feat(terraform): ovh stable
Darkness4 committed Nov 16, 2022
1 parent 51a09b4 commit 662c312
Showing 31 changed files with 528 additions and 267 deletions.
5 changes: 2 additions & 3 deletions terraform/exoscale/examples/de-fra/versions.tf
@@ -1,10 +1,9 @@
terraform {
required_version = ">= 1.2.0"
required_version = ">= 1.3.0"
required_providers {
exoscale = {
source = "exoscale/exoscale"
version = "~> 0.40.0"
version = "~> 0.41.0"
}
}
experiments = [module_variable_optional_attrs]
}
2 changes: 1 addition & 1 deletion terraform/exoscale/modules/k0s_instances/main.tf
Expand Up @@ -4,7 +4,7 @@

locals {
user_datas = [
for instance in var.k0s_instances : templatefile("templates/user_data.tftpl", {
for instance in var.k0s_instances : templatefile("${path.module}/templates/user_data.tftpl", {
ssh_keys = var.ssh_keys
ostype = instance.ostype
addresses = instance.addresses
Expand Up @@ -42,12 +42,6 @@ write_files:
search ${search}
%{ endif }

%{ if is_storage ~}
- path: /etc/exports
content: |
/srv/nfs *(rw,sync,no_root_squash,no_subtree_check)
%{ endif ~}

runcmd:
%{ if ostype == "ubuntu" ~}
- [ netplan, apply ]
3 changes: 1 addition & 2 deletions terraform/exoscale/modules/k0s_instances/versions.tf
@@ -1,10 +1,9 @@
terraform {
required_version = ">= 1.2.0"
required_version = ">= 1.3.0"
required_providers {
exoscale = {
source = "exoscale/exoscale"
version = "~> 0.41.0"
}
}
experiments = [module_variable_optional_attrs]
}
118 changes: 67 additions & 51 deletions terraform/exoscale/modules/router/templates/user_data.tftpl
@@ -1,56 +1,75 @@
#cloud-config
disable_root: false

ssh_authorized_keys:
${indent(2, yamlencode(ssh_keys))}
users:
- name: vyos
ssh_authorized_keys:
${indent(6, yamlencode(ssh_keys))}

vyos_config_commands:
- set service ssh port 22
- set interfaces loopback lo address ${public_ip}
- set interfaces ethernet eth1 address ${addresses}
- delete system login user vyos authentication encrypted-password
- delete system login user vyos authentication plaintext-password
- set service ssh port '22'
- set interfaces ethernet eth0 address 'dhcp'
- set interfaces ethernet eth0 description 'Outside Network'
- set interfaces ethernet eth0 mtu '1500'
- set interfaces ethernet eth0 address '${public_ip}/32'
- set interfaces ethernet eth1 address '${addresses}'
- set interfaces ethernet eth1 mtu '9000'
- set interfaces ethernet eth1 description 'LAN Private Network'
- set firewall name OUTSIDE_LOCAL rule 10 action accept
- set firewall name OUTSIDE_LOCAL rule 10 description 'Allow established/related'
- set firewall name OUTSIDE_LOCAL rule 10 state established enable
- set firewall name OUTSIDE_LOCAL rule 10 state related enable
- set firewall name OUTSIDE_LOCAL rule 20 action accept
- set firewall name OUTSIDE_LOCAL rule 20 description WireGuard_IN
- set firewall name OUTSIDE_LOCAL rule 20 log enable
- set firewall name OUTSIDE_LOCAL rule 20 protocol udp
- set firewall name OUTSIDE_LOCAL rule 20 source
- set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'

- set firewall name OUTSIDE-IN default-action 'drop'
- set firewall name OUTSIDE-IN rule 10 action 'accept'
- set firewall name OUTSIDE-IN rule 10 description 'Allow established/related'
- set firewall name OUTSIDE-IN rule 10 state established 'enable'
- set firewall name OUTSIDE-IN rule 10 state related 'enable'
- set firewall name OUTSIDE-LOCAL default-action 'drop'
- set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
- set firewall name OUTSIDE-LOCAL rule 10 description 'Allow established/related'
- set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
- set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
- set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
- set firewall name OUTSIDE-LOCAL rule 20 description 'Allow ICMP'
- set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
- set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
- set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
- set firewall name OUTSIDE-LOCAL rule 30 action 'accept'
- set firewall name OUTSIDE-LOCAL rule 30 description 'Allow SSH'
- set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
- set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
- set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
- set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
- set firewall name OUTSIDE-LOCAL rule 40 description 'Allow WireGuard-IN'
- set firewall name OUTSIDE-LOCAL rule 40 destination port '51820'
- set firewall name OUTSIDE-LOCAL rule 40 log 'enable'
- set firewall name OUTSIDE-LOCAL rule 40 protocol 'udp'
- set firewall name OUTSIDE-LOCAL rule 40 source
- set firewall interface eth0 in name 'OUTSIDE-IN'
- set firewall interface eth0 local name 'OUTSIDE-LOCAL'
- set protocols bgp system-as '${bgp_asn}'

%{~ for vpn in wireguard_vpns ~}
- set interfaces wireguard ${vpn.interface} port '${vpn.port}'
- set firewall name OUTSIDE_LOCAL rule 20 destination port ${vpn.port}
- set interfaces wireguard ${vpn.interface} private-key '${vpn.private_key}'
- set interfaces wireguard ${vpn.interface} address '${vpn.address}'
- set interfaces wireguard ${vpn.interface} description 'VPN-to-${vpn.peer.name}'
- set interfaces wireguard ${vpn.interface} peer ${vpn.peer.name} allowed-ips '0.0.0.0/0'
- set interfaces wireguard ${vpn.interface} peer ${vpn.peer.name} endpoint '${vpn.peer.endpoint}'
- set interfaces wireguard ${vpn.interface} peer ${vpn.peer.name} public-key '${vpn.peer.public_key}'
- set interfaces wireguard ${vpn.interface} peer ${vpn.peer.name} preshared-key '${vpn.peer.preshared_key}'

- set interfaces wireguard '${vpn.interface}' port '${vpn.port}'
- set firewall name OUTSIDE_LOCAL rule 20 destination port '${vpn.port}'
- set interfaces wireguard '${vpn.interface}' private-key '${vpn.private_key}'
- set interfaces wireguard '${vpn.interface}' address '${vpn.address}'
- set interfaces wireguard '${vpn.interface}' description 'VPN-to-${vpn.peer.name}'
- set interfaces wireguard '${vpn.interface}' peer '${vpn.peer.name}' allowed-ips '0.0.0.0/0'
- set interfaces wireguard '${vpn.interface}' peer '${vpn.peer.name}' endpoint '${vpn.peer.endpoint}'
- set interfaces wireguard '${vpn.interface}' peer '${vpn.peer.name}' public-key '${vpn.peer.public_key}'
- set interfaces wireguard '${vpn.interface}' peer '${vpn.peer.name}' preshared-key '${vpn.peer.preshared_key}'
%{~ for index, prefix in vpn.bgp.exports ~}
- set policy prefix-list 'BGP-${vpn.peer.name}-OUT' rule ${index} prefix '${prefix}'
- set policy prefix-list 'BGP-${vpn.peer.name}-OUT' rule ${index} action 'allow'
%{~ endfor ~}
- set policy prefix-list 'BGP-${vpn.peer.name}-OUT' rule 1000 prefix '0.0.0.0/0'
- set policy prefix-list 'BGP-${vpn.peer.name}-OUT' rule 1000 action 'deny'

- set protocols bgp neighbor ${vpn.bgp.peer.address} remote-as '${vpn.bgp.peer.asn}'
- set protocols bgp neighbor ${vpn.bgp.peer.address} description 'BGP-with-${vpn.peer.name}'
- set protocols bgp neighbor ${vpn.bgp.peer.address} address-family ipv4-unicast prefix-list export 'BGP-${vpn.peer.name}-OUT'
- set protocols bgp neighbor '${vpn.bgp.peer.address}' remote-as '${vpn.bgp.peer.asn}'
- set protocols bgp neighbor '${vpn.bgp.peer.address}' description 'BGP-with-${vpn.peer.name}'
- set protocols bgp neighbor '${vpn.bgp.peer.address}' address-family ipv4-unicast prefix-list export 'BGP-${vpn.peer.name}-OUT'
%{~ endfor ~}

- set vpn ipsec esp-group ESP_DEFAULT compression 'disable'
- set vpn ipsec esp-group ESP_DEFAULT lifetime '1800'
- set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
- set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
- set vpn ipsec esp-group ESP_DEFAULT pfs 'enable'
- set vpn ipsec esp-group ESP_DEFAULT proposal 1 encryption 'aes256gcm128'
- set vpn ipsec esp-group ESP_DEFAULT proposal 1 dh-group 14
- set vpn ipsec esp-group ESP_DEFAULT proposal 1 hash 'sha512'
- set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'clear'
- set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
Expand All @@ -61,29 +80,26 @@ vyos_config_commands:
- set vpn ipsec ike-group IKEv2_DEFAULT proposal 1 encryption 'aes256gcm128'
- set vpn ipsec ike-group IKEv2_DEFAULT proposal 1 dh-group '14'
- set vpn ipsec ike-group IKEv2_DEFAULT proposal 1 hash 'sha512'

%{~ for vpn_index,vpn in ipsec_vpns ~}
- set interfaces vti vti${vpn_index} address '${vpn.address}'
- set vpn ipsec interface 'eth0.${vpn_index}'
- set vpn ipsec site-to-site peer ${vpn.peer.address} authentication id '${public_ip}'
- set vpn ipsec site-to-site peer ${vpn.peer.address} authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer ${vpn.peer.address} authentication pre-shared-secret '${vpn.peer.shared_key}'
- set vpn ipsec site-to-site peer ${vpn.peer.address} authentication remote-id '${vpn.peer.address}'
- set vpn ipsec site-to-site peer ${vpn.peer.address} connection-type 'initiate'
- set vpn ipsec site-to-site peer ${vpn.peer.address} ike-group 'IKEv2_DEFAULT'
- set vpn ipsec site-to-site peer ${vpn.peer.address} ikev2-reauth 'inherit'
- set vpn ipsec site-to-site peer ${vpn.peer.address} local-address '${public_ip}'
- set vpn ipsec site-to-site peer ${vpn.peer.address} vti bind 'vti${vpn_index}'
- set vpn ipsec site-to-site peer ${vpn.peer.address} vti esp-group 'ESP_DEFAULT'

- set vpn ipsec site-to-site peer '${vpn.peer.address}' authentication id '${public_ip}'
- set vpn ipsec site-to-site peer '${vpn.peer.address}' authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer '${vpn.peer.address}' authentication pre-shared-secret '${vpn.peer.shared_key}'
- set vpn ipsec site-to-site peer '${vpn.peer.address}' authentication remote-id '${vpn.peer.address}'
- set vpn ipsec site-to-site peer '${vpn.peer.address}' connection-type 'initiate'
- set vpn ipsec site-to-site peer '${vpn.peer.address}' ike-group 'IKEv2_DEFAULT'
- set vpn ipsec site-to-site peer '${vpn.peer.address}' ikev2-reauth 'inherit'
- set vpn ipsec site-to-site peer '${vpn.peer.address}' local-address '${public_ip}'
- set vpn ipsec site-to-site peer '${vpn.peer.address}' vti bind 'vti${vpn_index}'
- set vpn ipsec site-to-site peer '${vpn.peer.address}' vti esp-group 'ESP_DEFAULT'
%{~ for index, prefix in vpn.bgp.exports ~}
- set policy prefix-list 'BGP-${vpn.peer.address}-OUT' rule ${index} prefix '${prefix}'
- set policy prefix-list 'BGP-${vpn.peer.address}-OUT' rule ${index} action 'allow'
%{~ endfor ~}
- set policy prefix-list 'BGP-${vpn.peer.address}-OUT' rule 1000 prefix '0.0.0.0/0'
- set policy prefix-list 'BGP-${vpn.peer.address}-OUT' rule 1000 action 'deny'

- set protocols bgp neighbor ${vpn.bgp.peer.address} remote-as '${vpn.bgp.peer.asn}'
- set protocols bgp neighbor ${vpn.bgp.peer.address} description 'BGP-with-${vpn.peer.address}'
- set protocols bgp neighbor ${vpn.bgp.peer.address} address-family ipv4-unicast prefix-list export 'BGP-${vpn.peer.address}-OUT'
- set protocols bgp neighbor '${vpn.bgp.peer.address}' remote-as '${vpn.bgp.peer.asn}'
- set protocols bgp neighbor '${vpn.bgp.peer.address}' description 'BGP-with-${vpn.peer.address}'
- set protocols bgp neighbor '${vpn.bgp.peer.address}' address-family ipv4-unicast prefix-list export 'BGP-${vpn.peer.address}-OUT'
%{~ endfor ~}
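Review bot: In the WireGuard loop, `- set firewall name OUTSIDE_LOCAL rule 20 destination port '${vpn.port}'` still targets the old underscore-named ruleset and rule number, while the chain actually attached by `set firewall interface eth0 local name 'OUTSIDE-LOCAL'` is `OUTSIDE-LOCAL` and its rule 20 is now the ICMP rule; the per-tunnel port is therefore never opened in the active chain, and the orphan `OUTSIDE_LOCAL` rule 20 carries no action, which VyOS is likely to reject at commit. The static rule 40 only covers `'51820'`, and because every iteration writes the same rule number, tunnels on other ports would also overwrite each other. A per-tunnel rule keyed on the loop index fixes both, as sketched below; the `- set firewall name OUTSIDE-LOCAL rule 40 source` line also appears to end without a value, so check whether the template was truncated. Separately, the private keys and pre-shared secrets interpolated here become part of the instance user-data, which is typically readable from the metadata service on the instance and is stored in Terraform state, so the variables feeding them should be declared `sensitive = true` (their declarations are not in this commit).
```yaml
  - set firewall interface eth0 in name 'OUTSIDE-IN'
  - set firewall interface eth0 local name 'OUTSIDE-LOCAL'
  - set protocols bgp system-as '${bgp_asn}'

%{~ for vpn_index, vpn in wireguard_vpns ~}
  # one OUTSIDE-LOCAL rule per tunnel, numbered from 40; replaces the static rule 40 block
  - set firewall name OUTSIDE-LOCAL rule ${40 + vpn_index} action 'accept'
  - set firewall name OUTSIDE-LOCAL rule ${40 + vpn_index} description 'Allow WireGuard-IN ${vpn.interface}'
  - set firewall name OUTSIDE-LOCAL rule ${40 + vpn_index} destination port '${vpn.port}'
  - set firewall name OUTSIDE-LOCAL rule ${40 + vpn_index} log 'enable'
  - set firewall name OUTSIDE-LOCAL rule ${40 + vpn_index} protocol 'udp'
  - set interfaces wireguard '${vpn.interface}' port '${vpn.port}'
  # … unchanged: private-key, address, description, peer, prefix-list and bgp neighbor lines …
%{~ endfor ~}
```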
3 changes: 1 addition & 2 deletions terraform/exoscale/modules/router/versions.tf
@@ -1,10 +1,9 @@
terraform {
required_version = ">= 1.2.0"
required_version = ">= 1.3.0"
required_providers {
exoscale = {
source = "exoscale/exoscale"
version = "~> 0.41.0"
}
}
experiments = [module_variable_optional_attrs]
}
2 changes: 1 addition & 1 deletion terraform/exoscale/modules/storage/main.tf
Expand Up @@ -31,7 +31,7 @@ resource "exoscale_compute_instance" "storage" {
disk_size = var.root_disk_size
labels = local.labels
network_interface {
network_id = var.network_id
network_id = var.network_id
}

user_data = local.user_data
3 changes: 1 addition & 2 deletions terraform/exoscale/modules/storage/versions.tf
@@ -1,10 +1,9 @@
terraform {
required_version = ">= 1.2.0"
required_version = ">= 1.3.0"
required_providers {
exoscale = {
source = "exoscale/exoscale"
version = "~> 0.41.0"
}
}
experiments = [module_variable_optional_attrs]
}
3 changes: 1 addition & 2 deletions terraform/exoscale/versions.tf
@@ -1,10 +1,9 @@
terraform {
required_version = ">= 1.2.0"
required_version = ">= 1.3.0"
required_providers {
exoscale = {
source = "exoscale/exoscale"
version = "~> 0.41.0"
}
}
experiments = [module_variable_optional_attrs]
}
44 changes: 0 additions & 44 deletions terraform/ovh/.terraform.lock.hcl

This file was deleted.

75 changes: 58 additions & 17 deletions terraform/ovh/examples/gra9/.terraform.lock.hcl
