iac/modules/netboot_server/sftp.tf

192 lines
5.3 KiB
Terraform
Raw Normal View History

2024-06-04 09:25:59 +00:00
module "sftp" {
source = "../sshd"
base_config_dir = "/var/roothome/sftp"
use_socket_activation = true
address_family = "inet"
listen_port = 22
sftp_only = true
chrooted_users = local.chrooted_users
host_keys = ["/data/ssh_keys/ssh_host_ed25519_key"]
}
locals {
sftp_keys_filesystem = {
device = "${local.data_device_path}-part6"
format = "ext4"
label = "ssh_keys"
}
chrooted_users = [
{
username = "terraform_dhcp"
chroot = "/data/dhcp_config"
ssh_public_key = var.ssh_public_key_opentofu_netboot_server
},
{
username = "terraform_ignition"
chroot = "/data/ign_files"
ssh_public_key = var.ssh_public_key_opentofu_netboot_server
}
]
sftp_build_dir = {
path = "/var/roothome/sftp"
user = {id = 0}
group = {id = 0}
mode = 448 # 0700
}
sftp_containerfile_file = {
path = "/var/roothome/sftp/Containerfile"
user = {id = 0}
group = {id = 0}
mode = 420 # 0644
contents = {
source = format(
"data:text/plain;base64,%s",
base64encode(templatefile(
"${path.module}/files/sftp/Containerfile.tftpl",
{
chrooted_users = local.chrooted_users
}
))
)
}
}
sftp_keys_volume_file = {
path = "/etc/containers/systemd/ssh_keys.volume"
user = {id = 0}
group = {id = 0}
mode = 420 # 0644
contents = {
source = format(
"data:text/plain;base64,%s",
base64encode(file("${path.module}/files/sftp/ssh_keys.volume"))
)
}
}
sftp_init_keys_container_file = {
path = "/etc/containers/systemd/sftp_init_keys.container"
user = {id = 0}
group = {id = 0}
mode = 420 # 0644
contents = {
source = format(
"data:text/plain;base64,%s",
base64encode(file("${path.module}/files/sftp/sftp_init_keys.container"))
)
}
}
sftp_container_file = {
path = "/etc/containers/systemd/sftp.container"
user = {id = 0}
group = {id = 0}
mode = 420 # 0644
contents = {
source = format(
"data:text/plain;base64,%s",
base64encode(templatefile(
"${path.module}/files/sftp/sftp.container.tftpl",
{
internal_port = 22
external_port = 2222
}
))
)
}
}
dhcp_config_filesystem = {
device = "${local.data_device_path}-part2"
format = "ext4"
label = "dhcp_config"
}
sftp_dhcp_config_init_container = {
path = "/etc/containers/systemd/dhcp_config_init.container"
user = {id = 0}
group = {id = 0}
mode = 420 # 0644
contents = {
source = format(
"data:text/plain;base64,%s",
base64encode(file("${path.module}/files/sftp/dhcp_config_init.container"))
)
}
}
sftp_dhcp_config_volume_file = {
path = "/etc/containers/systemd/dhcp_config.volume"
user = {id = 0}
group = {id = 0}
mode = 420 # 0644
contents = {
source = format(
"data:text/plain;base64,%s",
base64encode(file("${path.module}/files/sftp/dhcp_config.volume"))
)
}
}
ignition_files_filesystem = {
device = "${local.data_device_path}-part5"
format = "ext4"
label = "ign_files"
}
sftp_ignition_files_init_container = {
path = "/etc/containers/systemd/ign_files_init.container"
user = {id = 0}
group = {id = 0}
mode = 420 # 0644
contents = {
source = format(
"data:text/plain;base64,%s",
base64encode(file("${path.module}/files/sftp/ign_files_init.container"))
)
}
}
sftp_ignition_files_volume_file = {
path = "/etc/containers/systemd/ign_files.volume"
user = {id = 0}
group = {id = 0}
mode = 420 # 0644
contents = {
source = format(
"data:text/plain;base64,%s",
base64encode(file("${path.module}/files/sftp/ign_files.volume"))
)
}
}
sftp_filesystems = [
local.sftp_keys_filesystem,
local.dhcp_config_filesystem,
local.ignition_files_filesystem,
]
sftp_directories = [
local.sftp_build_dir,
]
sftp_files = concat(
[
local.sftp_keys_volume_file,
local.sftp_init_keys_container_file,
local.sftp_container_file,
local.sftp_containerfile_file,
local.sftp_dhcp_config_init_container,
local.sftp_dhcp_config_volume_file,
local.sftp_ignition_files_init_container,
local.sftp_ignition_files_volume_file,
],
module.sftp.files
)
# we can safely ignore the systemd units and users since all of them go in the container and we already took care of it in the Containerfile
}