From 406ba988bfcf9d8526a646fb38cd17ef41ef07d8 Mon Sep 17 00:00:00 2001
From: phaer <hello@phaer.org>
Date: Sat, 19 Feb 2022 15:07:39 +0100
Subject: [PATCH 1/2] use jsonencode, not template for config.ign

---
 agents.tf                |  5 +----
 locals.tf                | 29 +++++++++++++++++++++++++++++
 master.tf                |  5 +----
 servers.tf               |  5 +----
 templates/config.ign.tpl | 31 -------------------------------
 5 files changed, 32 insertions(+), 43 deletions(-)
 delete mode 100644 templates/config.ign.tpl

diff --git a/agents.tf b/agents.tf
index 39562e6..7e9724e 100644
--- a/agents.tf
+++ b/agents.tf
@@ -24,10 +24,7 @@ resource "hcloud_server" "agents" {
   }
 
   provisioner "file" {
-    content = templatefile("${path.module}/templates/config.ign.tpl", {
-      name           = self.name
-      ssh_public_key = local.ssh_public_key
-    })
+    content     = local.ignition_config
     destination = "/root/config.ign"
   }
 
diff --git a/locals.tf b/locals.tf
index 6c5a399..675935d 100644
--- a/locals.tf
+++ b/locals.tf
@@ -38,6 +38,34 @@ locals {
     "umount /mnt"
   ]
 
+  ignition_config = jsonencode({
+    ignition = {
+      version = "3.0.0"
+    }
+    passwd = {
+      users = [{
+        name              = "root"
+        sshAuthorizedKeys = [local.ssh_public_key]
+      }]
+    }
+    storage = {
+      files = [
+        {
+          path      = "/etc/sysconfig/network/ifcfg-eth1"
+          mode      = 420
+          overwrite = true
+          contents  = { "source" = "data:,BOOTPROTO%3D%27dhcp%27%0ASTARTMODE%3D%27auto%27" }
+        },
+        {
+          path      = "/etc/ssh/sshd_config.d/kube-hetzner.conf"
+          mode      = 420
+          overwrite = true
+          contents  = { "source" = "data:,PasswordAuthentication%20no%0AX11Forwarding%20no%0AMaxAuthTries%202%0AAllowTcpForwarding%20no%0AAllowAgentForwarding%20no%0AAuthorizedKeysFile%20.ssh%2Fauthorized_keys" }
+        }
+      ]
+    }
+  })
+
   combustion_script = <<EOF
 #!/bin/bash
 # combustion: network
@@ -60,4 +88,5 @@ udevadm settle
   install_k3s_server = concat(local.common_commands_install_k3s, ["curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_SELINUX_RPM=true INSTALL_K3S_SKIP_START=true INSTALL_K3S_EXEC=server sh -"])
 
   install_k3s_agent = concat(local.common_commands_install_k3s, ["curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_SELINUX_RPM=true INSTALL_K3S_EXEC=agent sh -"])
+
 }
diff --git a/master.tf b/master.tf
index fb1acd0..9096ab1 100644
--- a/master.tf
+++ b/master.tf
@@ -22,10 +22,7 @@ resource "hcloud_server" "first_control_plane" {
   }
 
   provisioner "file" {
-    content = templatefile("${path.module}/templates/config.ign.tpl", {
-      name           = self.name
-      ssh_public_key = local.ssh_public_key
-    })
+    content     = local.ignition_config
     destination = "/root/config.ign"
   }
 
diff --git a/servers.tf b/servers.tf
index e574a7e..18b48b7 100644
--- a/servers.tf
+++ b/servers.tf
@@ -23,10 +23,7 @@ resource "hcloud_server" "control_planes" {
   }
 
   provisioner "file" {
-    content = templatefile("${path.module}/templates/config.ign.tpl", {
-      name           = self.name
-      ssh_public_key = local.ssh_public_key
-    })
+    content     = local.ignition_config
     destination = "/root/config.ign"
   }
 
diff --git a/templates/config.ign.tpl b/templates/config.ign.tpl
deleted file mode 100644
index 009807e..0000000
--- a/templates/config.ign.tpl
+++ /dev/null
@@ -1,31 +0,0 @@
-{
-  "ignition": {
-    "version": "3.0.0"
-  },
-  "passwd": {
-    "users": [
-      {
-        "name": "root",
-        "sshAuthorizedKeys": [
-          "${ssh_public_key}"
-        ]
-      }
-    ]
-  },
-  "storage": {
-    "files": [
-      {
-        "path": "/etc/sysconfig/network/ifcfg-eth1",
-        "mode": 420,
-        "overwrite": true,
-        "contents": { "source": "data:,BOOTPROTO%3D%27dhcp%27%0ASTARTMODE%3D%27auto%27" }
-      },
-      {
-        "path": "/etc/ssh/sshd_config.d/kube-hetzner.conf",
-        "mode": 420,
-        "overwrite": true,
-        "contents": { "source": "data:,PasswordAuthentication%20no%0AX11Forwarding%20no%0AMaxAuthTries%202%0AAllowTcpForwarding%20no%0AAllowAgentForwarding%20no%0AAuthorizedKeysFile%20.ssh%2Fauthorized_keys" }
-      }
-    ]
-  }
-}

From 2fa1b17ac6e9fa1e9ebd75db43c1d062b1443a8d Mon Sep 17 00:00:00 2001
From: phaer <hello@phaer.org>
Date: Sat, 19 Feb 2022 15:12:04 +0100
Subject: [PATCH 2/2] allow additional ssh public keys

---
 locals.tf    | 2 +-
 variables.tf | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/locals.tf b/locals.tf
index 675935d..ce74971 100644
--- a/locals.tf
+++ b/locals.tf
@@ -45,7 +45,7 @@ locals {
     passwd = {
       users = [{
         name              = "root"
-        sshAuthorizedKeys = [local.ssh_public_key]
+        sshAuthorizedKeys = concat([local.ssh_public_key], var.additional_public_keys)
       }]
     }
     storage = {
diff --git a/variables.tf b/variables.tf
index e23c2bc..9346e5d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -14,6 +14,12 @@ variable "private_key" {
   type        = string
 }
 
+variable "additional_public_keys" {
+  description = "Additional SSH public Keys. Use them to grant other team members root access to your cluster nodes"
+  type        = list(string)
+  default     = []
+}
+
 variable "location" {
   description = "Default server location"
   type        = string