terraform {
  required_version = ">=1.6.2"
}

# Provisioning fragments (files, systemd units, passwd users/groups) that the
# rest of this module assembles into the host configuration. Only the local
# names are referenced from outside; the helper locals introduced below
# (*_template_vars, *_dropin, chroot_id_base) are internal to this block.
locals {
  # Values handed to files/sshd_config.tftpl. Lists are flattened here so the
  # template only deals with strings: AllowUsers/AllowGroups are space
  # separated, algorithm lists comma separated, numeric/bool knobs stringified.
  sshd_config_template_vars = {
    use_socket_activation       = var.use_socket_activation
    listen_unix                 = var.listen_unix
    address_family              = var.address_family
    listen_addresses            = var.listen_addresses
    listen_port                 = var.listen_port
    allow_users                 = join(" ", var.allow_users)
    allow_groups                = join(" ", var.allow_groups)
    sftp_only                   = tostring(var.sftp_only)
    allow_tcp_forwarding        = tostring(var.allow_tcp_forwarding)
    ciphers_algos               = join(",", var.ciphers_algos)
    macs_algos                  = join(",", var.macs_algos)
    key_exchange_algos          = join(",", var.key_exchange_algos)
    host_key_algorithms         = join(",", var.host_key_algorithms)
    pub_key_accepted_algorithms = join(",", var.pub_key_accepted_algorithms)
    host_keys                   = var.host_keys
    rekey_limit                 = var.rekey_limit
    client_alive_count_max      = tostring(var.client_alive_count_max)
    client_alive_interval       = tostring(var.client_alive_interval)
    max_auth_tries              = tostring(var.max_auth_tries)
    max_sessions                = tostring(var.max_sessions)
    # NOTE(review): template key is `max_startups` while the variable is
    # `var.max_startup`; confirm the name matches the module's variable
    # declaration (not visible here).
    max_startups                = tostring(var.max_startup)
    chrooted_users              = var.chrooted_users
  }

  # Rendered sshd_config, shipped as a base64 data URL. Owned by root (uid/gid 0)
  # with mode 0600 (384 decimal; this schema takes modes as integers), so the
  # access policy and algorithm selection can only be read or changed by root.
  # overwrite=true makes the rendered file replace whatever the image shipped.
  sshd_config_file = {
    path      = "${var.base_config_dir}/sshd_config"
    overwrite = true
    user      = { id = 0 }
    group     = { id = 0 }
    mode      = 384 # 0600
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(templatefile(
          "${path.module}/files/sshd_config.tftpl",
          local.sshd_config_template_vars,
        )),
      )
    }
  }

  # Drop-in that overrides the listen addresses/port (and optionally a unix
  # socket) of sshd.socket, rendered from files/sshd.socket. Unit drop-ins are
  # plain text, so no data URL here.
  sshd_socket_listen_dropin = {
    name = "listen.conf"
    contents = templatefile(
      "${path.module}/files/sshd.socket",
      {
        listen_addresses = var.listen_addresses
        listen_port      = var.listen_port
        listen_unix      = var.listen_unix
      },
    )
  }

  # Exactly one of sshd.socket / sshd.service is enabled at a time; the pair is
  # selected through systemd_units_on_socket_activation below.
  disable_sshd_service_systemd_unit = {
    name    = "sshd.service"
    enabled = false
  }

  enable_sshd_service_systemd_unit = {
    name    = "sshd.service"
    enabled = true
  }

  disable_sshd_socket_systemd_unit = {
    name    = "sshd.socket"
    enabled = false
  }

  enable_sshd_socket_systemd_unit = {
    name    = "sshd.socket"
    enabled = true
    dropins = [local.sshd_socket_listen_dropin]
  }

  # Keyed by "false"/"true" so it can be indexed with a bool (presumably
  # var.use_socket_activation elsewhere in the module; a bool index is
  # converted to its string form).
  systemd_units_on_socket_activation = {
    false = [
      local.disable_sshd_socket_systemd_unit,
      local.enable_sshd_service_systemd_unit,
    ]
    true = [
      local.enable_sshd_socket_systemd_unit,
      local.disable_sshd_service_systemd_unit,
    ]
  }

  # tmpfiles.d entry taken verbatim from files/tmpfiles.conf; root-owned,
  # world-readable (0644 = 420 decimal) like any other tmpfiles.d fragment.
  # NOTE(review): unlike sshd_config_file this one sets no `overwrite`; confirm
  # that a pre-existing /etc/tmpfiles.d/sshd.conf is meant to be left alone.
  unix_socket_tmpfile_file = {
    path  = "/etc/tmpfiles.d/sshd.conf"
    user  = { id = 0 }
    group = { id = 0 }
    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
        base64encode(file("${path.module}/files/tmpfiles.conf")),
      )
    }
  }

  # Same bool-keyed lookup shape as systemd_units_on_socket_activation:
  # the tmpfiles fragment is only shipped when the unix socket is in use.
  use_unix_socket_files = {
    false = []
    true  = [local.unix_socket_tmpfile_file]
  }

  # Base for the uid/gid of chrooted accounts. Ids are derived from the entry's
  # position in var.chrooted_users, so reordering or removing an entry
  # renumbers the accounts that follow it.
  chroot_id_base = 2000

  # One passwd entry per chrooted user with a single authorized key. The user
  # is created without an implicit user group (noUserGroup=true); its primary
  # group is created explicitly in chrooted_groups with the matching gid.
  chrooted_users = [
    for i, u in var.chrooted_users : {
      name              = u.username
      uid               = local.chroot_id_base + i
      primaryGroup      = u.username
      noUserGroup       = true
      sshAuthorizedKeys = [u.ssh_public_key]
    }
  ]

  # Primary group for each chrooted user; gid mirrors the uid above.
  chrooted_groups = [
    for i, u in var.chrooted_users : {
      name = u.username
      gid  = local.chroot_id_base + i
    }
  ]
}