From cee0826df3781bd389c5de9065d77ba8717ee6ac Mon Sep 17 00:00:00 2001
From: Martin Goik <goik@hdm-stuttgart.de>
Date: Sun, 5 May 2024 17:19:03 +0200
Subject: [PATCH] Generated server authenticating known_hosts file

---
 .../Terra/050CloudInitBasic/Readme.md         |  6 +++
 .../Terra/050CloudInitBasic/network.tf        |  1 +
 .../Terra/060SshKnownHosts/Readme.md          |  5 ++
 .../Terra/060SshKnownHosts/bin/.gitignore     |  2 +
 .../Terra/060SshKnownHosts/gen/.gitignore     |  2 +
 .../Terra/060SshKnownHosts/main.tf            | 48 +++++++++++++++++++
 .../Terra/060SshKnownHosts/network.tf         | 12 +++++
 .../Terra/060SshKnownHosts/outputs.tf         |  9 ++++
 .../secrets.auto.tfvars.template              |  1 +
 .../Terra/060SshKnownHosts/tpl/ssh.sh         |  5 ++
 .../Terra/060SshKnownHosts/tpl/userData.yml   | 20 ++++++++
 .../Terra/060SshKnownHosts/variables.tf       |  4 ++
 12 files changed, 115 insertions(+)
 create mode 100644 Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/Readme.md
 create mode 100644 Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/Readme.md
 create mode 100644 Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/bin/.gitignore
 create mode 100644 Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/gen/.gitignore
 create mode 100644 Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/main.tf
 create mode 100644 Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/network.tf
 create mode 100644 Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/outputs.tf
 create mode 100644 Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/secrets.auto.tfvars.template
 create mode 100644 Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/tpl/ssh.sh
 create mode 100644 Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/tpl/userData.yml
 create mode 100644 Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/variables.tf

diff --git a/Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/Readme.md b/Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/Readme.md
new file mode 100644
index 000000000..4f9b5f16b
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/Readme.md
@@ -0,0 +1,6 @@
+# Cloud-init creating a simple http static content server
+
+- File `userData` connecting Terraform and Cloud-init
+- Package Nginx + static content
+- Firewall by `network.tf` allowing incoming 80 and 443 (yet unused) connections
+
diff --git a/Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/network.tf b/Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/network.tf
index a17a78fff..dcfa52d7a 100644
--- a/Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/network.tf
+++ b/Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/network.tf
@@ -27,4 +27,5 @@ resource "hcloud_firewall" "wwwFw" {
       "::/0"
     ]
   }
+
 }
diff --git a/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/Readme.md b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/Readme.md
new file mode 100644
index 000000000..8893e3ebf
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/Readme.md
@@ -0,0 +1,5 @@
+# Improving ssh handling and security
+
+- Creating local `bin/ssh` and related `gen/known_hosts` file from templates
+- Enhancing `sshd` security settings
+
diff --git a/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/bin/.gitignore b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/bin/.gitignore
new file mode 100644
index 000000000..c96a04f00
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/bin/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
\ No newline at end of file
diff --git a/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/gen/.gitignore b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/gen/.gitignore
new file mode 100644
index 000000000..c96a04f00
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/gen/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
\ No newline at end of file
diff --git a/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/main.tf b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/main.tf
new file mode 100644
index 000000000..52c074a63
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/main.tf
@@ -0,0 +1,48 @@
+terraform {
+  required_providers {
+    hcloud = {
+      source = "hetznercloud/hcloud"
+    }
+  }
+  required_version = ">= 0.13"
+}
+
+provider "hcloud" {
+  token = var.hcloud_token
+}
+resource "tls_private_key" "host" {
+  algorithm   = "ED25519"
+}
+
+resource "hcloud_ssh_key" "loginUser" {
+  name       = "goik@hdm-stuttgart.de"
+  public_key = file("~/.ssh/id_ed25519.pub")
+}
+
+resource "hcloud_server" "helloServer" {
+  name         = "hello"
+  image        =  "debian-12"
+  server_type  =  "cx11"
+  user_data    = templatefile("tpl/userData.yml", {
+    host_ed25519_private = indent(4, tls_private_key.host.private_key_openssh) # yaml format parsing quirk, sigh!
+    host_ed25519_public  = tls_private_key.host.public_key_openssh
+    devopsSshPublicKey  = hcloud_ssh_key.loginUser.public_key
+  })
+  ssh_keys     = [hcloud_ssh_key.loginUser.id]
+  firewall_ids = [hcloud_firewall.sshFw.id]
+}
+
+resource "local_file" "known_hosts" {
+  content         = "${hcloud_server.helloServer.ipv4_address} ${tls_private_key.host.public_key_openssh}"
+  filename        = "gen/known_hosts"
+  file_permission = "644"
+}
+
+resource "local_file" "ssh_script" {
+  content = templatefile("tpl/ssh.sh", {
+    ip = hcloud_server.helloServer.ipv4_address
+  })
+  filename        = "bin/ssh"
+  file_permission = "700"
+  depends_on      = [local_file.known_hosts]
+}
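Review bot: The generated host private key is interpolated into `user_data` on line 115, so it lives not only in the Terraform state (where `tls_private_key` stores it regardless) but also in the server's user data at Hetzner, which, as far as I recall, the instance metadata service hands out without authentication to any local process. For a host key that is tolerable, but the resource deserves a comment such as `# private key is kept in tfstate and in the server's user_data; treat both as secrets`. Separately, the `tls` and `local` providers are used but not listed in `required_providers` (lines 90-94), so they resolve from the implicit `hashicorp/` namespace without a version constraint; adding `tls = { source = "hashicorp/tls" }` and `local = { source = "hashicorp/local" }` pins them alongside `hcloud`. The SSH key name and path on lines 106-107 are also hard-coded to one user; a variable would let others reuse the example.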
diff --git a/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/network.tf b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/network.tf
new file mode 100644
index 000000000..0a58ea664
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/network.tf
@@ -0,0 +1,12 @@
+resource "hcloud_firewall" "sshFw" {
+  name = "www-firewall"
+  rule {
+    direction = "in"
+    protocol  = "tcp"
+    port      = "22"
+    source_ips = [
+      "0.0.0.0/0",
+      "::/0"
+    ]
+  }
+}
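Review bot: The firewall on line 144 is named `www-firewall` although the resource is `sshFw` and its only rule opens port 22, which looks like a leftover from the 050 example; `name = "ssh-firewall"` would match. If I remember correctly Hetzner requires firewall names to be unique per project, so keeping the 050 name would also make applying both examples side by side fail. The world-open source range is fine for the tutorial, but a short comment saying it is deliberate helps readers who copy the file into real setups.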
diff --git a/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/outputs.tf b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/outputs.tf
new file mode 100644
index 000000000..a63f85e52
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/outputs.tf
@@ -0,0 +1,9 @@
+output "hello_ip_addr" {
+  value       = hcloud_server.helloServer.ipv4_address
+  description = "The server's IPv4 address"
+}
+
+output "hello_datacenter" {
+  value       = hcloud_server.helloServer.datacenter
+  description = "The server's datacenter"
+}
diff --git a/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/secrets.auto.tfvars.template b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/secrets.auto.tfvars.template
new file mode 100644
index 000000000..5929da087
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/secrets.auto.tfvars.template
@@ -0,0 +1 @@
+hcloud_token="your_api_token_goes_here"
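Review bot: The real `secrets.auto.tfvars` that users create from this template is auto-loaded by Terraform and holds the API token, yet the only ignore rules in this commit cover `bin/` and `gen/`; unless a parent `.gitignore` already matches `*.auto.tfvars` (not visible here), the token is one `git add .` away from the repository. A `secrets.auto.tfvars` line in a `.gitignore` next to this template, or a remark in the Readme, would close that gap.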
diff --git a/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/tpl/ssh.sh b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/tpl/ssh.sh
new file mode 100644
index 000000000..5de61bbbf
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/tpl/ssh.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+GEN_DIR=$(dirname "$0")/../gen
+
+ssh -o UserKnownHostsFile="$GEN_DIR/known_hosts" devops@${ip} "$@"
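Review bot: The wrapper on line 187 points ssh at the generated `known_hosts` but leaves `StrictHostKeyChecking` at its default `ask`, so when the file is stale or missing the user is prompted to accept whatever key is offered, which defeats the purpose of generating it; `exec ssh -o UserKnownHostsFile="$GEN_DIR/known_hosts" -o StrictHostKeyChecking=yes devops@${ip} "$@"` fails closed instead (and `exec` avoids a lingering shell). `$(dirname "$0")` on line 185 resolves relative to how the script was invoked, which works for `bin/ssh` but not if the file is symlinked elsewhere; worth a comment. A comment noting that `${ip}` is expanded by Terraform's `templatefile`, not by the shell, would also spare a reader confusion.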
diff --git a/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/tpl/userData.yml b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/tpl/userData.yml
new file mode 100644
index 000000000..cd61df8f3
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/tpl/userData.yml
@@ -0,0 +1,20 @@
+#cloud-config
+
+ssh_keys:
+  ed25519_private: |
+    ${host_ed25519_private}
+  ed25519_public: ${host_ed25519_public}
+users:
+  - name: devops
+    groups: users, admin
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    shell: /bin/bash
+    ssh_authorized_keys:
+      - ${devopsSshPublicKey}
+
+runcmd:
+  - sed -ie '/^PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
+  - sed -ie '/^PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
+  - sed -ie '/^#AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh/authorized_keys/' /etc/ssh/sshd_config
+  - sed -i '$a AllowUsers devops' /etc/ssh/sshd_config
+  - systemctl restart ssh
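Review bot: The third `sed` on line 211 is broken: the replacement `AuthorizedKeysFile .ssh/authorized_keys` contains an unescaped `/`, so sed reads `authorized_keys/` as flags and aborts with "unknown option to `s'"; use another delimiter, e.g. `- sed -i -e '/^#AuthorizedKeysFile/s|^.*$|AuthorizedKeysFile .ssh/authorized_keys|' /etc/ssh/sshd_config`. Lines 209-211 also use `-ie`, which GNU sed parses as `-i` with backup suffix `e`, leaving a stray `/etc/ssh/sshd_confige`; `-i -e` is what was meant. The `^PermitRootLogin` and `^PasswordAuthentication` patterns only fire if those directives are already uncommented in the image's `sshd_config`, which I cannot verify from here; appending with `$a` as done for `AllowUsers`, or dropping a file into `/etc/ssh/sshd_config.d/` (which, as far as I know, Debian 12's stock config includes ahead of its own settings), is more robust. Finally, running `sshd -t` before `systemctl restart ssh` would keep a config error from leaving the host unreachable.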
diff --git a/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/variables.tf b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/variables.tf
new file mode 100644
index 000000000..3eefa6804
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/variables.tf
@@ -0,0 +1,4 @@
+variable "hcloud_token" {  # See secret.auto.tfvars
+  nullable = false
+  sensitive = true
+}
\ No newline at end of file
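Review bot: The comment on line 220 points to `secret.auto.tfvars`, but the template added in this commit is `secrets.auto.tfvars.template`, so a reader following the comment creates a differently named file than the template implies (both would still auto-load, which hides the mismatch); `variable "hcloud_token" {  # See secrets.auto.tfvars, created from secrets.auto.tfvars.template` keeps them consistent. Adding `type = string` and a `description` would also make the variable self-describing.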
-- 
GitLab