diff --git a/.env.template b/.env.template
new file mode 100644
index 0000000..4bc7837
--- /dev/null
+++ b/.env.template
@@ -0,0 +1 @@
+export TF_VAR_tailscale_authkey=tskey-auth-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
diff --git a/.gitignore b/.gitignore
index 428b142..9136f95 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ certificates/
 *.tfstate
 *.tfstate.backup
 .DS_Store
+.env
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..42179d4
--- /dev/null
+++ b/README.md
@@ -0,0 +1,14 @@
+# Remote Gaming using Azure and Moonlight
+
+This terraform template sets up the infrastructur to enable remote gaming / streaming using Moonlight and Azure VM.
+
+# TODO
+
+- [ ] Remove Tailscale plaintext auth-key from provisioning scripts and registry run entry
+- [ ] Replace Tailscale by native VPN
+- [ ] Check if public IP is even needed
+- [ ] Persist moonlight configuration between deployments
+- [ ] Install Steam
+- [ ] Integrate budget watcher into terraform config
+- [ ] Is there a quicker way to download the installers? Invoke-WebRequest is insanely slow
+- [ ] Skip Windows OOTB tracking bullshit
\ No newline at end of file
diff --git a/main.tf b/main.tf
index b539452..6b16d47 100644
--- a/main.tf
+++ b/main.tf
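Review bot: The template hands the Tailscale auth key to Terraform as a plain `TF_VAR_`, and anything read through a Terraform variable is written to `terraform.tfstate` (and `.tfstate.backup`, or a remote backend) in clear text and echoed in plan output unless the variable is declared `sensitive = true` in the variables file, which is not part of this diff. The README's own TODO already admits the key also lands in the provisioning script and a registry Run entry, so the key type matters more than where the template lives: use an ephemeral, pre-authorized, tag-scoped, single-use key so a leak through state or the VM is bounded, and rotate it after each apply. The placeholder value is shaped like a real `tskey-auth-` key, which secret scanners will flag on every clone. I would add a comment above the export: `# Use an ephemeral, pre-authorized, tag-scoped single-use key; this value is stored in Terraform state — declare the variable sensitive and never commit the filled-in .env`.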
@@ -26,53 +26,14 @@ resource "azurerm_virtual_network" "vnet" {
   address_space = var.vnet_address_space
 }
 
-# IMPORTANT: GatewaySubnet must be named "GatewaySubnet"
-resource "azurerm_subnet" "gateway_subnet" {
-  name = "GatewaySubnet"
-  resource_group_name = azurerm_resource_group.rg.name
-  virtual_network_name = azurerm_virtual_network.vnet.name
-  address_prefixes = var.gateway_subnet_address_prefixes
-}
-
-resource "azurerm_public_ip" "vpn_gateway_pip" {
-  name = "${var.prefix}-vpn-gw-pip"
+resource "azurerm_public_ip" "pip" {
+  name = "${var.prefix}-pip"
   resource_group_name = azurerm_resource_group.rg.name
   location = azurerm_resource_group.rg.location
   allocation_method = "Static"
   sku = "Standard"
 }
 
-data "local_sensitive_file" "root_certificate" {
-  filename = "${path.module}/certificates/vpn-root.crt"
-}
-
-resource "azurerm_virtual_network_gateway" "vpn_gw" {
-  name = "${var.prefix}-vpngw"
-  location = azurerm_resource_group.rg.location
-  resource_group_name = azurerm_resource_group.rg.name
-
-  type = "Vpn"
-  vpn_type = "RouteBased"
-
-  sku = var.vpn_gateway_sku
-
-  ip_configuration {
-    name = "vpngw-ipcfg"
-    public_ip_address_id = azurerm_public_ip.vpn_gateway_pip.id
-    subnet_id = azurerm_subnet.gateway_subnet.id
-  }
-
-  # Point-to-site configuration using certificate auth
-  vpn_client_configuration {
-    address_space = var.vpn_client_address_space
-
-    root_certificate {
-      name = var.root_certificate_name
-      public_cert_data = data.local_sensitive_file.root_certificate.content
-    }
-  }
-}
-
 resource "azurerm_subnet" "workload_subnet" {
   name = "${var.prefix}-workload-subnet"
   resource_group_name = azurerm_resource_group.rg.name
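Review bot: The new `azurerm_public_ip.pip` carries no comment saying what the VM still needs a public address for now that the point-to-site gateway is gone, and the README's "check if public IP is even needed" item shows the author is unsure too. As far as I know a Standard SKU public IP is closed to inbound until an NSG explicitly opens it, so with no NSG attached this address is effectively egress-only (Tailscale control/DERP traffic, installer downloads); if it is later removed, that egress needs a NAT Gateway or similar, since Azure's implicit default outbound access is being retired for new VNets. I would record the intent above the resource: `# Egress only: Tailscale and installer downloads. Standard SKU stays closed to inbound unless an NSG opens a port.` The variables the removed gateway referenced (`gateway_subnet_address_prefixes`, `vpn_gateway_sku`, `vpn_client_address_space`, `root_certificate_name`) and the `certificates/` ignore entry presumably become dead as well; the variables file is not in this diff, so that is worth a check.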
@@ -80,25 +41,6 @@ resource "azurerm_subnet" "workload_subnet" {
   address_prefixes = var.workload_subnet_address_prefixes
 }
 
-resource "azurerm_network_security_group" "vm_nsg" {
-  name = "${var.prefix}-vm-nsg"
-  location = azurerm_resource_group.rg.location
-  resource_group_name = azurerm_resource_group.rg.name
-
-  # Allow RDP from VPN client address pool
-  security_rule {
-    name = "Allow-RDP-From-VPN"
-    priority = 100
-    direction = "Inbound"
-    access = "Allow"
-    protocol = "Tcp"
-    source_port_range = "*"
-    destination_port_range = "3389"
-    source_address_prefixes = var.vpn_client_address_space
-    destination_address_prefix = "*"
-  }
-}
-
 resource "azurerm_network_interface" "vm_nic" {
   name = "${var.prefix}-vm-nic"
   location = azurerm_resource_group.rg.location
@@ -108,14 +50,10 @@ resource "azurerm_network_interface" "vm_nic" {
     name = "internal"
     subnet_id = azurerm_subnet.workload_subnet.id
     private_ip_address_allocation = "Dynamic"
+    public_ip_address_id = azurerm_public_ip.pip.id
   }
 }
 
-resource "azurerm_network_interface_security_group_association" "vm_nsg_assoc" {
-  network_interface_id = azurerm_network_interface.vm_nic.id
-  network_security_group_id = azurerm_network_security_group.vm_nsg.id
-}
-
 resource "random_password" "admin_password" {
   length = 16
   special = false
@@ -126,7 +64,7 @@ resource "azurerm_windows_virtual_machine" "vm" {
   computer_name = var.prefix
   resource_group_name = azurerm_resource_group.rg.name
   location = azurerm_resource_group.rg.location
-  size = "Standard_NG8ads_V620_v1"
+  size = var.vm_size
   admin_username = var.vm_admin_username
   admin_password = random_password.admin_password.result
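Review bot: In the `-108,14` hunk the NIC gains `public_ip_address_id = azurerm_public_ip.pip.id` while the NSG association is deleted, so the Windows VM's inbound posture now rests entirely on the Standard-SKU "closed until an NSG allows it" default rather than on anything stated in the config. That is fragile: the first person who attaches a permissive NSG for debugging, or switches the IP to Basic SKU, exposes RDP 3389 and the Moonlight/Sunshine ports on a box whose admin password is a 16-character no-specials `random_password`. Re-adding an NSG with only Azure's default rules (AllowVnetInBound / DenyAllInBound) and its association makes deny-by-default explicit and auditable, and costs nothing; Moonlight and RDP are reached over Tailscale, which needs only outbound. If streaming latency suffers because Tailscale falls back to DERP relays, allow inbound UDP 41641 only, with a comment, rather than dropping the NSG.

```hcl
# Deny-by-default inbound: an NSG with only Azure's default rules keeps the
# VM closed to the Internet regardless of public IP SKU. Moonlight and RDP
# are reached over Tailscale, which needs outbound only. If direct
# connections are required (DERP fallback too slow), open UDP 41641 here.
resource "azurerm_network_security_group" "vm_nsg" {
  name                = "${var.prefix}-vm-nsg"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_network_interface_security_group_association" "vm_nsg_assoc" {
  network_interface_id      = azurerm_network_interface.vm_nic.id
  network_security_group_id = azurerm_network_security_group.vm_nsg.id
}
# … unchanged: vm_nic, random_password, azurerm_windows_virtual_machine …
```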
@@ -141,9 +79,23 @@ resource "azurerm_windows_virtual_machine" "vm" {
   }
 
   source_image_reference {
-    publisher = "MicrosoftWindowsServer"
-    offer = "WindowsServer"
-    sku = "2019-Datacenter"
+    publisher = "MicrosoftWindowsDesktop"
+    offer = "Windows-10"
+    sku = "win10-22h2-pro"
     version = "latest"
   }
 }
+
+resource "azurerm_virtual_machine_extension" "provision_software" {
+  name = "provision-software"
+  virtual_machine_id = azurerm_windows_virtual_machine.vm.id
+  publisher = "Microsoft.Compute"
+  type = "CustomScriptExtension"
+  type_handler_version = "1.10"
+
+  protected_settings = <