PermitRootLogin in sshd_config, tls provider

Author: Ujstor

.gitignore

@@ -35,7 +35,6 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
-terraform
 .terraform*
 
-.vscode
+logs

README.md

@@ -2,7 +2,10 @@
 
 Infra for utilizing Hetzner low-cost VPS and Docker containers, wrapped in [Coolify](https://coolify.io) as an all-in-one PaaS, to self-host your own applications, databases, or services.
 
-![infra](public/01_infra-diagram.png)
+<p align="center">
+  <img src="public/01_infra-diagram.png" width="600" alt="Infrastructure Diagram">
+</p>
+
 
 ## Prerequisites
 
@@ -47,7 +50,7 @@ Initialize Terraform and apply the configuration:
 cd hetzner-infra
 terraform init --upgrade
 terraform validate
-terraform apply -auto-approve
+terraform apply
 ```
 
 ### 4. Define hosts and run ansible playbook
@@ -103,5 +106,5 @@ ssh root@<server-ip> -i ~/.ssh/self_hosted_hetzner_key.pem
 To destroy the infrastructure run the following command:
 
 ```shell
-terraform destroy -auto-approve
-```
+terraform destroy
+```

ansible/inventory/hosts

@@ -3,4 +3,4 @@
 
 [coolify-worker]
 91.107.208.20
-128.140.0.112
+128.140.0.112

ansible/playbooks/roles/common/tasks/main.yml

@@ -44,11 +44,17 @@
     name: fail2ban
     state: restarted
 
+- name: Ensure no conflicting PermitRootLogin in sshd_config
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^PermitRootLogin'
+    state: absent
+
 - name: SSH Hardening for root user
   ansible.builtin.blockinfile:
     path: /etc/ssh/sshd_config
     block: |
-      PermitRootLogin yes
+      PermitRootLogin prohibit-password
       PasswordAuthentication no
       X11Forwarding no
       MaxAuthTries 2
@@ -59,4 +65,4 @@
 - name: Restart sshd
   ansible.builtin.service:
     name: sshd
-    state: restarted
+    state: restarted

hetzner-infra/provider.tf renamed to hetzner-infra/terraform.tf

@@ -1,12 +1,17 @@
 terraform {
   required_providers {
     hcloud = {
-      source = "hetznercloud/hcloud"
+      source  = "hetznercloud/hcloud"
       version = ">=1.36.0"
     }
+    tls = {
+      source  = "hashicorp/tls"
+      version = ">=4.0.5"
+    }
   }
 }
 
 provider "hcloud" {
   token = var.hcloud_token
-}
+}
+

hetzner-infra/variables.tf

@@ -43,6 +43,7 @@ variable "os_type" {
 
 variable "public_net" {
   type        = bool
-  description = "Public network enabled or desabled for all servers besides master_worker and backup"
+  description = "Public network enabled or desabled for all servers besides controler"
   default     = true
-}
+}
+