ksw=,iv:KR4joteYBKh22U5UkWKeVO8df6k3yCEP6/vcoZE2E0k=,tag:CsfBWCWUtUz+Dyk5pbp43A==,type:str]",
+		"lastmodified": "2024-01-26T22:11:12Z",
+		"mac": "ENC[AES256_GCM,data:ZREia1Dq/74eK6Xs5lfvoFHPM8gBWeAJfNwA1Owk7Uhw95TwmZjDHOhqwPd8L7a0nXkZDzG8wwol4BdXwJ+ad9Qbceha+k29ACc8gQkIGEtmRbd/03ZU5OVzN2cqyK7p8nO9zS+4D0q6HXTboqWn2yc7yJbAXPmmEQY71tl5EGg=,iv:YRYmVj5awWxHgP0cS1q/09p+Al1Xt9yEH3sh8bSopx4=,tag:QbbPY+O1qJN/kT0m8Q/0qg==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-01-14T19:49:29Z",