# Chrooted SFTP endpoint: an sshd from the shared ../sshd module, run inside a
# container whose image, volumes and quadlet units are assembled from the
# locals below.
module "sftp" {
  source = "../sshd"

  base_config_dir       = "/var/roothome/sftp"
  use_socket_activation = true
  address_family        = "inet"
  # port sshd listens on inside the container; the host-side port is handed
  # to sftp.container.tftpl separately (see local.sftp_container_file)
  listen_port = 22
  # only the sftp subsystem is offered; every account is confined to its chroot
  sftp_only      = true
  chrooted_users = local.chrooted_users
  # NOTE(review): path under /data/ssh_keys — presumably the mount point of the
  # "ssh_keys" filesystem defined below; confirm against ssh_keys.volume
  host_keys = ["/data/ssh_keys/ssh_host_ed25519_key"]
}

locals {
  # ---- accounts ------------------------------------------------------------
  # Consumed twice: by module.sftp (sshd chroot configuration) and by the
  # Containerfile template (account creation in the image).
  # Both accounts authenticate with the same public key variable, so whoever
  # holds that key can log in as either user and reach both chroots.
  chrooted_users = [
    {
      username       = "terraform_dhcp"
      chroot         = "/data/dhcp_config"
      ssh_public_key = var.ssh_public_key_opentofu_netboot_server
    },
    {
      username       = "terraform_ignition"
      chroot         = "/data/ign_files"
      ssh_public_key = var.ssh_public_key_opentofu_netboot_server
    },
  ]

  # ---- data partitions -----------------------------------------------------
  # One ext4 filesystem per kind of data, each addressed by partition number
  # on the data device and by its filesystem label.
  sftp_keys_filesystem = {
    device = "${local.data_device_path}-part6"
    format = "ext4"
    label  = "ssh_keys"
  }

  dhcp_config_filesystem = {
    device = "${local.data_device_path}-part2"
    format = "ext4"
    label  = "dhcp_config"
  }

  ignition_files_filesystem = {
    device = "${local.data_device_path}-part5"
    format = "ext4"
    label  = "ign_files"
  }

  # ---- container build context --------------------------------------------
  # Root-owned, owner-only directory holding the Containerfile.
  sftp_build_dir = {
    path  = "/var/roothome/sftp"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 448 # octal 0700
  }

  # Containerfile rendered from the template with the chrooted account list.
  sftp_containerfile_file = {
    path  = "/var/roothome/sftp/Containerfile"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # octal 0644
    contents = {
      source = "data:text/plain;base64,${base64encode(templatefile(
        "${path.module}/files/sftp/Containerfile.tftpl",
        { chrooted_users = local.chrooted_users }
      ))}"
    }
  }

  # ---- quadlet units: ssh host keys ----------------------------------------
  sftp_keys_volume_file = {
    path  = "/etc/containers/systemd/ssh_keys.volume"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # octal 0644
    contents = {
      source = "data:text/plain;base64,${base64encode(file(
        "${path.module}/files/sftp/ssh_keys.volume"
      ))}"
    }
  }

  sftp_init_keys_container_file = {
    path  = "/etc/containers/systemd/sftp_init_keys.container"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # octal 0644
    contents = {
      source = "data:text/plain;base64,${base64encode(file(
        "${path.module}/files/sftp/sftp_init_keys.container"
      ))}"
    }
  }

  # ---- quadlet unit: the sftp service itself -------------------------------
  # internal_port must match module.sftp's listen_port; external_port is the
  # value the template receives for the host side (presumably the published
  # port — confirm in sftp.container.tftpl).
  sftp_container_file = {
    path  = "/etc/containers/systemd/sftp.container"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # octal 0644
    contents = {
      source = "data:text/plain;base64,${base64encode(templatefile(
        "${path.module}/files/sftp/sftp.container.tftpl",
        {
          internal_port = 22
          external_port = 2222
        }
      ))}"
    }
  }

  # ---- quadlet units: dhcp config data -------------------------------------
  sftp_dhcp_config_init_container = {
    path  = "/etc/containers/systemd/dhcp_config_init.container"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # octal 0644
    contents = {
      source = "data:text/plain;base64,${base64encode(file(
        "${path.module}/files/sftp/dhcp_config_init.container"
      ))}"
    }
  }

  sftp_dhcp_config_volume_file = {
    path  = "/etc/containers/systemd/dhcp_config.volume"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # octal 0644
    contents = {
      source = "data:text/plain;base64,${base64encode(file(
        "${path.module}/files/sftp/dhcp_config.volume"
      ))}"
    }
  }

  # ---- quadlet units: ignition files data ----------------------------------
  sftp_ignition_files_init_container = {
    path  = "/etc/containers/systemd/ign_files_init.container"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # octal 0644
    contents = {
      source = "data:text/plain;base64,${base64encode(file(
        "${path.module}/files/sftp/ign_files_init.container"
      ))}"
    }
  }

  sftp_ignition_files_volume_file = {
    path  = "/etc/containers/systemd/ign_files.volume"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # octal 0644
    contents = {
      source = "data:text/plain;base64,${base64encode(file(
        "${path.module}/files/sftp/ign_files.volume"
      ))}"
    }
  }

  # ---- aggregates handed to the host provisioning --------------------------
  sftp_filesystems = [
    local.sftp_keys_filesystem,
    local.dhcp_config_filesystem,
    local.ignition_files_filesystem,
  ]

  sftp_directories = [
    local.sftp_build_dir,
  ]

  # Our own quadlet/build files first, then whatever the sshd module emits.
  # The module's systemd units and user accounts are intentionally not
  # collected here: they live inside the container image, where the
  # Containerfile already creates them.
  sftp_files = concat(
    [
      local.sftp_keys_volume_file,
      local.sftp_init_keys_container_file,
      local.sftp_container_file,
      local.sftp_containerfile_file,
      local.sftp_dhcp_config_init_container,
      local.sftp_dhcp_config_volume_file,
      local.sftp_ignition_files_init_container,
      local.sftp_ignition_files_volume_file,
    ],
    module.sftp.files
  )
}