From e37624bb2a91ad80daf1fde1e9c0f3242779db2b Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Fri, 26 Jan 2024 14:53:04 -0800
Subject: [PATCH] feat(tf): proxprovider

---
 nixos/base/ssh.nix             | 21 ++++++++++---------
 systems/hakurei/nixos.nix      |  1 +
 systems/hakurei/reisen-ssh.nix | 37 +++++++++++++++++++++++++++++++++
 systems/hakurei/secrets.yaml   |  6 ++++--
 tf/.terraform.lock.hcl         | 22 ++++++++++++++++++++
 tf/proxmox_provider.tf         | 38 ++++++++++++++++++++++++++++++++++
 tf/proxmox_vms.tf              |  4 ++++
 tf/terraform.tf                |  4 ++++
 tf/terraform.tfvars.sops       |  6 +++---
 9 files changed, 124 insertions(+), 15 deletions(-)
 create mode 100644 systems/hakurei/reisen-ssh.nix
 create mode 100644 tf/proxmox_provider.tf
 create mode 100644 tf/proxmox_vms.tf

diff --git a/nixos/base/ssh.nix b/nixos/base/ssh.nix
index 4e7af42a..f2fbee17 100644
--- a/nixos/base/ssh.nix
+++ b/nixos/base/ssh.nix
@@ -4,8 +4,9 @@
   pkgs,
   ...
 }: let
+  inherit (lib.modules) mkDefault;
   publicPort = 62954;
-in with lib; {
+in {
   /*
   security.pam.services.sshd.text = mkDefault (mkAfter ''
     session required pam_exec.so ${katnotify}/bin/notify
@@ -13,17 +14,17 @@ in with lib; {
   */
 
   services.openssh = {
-    enable = true;
-    ports = lib.mkDefault [publicPort 22];
-    openFirewall = false;
+    enable = mkDefault true;
+    ports = mkDefault [publicPort 22];
+    openFirewall = mkDefault false;
     settings = {
-      PasswordAuthentication = false;
-      KbdInteractiveAuthentication = false;
-      PermitRootLogin = lib.mkDefault "prohibit-password";
+      PasswordAuthentication = mkDefault false;
+      KbdInteractiveAuthentication = mkDefault false;
+      PermitRootLogin = mkDefault "prohibit-password";
       KexAlgorithms = ["curve25519-sha256@libssh.org"];
-      PubkeyAcceptedAlgorithms = "+ssh-rsa";
-      StreamLocalBindUnlink = "yes";
-      LogLevel = "VERBOSE";
+      PubkeyAcceptedAlgorithms = mkDefault "+ssh-rsa";
+      StreamLocalBindUnlink = mkDefault "yes";
+      LogLevel = mkDefault "VERBOSE";
     };
   };
   networking.firewall = {
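Review bot: Wrapping `PasswordAuthentication` and `KbdInteractiveAuthentication` in `mkDefault` drops them to the lowest override priority, so any host module can now switch password login on for the whole machine with a plain `= true`, without the `mkForce` that previously signalled a deliberate exception; the new reisen-ssh.nix in this same commit does exactly that. If these two are meant to remain the hardening baseline, leave them unwrapped and let per-user exceptions live in a sshd `Match` block; if the looser priority is intended, record it next to them with `# mkDefault so hosts can re-enable password auth; prefer a Match block over a global override`. `KexAlgorithms` is the one key in `settings` left without `mkDefault`, which looks unintended rather than chosen. The enclosing module attrset continues past the hunk.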
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index d1cc1b4c..54fed05d 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@@ -28,6 +28,7 @@ in {
     nixos.access.kanidm
     nixos.access.proxmox
     nixos.access.plex
+    ./reisen-ssh.nix
   ];
 
   sops.secrets.cloudflared-tunnel-hakurei = {
diff --git a/systems/hakurei/reisen-ssh.nix b/systems/hakurei/reisen-ssh.nix
new file mode 100644
index 00000000..44b59f12
--- /dev/null
+++ b/systems/hakurei/reisen-ssh.nix
@@ -0,0 +1,37 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib.modules) mkAfter;
+  username = "tf-proxmox";
+  sshJump = pkgs.writeShellScript "ssh-jump-${username}" ''
+    exec ssh -T \
+      -oUpdateHostKeys=yes \
+      -i ${config.sops.secrets.tf-proxmox-identity.path} \
+      tf@reisen.local.${config.networking.domain} \
+      -- "$SSH_ORIGINAL_COMMAND"
+  '';
+in {
+  users.users.${username} = {
+    hashedPasswordFile = config.sops.secrets.tf-proxmox-passwd.path;
+    isNormalUser = true;
+  };
+  services.openssh = {
+    settings = {
+      KbdInteractiveAuthentication = true;
+      PasswordAuthentication = true;
+    };
+    extraConfig = mkAfter ''
+      Match User ${username}
+        ForceCommand ${sshJump}
+    '';
+  };
+  sops.secrets = {
+    tf-proxmox-passwd = { };
+    tf-proxmox-identity = {
+      owner = username;
+    };
+  };
+}
diff --git a/systems/hakurei/secrets.yaml b/systems/hakurei/secrets.yaml
index 9d1299fd..2387979c 100644
--- a/systems/hakurei/secrets.yaml
+++ b/systems/hakurei/secrets.yaml
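Review bot: `settings.KbdInteractiveAuthentication = true` and `settings.PasswordAuthentication = true` are host-wide sshd settings, so this enables password and keyboard-interactive login for every account on hakurei — on the public port the base module exposes as well — not only for the `tf-proxmox` jump user, and the `ForceCommand` restriction below applies to that one user only. Both keywords are accepted inside a sshd `Match` block, so the exception belongs in the existing `Match User ${username}` stanza next to `ForceCommand`, with the `settings` override removed so the base module's `false` keeps governing every other account. Separately, the jump script sets `-oUpdateHostKeys=yes` but nothing visible here provisions a known_hosts entry for `reisen.local.${config.networking.domain}` in the `tf-proxmox` account, so the first hop presumably fails or stalls on host-key confirmation under `-T`; a managed `-oUserKnownHostsFile=` would make that deterministic.
```nix
  services.openssh.extraConfig = mkAfter ''
    Match User ${username}
      PasswordAuthentication yes
      KbdInteractiveAuthentication yes
      ForceCommand ${sshJump}
  '';
  # … unchanged: users.users.${username}, sops.secrets …
```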
@@ -1,5 +1,7 @@
 tailscale-key: ENC[AES256_GCM,data:HmowloL0TsKM/XFI5GDd6Nl+9uSZcYevB6CObq1Eg5cvyhtb4pJgMA2GRxE6mJQXva5cet56Udlj,iv:4gSDgWIAAZLokvJzEW+JF0xoNzHr4zW1Zc9qJdpgcc0=,tag:hWMRNc6Odfi19HnjwQSGgQ==,type:str]
 cloudflared-tunnel-hakurei: ENC[AES256_GCM,data:Pwj8/8RSLrfylwl1Et6SHOJSMWxm+Kn1WpYgZhvWoUQ9GsiuRFf2j0mdu36zid9N+6QC3NK9yv6mMfIgvLJkjXhiYtMidZD4e6a4kQMVbbui+Ohj6wf92Jg5rRdassFHJZSCyZtbaeBXqOzzqF51QrEEWRFxfxt6cvwqZjvSMsbctjltwiD7CehhzQGvDdstZAsVhJC6c+GKDs5pFU3KPTTIHc6b1IzZFijgJZKtNNgKrc4Wqw0=,iv:i2YZq7WMuKiDEHMUJS3QD+SP68Rkpt2fS4X8pkv8s3I=,tag:+0RuoOBf9Vm6aJdCsDfvKg==,type:str]
+tf-proxmox-passwd: ENC[AES256_GCM,data:kLLFPr5jILsUt7yecUc1Eb1V9hXEUFBytT7ehcwLv7W9Vfar/BdMQasNecs8S1Ilt7uAjpiXIkNGr5hkktNanIegJw539B43Pnk=,iv:rOy27QkhMM7LrNgYoHgZCwoZHtzUzDrUnhroLSqbKSw=,tag:HkFBkiws/jlQmXP8SpcUYg==,type:str]
+tf-proxmox-identity: ENC[AES256_GCM,data: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,iv:dUUGP+HspbqutGpcGxrVn8071S+h8nobUlfgUuFz9io=,tag:HhgrC6699p36RFzpSwvf0Q==,type:str]
 sops:
     shamir_threshold: 1
     kms: []
@@ -16,8 +18,8 @@ sops:
             ZEpzdWJZWGdEaElLZUc1YW5ON0YrM2MKk/dZvaFVzfkMD3poreaDGfJwG5j5fL3L
             kuV/3fEHBf5HszR/VTy/bZ2+abN6x3UG5h0l+QaS9ux+mtwFCyYYjg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-20T00:35:43Z"
-    mac: ENC[AES256_GCM,data:jgsjLzPDdK1v2QpILqpirfnc0keEoIzO9QX0hMm0PK6VO6UMAF5IbQmeR25tZqNpJTRdcZlFb59mFqpazgzfS1S8+zckroefww7jG2oRvZz88DTxOA9quI/kuBhjUMG3oofrLpqu3Mjwu3ZXh7jfZ8HyzdAvqi9vjXXwi9P7zvw=,iv:7tydgr3duSPZXht00ivReS9o4CPa1uyhTRvgHatONKQ=,tag:Ojk/+eTacfWEMiKlNZwExw==,type:str]
+    lastmodified: "2024-01-26T20:09:45Z"
+    mac: ENC[AES256_GCM,data:jVC5XpyzRHHB03ijZlN711qE7D6n+YehrkyFZZ9JmRre+oR7H171Be+BYq3QZl5pp0VGlfFRPmGrBlh3nwxL1FYYIzDMWMmkJrce2pdYKgOwQxRqR5bbW6yH8zYbyD2f1gZ9DIo/UPlPvdWFsFHZOKNWo/gPeDeI1MZQCNmQpnY=,iv:vOoGpsG5FJt+leB7sblkvwyDNa+2TvUg1cqWAzMgRks=,tag:hbpdem+/E042g5IiQa+TFw==,type:str]
     pgp:
         - created_at: "2024-01-19T18:57:37Z"
           enc: |-
diff --git a/tf/.terraform.lock.hcl b/tf/.terraform.lock.hcl
index dcff8702..4b62107d 100644
--- a/tf/.terraform.lock.hcl
+++ b/tf/.terraform.lock.hcl
@@ -1,6 +1,28 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 
+provider "registry.terraform.io/bpg/proxmox" {
+  version     = "0.45.0"
+  constraints = ">= 0.42.1"
+  hashes = [
+    "h1:XNW6hU+tBQ/MbxNCebSiadyFkti6cthOAN/fNKeRlx0=",
+    "zh:0aece4c50580ac7cee9015379b6975292cb6e6f456d47eb73383c53698717951",
+    "zh:1b08c02ec64b28bf1b6e907cd4fb7299acd6ea4586fb75c3dbdf87349b10efdf",
+    "zh:3bd0e40d3a207da607ebbfc27dc9a00efa04bfd360bec186202bd768ae81c9dc",
+    "zh:587cf15a7b4cb05a4a79768705fff02af228b3260c86e3e0108f2cb901bed60e",
+    "zh:5ba8087efb28a420ff252ea9ffc2cc8dc5649c9d3801617a69e14427bf868f7d",
+    "zh:658cebc5eeecbe7de59968526fc22e0cbfd7b339a8547427f19a7f2341d069b5",
+    "zh:68597dd23647a6ce2caca23365a086f01b93e9e7b5f424ba2f5b6cd1c1a3c1e8",
+    "zh:6dfa804fe2b21f0da04bf93379bf84190c645756b4405a4513b68143fe3fa13d",
+    "zh:6e32c64cdda4066ef9145f7ea89a63c0bab1b804f51ffeaabc46ec75e266b9c3",
+    "zh:9209d7854ed79e97ec742484546b90f68bed36181bf91b8605adcfd3c54c7c91",
+    "zh:9cd0d627d8e9754341c1f050bae28f38b0be42815746aa8791e4b2e22eafe458",
+    "zh:9d558b6f41d33ef1b37d1850e52667f07d6ca51902483aa9ef6ca4e3612da220",
+    "zh:9db2cb7c167fdb0c0dd16637025bd0783eaf3a3b38d9edf491a27fd8bb63deb7",
+    "zh:ef4e12fd73669aa792fd1955cb7b3dd2c494734aa2ee3e3f6e1fdc2d062364e6",
+  ]
+}
+
 provider "registry.terraform.io/cloudflare/cloudflare" {
   version     = "4.22.0"
   constraints = ">= 4.22.0"
diff --git a/tf/proxmox_provider.tf b/tf/proxmox_provider.tf
new file mode 100644
index 00000000..c0030db7
--- /dev/null
+++ b/tf/proxmox_provider.tf
@@ -0,0 +1,38 @@
+variable "proxmox_reisen_endpoint" {
+  type = string
+}
+
+variable "proxmox_reisen_username" {
+  type = string
+}
+
+variable "proxmox_reisen_password" {
+  type = string
+}
+
+variable "proxmox_reisen_ssh_username" {
+  type = string
+}
+
+variable "proxmox_reisen_ssh_host" {
+  type = string
+}
+
+variable "proxmox_reisen_ssh_port" {
+  type = number
+}
+
+provider "proxmox" {
+  endpoint = var.proxmox_reisen_endpoint
+  username = var.proxmox_reisen_username
+  password = var.proxmox_reisen_password
+
+  ssh {
+    username = var.proxmox_reisen_ssh_username
+    node {
+      name    = "reisen"
+      address = var.proxmox_reisen_ssh_host
+      port    = var.proxmox_reisen_ssh_port
+    }
+  }
+}
diff --git a/tf/proxmox_vms.tf b/tf/proxmox_vms.tf
new file mode 100644
index 00000000..2b203745
--- /dev/null
+++ b/tf/proxmox_vms.tf
@@ -0,0 +1,4 @@
+data "proxmox_virtual_environment_vm" "kubernetes" {
+  node_name = "reisen"
+  vm_id     = 201
+}
diff --git a/tf/terraform.tf b/tf/terraform.tf
index 3991fe86..04dd6dad 100644
--- a/tf/terraform.tf
+++ b/tf/terraform.tf
@@ -14,6 +14,10 @@ terraform {
       source  = "hashicorp/tls"
       version = ">= 4.0.5"
     }
+    proxmox = {
+      source  = "bpg/proxmox"
+      version = ">= 0.42.1"
+    }
   }
 
   cloud {
diff --git a/tf/terraform.tfvars.sops b/tf/terraform.tfvars.sops
index 7fe0bef0..e912e6cc 100644
--- a/tf/terraform.tfvars.sops
+++ b/tf/terraform.tfvars.sops
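Review bot: `variable "proxmox_reisen_password"` is declared with only `type = string` and no `sensitive = true`, so Terraform will not redact the value if it is ever referenced from an output, `terraform console`, or a plan diff; add `sensitive = true` to that block, and consider the same for `proxmox_reisen_username` since the pair grants API access. The `ssh { }` block names a user and a node address but carries nothing about how that SSH hop authenticates, so the provider falls back to whatever its defaults are; a comment on the block recording the intended mechanism would save the next reader a trip through the provider docs (the secrets.yaml and reisen-ssh.nix changes in this commit suggest a jump account on hakurei, but that is not visible from this file). None of the six variables has a `description`, which is where the endpoint/host pairing (`proxmox_reisen_endpoint` for the API versus `proxmox_reisen_ssh_host` for the node) is best explained.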
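Review bot: `node_name = "reisen"` repeats the literal that the provider's `node { name = "reisen" }` block in proxmox_provider.tf also hard-codes, so the two can drift apart silently; a single `locals { proxmox_reisen_node = "reisen" }` referenced from both would keep them in step. The data source is not consumed anywhere in this commit and `vm_id = 201` is a bare number, so a one-line comment above the block stating which VM 201 is and why it is read rather than managed here would help whoever next touches this file.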
@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data: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,iv:cdIQxTvksnA5ODSUcey/gWG/lluvFbzYLGkeBpW2vh0=,tag:A3ifsd2SsoS7tzjNsauczg==,type:str]",
+	"data": "ENC[AES256_GCM,data:4Ncjr/OCBYgIibScDOtonfQ1mX24OalkeQYzzdmyNnOsU1bC0fX4q7UdBnK8LwnAVxsAIzvqPq7GTqevb6rYTxj0xyDUo4pS+WwAJPakyJDZXznznzmNNmFgAJa8XTO3yiXmV2kpprLaqJIVshCbwFWmrF1gPC091mZjfrrwnE8+z7I+ehEtef75nkqktRxBqFJjHhjdWRh2yscFAZDfMlITlAOTXgO/zFNKkHiuhrBrcTeNZyNm8w+6AtZECipxAtm56YfA5H2gDmzzb6Dnl3nTHdTPTrVl8Jx05620OE6CQu3zZUsdr8PKT45uKbI9Z24JooudEZoR9dj/CXzQxaDF2ef2Vqwjxb8nd72aYjEY8wFv4J9azzFo4QTk8sUi3FM8bKDFrFmZcu0jCh4tzar7KctXiobeiWQKmeEfNb5YtgA/zyid3vLtJyxOtWaPU11fPNDPTAVc/eBlhzZT3stcydcZRyqHydJUQf37o5TyGt7vVPQhi8zE5Uan11R46yAMiVKuE4IpW8JP/mEpBAf21+yZu6mtQnf4K5k1l//lRTLwIgzBUWdnaylhHjCDo5JqrbQslROPIjWtFEMLcUikL56vEJpeaP05gQkGGn3tmsYiGWI176dKY9xYXeg2OARENToztgnKPsE20gXzTQbziJV9oL8j5kauY8Zs96HMBdMhPyph78P2wLlgnGbrDhZSLW1lL8t1FU5fg2QSjyMeulowxtasjmbhStUNUgNGRFNMxYm1Vo+CeBXVvBbPUfd3VZiGCnHFfSbfeV5sGuDU49MkuweuQS3K+KOZ3qZmnyp9pMMHTgtA/rRlKQ+klT/7g/p0+o9P4jK0n0IxK0fnjBJPpi8sekLE6VL/Yl12BBxu5+Gm280GeY2zwQ6keEARTXt+NLEZ5+LfQXXwH+A8bIH2er9aQYuxHXk9HvbgM8ie2n3QSMb3nKbfG05NWY+30OwyEzPG/v9RJ8sjyBbFBOU0zmZfqrd/koUpL15b24wliXYF42KNwb/IMWpC+uxuLgmrD315P1ehsf6omYe9EjJPtfXBDQ7FGvyQ30zr8m2GrVhFPFzBtl1uOxiqgFZkkiQnnPdtQctvwDZ8ip7GKP/YpFrhK8vgTBVlI0z/xPhQBV/KI3VTEmHsanorIVkvLgzj5x/8jcwwTmbRIJEwgxBs+YwAc4BFo3fZCXg3sMSQiisUQDWBvC+xHf/FtBhkP7k4BW1hUG8B9R2Z0sMsSN+LuUh37sanPGqV95/9W+HhNBKVmmaBBcehykY0YiRp7aOSLNp2JJMrZTCQPy1LssMpXpGyMxdoTuPIHXdsAUD/F3fL6NS1NL8v9zMmy1w0XYFxWWS3+JKtGzYLXhxAIdIHVm3KRl2phsZhWOmcZZ3TLJ4fR5yLRiDj,iv:M1Rvi7SvPUouCfJ2hccBokPj2j/iArEdbT5bU2cvFxQ=,tag:EUNy2oSSTKwuR9S7/Y/zXw==,type:str]",
 	"sops": {
 		"shamir_threshold": 1,
 		"kms": null,
@@ -7,8 +7,8 @@
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": null,
-		"lastmodified": "2024-01-23T19:16:29Z",
-		"mac": "ENC[AES256_GCM,data:EiUCkJ3G8I2KzTgiL64ijJf0Xwx5Q+Fau/UfaI/4D3LRRj5/vvl/Y5am80C44Yf19GqX7TxGdaK2vWItVaGzAOBIi7WRG4xjWGUEFUBZjtmL2hsN3fc76VMmaLb1OoSYvTf+CfgUcji8ddBhbj1olB490yROWxKQ5C1YFsr2Ksw=,iv:KR4joteYBKh22U5UkWKeVO8df6k3yCEP6/vcoZE2E0k=,tag:CsfBWCWUtUz+Dyk5pbp43A==,type:str]",
+		"lastmodified": "2024-01-26T22:11:12Z",
+		"mac": "ENC[AES256_GCM,data:ZREia1Dq/74eK6Xs5lfvoFHPM8gBWeAJfNwA1Owk7Uhw95TwmZjDHOhqwPd8L7a0nXkZDzG8wwol4BdXwJ+ad9Qbceha+k29ACc8gQkIGEtmRbd/03ZU5OVzN2cqyK7p8nO9zS+4D0q6HXTboqWn2yc7yJbAXPmmEQY71tl5EGg=,iv:YRYmVj5awWxHgP0cS1q/09p+Al1Xt9yEH3sh8bSopx4=,tag:QbbPY+O1qJN/kT0m8Q/0qg==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-01-14T19:49:29Z",