From 23bf44120bda76db612d93006817016a4cba7d33 Mon Sep 17 00:00:00 2001 From: jdormit Date: Sat, 17 Aug 2024 13:50:23 -0400 Subject: [PATCH] Update DigitalOcean SSH keys & configure Gitea server Consolidated SSH keys definitions by removing redundant entries and moving a key to a more appropriate resource. Updated SSH service configuration for improved security and management. Applied changes to Packer build, including updating the OS version to Ubuntu 24-04 and configuring SSH and necessary dependencies. Adjusted certbot-renew service and related Packer scripts. --- .../do-ssh-keys/terraform/.terraform.lock.hcl | 1 + mgmt/do-ssh-keys/terraform/main.tf | 15 +-- mgmt/do-ssh-keys/terraform/outputs.tf | 8 -- prod/gitea/packer/files/certbot-renew.service | 3 +- prod/gitea/packer/files/sshd_config | 122 ++++++++++++++++++ prod/gitea/packer/gitea.json | 7 +- prod/gitea/packer/packer-manifest.json | 11 +- prod/gitea/packer/scripts/dependencies.sh | 2 + prod/gitea/packer/scripts/nginx.sh | 3 + terraform-modules/packer_droplet/main.tf | 3 +- 10 files changed, 152 insertions(+), 23 deletions(-) create mode 100644 prod/gitea/packer/files/sshd_config diff --git a/mgmt/do-ssh-keys/terraform/.terraform.lock.hcl b/mgmt/do-ssh-keys/terraform/.terraform.lock.hcl index 2a8e640..6b8787e 100644 --- a/mgmt/do-ssh-keys/terraform/.terraform.lock.hcl +++ b/mgmt/do-ssh-keys/terraform/.terraform.lock.hcl @@ -5,6 +5,7 @@ provider "registry.terraform.io/digitalocean/digitalocean" { version = "2.19.0" constraints = "~> 2.19.0" hashes = [ + "h1:XcLoKA2a1MR4foSFeFbJgCADRvsXtN9SyIiJX0fSGys=", "h1:z3FmDpOuKq+bOYgFE5MtFpXjOL2gAbtutL4jeAd9rJE=", "zh:01cee85343dee2dfc01499e19ef4e56b0c9260eee0a47329231cf500c07b4386", "zh:099eeddf9baf9c282430231da501a8b96b3fb28507ce3b78e3a185cc9d4b3860", diff --git a/mgmt/do-ssh-keys/terraform/main.tf b/mgmt/do-ssh-keys/terraform/main.tf index f720f6f..0a51fbb 100644 --- a/mgmt/do-ssh-keys/terraform/main.tf +++ b/mgmt/do-ssh-keys/terraform/main.tf 
@@ -9,17 +9,12 @@ resource "digitalocean_ssh_key" "jdormit_laptop" { public_key = "ssh-rsa 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 jeremy.dormitzer@gmail.com" } +moved { + from = digitalocean_ssh_key.jdormit_macbook_lola + to = digitalocean_ssh_key.jdormit_macbook +} + resource "digitalocean_ssh_key" "jdormit_macbook" { name = "jdormit-macbook" - public_key = "ssh-rsa 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 jdormitzer@BOSMM2T13LQH03Q" -} - -resource "digitalocean_ssh_key" "jdormit_macbook_lola" { - name = "jdormit-macbook-lola" public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgtweszDBXhSW3ceaTWmCc/2M6tqCNClooaOWCubdfGxw+n7mJwKmH/zXvlJaW3FYIZw9oX04FkqPPfBOP58Tr/csyjIrkbVQ4Ns1ajVvavmF3+XuzFAzJnBXHLdPdQg6ajyOWljQMr6cQYpAsEp5iMwfU4CQiUkAM3gF5Dw+Xl8uqrnhwhJmDxiSVPfdpx5eW7U07twVGYFJG6GMnEfSX6xn5b2fYqGu3wxiDrydeVHgEjc/CnrIqtEM8XFTmOjeoHpPzcDPjfE0bHOp3h2vuyWX02pJGZUFew3E883iuxutPSIQvDD+fRrWbfJ5XlGwV5lyrFe68xXU8grCWJlOZ jdormit@Jeremys-MacBook-Pro.local" } - -resource "digitalocean_ssh_key" "jdormit_macbook_spotify" { - name = "jdormit-macbook-spotify" - public_key = "ssh-rsa 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 jdormitzer@MM2NY6LN94" -} diff --git a/mgmt/do-ssh-keys/terraform/outputs.tf b/mgmt/do-ssh-keys/terraform/outputs.tf index 2d5e31c..f2e9e42 100644 --- a/mgmt/do-ssh-keys/terraform/outputs.tf +++ b/mgmt/do-ssh-keys/terraform/outputs.tf @@ -5,11 +5,3 @@ output "jdormit_laptop_ssh_key_id" { output "jdormit_macbook_ssh_key_id" { value = digitalocean_ssh_key.jdormit_macbook.id } - -output "jdormit_macbook_lola_ssh_key_id" { - value = digitalocean_ssh_key.jdormit_macbook_lola.id -} - -output "jdormit_macbook_spotify_ssh_key_id" { - value = digitalocean_ssh_key.jdormit_macbook_spotify.id -} diff --git a/prod/gitea/packer/files/certbot-renew.service b/prod/gitea/packer/files/certbot-renew.service index 8c4c0e1..ff4d519 100644 --- a/prod/gitea/packer/files/certbot-renew.service 
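Review bot: The `moved` block points `digitalocean_ssh_key.jdormit_macbook_lola` at an address that the previous configuration already declared as a live resource, so unless `digitalocean_ssh_key.jdormit_macbook` (the BOSMM2T13LQH03Q key) has already been dropped from the state out of band, Terraform will block the move at plan time because an object already exists at the destination. The retired key has to leave the state before the rename can apply: `terraform state rm digitalocean_ssh_key.jdormit_macbook` (and deleting the key in DigitalOcean by hand), or a `removed` block if the Terraform version in use is new enough to support one. A short comment above the block, e.g. `# the lola key takes over the jdormit_macbook address; the old macbook key was retired`, would also record why the move exists.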
+++ b/prod/gitea/packer/files/certbot-renew.service @@ -3,5 +3,6 @@ Description=Renew certbot certificates Wants=cerbot-renew.timer [Service] -Type=simple +Type=oneshot ExecStart=/usr/bin/env certbot renew +ExecStartPost=/usr/bin/env systemctl restart nginx diff --git a/prod/gitea/packer/files/sshd_config b/prod/gitea/packer/files/sshd_config new file mode 100644 index 0000000..f82ba81 --- /dev/null +++ b/prod/gitea/packer/files/sshd_config 
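Review bot: `ExecStartPost=/usr/bin/env systemctl restart nginx` restarts nginx on every timer run, including the usual case where certbot renewed nothing, and a full restart drops in-flight Gitea connections where a reload would not. Certbot can limit this to runs that actually changed a certificate: `ExecStart=/usr/bin/env certbot renew --deploy-hook "systemctl reload nginx"` and drop the ExecStartPost line. The `Wants=cerbot-renew.timer` context line above the change looks like a misspelling of the timer unit name; worth confirming against the timer file the image ships, since a wrong name there means the service never runs on schedule.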
@@ -0,0 +1,122 @@
+# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Port 222
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin yes
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
diff --git a/prod/gitea/packer/gitea.json b/prod/gitea/packer/gitea.json
index 1b154ec..eb5f203 100644
--- a/prod/gitea/packer/gitea.json
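Review bot: `PermitRootLogin yes` lets root authenticate by any method that is enabled now or by a later include, which works against the "improved security" this commit describes; because the droplet's DigitalOcean keys are installed for root and `PasswordAuthentication no` is already set, `PermitRootLogin prohibit-password` keeps the key-based root access the build relies on while refusing password and keyboard-interactive root logins regardless of other settings. `X11Forwarding yes` has no use on a headless Gitea host and should read `X11Forwarding no`. The file is the 2017 OpenBSD template and, unlike the sshd_config that Ubuntu 24.04 ships, carries no `Include /etc/ssh/sshd_config.d/*.conf` line, so the drop-ins that cloud-init and the package place in that directory are no longer read — worth either adding the Include at the top or stating in a header comment that drop-ins are intentionally ignored. On the OpenSSH that 24.04 ships, `ChallengeResponseAuthentication` is a deprecated alias; `KbdInteractiveAuthentication no` is the current spelling.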
+++ b/prod/gitea/packer/gitea.json @@ -2,7 +2,7 @@ "builders": [ { "type": "digitalocean", - "image": "ubuntu-23-10-x64", + "image": "ubuntu-24-04-x64", "region": "nyc1", "size": "s-1vcpu-1gb", "snapshot_name": "packer-gitea-{{timestamp}}", @@ -52,6 +52,11 @@ "source": "files/certbot-renew.service", "destination": "/tmp/certbot-renew.service" }, + { + "type": "file", + "source": "files/sshd_config", + "destination": "/tmp/sshd_config" + }, { "type": "shell", "script": "scripts/nginx.sh" diff --git a/prod/gitea/packer/packer-manifest.json b/prod/gitea/packer/packer-manifest.json index 883e1d4..0fa4fb7 100644 --- a/prod/gitea/packer/packer-manifest.json +++ b/prod/gitea/packer/packer-manifest.json @@ -152,7 +152,16 @@ "artifact_id": "nyc1:149969417", "packer_run_uuid": "293e17d9-aa9f-292c-eed6-7117c5f34479", "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1723915250, + "files": null, + "artifact_id": "nyc1:163229340", + "packer_run_uuid": "7eb25857-c225-7ca3-499f-0ca2b6777a86", + "custom_data": null } ], - "last_run_uuid": "293e17d9-aa9f-292c-eed6-7117c5f34479" + "last_run_uuid": "7eb25857-c225-7ca3-499f-0ca2b6777a86" } \ No newline at end of file diff --git a/prod/gitea/packer/scripts/dependencies.sh b/prod/gitea/packer/scripts/dependencies.sh index 7e2e3da..9f0c7f1 100644 --- a/prod/gitea/packer/scripts/dependencies.sh +++ b/prod/gitea/packer/scripts/dependencies.sh @@ -2,6 +2,8 @@ set -ex +sudo apt-get clean +sudo add-apt-repository universe sudo apt-get update sleep 2 sudo apt-get install -y \ diff --git a/prod/gitea/packer/scripts/nginx.sh b/prod/gitea/packer/scripts/nginx.sh index 5a3cb9d..e133b75 100644 --- a/prod/gitea/packer/scripts/nginx.sh +++ b/prod/gitea/packer/scripts/nginx.sh @@ -22,3 +22,6 @@ sudo ln -s /etc/nginx/sites-available/gitea.conf \ sudo unlink /etc/nginx/sites-enabled/default sudo systemctl enable nginx + +sudo mv /tmp/sshd_config /etc/ssh/sshd_config +sudo systemctl restart ssh 
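Review bot: `sudo add-apt-repository universe` refreshes the package index on its own unless `--no-update` is passed (on the software-properties version 24.04 ships, as far as I know), so the `sudo apt-get update` on the next line runs the same refresh a second time during every build. `sudo add-apt-repository -y --no-update universe` keeps the explicit update below as the single refresh and avoids any interactive prompt under `set -ex`. A one-line comment such as `# gitea's dependencies live in the universe component` would explain why the repository is enabled at all.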
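Review bot: `sudo mv /tmp/sshd_config /etc/ssh/sshd_config` keeps whatever owner and mode the Packer upload arrived with and the following restart applies the file unvalidated, so a bad directive would leave the snapshot with no reachable sshd; `sudo install -o root -g root -m 0644 /tmp/sshd_config /etc/ssh/sshd_config` followed by `sudo sshd -t` before the restart pins ownership and fails the build instead of the image. The new file moves sshd to port 222 mid-build, so any provisioner that runs after nginx.sh and reconnects would need the new port — the provisioner list continues outside this hunk, so I cannot tell whether one exists. If the 24.04 image uses the socket-activated ssh.socket that Ubuntu enables by default, the listening port is taken from the socket unit rather than from a plain `systemctl restart ssh`, so the built image may still answer on 22; confirm with `ss -ltnp` on a test droplet and use `systemctl daemon-reload` plus a restart of ssh.socket if so. Placing the sshd setup inside nginx.sh also hides it from anyone reading the script names; a dedicated `scripts/sshd.sh` provisioner would be clearer.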
diff --git a/terraform-modules/packer_droplet/main.tf b/terraform-modules/packer_droplet/main.tf index 32c4c49..98f4e8d 100644 --- a/terraform-modules/packer_droplet/main.tf +++ b/terraform-modules/packer_droplet/main.tf @@ -39,7 +39,6 @@ resource "digitalocean_droplet" "droplet" { tags = var.tags ssh_keys = [ data.terraform_remote_state.do_ssh_keys.outputs.jdormit_laptop_ssh_key_id, - data.terraform_remote_state.do_ssh_keys.outputs.jdormit_macbook_lola_ssh_key_id, - data.terraform_remote_state.do_ssh_keys.outputs.jdormit_macbook_spotify_ssh_key_id + data.terraform_remote_state.do_ssh_keys.outputs.jdormit_macbook_ssh_key_id, ] }