129 lines
4 KiB
Terraform
129 lines
4 KiB
Terraform
|
terraform {
|
||
|
|
required_version = ">=1.6.2"
|
||
|
|
}
|
||
|
|
|
||
|
|
locals {
|
||
|
|
sshd_config_file = {
|
||
|
|
path = "${var.base_config_dir}/sshd_config"
|
||
|
|
overwrite = true
|
||
|
|
user = {id = 0}
|
||
|
|
group = {id = 0}
|
||
|
|
mode = 384 # "0600"
|
||
|
|
contents = {
|
||
|
|
source = format(
|
||
|
|
"data:text/plain;base64,%s",
|
||
|
|
base64encode(templatefile(
|
||
|
|
"${path.module}/files/sshd_config.tftpl",
|
||
|
|
{
|
||
|
|
use_socket_activation = var.use_socket_activation
|
||
|
|
listen_unix = var.listen_unix
|
||
|
|
address_family = var.address_family
|
||
|
|
listen_addresses = var.listen_addresses
|
||
|
|
listen_port = var.listen_port
|
||
|
|
allow_users = join(" ", var.allow_users)
|
||
|
|
allow_groups = join(" ", var.allow_groups)
|
||
|
|
sftp_only = tostring(var.sftp_only)
|
||
|
|
allow_tcp_forwarding = tostring(var.allow_tcp_forwarding)
|
||
|
|
ciphers_algos = join(",", var.ciphers_algos)
|
||
|
|
macs_algos = join(",", var.macs_algos)
|
||
|
|
key_exchange_algos = join(",", var.key_exchange_algos)
|
||
|
|
host_key_algorithms = join(",", var.host_key_algorithms)
|
||
|
|
pub_key_accepted_algorithms = join(",", var.pub_key_accepted_algorithms)
|
||
|
|
host_keys = var.host_keys
|
||
|
|
rekey_limit = var.rekey_limit
|
||
|
|
client_alive_count_max = tostring(var.client_alive_count_max)
|
||
|
|
client_alive_interval = tostring(var.client_alive_interval)
|
||
|
|
max_auth_tries = tostring(var.max_auth_tries)
|
||
|
|
max_sessions = tostring(var.max_sessions)
|
||
|
|
max_startups = tostring(var.max_startup)
|
||
|
|
chrooted_users = var.chrooted_users
|
||
|
|
}
|
||
|
|
))
|
||
|
|
)
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
disable_sshd_socket_systemd_unit = {
|
||
|
|
name = "sshd.socket"
|
||
|
|
enabled = false
|
||
|
|
}
|
||
|
|
|
||
|
|
enable_sshd_socket_systemd_unit = {
|
||
|
|
name = "sshd.socket"
|
||
|
|
enabled = true
|
||
|
|
dropins = [
|
||
|
|
{
|
||
|
|
name = "listen.conf"
|
||
|
|
contents = templatefile(
|
||
|
|
"${path.module}/files/sshd.socket",
|
||
|
|
{
|
||
|
|
listen_addresses = var.listen_addresses
|
||
|
|
listen_port = var.listen_port
|
||
|
|
listen_unix = var.listen_unix
|
||
|
|
}
|
||
|
|
)
|
||
|
|
}
|
||
|
|
]
|
||
|
|
}
|
||
|
|
|
||
|
|
unix_socket_tmpfile_file = {
|
||
|
|
path = "/etc/tmpfiles.d/sshd.conf"
|
||
|
|
user = {id = 0}
|
||
|
|
group = {id = 0}
|
||
|
|
mode = 420 # 0644
|
||
|
|
contents = {
|
||
|
|
source = format(
|
||
|
|
"data:text/plain;base64,%s",
|
||
|
|
base64encode(file("${path.module}/files/tmpfiles.conf"))
|
||
|
|
)
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
use_unix_socket_files = {
|
||
|
|
false = []
|
||
|
|
true = [local.unix_socket_tmpfile_file]
|
||
|
|
}
|
||
|
|
|
||
|
|
disable_sshd_service_systemd_unit = {
|
||
|
|
name = "sshd.service"
|
||
|
|
enabled = false
|
||
|
|
}
|
||
|
|
|
||
|
|
enable_sshd_service_systemd_unit = {
|
||
|
|
name = "sshd.service"
|
||
|
|
enabled = true
|
||
|
|
}
|
||
|
|
|
||
|
|
systemd_units_on_socket_activation = {
|
||
|
|
false = [
|
||
|
|
local.disable_sshd_socket_systemd_unit,
|
||
|
|
local.enable_sshd_service_systemd_unit,
|
||
|
|
]
|
||
|
|
true = [
|
||
|
|
local.enable_sshd_socket_systemd_unit,
|
||
|
|
local.disable_sshd_service_systemd_unit,
|
||
|
|
]
|
||
|
|
}
|
||
|
|
|
||
|
|
chrooted_users = [
|
||
|
|
for idx, user in var.chrooted_users:
|
||
|
|
{
|
||
|
|
name = user.username
|
||
|
|
uid = 2000 + idx
|
||
|
|
primaryGroup = user.username
|
||
|
|
noUserGroup = true
|
||
|
|
sshAuthorizedKeys = [
|
||
|
|
user.ssh_public_key
|
||
|
|
]
|
||
|
|
}
|
||
|
|
]
|
||
|
|
|
||
|
|
chrooted_groups = [
|
||
|
|
for idx, user in var.chrooted_users:
|
||
|
|
{
|
||
|
|
name = user.username
|
||
|
|
gid = 2000 + idx
|
||
|
|
}
|
||
|
|
]
|
||
|
|
}
|