From cef90d0c33ea1c264dcbae320c5b0fcfbab6a869 Mon Sep 17 00:00:00 2001
From: Martin Goik <goik@hdm-stuttgart.de>
Date: Sun, 5 May 2024 22:55:42 +0200
Subject: [PATCH] Adding cloud-init exercises, fixing fail2ban
---
Doc/Common/glossary.xml | 9 +
.../Readme.md | 0
.../main.tf | 9 -
.../outputs.tf | 2 +-
.../secrets.auto.tfvars.template | 0
.../variables.tf | 0
.../Terra/050CloudInitBasic/userData.yml | 7 -
.../Readme.md | 0
.../main.tf | 0
.../network.tf | 1 -
.../Terra/050CloudInitHelloWorld/outputs.tf | 9 +
.../secrets.auto.tfvars.template | 0
.../Terra/050CloudInitHelloWorld/userData.yml | 9 +
.../variables.tf | 0
.../Terra/060SshKnownHosts/outputs.tf | 2 +-
.../Terra/060SshKnownHosts/tpl/userData.yml | 4 +-
.../CloudProvider/Terra/070Upgrade/outputs.tf | 2 +-
.../Terra/070Upgrade/tpl/userData.yml | 9 +-
Doc/Sdi/CloudProvider/gettingStarted.xml | 333 +++++++++++++++++-
19 files changed, 356 insertions(+), 40 deletions(-)
rename Doc/Sdi/CloudProvider/Terra/{040ServerNameIpOutput => 040ServerIpLocationOutput}/Readme.md (100%)
rename Doc/Sdi/CloudProvider/Terra/{040ServerNameIpOutput => 040ServerIpLocationOutput}/main.tf (79%)
rename Doc/Sdi/CloudProvider/Terra/{050CloudInitBasic => 040ServerIpLocationOutput}/outputs.tf (81%)
rename Doc/Sdi/CloudProvider/Terra/{040ServerNameIpOutput => 040ServerIpLocationOutput}/secrets.auto.tfvars.template (100%)
rename Doc/Sdi/CloudProvider/Terra/{040ServerNameIpOutput => 040ServerIpLocationOutput}/variables.tf (100%)
delete mode 100644 Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/userData.yml
rename Doc/Sdi/CloudProvider/Terra/{050CloudInitBasic => 050CloudInitHelloWorld}/Readme.md (100%)
rename Doc/Sdi/CloudProvider/Terra/{050CloudInitBasic => 050CloudInitHelloWorld}/main.tf (100%)
rename Doc/Sdi/CloudProvider/Terra/{050CloudInitBasic => 050CloudInitHelloWorld}/network.tf (99%)
create mode 100644 Doc/Sdi/CloudProvider/Terra/050CloudInitHelloWorld/outputs.tf
rename Doc/Sdi/CloudProvider/Terra/{050CloudInitBasic => 050CloudInitHelloWorld}/secrets.auto.tfvars.template (100%)
create mode 100644 Doc/Sdi/CloudProvider/Terra/050CloudInitHelloWorld/userData.yml
rename Doc/Sdi/CloudProvider/Terra/{050CloudInitBasic => 050CloudInitHelloWorld}/variables.tf (100%)
diff --git a/Doc/Common/glossary.xml b/Doc/Common/glossary.xml
index 0dc21dce5..05e9ba2fb 100644
--- a/Doc/Common/glossary.xml
+++ b/Doc/Common/glossary.xml
@@ -822,6 +822,15 @@
</glossdef>
</glossentry>
+ <glossentry xml:id="glo_Terraform">
+ <glossterm><productname>Terraform</productname></glossterm>
+
+ <glossdef>
+ <para><link xlink:href="https://www.terraform.io">Terraform by
+ HashiCorp</link></para>
+ </glossdef>
+ </glossentry>
+
<glossentry xml:id="glo_Ubuntu">
<glossterm><productname>Ubuntu</productname></glossterm>
diff --git a/Doc/Sdi/CloudProvider/Terra/040ServerNameIpOutput/Readme.md b/Doc/Sdi/CloudProvider/Terra/040ServerIpLocationOutput/Readme.md
similarity index 100%
rename from Doc/Sdi/CloudProvider/Terra/040ServerNameIpOutput/Readme.md
rename to Doc/Sdi/CloudProvider/Terra/040ServerIpLocationOutput/Readme.md
diff --git a/Doc/Sdi/CloudProvider/Terra/040ServerNameIpOutput/main.tf b/Doc/Sdi/CloudProvider/Terra/040ServerIpLocationOutput/main.tf
similarity index 79%
rename from Doc/Sdi/CloudProvider/Terra/040ServerNameIpOutput/main.tf
rename to Doc/Sdi/CloudProvider/Terra/040ServerIpLocationOutput/main.tf
index 34be491e9..d7ad0feda 100644
--- a/Doc/Sdi/CloudProvider/Terra/040ServerNameIpOutput/main.tf
+++ b/Doc/Sdi/CloudProvider/Terra/040ServerIpLocationOutput/main.tf
@@ -35,12 +35,3 @@ resource "hcloud_server" "helloServer" {
ssh_keys = [hcloud_ssh_key.loginUser.id]
firewall_ids = [hcloud_firewall.sshFw.id]
}
-
-output "hello_id" {
- value = hcloud_server.helloServer.id
-}
-output "hello_ip_addr" {
- value = hcloud_server.helloServer.ipv4_address
- description = "The server's IPv4 address"
-}
-
diff --git a/Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/outputs.tf b/Doc/Sdi/CloudProvider/Terra/040ServerIpLocationOutput/outputs.tf
similarity index 81%
rename from Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/outputs.tf
rename to Doc/Sdi/CloudProvider/Terra/040ServerIpLocationOutput/outputs.tf
index fb93fbb76..0d54a6fc2 100644
--- a/Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/outputs.tf
+++ b/Doc/Sdi/CloudProvider/Terra/040ServerIpLocationOutput/outputs.tf
@@ -5,5 +5,5 @@ output "hello_ip_addr" {
output "hello_datacenter" {
value = hcloud_server.helloServer.datacenter
- description = "The server's datacenter"
+ description = "The server hosting datacenter"
}
\ No newline at end of file
diff --git a/Doc/Sdi/CloudProvider/Terra/040ServerNameIpOutput/secrets.auto.tfvars.template b/Doc/Sdi/CloudProvider/Terra/040ServerIpLocationOutput/secrets.auto.tfvars.template
similarity index 100%
rename from Doc/Sdi/CloudProvider/Terra/040ServerNameIpOutput/secrets.auto.tfvars.template
rename to Doc/Sdi/CloudProvider/Terra/040ServerIpLocationOutput/secrets.auto.tfvars.template
diff --git a/Doc/Sdi/CloudProvider/Terra/040ServerNameIpOutput/variables.tf b/Doc/Sdi/CloudProvider/Terra/040ServerIpLocationOutput/variables.tf
similarity index 100%
rename from Doc/Sdi/CloudProvider/Terra/040ServerNameIpOutput/variables.tf
rename to Doc/Sdi/CloudProvider/Terra/040ServerIpLocationOutput/variables.tf
diff --git a/Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/userData.yml b/Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/userData.yml
deleted file mode 100644
index 89e3a181e..000000000
--- a/Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/userData.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-#cloud-config
-packages:
- - nginx
-runcmd:
- - systemctl enable nginx
- - rm /var/www/html/*
- - echo "Hello! I am Nginx @ $(curl -s ipinfo.io/ip)! This record added at $(date -u)." >>/var/www/html/index.html
diff --git a/Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/Readme.md b/Doc/Sdi/CloudProvider/Terra/050CloudInitHelloWorld/Readme.md
similarity index 100%
rename from Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/Readme.md
rename to Doc/Sdi/CloudProvider/Terra/050CloudInitHelloWorld/Readme.md
diff --git a/Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/main.tf b/Doc/Sdi/CloudProvider/Terra/050CloudInitHelloWorld/main.tf
similarity index 100%
rename from Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/main.tf
rename to Doc/Sdi/CloudProvider/Terra/050CloudInitHelloWorld/main.tf
diff --git a/Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/network.tf b/Doc/Sdi/CloudProvider/Terra/050CloudInitHelloWorld/network.tf
similarity index 99%
rename from Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/network.tf
rename to Doc/Sdi/CloudProvider/Terra/050CloudInitHelloWorld/network.tf
index dcfa52d7a..a17a78fff 100644
--- a/Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/network.tf
+++ b/Doc/Sdi/CloudProvider/Terra/050CloudInitHelloWorld/network.tf
@@ -27,5 +27,4 @@ resource "hcloud_firewall" "wwwFw" {
"::/0"
]
}
-
}
diff --git a/Doc/Sdi/CloudProvider/Terra/050CloudInitHelloWorld/outputs.tf b/Doc/Sdi/CloudProvider/Terra/050CloudInitHelloWorld/outputs.tf
new file mode 100644
index 000000000..0d54a6fc2
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/050CloudInitHelloWorld/outputs.tf
@@ -0,0 +1,9 @@
+output "hello_ip_addr" {
+ value = hcloud_server.helloServer.ipv4_address
+ description = "The server's IPv4 address"
+}
+
+output "hello_datacenter" {
+ value = hcloud_server.helloServer.datacenter
+ description = "The server hosting datacenter"
+}
\ No newline at end of file
diff --git a/Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/secrets.auto.tfvars.template b/Doc/Sdi/CloudProvider/Terra/050CloudInitHelloWorld/secrets.auto.tfvars.template
similarity index 100%
rename from Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/secrets.auto.tfvars.template
rename to Doc/Sdi/CloudProvider/Terra/050CloudInitHelloWorld/secrets.auto.tfvars.template
diff --git a/Doc/Sdi/CloudProvider/Terra/050CloudInitHelloWorld/userData.yml b/Doc/Sdi/CloudProvider/Terra/050CloudInitHelloWorld/userData.yml
new file mode 100644
index 000000000..4b2bfb266
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/050CloudInitHelloWorld/userData.yml
@@ -0,0 +1,9 @@
+#cloud-config
+packages:
+ - nginx
+runcmd:
+ - systemctl enable nginx
+ - rm /var/www/html/*
+ - >
+ echo "I'm Nginx @ $(dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com)
+ created $(date -u)" >> /var/www/html/index.html
diff --git a/Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/variables.tf b/Doc/Sdi/CloudProvider/Terra/050CloudInitHelloWorld/variables.tf
similarity index 100%
rename from Doc/Sdi/CloudProvider/Terra/050CloudInitBasic/variables.tf
rename to Doc/Sdi/CloudProvider/Terra/050CloudInitHelloWorld/variables.tf
diff --git a/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/outputs.tf b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/outputs.tf
index a63f85e52..658991641 100644
--- a/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/outputs.tf
+++ b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/outputs.tf
@@ -5,5 +5,5 @@ output "hello_ip_addr" {
output "hello_datacenter" {
value = hcloud_server.helloServer.datacenter
- description = "The server's datacenter"
+ description = "The server hosting datacenter"
}
diff --git a/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/tpl/userData.yml b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/tpl/userData.yml
index deae75e27..d08cd9461 100644
--- a/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/tpl/userData.yml
+++ b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/tpl/userData.yml
@@ -6,7 +6,7 @@ ssh_keys:
ed25519_public: ${host_ed25519_public}
users:
- name: devops
- groups: users, admin
+ groups: sudo
sudo: ALL=(ALL) NOPASSWD:ALL
shell: /bin/bash
ssh_authorized_keys:
@@ -15,7 +15,7 @@ users:
runcmd:
# ssh daemon defaults
- sed -ie '/^PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
- - sed -ie '/^PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
+ - sed -ie '/^#PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
- sed -ie '/^#AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh/authorized_keys/' /etc/ssh/sshd_config
- sed -i '$a AllowUsers devops' /etc/ssh/sshd_config
- systemctl restart ssh
diff --git a/Doc/Sdi/CloudProvider/Terra/070Upgrade/outputs.tf b/Doc/Sdi/CloudProvider/Terra/070Upgrade/outputs.tf
index a63f85e52..658991641 100644
--- a/Doc/Sdi/CloudProvider/Terra/070Upgrade/outputs.tf
+++ b/Doc/Sdi/CloudProvider/Terra/070Upgrade/outputs.tf
@@ -5,5 +5,5 @@ output "hello_ip_addr" {
output "hello_datacenter" {
value = hcloud_server.helloServer.datacenter
- description = "The server's datacenter"
+ description = "The server hosting datacenter"
}
diff --git a/Doc/Sdi/CloudProvider/Terra/070Upgrade/tpl/userData.yml b/Doc/Sdi/CloudProvider/Terra/070Upgrade/tpl/userData.yml
index e9d65aaed..284bd0997 100644
--- a/Doc/Sdi/CloudProvider/Terra/070Upgrade/tpl/userData.yml
+++ b/Doc/Sdi/CloudProvider/Terra/070Upgrade/tpl/userData.yml
@@ -6,7 +6,7 @@ ssh_keys:
ed25519_public: ${host_ed25519_public}
users:
- name: devops
- groups: users, admin
+ groups: sudo
sudo: ALL=(ALL) NOPASSWD:ALL
shell: /bin/bash
ssh_authorized_keys:
@@ -18,16 +18,19 @@ package_reboot_if_required: true
packages:
- fail2ban
+ - python3-systemd # See https://superuser.com/questions/1830245/i-cant-get-fail2ban-working-on-debian-12#answer-1830273
- vim # Enhanced vi command
- mlocate
runcmd:
# Fail2ban activation
- - printf "[sshd]\nenabled = true\nbanaction = iptables-multiport" > /etc/fail2ban/jail.local
+ - >
+ printf "[sshd]\nenabled = true\nbackend = systemd\nbanaction = iptables-multiport" >
+ /etc/fail2ban/jail.d/defaults-debian.conf
- systemctl enable fail2ban
- systemctl start fail2ban
# ssh daemon defaults
- sed -ie '/^PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
- - sed -ie '/^PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
+ - sed -ie '/^#PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
- sed -ie '/^#AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh/authorized_keys/' /etc/ssh/sshd_config
- sed -i '$a AllowUsers devops' /etc/ssh/sshd_config
- systemctl restart ssh
diff --git a/Doc/Sdi/CloudProvider/gettingStarted.xml b/Doc/Sdi/CloudProvider/gettingStarted.xml
index 174c7c29f..2a7aa0319 100644
--- a/Doc/Sdi/CloudProvider/gettingStarted.xml
+++ b/Doc/Sdi/CloudProvider/gettingStarted.xml
@@ -334,7 +334,7 @@ terraform {
# Configure the Hetzner Cloud API token
provider "hcloud" {
- token = "your_api_token_goes_here"
+ token = "<emphasis role="red">your_api_token_goes_here</emphasis>"
}
# Create a server
@@ -342,7 +342,6 @@ resource "hcloud_server" "helloServer" {
name = "hello"
image = "debian-12"
server_type = "cx11"
- location = "nbg1"
}</programlisting>
</figure>
@@ -493,14 +492,14 @@ resource "hcloud_server" "helloServer" {
public key</title>
<programlisting language="terraform">resource "hcloud_ssh_key" "<emphasis
- role="red">goik</emphasis>" {
+ role="red">loginUser</emphasis>" {
name = "goik@hdm-stuttgart.de"
public_key = file("~/.ssh/id_ed25519.pub")
}
...
resource "hcloud_server" "helloServer" {
...
- ssh_keys = [hcloud_ssh_key.<emphasis role="red">goik</emphasis>.id]
+ ssh_keys = [hcloud_ssh_key.<emphasis role="red">loginUser</emphasis>.id]
}</programlisting>
</figure>
@@ -518,7 +517,7 @@ resource "hcloud_server" "helloServer" {
+ resource "hcloud_server" "helloServer" {
...
# hcloud_ssh_key.goik will be created
- + resource "hcloud_ssh_key" "goik" {
+ + resource "hcloud_ssh_key" "loginUser" {
...
Plan: 3 to add, 0 to change, 0 to destroy.
...
@@ -666,16 +665,87 @@ provider "hcloud" { token = "<emphasis role="red">xdaGfz9LmwO8SWkg ... </emphasi
</informaltable>
</figure>
- <figure xml:id="sdi_cloudProvider_terra_hello_kownHostsDuplicateProblem">
- <title>Duplicate known_hosts entry on re-creating server</title>
+ <qandaset defaultlabel="qanda"
+ xml:id="sdi_cloudProvider_terra_qandaBasicSystem">
+ <title>Incrementally creating a base system</title>
- <screen>$ ssh root@128.140.108.60
-@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
-@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
-@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
-IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
-Someone could be eavesdropping on you right now (<emphasis role="red">man-in-the-middle attack</emphasis>)!</screen>
- </figure>
+ <qandadiv>
+ <qandaentry>
+ <question>
+ <para>Follow the subsequent steps creating basic server based on
+ <xref linkend="glo_Terraform"/>:</para>
+
+ <orderedlist>
+ <listitem>
+ <para>Start from <xref
+ linkend="sdi_cloudProvider_terra_minimalConfig"/> adding a
+ <xref linkend="glo_ssh"/> inbound firewall rule. Enter your
+ <orgname>Hetzner</orgname> provider token and create the
+ server.</para>
+
+ <para>On success you'll receive an e-mail containing your
+ server's IP address and the <code>root</code> user's password
+ for <xref linkend="glo_ssh"/> login.</para>
+ </listitem>
+
+ <listitem>
+ <para>Subject your configuration to a
+ <productname>Gitlab</productname> project. Versioning the
+ previous <xref linkend="glo_Terraform"/> configuration might
+ expose your cloud provider's API token. To circumvent this
+ problem follow the steps outlined in <xref
+ linkend="sdi_cloudProvider_terra_hello_sshProblemApiTokenSolve"/>.</para>
+ </listitem>
+
+ <listitem>
+ <para> Ditch unsafe (and tedious) <xref linkend="glo_ssh"/>
+ password login in favour of public/private key access. </para>
+
+ <tip>
+ <para>Create a <link
+ xlink:href="https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs/resources/ssh_key">resource
+ "hcloud_ssh_key" ...</link> and read your <link
+ xlink:href="https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs/resources/server">hcloud_server</link>
+ documentation regarding <xref linkend="glo_ssh"/> public key
+ configuration.</para>
+ </tip>
+
+ <para>On success you should be able to log in using your <xref
+ linkend="glo_ssh"/> private key.</para>
+ </listitem>
+
+ <listitem>
+ <para>Currently when executing <command
+ linkend="glo_Terraform">terraform</command>
+ <option>apply</option> both your server's IP and <link
+ xlink:href="https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs/resources/server#datacenter">data
+ center location</link> are not being shown explicitly. Add an
+ <filename>outputs.tf</filename> file containing two
+ corresponding <code
+ xlink:href="https://developer.hashicorp.com/terraform/language/values/outputs">output</code>
+ entries.</para>
+
+ <para>On success when executing <command
+ linkend="glo_Terraform">terraform</command>
+ <option>apply</option> you should see something like:</para>
+
+ <screen>terraform apply
+...
+hcloud_server.helloServer: Still creating... [10s elapsed]
+hcloud_server.helloServer: Creation complete after 14s [id=46961197]
+
+Apply complete! Resources: 3 added, 0 changed, 0 destroyed.
+
+Outputs:
+
+hello_datacenter = "hel1-dc2"
+hello_ip_addr = "95.217.154.104"</screen>
+ </listitem>
+ </orderedlist>
+ </question>
+ </qandaentry>
+ </qandadiv>
+ </qandaset>
</section>
<section xml:id="sdi_cloudProvider_cloudInit">
@@ -762,8 +832,241 @@ Someone could be eavesdropping on you right now (<emphasis role="red">man-in-the
<programlisting language="terraform">resource "hcloud_server" "web" {
name = var.server_name
...
- user_data = file("Server/web/web.yml")
+ user_data = file("userData.yml")
}</programlisting>
</figure>
+
+ <figure xml:id="sdi_cloudProvider_cloudInit_helloWorld">
+ <title> »hello, world ...« <filename>userData.yml</filename>
+ file</title>
+
+ <programlisting language="yaml">#cloud-config
+packages:
+ - nginx
+runcmd:
+ - systemctl enable nginx
+ - rm /var/www/html/*
+ - >
+ echo "I'm Nginx @ $(dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com)
+ created $(date -u)" >> /var/www/html/index.html</programlisting>
+ </figure>
+
+ <figure xml:id="sdi_cloudProvider_cloudInit_kownHostsDuplicateProblem">
+ <title>Duplicate known_hosts entry on re-creating server</title>
+
+ <para>Problem of repeated <command
+ linkend="glo_Terraform">terraform</command>
+ <option>apply</option>:</para>
+
+ <screen>$ ssh root@128.140.108.60
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
+Someone could be eavesdropping on you right now (<emphasis role="red">man-in-the-middle attack</emphasis>)!</screen>
+ </figure>
+
+ <qandaset defaultlabel="qanda"
+ xml:id="sdi_cloudProvider_cloudInit_qanda_gettingStarted">
+ <title>Working on <productname>Cloud-init</productname></title>
+
+ <qandadiv>
+ <qandaentry>
+ <question>
+ <para>We continue our exercise series <xref
+ linkend="sdi_cloudProvider_terra_qandaBasicSystem"/> by adding a
+ <productname>Cloud-init</productname> configuration. Follow the
+ subsequent steps:</para>
+
+ <orderedlist>
+ <listitem>
+ <para>Follow <xref
+ linkend="sdi_cloudProvider_cloudInit_terraformInterfaceCloudinit"/>
+ and <xref linkend="sdi_cloudProvider_cloudInit_helloWorld"/>
+ to create simple web server.</para>
+
+ <tip>
+ <para>You will have to extend your current firewall
+ configuration allowing inbound traffic to port 80.</para>
+ </tip>
+
+ <para>On success pointing your web browser of choice to
+ <uri>http://<your server's IP></uri> you should see
+ something like:</para>
+
+ <screen>I'm Nginx @ "95.217.154.104" created Sun May 5 06:58:37 PM UTC 2024</screen>
+ </listitem>
+
+ <listitem>
+ <para>Working on security modify your current configuration
+ by:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para>Disallow <xref linkend="glo_ssh"/> password
+ logins</para>
+ </listitem>
+
+ <listitem>
+ <para>Disallow <code>root</code> login</para>
+ </listitem>
+
+ <listitem>
+ <para>Create a user <code>devops</code> eligible for both
+ <xref linkend="glo_ssh"/> login and
+ <command>sudo</command> execution.</para>
+ </listitem>
+ </itemizedlist>
+
+ <tip>
+ <itemizedlist>
+ <listitem>
+ <para><link
+ xlink:href="https://www.digitalocean.com/community/tutorials/how-to-use-cloud-config-for-your-initial-server-setup#configuring-the-ssh-daemon-through-focused-changes">Modifying
+ ssh configuration files</link></para>
+ </listitem>
+
+ <listitem>
+ <para><link
+ xlink:href="https://www.digitalocean.com/community/tutorials/how-to-use-cloud-config-for-your-initial-server-setup#set-up-sudo-access">Set
+ up sudo access</link></para>
+ </listitem>
+ </itemizedlist>
+ </tip>
+
+ <para>On success the following sequence should be
+ possible:</para>
+
+ <screen>$ ssh -v devops@95.217.154.104
+...
+debug1: SSH2_MSG_SERVICE_ACCEPT received
+debug1: <emphasis role="red">Authentications that can continue: publickey</emphasis> <co
+ linkends="sdi_cloudProvider_cloudInit_qanda_gettingStarted_ssh-1"
+ xml:id="sdi_cloudProvider_cloudInit_qanda_gettingStarted_ssh-1-co"/>
+debug1: Next authentication method: publickey
+...
+Last login: Sun May 5 19:21:12 2024 from 217.245.243.187
+devops@hello:~$ sudo su - <co
+ linkends="sdi_cloudProvider_cloudInit_qanda_gettingStarted_ssh-2"
+ xml:id="sdi_cloudProvider_cloudInit_qanda_gettingStarted_ssh-2-co"/>
+root@hello:~# hostname
+hello</screen>
+
+ <calloutlist>
+ <callout arearefs="sdi_cloudProvider_cloudInit_qanda_gettingStarted_ssh-1-co"
+ xml:id="sdi_cloudProvider_cloudInit_qanda_gettingStarted_ssh-1">
+ <para><code>password</code> is not among the list of
+ allowed authentication methods.</para>
+ </callout>
+
+ <callout arearefs="sdi_cloudProvider_cloudInit_qanda_gettingStarted_ssh-2-co"
+ xml:id="sdi_cloudProvider_cloudInit_qanda_gettingStarted_ssh-2">
+ <para>User <code>devops</code> may execute
+ <command>sudo</command> commands by virtue of his
+ membership in group <code>sudo</code>.</para>
+ </callout>
+ </calloutlist>
+
+ <para>On contrary <xref linkend="glo_ssh"/> root login must be
+ prohibited:</para>
+
+ <screen>$ ssh root@95.217.154.104
+root@95.217.154.104: Permission denied (publickey).</screen>
+ </listitem>
+
+ <listitem>
+ <para>Read the <link
+ xlink:href="https://cloudinit.readthedocs.io/en/latest">cloud-init
+ documentation</link> and/or related tutorials to:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para>Upgrade all distribution packages at server creation
+ time. If so required your system should reboot.</para>
+ </listitem>
+
+ <listitem>
+ <para>Install and configure fail2ban limiting <xref
+ linkend="glo_ssh"/> failed connection attempts.</para>
+
+ <tip>
+ <para>Answer <link
+ xlink:href="https://superuser.com/questions/1830245/i-cant-get-fail2ban-working-on-debian-12#answer-1830273">On
+ Debian 12 there are a couple of things you have to do to
+ make it work</link>.</para>
+ </tip>
+ </listitem>
+
+ <listitem>
+ <para>Install the <code>mlocate</code> file indexer
+ package and initialize it</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>On success all packages should be up to date:</para>
+
+ <screen>$ ./bin/ssh
+...
+devops@hello:~$ sudo su -
+root@hello:~# apt update
+Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
+Hit:2 http://deb.debian.org/debian bookworm InRelease
+...
+Reading package lists... Done
+Building dependency tree... Done
+Reading state information... Done
+<emphasis role="red">All packages are up to date.</emphasis></screen>
+
+ <para>On contrary a failure of updating packages during
+ installation time results in an output similar to:</para>
+
+ <screen>$ ./bin/ssh
+...
+devops@hello:~$ sudo su -
+root@hello:~# apt update
+Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
+Hit:2 http://deb.debian.org/debian bookworm InRelease
+...
+Reading package lists... Done
+Building dependency tree... Done
+Reading state information... Done
+<emphasis role="red">6 packages can be upgraded. Run 'apt list --upgradable' to see them.</emphasis>
+
+# apt list --upgradable
+Listing... Done
+less/stable-security,stable-security 590-2.1~deb12u2 amd64 [upgradable from: 590-2]
+libc-bin/stable-security,stable-security 2.36-9+deb12u7 amd64 [upgradable from: 2.36-9+deb12u6]
+libc-l10n/stable-security,stable-security 2.36-9+deb12u7 all [upgradable from: 2.36-9+deb12u6]
+libc6/stable-security,stable-security 2.36-9+deb12u7 amd64 [upgradable from: 2.36-9+deb12u6]
+locales-all/stable-security,stable-security 2.36-9+deb12u7 amd64 [upgradable from: 2.36-9+deb12u6]
+locales/stable-security,stable-security 2.36-9+deb12u7 all [upgradable from: 2.36-9+deb12u6]</screen>
+
+ <para>Failed login attempts should be banned: Keep a second
+ login open in advance when trying to simulate login failures!
+ You might then see a report similar to:</para>
+
+ <screen>root@hello:~# fail2ban-client status sshd
+Status for the jail: sshd
+|- Filter
+| |- Currently failed: 2
+| |- Total failed: 14
+| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
+`- Actions
+ |- Currently banned: 2
+ |- Total banned: 2
+ `- <emphasis role="red">Banned IP list: 170.64.133.30 213.136.94.219</emphasis></screen>
+
+ <para>Searching for file name components should work like
+ e.g.:</para>
+
+ <screen>root@hello:~# locate <emphasis role="red">ssh_host</emphasis>
+/etc/ssh/<emphasis role="red">ssh_host</emphasis>_ed25519_key
+/etc/ssh/<emphasis role="red">ssh_host</emphasis>_ed25519_key.pub</screen>
+ </listitem>
+ </orderedlist>
+ </question>
+ </qandaentry>
+ </qandadiv>
+ </qandaset>
</section>
</chapter>
--
GitLab