Azure Ubuntu SFTP Configuration
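#!/bin/bash
# create-sftp-user.sh - create one SFTP account from a single argument of the
# form "user:pass[:e][:uid[:gid[:dir]]]" (fields are split on ':' below).
set -Eeo pipefail
# shellcheck disable=2154
# Report the failing line and command on stderr (not stdout) and exit with the
# failing status; -E above makes this ERR trap fire inside functions too.
trap 's=$?; echo "$0: Error on line "$LINENO": $BASH_COMMAND" >&2; exit $s' ERR
# Extended regular expressions (ERE) each colon-separated field is checked against.
reUser='[A-Za-z0-9._][A-Za-z0-9._-]{0,31}' # POSIX.1-2008 portable user name
rePass='[^:]{0,255}'                        # anything but the ':' field separator
reUid='[[:digit:]]*'                        # empty means "not given" (useradd picks)
reGid='[[:digit:]]*'                        # empty means "not given"
reDir='[^:]*'
#reArgs="^($reUser)(:$rePass)(:e)?(:$reUid)?(:$reGid)?(:$reDir)?$"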
#######################################
# Print one message line prefixed with the script name, e.g. "[./x.sh] msg".
# Arguments: $* - the message words, joined by single spaces
# Outputs:   the line on stdout
#######################################
log() {
  printf '[%s] %s\n' "$0" "$*"
}
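#######################################
# Check one parsed field against an anchored ERE.
# Arguments: $1 - field name, used only in the error message
#            $2 - value to check
#            $3 - ERE; the whole value must match ^$3$
# Outputs:   an "ERROR: ..." line via log when the value does not match
# Returns:   0 when the value matches, 1 otherwise
#######################################
validateArg() {
  # Locals: the original assigned the globals name/val/re and clobbered them.
  local name="$1"
  local val="$2"
  local re="$3"
  # $re is deliberately unquoted so bash treats it as a regex, not a literal.
  if [[ "$val" =~ ^$re$ ]]; then
    return 0
  fi
  log "ERROR: Invalid $name \"$val\", do not match required regex pattern: $re"
  return 1
}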
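. /vmsetup/install.keys
# $1 is "user:pass[:e][:uid[:gid[:dir]]]"; split it on the ':' separator.
IFS=':' read -ra args <<< "$1"
# Log the user name only: the raw argument also carries the password.
log "Parsing user data for user: \"${args[0]}\""
skipIndex=0
chpasswdOptions=()               # array: an empty option list expands to no words
useraddOptions=(--no-user-group)
user="${args[0]}"; validateArg "username" "$user" "$reUser" || exit 1
pass="${args[1]}"; validateArg "password" "$pass" "$rePass" || exit 1
# A literal "e" in the third field means the password is already hashed
# (chpasswd -e); the remaining fields then shift right by one.
if [ "${args[2]}" == "e" ]; then
  chpasswdOptions=(-e)
  skipIndex=1
fi
uid="${args[$((skipIndex+2))]}"; validateArg "UID" "$uid" "$reUid" || exit 1
gid="${args[$((skipIndex+3))]}"; validateArg "GID" "$gid" "$reGid" || exit 1
dir="${args[$((skipIndex+4))]}"; validateArg "dirs" "$dir" "$reDir" || exit 1
if getent passwd "$user" > /dev/null; then
  log "WARNING: User \"$user\" already exists. Skipping."
  exit 0
fi
if [ -n "$uid" ]; then
  useraddOptions+=(--non-unique --uid "$uid")
fi
if [ -n "$gid" ]; then
  if ! getent group "$gid" > /dev/null; then
    groupadd --gid "$gid" "group_$gid"
  fi
  useraddOptions+=(--gid "$gid")
fi
useradd "${useraddOptions[@]}" "$user"
# The home directory is the ChrootDirectory for this user (sshd_config
# "Match Group sftpusers"), so it must be root-owned and not user-writable.
mkdir -p "/home/$user"
chown root:root "/home/$user"
chmod 755 "/home/$user"
# Retrieving user id to use it in chown commands instead of the user name
# to avoid problems on alpine when the user name contains a '.'
uid="$(id -u "$user")"
if [ -n "$pass" ]; then
  # printf: no option or escape processing of the password text.
  printf '%s:%s\n' "$user" "$pass" | chpasswd "${chpasswdOptions[@]}"
else
  usermod -p "*" "$user" # disabled password
fi
# Add SSH keys to authorized_keys with valid permissions
userKeysQueuedDir="/home/$user/.ssh/keys"
if [ -d "$userKeysQueuedDir" ]; then
  userKeysAllowedFileTmp="$(mktemp)"
  # Remove the scratch file on every exit path (it used to be left behind).
  trap 'rm -f -- "$userKeysAllowedFileTmp"' EXIT
  userKeysAllowedFile="/home/$user/.ssh/authorized_keys"
  for publickey in "$userKeysQueuedDir"/*; do
    # An empty directory leaves the glob unexpanded; skip anything not a file.
    [ -f "$publickey" ] || continue
    cat "$publickey" >> "$userKeysAllowedFileTmp"
  done
  # sort -u drops duplicate keys (same result as sort | uniq).
  sort -u < "$userKeysAllowedFileTmp" > "$userKeysAllowedFile"
  chown "$uid" "$userKeysAllowedFile"
  chmod 600 "$userKeysAllowedFile"
fi
#https://www.thegeekstuff.com/2012/03/chroot-sftp-setup/
# Put the account in the group matched by sshd_config's "Match Group sftpusers".
sudo usermod -g sftpusers -s /bin/bash "$user"
sudo mount-user-sftp-path.sh "$user"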
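#!/bin/bash
# install-sftp-server.sh - one-shot VM bootstrap run by the CustomScript
# extension. Positional arguments, all required:
#   1 resource group   2 storage account   3 file share   4 service principal id
#   5 service principal password   6 tenant   7 raw gist URL of the helper scripts
resourceGroupName=$1
storageAccountName=$2
storageAccountFileShareName=$3
serviceAccountId=$4
serviceAccountPassword=$5
serviceAccountTenant=$6
gistUrl=$7
# Where the share is mounted; also recorded in install.keys for the other scripts.
storageAccountMountPath="/mount/$storageAccountName/$storageAccountFileShareName"
# install.keys receives the service principal password, so restrict it before
# the first write instead of at the end of the script, and discard tee's stdout
# copy: the caller captures this script's stdout into an install log.
sudo mkdir -p /vmsetup && sudo touch /vmsetup/install.keys && sudo chmod 600 /vmsetup/install.keys
{
  printf 'resourceGroupName=%s\n' "$resourceGroupName"
  printf 'storageAccountName=%s\n' "$storageAccountName"
  printf 'storageAccountFileShareName=%s\n' "$storageAccountFileShareName"
  printf 'serviceAccountId=%s\n' "$serviceAccountId"
  printf 'serviceAccountPassword=%s\n' "$serviceAccountPassword"
  printf 'serviceAccountTenant=%s\n' "$serviceAccountTenant"
  printf 'storageAccountMountPath=%s\n' "$storageAccountMountPath"
} | sudo tee -a /vmsetup/install.keys > /dev/null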
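# Base packages (apt-get rather than apt: the stable interface for scripts).
sudo dpkg --configure -a
sudo apt-get -y update
# install sftp
sudo apt-get -y install wget openssh-server net-tools ca-certificates curl apt-transport-https lsb-release gnupg vim
sudo apt-get update
# install cockpit (web console on port 9090) from the release's backports pocket
. /etc/os-release
# Abort with a message if os-release has no codename; the original silently
# passed "-t -backports" in that case.
: "${VERSION_CODENAME:?VERSION_CODENAME not set by /etc/os-release}"
sudo apt-get -y install -t "${VERSION_CODENAME}-backports" cockpit
sudo systemctl --now enable cockpit.socket
sudo ufw allow 9090/tcp
# install azure cli from Microsoft's apt repository
# -f: an HTTP error must not be dearmored and installed as a signing key.
curl -fsSL https://packages.microsoft.com/keys/microsoft.asc |
  gpg --dearmor |
  sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null
AZ_REPO=$(lsb_release -cs)
echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" |
  sudo tee /etc/apt/sources.list.d/azure-cli.list
sudo apt-get update
sudo apt-get -y install azure-cli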
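# Sign in as the service principal. The secret is passed as an argument, so it
# is visible in the process list for the duration of this command.
az login --service-principal -u "$serviceAccountId" -p "$serviceAccountPassword" --tenant "$serviceAccountTenant"
# config mounts
# primaryEndpoints.file is expected to be "https://<account>.file.core.windows.net/".
httpEndpoint=$(az storage account show \
  --resource-group "$resourceGroupName" \
  --name "$storageAccountName" \
  --query "primaryEndpoints.file" --output tsv | tr -d '"')
# Drop the "https:" scheme, leaving the UNC-style "//host/" path
# (the original did this positionally with cut -c7-).
smbPath="${httpEndpoint#https:}"
fileHost=$(printf '%s' "$smbPath" | tr -d '/')
# Reachability probe for SMB (port 445); informational, its result is not checked.
nc -zvw3 "$fileHost" 445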
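# Create a folder to store the credentials for this storage account and
# any other that you might set up.
credentialRoot="/etc/smbcredentials"
sudo mkdir -p "$credentialRoot"
# Get the storage account key for the indicated storage account.
# You must be logged in with az login and your user identity must have
# permissions to list the storage account keys for this command to work.
storageAccountKey=$(az storage account keys list \
  --resource-group "$resourceGroupName" \
  --account-name "$storageAccountName" \
  --query "[0].value" --output tsv | tr -d '"')
# Create the credential file for this individual storage account
smbCredentialFile="$credentialRoot/$storageAccountName.cred"
if [ ! -f "$smbCredentialFile" ]; then
  # Create it root-owned with mode 600 before the key is written; the original
  # wrote the key first and only tightened permissions afterwards.
  sudo touch "$smbCredentialFile"
  sudo chmod 600 "$smbCredentialFile"
  printf 'username=%s\n' "$storageAccountName" | sudo tee "$smbCredentialFile" > /dev/null
  printf 'password=%s\n' "$storageAccountKey" | sudo tee -a "$smbCredentialFile" > /dev/null
else
  echo "The credential file $smbCredentialFile already exists, and was not modified."
fi
# Change permissions on the credential file so only root can read or modify the password file.
sudo chmod 600 "$smbCredentialFile"
echo "smbCredentialFile=$smbCredentialFile" | sudo tee -a /vmsetup/install.keys
# The mount path may only have been written to install.keys as text and never
# assigned as a variable; derive it here so mkdir/fstab do not see an empty value.
storageAccountMountPath="${storageAccountMountPath:-/mount/$storageAccountName/$storageAccountFileShareName}"
sudo mkdir -p "$storageAccountMountPath"
storageAccountSmbPathFileShare="$smbPath$storageAccountFileShareName"
# Append the fstab entry only once, so a re-run does not duplicate it.
if ! grep -qs "$storageAccountSmbPathFileShare " /etc/fstab; then
  echo "$storageAccountSmbPathFileShare $storageAccountMountPath cifs nofail,credentials=$smbCredentialFile,serverino" | sudo tee -a /etc/fstab > /dev/null
fi
echo "storageAccountSmbPathFileShare=$storageAccountSmbPathFileShare" | sudo tee -a /vmsetup/install.keys
sudo mount "$storageAccountSmbPathFileShare"
sudo chmod 600 /vmsetup/install.keys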
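#######################################
# Fetch one file from the gist and install it root-owned and executable.
# Globals:   gistUrl (read) - raw gist URL the file name is appended to
# Arguments: $1 - file name within the gist (also the destination name)
#            $2 - destination directory, including the trailing slash
# Returns:   0 on success; 1 if the download failed (the destination may then
#            be absent or empty, and nothing is chmod'ed)
#######################################
installScript() {
  local fileName="$1"
  local filePath="$2"
  local dest="$filePath$fileName"
  # curl runs as root and writes the file itself, so there is no window in
  # which the destination is world-writable (the original chmod 777'd it while
  # an unprivileged shell redirected into it). -f makes an HTTP error a failure
  # instead of saving the error page as the script; -L follows redirects
  # (the original passed lowercase -l, curl's FTP list-only option).
  if ! sudo curl -fsSL -o "$dest" "${gistUrl}/${fileName}"; then
    echo "installScript: download of ${gistUrl}/${fileName} failed" >&2
    return 1
  fi
  sudo chown root:root "$dest"
  # 700 = the original's chmod 600 followed by chmod +x.
  sudo chmod 700 "$dest"
}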
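installScript create-sftp-user.sh '/usr/local/bin/'
installScript mount-user-sftp-path.sh '/usr/local/bin/'
installScript sshd_config '/etc/ssh/'
sudo chmod -x '/etc/ssh/sshd_config'
# Group named by "Match Group sftpusers" in the installed sshd_config;
# -f lets a re-run succeed when the group already exists.
sudo groupadd -f sftpusers
# Validate the downloaded config before restarting: restarting with a broken
# sshd_config would leave the VM without SSH access.
if sudo sshd -t; then
  sudo systemctl restart ssh
else
  echo "/etc/ssh/sshd_config failed validation (sshd -t); ssh was not restarted" >&2
fi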
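#!/bin/bash
# mount-user-sftp-path.sh - mount <share>/<user>/{uploads,downloads} from the
# Azure file share under /home/<user>/ and persist both mounts in /etc/fstab.
# Usage: mount-user-sftp-path.sh <sftp-user>
# Reads storageAccountName and storageAccountFileShareName from /vmsetup/install.keys.
set -Eeo pipefail
# shellcheck disable=2154
# Diagnostics go to stderr; -E makes the trap fire inside functions as well.
trap 's=$?; echo "$0: Error on line "$LINENO": $BASH_COMMAND" >&2; exit $s' ERR
. /vmsetup/install.keys
SFTPUSER=$1
STORAGE_ACCOUNT_NAME="${storageAccountName}"
FILE_SHARE_NAME="${storageAccountFileShareName}"
if [[ -z ${STORAGE_ACCOUNT_NAME} || -z ${SFTPUSER} || -z ${FILE_SHARE_NAME} ]]; then
  # Say why we stop instead of exiting silently.
  echo "$0: usage: $0 <sftp-user> (storageAccountName and storageAccountFileShareName must be set in /vmsetup/install.keys)" >&2
  exit 1
fi
# Numeric ids, passed later as the cifs uid=/gid= mount options.
LOCAL_UID=$(id -u "${SFTPUSER}")
LOCAL_GID=$(id -g "${SFTPUSER}")
FILE_SHARE_NAME_PATH="//${STORAGE_ACCOUNT_NAME}.file.core.windows.net/${FILE_SHARE_NAME}"
CRED_FOLDER=/etc/smbcredentials
# Written by the install script (username=/password= of the storage account).
CRED_FILE=${CRED_FOLDER}/${STORAGE_ACCOUNT_NAME}.cred
ROOT_MOUNT_OPTIONS="vers=3.0,credentials=${CRED_FILE},serverino"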
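# Make the user's "local" directory: mount the whole share as root just long
# enough to create <user>/downloads and <user>/uploads on it, then unmount.
sudo mkdir -p "/mount/${STORAGE_ACCOUNT_NAME}/"
if grep -qs "/mount/${STORAGE_ACCOUNT_NAME} " /proc/mounts; then
  echo "Attempt unmount of: /mount/${STORAGE_ACCOUNT_NAME} "
  sudo umount -a -t cifs -l "/mount/${STORAGE_ACCOUNT_NAME}"
fi
sudo mount -t cifs "${FILE_SHARE_NAME_PATH}" "/mount/${STORAGE_ACCOUNT_NAME}" -o "${ROOT_MOUNT_OPTIONS}"
sudo mkdir -p "/mount/${STORAGE_ACCOUNT_NAME}/${SFTPUSER}/downloads"
sudo mkdir -p "/mount/${STORAGE_ACCOUNT_NAME}/${SFTPUSER}/uploads"
sudo umount "/mount/${STORAGE_ACCOUNT_NAME}"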
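# Mount the folders
USER_MOUNT_OPTIONS="vers=3.0,credentials=${CRED_FILE},uid=${LOCAL_UID},gid=${LOCAL_GID},serverino"

#######################################
# (Re)mount one of the user's share sub-folders under the home directory.
# Globals:   FILE_SHARE_NAME_PATH, SFTPUSER, USER_MOUNT_OPTIONS (read)
# Arguments: $1 - sub-folder name (uploads or downloads)
#######################################
mount_user_folder() {
  local sub="$1"
  local remote="${FILE_SHARE_NAME_PATH}/${SFTPUSER}/${sub}"
  local mountpoint="/home/${SFTPUSER}/${sub}"
  if grep -qs "${remote} " /proc/mounts; then
    echo "Attempt unmount of: ${remote}"
    sudo umount -a -t cifs -l "${remote}"
    # Recreate the mount point only once it is no longer a mount: an rm -fr on
    # a still-mounted directory would recurse into the share itself.
    if [ -d "${mountpoint}" ] && ! grep -qs " ${mountpoint} " /proc/mounts; then
      sudo rm -fr "${mountpoint}"
      sudo mkdir "${mountpoint}"
    fi
  fi
  local code=0 response
  # mkdir fails when the directory already exists; report it and carry on.
  response=$(sudo mkdir "${mountpoint}" 2>&1) || code=$?
  if [ "${code}" != 0 ]; then
    echo "mkdir failed: ${response}"
  fi
  sudo mount -t cifs "${remote}" "${mountpoint}" -o "${USER_MOUNT_OPTIONS}"
}

#######################################
# Append the fstab line for one sub-folder unless it is already present.
# The line is written through tee instead of "sudo bash -c 'echo ...'", so the
# user name and paths are never re-parsed by a second shell.
# Globals:   FILE_SHARE_NAME_PATH, SFTPUSER, USER_MOUNT_OPTIONS (read)
# Arguments: $1 - sub-folder name (uploads or downloads)
#######################################
add_fstab_entry() {
  local sub="$1"
  local remote="${FILE_SHARE_NAME_PATH}/${SFTPUSER}/${sub}"
  if ! grep -qs "${remote} " /etc/fstab; then
    echo "Adding entry to fstab for ${sub}"
    printf '%s %s cifs nofail,%s\n' "${remote}" "/home/${SFTPUSER}/${sub}" "${USER_MOUNT_OPTIONS}" | sudo tee -a /etc/fstab > /dev/null
  else
    echo "Skip fstab for ${sub}"
  fi
}

mount_user_folder uploads
mount_user_folder downloads
# Add entries to /etc/fstab so that it will survive a reboot
add_fstab_entry uploads
add_fstab_entry downloads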
# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# Installed to /etc/ssh/sshd_config (root-owned, mode 600) by the install script.
# Accounts in group "sftpusers" (where create-sftp-user.sh puts every account it
# creates) get the chrooted, SFTP-only "Match" block at the bottom; other
# accounts are not affected by it.
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# SSH protocol 2 only (recent OpenSSH releases dropped protocol 1 and ignore this line).
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
# Only the RSA and ECDSA host keys are offered; the ed25519 key stays disabled.
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
# Left at the default (prohibit-password): root can only log in with a key.
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
# Passwords stay enabled because create-sftp-user.sh sets each account's
# password with chpasswd; it also installs any keys found in ~/.ssh/keys, so
# key-only accounts would need this set to "no".
PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
# TCP and X11 forwarding are disabled for every user here, not only inside
# the sftpusers Match block below.
AllowTcpForwarding no
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
# No reverse DNS lookup of the client on connect.
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
# Replaced by the internal-sftp Subsystem line at the end of this file.
#Subsystem sftp /usr/lib/openssh/sftp-server
# Enable this for more logs
#LogLevel VERBOSE
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
# CLOUD_IMG: This file was created/modified by the Cloud Image build process
# 120 s keepalive, overriding the commented default of 0 above.
ClientAliveInterval 120
# In-process SFTP server (no sftp-server binary is needed inside the chroot),
# logging to syslog facility LOCAL6 at level INFO.
Subsystem sftp internal-sftp -f LOCAL6 -l INFO
# Members of sftpusers are chrooted to their home directory. sshd requires
# every path component of %h to be root-owned and not group/world-writable,
# which is why create-sftp-user.sh sets /home/<user> to root:root 755; the
# writable uploads/ and downloads/ directories are separate cifs mounts below it.
Match Group sftpusers
  ChrootDirectory %h
  X11Forwarding no
  AllowTcpForwarding no
  # SFTP only, whatever login shell the account has (usermod sets /bin/bash).
  ForceCommand internal-sftp -f LOCAL6 -l INFO
/* | |
This script will: | |
- Depends on gist: https://gist.github.com/johnbabb/e385e10ea9dd06ddc3ea3160e7403dab | |
- This script provides the install script, create user script, mount user sftp drives script, | |
and sshd_config file.
- create user script, mount user sftp drives script are copied to /usr/local/bin | |
- these scripts are used to add sftp users and mount their drives in /home/<user>/<downloads|uploads> | |
- sshd_config is copied over to /etc/ssh/sshd_config
- Creates a virtual network | |
- Creates an Azure Storage account and file service
- Creates a network security group name | |
- opens ports 22 and 9090 | |
- Creates a public IP address with a defined subdomain
- example <dns-prefix-name>.eastus.cloudapp.azure.com | |
- Creates a virtualNetworkName | |
- Creates a networkInterfaces | |
- Creates a VM instance of Ubuntu: | |
- Executes a custom script on the VM | |
- SFTP and SSH | |
- Azure cli | |
- Cockpit | |
- copies scripts from gists | |
############################################################################## | |
# Usage | |
############################################################################## | |
# log into the right azure env where you have owner or contrib rights on | |
# a subscription. This should open a web browser to auth you. | |
az login | |
# create the resource group that will hold the vm instance
az group create --name "<resource-group>" --location "<location>" --subscription "<subscription-id>" | |
# create the service account | |
az ad sp create-for-rbac ` | |
--name "<resource-group>" ` | |
--role contributor ` | |
--scopes /subscriptions/<subscription-id>/resourceGroups/<resource-group> | |
# capture output of the command to use in the bicep script | |
############################################################################### | |
# { | |
# "appId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", | |
# "displayName": "display-name", | |
# "name": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", | |
# "password": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, | |
# "tenant": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" | |
# } | |
################################################################################ | |
az deployment group create ` | |
--resource-group <resource-group> ` | |
--template-file "<path to script>ubuntu-vm.bicep" ` | |
--parameters ` | |
resourcePrefix='<prefix-that-will-be-used-on-all-related-resources-this-script-creates>' ` | |
storageAccountName='storage' ` | |
storageAccountFileShareName='sis' ` | |
dnsNameForPublicIP='<dns-prefix-name>' ` | |
ubuntuOSVersion='<version>' ` | |
vmSize='vm-size' ` | |
location=<location> `
resourceGroupName=<resource-group-name> `
authenticationType='password' ` | |
adminUsername='<root-level-user-name-used-to-access-the-machine>' ` | |
adminPasswordOrKey='<strong-password>' ` | |
serviceAccountId='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' ` | |
serviceAccountPassword='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' ` | |
serviceAccountTenant='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' ` | |
*/ | |
// Deployment parameters. The three serviceAccount* values are the service
// principal created with "az ad sp create-for-rbac" (see the usage block above);
// they are handed to install-sftp-server.sh, which logs in with them to read
// the storage account key.
@description('The resource group prefix. This will be used as a prefix on all resources in this group.')
param resourcePrefix string = 'tss'
@description('Unique DNS Name for the Storage Account where the Virtual Machine\'s disks will be placed.')
param storageAccountName string = 'storage'
@description('Unique Bucket Name for the Storage Account where the Virtual Machine\'s disks will be placed.')
param storageAccountFileShareName string = 'fileshare'
@description('Admin user name for the Virtual Machine.')
param adminUsername string
@description('Unique DNS prefix for the Public IP used to access the Virtual Machine.')
param dnsNameForPublicIP string
// NOTE(review): all three allowed Ubuntu releases are past standard support at
// the time of this review; confirm the image is still published before deploying.
@allowed([
  '18.04-LTS'
  '16.04.0-LTS'
  '14.04.5-LTS'
])
@description('The Ubuntu version for the VM. This will pick a fully patched image of this given Ubuntu version. Allowed values: 18.04-LTS, 16.04.0-LTS, 14.04.5-LTS.')
param ubuntuOSVersion string = '18.04-LTS'
@description('Size of the virtual machine')
param vmSize string = 'Standard_B2s'
@description('Location for all resources.')
param location string = resourceGroup().location
@description('The resource group name.')
param resourceGroupName string = resourceGroup().name
// Default is password login. With 'sshPublicKey', adminPasswordOrKey is
// installed as the admin's authorized key instead (see linuxConfiguration).
@allowed([
  'sshPublicKey'
  'password'
])
@description('Type of authentication to use on the Virtual Machine. SSH key is recommended.')
param authenticationType string = 'password'
@description('SSH Key or password for the Virtual Machine. SSH key is recommended.')
@secure()
param adminPasswordOrKey string
// The id and tenant are not secrets in themselves; @secure() keeps them out of
// the deployment history along with the password.
@description('The service account used to connect to azure storage.')
@secure()
param serviceAccountId string
@description('The service account password used to connect to azure storage.')
@secure()
param serviceAccountPassword string
@description('The service account tenant used to connect to azure storage.')
@secure()
param serviceAccountTenant string
// Pinned to one gist revision (the /raw/<revision> segment). The VM downloads
// and runs install-sftp-server.sh from this URL, so an unpinned URL would
// execute whatever the gist holds at deployment time.
@description('This is the path to the version of gist we are using. Example: https://gist.githubusercontent.com/johnbabb/e385e10ea9dd06ddc3ea3160e7403dab/raw/d76809b6c5c5f07984ea131124f9cd093b7cc4f1')
param gistUrlPath string = 'https://gist.githubusercontent.com/johnbabb/e385e10ea9dd06ddc3ea3160e7403dab/raw/d76809b6c5c5f07984ea131124f9cd093b7cc4f1'
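var imagePublisher = 'Canonical'
var imageOffer = 'UbuntuServer'
var nicName_var = '${resourcePrefix}-vm-nic'
var addressPrefix = '10.0.0.0/16'
var subnetName = '${resourcePrefix}-subnet'
var subnetPrefix = '10.0.0.0/24'
var publicIPAddressName_var = '${resourcePrefix}-public-ip'
var publicIPAddressType = 'Dynamic'
var vmName_var = '${resourcePrefix}-ubuntu-vm'
var virtualNetworkName_var = '${resourcePrefix}-vnet'
// The NIC references the subnet by resource id rather than symbolically, which
// is why the NIC resource carries an explicit dependsOn on the virtual network.
var subnetRef = resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworkName_var, subnetName)
// Used only when authenticationType is not 'password': adminPasswordOrKey is
// then installed as the admin user's authorized key and password login is off.
var linuxConfiguration = {
  disablePasswordAuthentication: true
  ssh: {
    publicKeys: [
      {
        path: '/home/${adminUsername}/.ssh/authorized_keys'
        keyData: adminPasswordOrKey
      }
    ]
  }
}
var networkSecurityGroupName_var = '${resourcePrefix}-nsg'
var fileShareAccessTier = 'Cool'
// Storage account names must be lowercase letters and digits only (3-24 chars):
// strip the '-' of the prefix and lower-case the result. The original only
// stripped '-', so an upper-case prefix failed at deployment. Length is not
// checked here.
var fullStorageAccountName = toLower(replace('${resourcePrefix}${storageAccountName}', '-', ''))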
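// Storage account holding the SFTP file share. Explicit hardening properties:
// minimumTlsVersion and allowBlobPublicAccess apply to the HTTPS/blob endpoints
// and do not change how the SMB share is mounted; supportsHttpsTrafficOnly is
// the default for this API version and is only stated explicitly.
resource stg 'Microsoft.Storage/storageAccounts@2021-02-01' = {
  name: fullStorageAccountName
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
  properties: {
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
  }
}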
// The file share, created under the account's default file service. It is
// declared by full name ("<account>/default/<share>") with an explicit
// dependsOn because the intermediate fileServices resource is not declared here.
resource storageAccountName_default_fileShareName 'Microsoft.Storage/storageAccounts/fileServices/shares@2019-06-01' = {
  name: '${fullStorageAccountName}/default/${storageAccountFileShareName}'
  properties: {
    accessTier: fileShareAccessTier // 'Cool' (see the variable above)
  }
  dependsOn: [
    stg
  ]
}
// Public IP of the VM. Allocation is Dynamic (publicIPAddressType), so the
// address itself can change; clients should use the DNS label
// <dnsNameForPublicIP>.<location>.cloudapp.azure.com (see the usage notes).
resource publicIPAddressName 'Microsoft.Network/publicIPAddresses@2020-05-01' = {
  name: publicIPAddressName_var
  location: location
  properties: {
    publicIPAllocationMethod: publicIPAddressType
    dnsSettings: {
      domainNameLabel: dnsNameForPublicIP
    }
  }
}
// Network security group for the subnet. Both inbound rules accept traffic
// from any source ('*'): port 22 for SSH/SFTP and port 9090 for the Cockpit
// web console that install-sftp-server.sh enables. Consider narrowing
// sourceAddressPrefix, at least for 9090, to the administrators' address ranges.
resource networkSecurityGroupName 'Microsoft.Network/networkSecurityGroups@2020-05-01' = {
  name: networkSecurityGroupName_var
  location: location
  properties: {
    securityRules: [
      {
        name: 'default-allow-22'
        properties: {
          priority: 1000
          access: 'Allow'
          direction: 'Inbound'
          destinationPortRange: '22'
          protocol: 'Tcp'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
        }
      }
      {
        // Cockpit admin console; world-reachable as written.
        name: 'default-allow-9090'
        properties: {
          priority: 1002
          access: 'Allow'
          direction: 'Inbound'
          destinationPortRange: '9090'
          protocol: 'Tcp'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
        }
      }
    ]
  }
}
// Virtual network (10.0.0.0/16) with a single /24 subnet that is guarded by
// the network security group above.
resource virtualNetworkName 'Microsoft.Network/virtualNetworks@2020-05-01' = {
  name: virtualNetworkName_var
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        addressPrefix
      ]
    }
    subnets: [
      {
        name: subnetName
        properties: {
          addressPrefix: subnetPrefix
          networkSecurityGroup: {
            id: networkSecurityGroupName.id
          }
        }
      }
    ]
  }
}
// NIC with one dynamic private IP and the public IP attached. The subnet is
// referenced through subnetRef (a resourceId(), not a symbolic reference), so
// Bicep cannot infer the ordering; the explicit dependsOn on the VNet supplies it.
resource nicName 'Microsoft.Network/networkInterfaces@2020-05-01' = {
  name: nicName_var
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          privateIPAllocationMethod: 'Dynamic'
          publicIPAddress: {
            id: publicIPAddressName.id
          }
          subnet: {
            id: subnetRef
          }
        }
      }
    ]
  }
  dependsOn: [
    virtualNetworkName
  ]
}
// The Ubuntu VM. adminPassword always receives adminPasswordOrKey; when
// authenticationType is 'sshPublicKey' the same value is also installed as the
// admin's authorized key and password login is disabled via linuxConfiguration
// (the pattern used by the Azure quickstart templates this file appears to
// derive from). No osDisk is specified, so the image defaults apply.
resource vmName 'Microsoft.Compute/virtualMachines@2020-06-01' = {
  name: vmName_var
  location: location
  properties: {
    hardwareProfile: {
      vmSize: vmSize
    }
    osProfile: {
      computerName: vmName_var
      adminUsername: adminUsername
      adminPassword: adminPasswordOrKey
      linuxConfiguration: ((authenticationType == 'password') ? json('null') : linuxConfiguration)
    }
    storageProfile: {
      imageReference: {
        publisher: imagePublisher
        offer: imageOffer
        sku: ubuntuOSVersion
        version: 'latest'
      }
    }
    networkProfile: {
      networkInterfaces: [
        {
          id: nicName.id
        }
      ]
    }
  }
  // The CustomScript extension on this VM mounts the share during bootstrap,
  // so the share must exist before the VM (and its extension) are created.
  dependsOn: [
    storageAccountName_default_fileShareName
  ]
}
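// Bootstraps the VM with install-sftp-server.sh fetched from the pinned gist URL.
resource vmName_install_sfpt 'Microsoft.Compute/virtualMachines/extensions@2020-06-01' = {
  parent: vmName
  name: 'install_sftp'
  location: location
  properties: {
    publisher: 'Microsoft.Azure.Extensions'
    type: 'CustomScript'
    typeHandlerVersion: '2.1'
    autoUpgradeMinorVersion: true
    settings: {
      skipDos2Unix: false
      fileUris: [
        '${gistUrlPath}/install-sftp-server.sh'
      ]
    }
    // protectedSettings is encrypted for the deployment, but the service
    // principal password still travels as a command-line argument on the VM
    // (visible in the process list while the script runs), and everything the
    // script prints is captured into /vmsetup/install.log and exposed through
    // the scriptLogs output. The script is run with bash to match its
    // #!/bin/bash shebang; invoking it with "sh" (dash on Ubuntu) ignores the
    // shebang and runs it under a different shell.
    protectedSettings: {
      commandToExecute: ' sudo mkdir -p /vmsetup && sudo touch /vmsetup/install.log && bash install-sftp-server.sh "${resourceGroupName}" "${fullStorageAccountName}" "${storageAccountFileShareName}" "${serviceAccountId}" "${serviceAccountPassword}" "${serviceAccountTenant}" "${gistUrlPath}" 2>&1 | sudo tee /vmsetup/install.log'
    }
  }
}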
output scriptLogs string = reference('${vmName_install_sfpt.id}/logs/default', vmName_install_sfpt.apiVersion, 'Full').properties.log |