Sec configuration with ssh keys

This commit is contained in:
shockrah 2023-10-20 15:03:05 -07:00
parent 6f8d8abd15
commit 69b8ad8a50
8 changed files with 3233 additions and 0 deletions


@ -0,0 +1,37 @@
terraform {
required_version = ">= 0.13"
backend s3 {
bucket = "project-athens"
key = "infra/email-server/state/build.tfstate"
region = "us-west-1"
encrypt = true
}
required_providers {
vultr = {
source = "vultr/vultr"
version = "2.16.4"
}
aws = {
source = "hashicorp/aws"
version = "5.22.0"
}
tls = {
source = "hashicorp/tls"
version = "4.0.4"
}
}
}
provider vultr {
api_key = var.vultr_api_key
rate_limit = 100
retry_limit = 3
}
provider aws {
access_key = var.aws_key
secret_key = var.aws_secret
region = var.aws_region
max_retries = 1
}
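Review bot: The aws provider block at lines 40-45 of this file passes long-lived static credentials through `access_key = var.aws_key` and `secret_key = var.aws_secret`, which means the secret has to live in a .tfvars file or CI variable that is protected separately from the code. The hashicorp/aws provider already resolves credentials from the standard environment variables and shared config/credentials profiles, so both attributes can be dropped and only `region = var.aws_region` kept. A comment on the `backend s3` block should also say that the state written there will contain the SSH private key generated in this commit, so `encrypt = true` is not a substitute for tight access control on the `project-athens` bucket.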



@ -0,0 +1,293 @@
{
"os": [
{
"id": 124,
"name": "Windows 2012 R2 Standard x64",
"arch": "x64",
"family": "windows"
},
{
"id": 159,
"name": "Custom",
"arch": "x64",
"family": "iso"
},
{
"id": 164,
"name": "Snapshot",
"arch": "x64",
"family": "snapshot"
},
{
"id": 167,
"name": "CentOS 7 x64",
"arch": "x64",
"family": "centos"
},
{
"id": 180,
"name": "Backup",
"arch": "x64",
"family": "backup"
},
{
"id": 186,
"name": "Application",
"arch": "x64",
"family": "application"
},
{
"id": 240,
"name": "Windows 2016 Standard x64",
"arch": "x64",
"family": "windows"
},
{
"id": 327,
"name": "FreeBSD 12 x64",
"arch": "x64",
"family": "freebsd"
},
{
"id": 352,
"name": "Debian 10 x64 (buster)",
"arch": "x64",
"family": "debian"
},
{
"id": 371,
"name": "Windows 2019 Standard x64",
"arch": "x64",
"family": "windows"
},
{
"id": 381,
"name": "CentOS 7 SELinux x64",
"arch": "x64",
"family": "centos"
},
{
"id": 387,
"name": "Ubuntu 20.04 LTS x64",
"arch": "x64",
"family": "ubuntu"
},
{
"id": 391,
"name": "Fedora CoreOS Stable",
"arch": "x64",
"family": "fedora-coreos"
},
{
"id": 401,
"name": "CentOS 8 Stream x64",
"arch": "x64",
"family": "centos"
},
{
"id": 424,
"name": "Fedora CoreOS Next",
"arch": "x64",
"family": "fedora-coreos"
},
{
"id": 425,
"name": "Fedora CoreOS Testing",
"arch": "x64",
"family": "fedora-coreos"
},
{
"id": 447,
"name": "FreeBSD 13 x64",
"arch": "x64",
"family": "freebsd"
},
{
"id": 448,
"name": "Rocky Linux x64",
"arch": "x64",
"family": "rockylinux"
},
{
"id": 452,
"name": "AlmaLinux x64",
"arch": "x64",
"family": "almalinux"
},
{
"id": 477,
"name": "Debian 11 x64 (bullseye)",
"arch": "x64",
"family": "debian"
},
{
"id": 501,
"name": "Windows 2022 Standard x64",
"arch": "x64",
"family": "windows"
},
{
"id": 521,
"name": "Windows Core 2022 Standard x64",
"arch": "x64",
"family": "windows"
},
{
"id": 522,
"name": "Windows Core 2016 Standard x64",
"arch": "x64",
"family": "windows"
},
{
"id": 523,
"name": "Windows Core 2019 Standard x64",
"arch": "x64",
"family": "windows"
},
{
"id": 535,
"name": "Arch Linux x64",
"arch": "x64",
"family": "archlinux"
},
{
"id": 542,
"name": "CentOS 9 Stream x64",
"arch": "x64",
"family": "centos"
},
{
"id": 1743,
"name": "Ubuntu 22.04 LTS x64",
"arch": "x64",
"family": "ubuntu"
},
{
"id": 1761,
"name": "Windows Core 2019 Datacenter x64",
"arch": "x64",
"family": "windows"
},
{
"id": 1762,
"name": "Windows Core 2022 Datacenter x64",
"arch": "x64",
"family": "windows"
},
{
"id": 1764,
"name": "Windows 2019 Datacenter x64",
"arch": "x64",
"family": "windows"
},
{
"id": 1765,
"name": "Windows 2022 Datacenter x64",
"arch": "x64",
"family": "windows"
},
{
"id": 1868,
"name": "AlmaLinux 9 x64",
"arch": "x64",
"family": "almalinux"
},
{
"id": 1869,
"name": "Rocky Linux 9 x64",
"arch": "x64",
"family": "rockylinux"
},
{
"id": 1929,
"name": "Fedora 37 x64",
"arch": "x64",
"family": "fedora"
},
{
"id": 2075,
"name": "Flatcar Container Linux LTS x64",
"arch": "x64",
"family": "flatcar"
},
{
"id": 2076,
"name": "Alpine Linux x64",
"arch": "x64",
"family": "alpinelinux"
},
{
"id": 2077,
"name": "Flatcar Container Linux Stable x64",
"arch": "x64",
"family": "flatcar"
},
{
"id": 2078,
"name": "Flatcar Container Linux Beta x64",
"arch": "x64",
"family": "flatcar"
},
{
"id": 2079,
"name": "Flatcar Container Linux Alpha x64",
"arch": "x64",
"family": "flatcar"
},
{
"id": 2104,
"name": "Ubuntu 23.04 x64",
"arch": "x64",
"family": "ubuntu"
},
{
"id": 2105,
"name": "OpenBSD 7.3 x64",
"arch": "x64",
"family": "openbsd"
},
{
"id": 2107,
"name": "Fedora 38 x64",
"arch": "x64",
"family": "fedora"
},
{
"id": 2136,
"name": "Debian 12 x64 (bookworm)",
"arch": "x64",
"family": "debian"
},
{
"id": 2171,
"name": "Vultr GPU Stack Ubuntu 20.04",
"arch": "x64",
"family": "vultr_gpu_stack"
},
{
"id": 2172,
"name": "Vultr GPU Stack Ubuntu 22.04",
"arch": "x64",
"family": "vultr_gpu_stack"
},
{
"id": 2179,
"name": "Ubuntu 23.10 x64",
"arch": "x64",
"family": "ubuntu"
},
{
"id": 2187,
"name": "OpenBSD 7.4 x64",
"arch": "x64",
"family": "openbsd"
}
],
"meta": {
"total": 47,
"links": {
"next": "",
"prev": ""
}
}
}


@ -0,0 +1,33 @@
locals {
rules = {
# https://github.com/mail-in-a-box/mailinabox/blob/main/security.md
tcp = [22, 25, 53, 80, 443, 465, 587, 993, 995]
udp = [53]
}
}
resource vultr_firewall_group mail {
description = "Mail server main firewall"
}
# Inbound rules that we need to define for the instance
# Create all the tcp rules of type ipv4
resource vultr_firewall_rule mail_tcp {
for_each = toset([for v in local.rules.tcp: tostring(v)])
firewall_group_id = vultr_instance.mail.id
protocol = "tcp"
ip_type = "v4"
subnet = "0.0.0.0"
subnet_size = 0
port = each.value
}
# Create all the udp rules of type ipv4
resource vultr_firewall_rule mail_udp {
for_each = toset([for v in local.rules.udp: tostring(v)])
firewall_group_id = vultr_instance.mail.id
protocol = "udp"
ip_type = "v4"
subnet = "0.0.0.0"
subnet_size = 0
port = each.value
}
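Review bot: Both rule resources set `firewall_group_id = vultr_instance.mail.id` (lines 363 and 373), which is the instance id rather than a firewall group id, and the `vultr_firewall_group.mail` declared just above is never referenced; the rules will either fail to apply or bind to the wrong object. Both lines should read `firewall_group_id = vultr_firewall_group.mail.id`. With `subnet = "0.0.0.0"` and `subnet_size = 0` every listed port, including 22, is reachable from any IPv4 source; the mail ports need that, but the SSH rule could be split into its own resource with an administrative source range in `subnet`/`subnet_size`. The group also only takes effect once the instance itself sets `firewall_group_id`, which the instance definition elsewhere in this commit does not.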


@ -0,0 +1,24 @@
# Basic configuration for the mail server itself
# Monthly cost for this should be about 10$ a month
resource vultr_instance mail {
# Core config
plan = var.mail.plan
region = var.mail.region
os_id = var.mail.os
#
# Enable backups of the server in case we lose something for some reason
backups = "enabled"
backups_schedule {
type = "daily_alt_even"
}
# Metadata
hostname = var.mail.name
label = var.mail.name
tags = [
"Mail server",
var.mail.name,
]
}
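Review bot: The instance at lines 386-404 never references the SSH key or firewall group created in the other files of this commit: there is no `ssh_key_ids = [vultr_ssh_key.mail.id]` and no `firewall_group_id = vultr_firewall_group.mail.id`, so the server comes up without the generated key installed and with no firewall attached. Adding those two attributes under the `# Core config` section would tie the three files together. The cost figure in the comment on line 385 depends entirely on `var.mail.plan`; moving it into that variable's `description` keeps it next to the value it describes.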


@ -0,0 +1,5 @@
# Email server

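--- a/infra/email-server/ssh.tf
+++ b/infra/email-server/ssh.tf
@@ -0,0 +1,23 @@
+resource tls_private_key mail {
+algorithm = "RSA"
+rsa_bits = 4096
+}
+# Ensure we can access the keys when we require it
+resource local_sensitive_file mail_private_key {
+filename = "${path.module}/mail_pem"
+content = tls_private_key.mail.private_key_pem
+file_permission = "0600"
+}
+resource local_sensitive_file mail_public_key {
+filename = "${path.module}/mail_pub"
+content = tls_private_key.mail.public_key_openssh
+file_permission = "0600"
+}
+resource vultr_ssh_key mail {
+name = mail_key
+ssh_key = tls_private_key.mail.public_key_openssh
+}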
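Review bot: `name = mail_key` on line 432 is an unquoted identifier, so Terraform will try to resolve it as a reference and fail at plan time; it should be `name = "mail_key"`. The two `local_sensitive_file` resources need the hashicorp/local provider, which the provider file in this commit does not list under `required_providers`, so it will be resolved unpinned; add an entry for it there. Writing the private key to `${path.module}/mail_pem` places it beside the .tf files, one missing `.gitignore` entry away from being committed, and the key is already present in the remote state regardless; if the local copy is really needed, a comment such as `# mail_pem is the server's private key: keep it gitignored and readable only by the operator` should sit above that resource. The `0600` mode on the public key file is harmless but unnecessary.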


@ -0,0 +1,32 @@
# Provider variables
####################
variable vultr_api_key {
type = string
sensitive = true
}
variable aws_key {
type = string
sensitive = true
}
variable aws_secret {
type = string
sensitive = true
}
variable aws_region {
type = string
default = "us-west-1"
}
variable mail {
type = object({
plan = string
region = string
os = number
name = string
})
}