cirno: Block port 22, deploy via Tailscale instead

Current xz library contains a backdoor that permits unauthorized access via affected ssh. This commit blocks port 22 via AWS firewall and instead deploys via Tailscale's private network. This commit also modifies ssh to prefer Tailscale's private network over the public IP reported by Terraform. See: - https://www.openwall.com/lists/oss-security/2024/03/29/4 - https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
acmcsufoss · Mar 30, 2024 · a49ab30 · a49ab30
1 parent 51485d3
commit a49ab30
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 17 deletions.
diff --git a/main.tf b/main.tf
@@ -37,6 +37,7 @@ resource "aws_key_pair" "secrets_ssh" {
 }
 
 module "cirno" {
+	host = "cirno.${var.tailnet_name}.ts.net"
 	source = "./servers/cirno"
 	key_name = aws_key_pair.secrets_ssh.key_name
 	ssh_private_key_file = local.ssh.private_key

diff --git a/scripts/ip b/scripts/ip
@@ -22,16 +22,6 @@ ip::find() {
 	local name
 	name="$1"
 
-	local awsIP
-	awsIP=$(jq -r \
-		--arg name "$name" \
-		'.resources[] | select(.type == "aws_instance") | select(.name == $name) | .instances[].attributes.public_ip // empty' \
-		./secrets/terraform.tfstate)
-	if [[ "$awsIP" != "" ]]; then
-		echo "$awsIP"
-		return
-	fi
-
 	if [[ -z "$TAILNET_NAME" ]]; then
 		echo "TAILNET_NAME is not set" >&2
 		return 1
@@ -42,6 +32,16 @@ ip::find() {
 		return
 	fi
 
+	local awsIP
+	awsIP=$(jq -r \
+		--arg name "$name" \
+		'.resources[] | select(.type == "aws_instance") | select(.name == $name) | .instances[].attributes.public_ip // empty' \
+		./secrets/terraform.tfstate)
+	if [[ "$awsIP" != "" ]]; then
+		echo "$awsIP"
+		return
+	fi
+
 	return 1
 }
 

diff --git a/secrets/terraform.tfstate b/secrets/terraform.tfstate
diff --git a/secrets/terraform.tfstate.backup b/secrets/terraform.tfstate.backup
diff --git a/servers/cirno/main.tf b/servers/cirno/main.tf
@@ -13,13 +13,19 @@ variable "ssh_private_key_file" {
 	type = string
 }
 
+variable "host" {
+	description = "The host to use, otherwise the AWS public IP is used"
+	type = string
+	default = null
+}
+
 resource "aws_security_group" "cirno" {
-	ingress {
-		from_port = 22
-		to_port = 22
-		protocol = "tcp"
-		cidr_blocks = [ "0.0.0.0/0" ]
-	}
+	# ingress {
+	# 	from_port = 22
+	# 	to_port = 22
+	# 	protocol = "tcp"
+	# 	cidr_blocks = [ "0.0.0.0/0" ]
+	# }
 	ingress {
 		from_port = 80
 		to_port = 80
@@ -67,7 +73,7 @@ resource "aws_instance" "cirno" {
 module "deployment" {
 	source = "git::https://github.com/diamondburned/terraform-nixos.git//deploy_nixos?ref=9d26ace355b2ed7d64a253b11ab12395a1395030"
 	nixos_config = "${path.module}"
-	target_host = aws_instance.cirno.public_ip
+	target_host = var.host != null ? var.host : aws_instance.cirno.public_ip
 	ssh_private_key_file = var.ssh_private_key_file
 	ssh_agent = false
 	hermetic = true