Use Tailscale and Moonlight to enable remote gaming
This commit is contained in:
@@ -0,0 +1 @@
|
|||||||
|
export TF_VAR_tailscale_authkey=tskey-auth-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
||||||
@@ -4,3 +4,4 @@ certificates/
|
|||||||
*.tfstate
|
*.tfstate
|
||||||
*.tfstate.backup
|
*.tfstate.backup
|
||||||
.DS_Store
|
.DS_Store
|
||||||
|
.env
|
||||||
|
|||||||
@@ -0,0 +1,14 @@
|
|||||||
|
# Remote Gaming using Azure and Moonlight
|
||||||
|
|
||||||
|
This terraform template sets up the infrastructur to enable remote gaming / streaming using Moonlight and Azure VM.
|
||||||
|
|
||||||
|
# TODO
|
||||||
|
|
||||||
|
- [ ] Remove Tailscale plaintext auth-key from provisioning scripts and registry run entry
|
||||||
|
- [ ] Replace Tailscale by native VPN
|
||||||
|
- [ ] Check if public IP is even needed
|
||||||
|
- [ ] Persist moonlight configuration between deployments
|
||||||
|
- [ ] Install Steam
|
||||||
|
- [ ] Integrate budget watcher into terraform config
|
||||||
|
- [ ] Is there a quicker way to download the installers? Invoke-WebRequest is insanely slow
|
||||||
|
- [ ] Skip Windows OOTB tracking bullshit
|
||||||
@@ -26,53 +26,14 @@ resource "azurerm_virtual_network" "vnet" {
|
|||||||
address_space = var.vnet_address_space
|
address_space = var.vnet_address_space
|
||||||
}
|
}
|
||||||
|
|
||||||
# IMPORTANT: GatewaySubnet must be named "GatewaySubnet"
|
resource "azurerm_public_ip" "pip" {
|
||||||
resource "azurerm_subnet" "gateway_subnet" {
|
name = "${var.prefix}-pip"
|
||||||
name = "GatewaySubnet"
|
|
||||||
resource_group_name = azurerm_resource_group.rg.name
|
|
||||||
virtual_network_name = azurerm_virtual_network.vnet.name
|
|
||||||
address_prefixes = var.gateway_subnet_address_prefixes
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "azurerm_public_ip" "vpn_gateway_pip" {
|
|
||||||
name = "${var.prefix}-vpn-gw-pip"
|
|
||||||
resource_group_name = azurerm_resource_group.rg.name
|
resource_group_name = azurerm_resource_group.rg.name
|
||||||
location = azurerm_resource_group.rg.location
|
location = azurerm_resource_group.rg.location
|
||||||
allocation_method = "Static"
|
allocation_method = "Static"
|
||||||
sku = "Standard"
|
sku = "Standard"
|
||||||
}
|
}
|
||||||
|
|
||||||
data "local_sensitive_file" "root_certificate" {
|
|
||||||
filename = "${path.module}/certificates/vpn-root.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "azurerm_virtual_network_gateway" "vpn_gw" {
|
|
||||||
name = "${var.prefix}-vpngw"
|
|
||||||
location = azurerm_resource_group.rg.location
|
|
||||||
resource_group_name = azurerm_resource_group.rg.name
|
|
||||||
|
|
||||||
type = "Vpn"
|
|
||||||
vpn_type = "RouteBased"
|
|
||||||
|
|
||||||
sku = var.vpn_gateway_sku
|
|
||||||
|
|
||||||
ip_configuration {
|
|
||||||
name = "vpngw-ipcfg"
|
|
||||||
public_ip_address_id = azurerm_public_ip.vpn_gateway_pip.id
|
|
||||||
subnet_id = azurerm_subnet.gateway_subnet.id
|
|
||||||
}
|
|
||||||
|
|
||||||
# Point-to-site configuration using certificate auth
|
|
||||||
vpn_client_configuration {
|
|
||||||
address_space = var.vpn_client_address_space
|
|
||||||
|
|
||||||
root_certificate {
|
|
||||||
name = var.root_certificate_name
|
|
||||||
public_cert_data = data.local_sensitive_file.root_certificate.content
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "azurerm_subnet" "workload_subnet" {
|
resource "azurerm_subnet" "workload_subnet" {
|
||||||
name = "${var.prefix}-workload-subnet"
|
name = "${var.prefix}-workload-subnet"
|
||||||
resource_group_name = azurerm_resource_group.rg.name
|
resource_group_name = azurerm_resource_group.rg.name
|
||||||
@@ -80,25 +41,6 @@ resource "azurerm_subnet" "workload_subnet" {
|
|||||||
address_prefixes = var.workload_subnet_address_prefixes
|
address_prefixes = var.workload_subnet_address_prefixes
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "azurerm_network_security_group" "vm_nsg" {
|
|
||||||
name = "${var.prefix}-vm-nsg"
|
|
||||||
location = azurerm_resource_group.rg.location
|
|
||||||
resource_group_name = azurerm_resource_group.rg.name
|
|
||||||
|
|
||||||
# Allow RDP from VPN client address pool
|
|
||||||
security_rule {
|
|
||||||
name = "Allow-RDP-From-VPN"
|
|
||||||
priority = 100
|
|
||||||
direction = "Inbound"
|
|
||||||
access = "Allow"
|
|
||||||
protocol = "Tcp"
|
|
||||||
source_port_range = "*"
|
|
||||||
destination_port_range = "3389"
|
|
||||||
source_address_prefixes = var.vpn_client_address_space
|
|
||||||
destination_address_prefix = "*"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "azurerm_network_interface" "vm_nic" {
|
resource "azurerm_network_interface" "vm_nic" {
|
||||||
name = "${var.prefix}-vm-nic"
|
name = "${var.prefix}-vm-nic"
|
||||||
location = azurerm_resource_group.rg.location
|
location = azurerm_resource_group.rg.location
|
||||||
@@ -108,14 +50,10 @@ resource "azurerm_network_interface" "vm_nic" {
|
|||||||
name = "internal"
|
name = "internal"
|
||||||
subnet_id = azurerm_subnet.workload_subnet.id
|
subnet_id = azurerm_subnet.workload_subnet.id
|
||||||
private_ip_address_allocation = "Dynamic"
|
private_ip_address_allocation = "Dynamic"
|
||||||
|
public_ip_address_id = azurerm_public_ip.pip.id
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "azurerm_network_interface_security_group_association" "vm_nsg_assoc" {
|
|
||||||
network_interface_id = azurerm_network_interface.vm_nic.id
|
|
||||||
network_security_group_id = azurerm_network_security_group.vm_nsg.id
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "random_password" "admin_password" {
|
resource "random_password" "admin_password" {
|
||||||
length = 16
|
length = 16
|
||||||
special = false
|
special = false
|
||||||
@@ -126,7 +64,7 @@ resource "azurerm_windows_virtual_machine" "vm" {
|
|||||||
computer_name = var.prefix
|
computer_name = var.prefix
|
||||||
resource_group_name = azurerm_resource_group.rg.name
|
resource_group_name = azurerm_resource_group.rg.name
|
||||||
location = azurerm_resource_group.rg.location
|
location = azurerm_resource_group.rg.location
|
||||||
size = "Standard_NG8ads_V620_v1"
|
size = var.vm_size
|
||||||
|
|
||||||
admin_username = var.vm_admin_username
|
admin_username = var.vm_admin_username
|
||||||
admin_password = random_password.admin_password.result
|
admin_password = random_password.admin_password.result
|
||||||
@@ -141,9 +79,23 @@ resource "azurerm_windows_virtual_machine" "vm" {
|
|||||||
}
|
}
|
||||||
|
|
||||||
source_image_reference {
|
source_image_reference {
|
||||||
publisher = "MicrosoftWindowsServer"
|
publisher = "MicrosoftWindowsDesktop"
|
||||||
offer = "WindowsServer"
|
offer = "Windows-10"
|
||||||
sku = "2019-Datacenter"
|
sku = "win10-22h2-pro"
|
||||||
version = "latest"
|
version = "latest"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "azurerm_virtual_machine_extension" "provision_software" {
|
||||||
|
name = "provision-software"
|
||||||
|
virtual_machine_id = azurerm_windows_virtual_machine.vm.id
|
||||||
|
publisher = "Microsoft.Compute"
|
||||||
|
type = "CustomScriptExtension"
|
||||||
|
type_handler_version = "1.10"
|
||||||
|
|
||||||
|
protected_settings = <<SETTINGS
|
||||||
|
{
|
||||||
|
"commandToExecute": "powershell -command \"[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('${base64encode(templatefile("${path.module}/scripts/provision-software.ps1.tpl", {tailscale_authkey = var.tailscale_authkey}))}')) | Out-File -filepath provision-software.ps1\" && powershell -ExecutionPolicy Unrestricted -File provision-software.ps1"
|
||||||
|
}
|
||||||
|
SETTINGS
|
||||||
|
}
|
||||||
@@ -0,0 +1,77 @@
|
|||||||
|
$TailscaleUri = 'https://pkgs.tailscale.com/stable/tailscale-setup-1.88.3-amd64.msi'
|
||||||
|
$TailscaleMsi = 'tailscale.msi'
|
||||||
|
$TailscaleInstalledExe = 'C:\Program Files\Tailscale\tailscale.exe'
|
||||||
|
$TailscaleInstallLog = 'tailscale-install.log'
|
||||||
|
# FIXME(jona): Tailscale auth-key should not be stored in plain text!
|
||||||
|
$TailscaleAuthKey = '${tailscale_authkey}'
|
||||||
|
|
||||||
|
$AmdDriverUri = 'https://download.microsoft.com/download/44ee0d6c-74dd-4214-b6d5-24fbf2eac33b/whql-amd-software-cloud-edition-25.1.1-win10-win11-azure-ngads-v620.exe'
|
||||||
|
$AmdDriverExe = 'amd-gpu-driver.exe'
|
||||||
|
$AmdDriverInstallLog = "$PWD\amd-gpu-driver-install.log"
|
||||||
|
|
||||||
|
$SunshineInstallerUri = 'https://github.com/LizardByte/Sunshine/releases/latest/download/Sunshine-Windows-AMD64-installer.exe'
|
||||||
|
$SunshineInstallerExe = 'sunshine-installer.exe'
|
||||||
|
|
||||||
|
$SteamInstallerUri = 'https://cdn.fastly.steamstatic.com/client/installer/SteamSetup.exe'
|
||||||
|
$SteamInstallerExe = 'steam-installer.exe'
|
||||||
|
|
||||||
|
Write-Host "Provisioning software"
|
||||||
|
|
||||||
|
##
|
||||||
|
# Tailscale
|
||||||
|
Write-Host 'Setting up tailscale'
|
||||||
|
|
||||||
|
Write-Host "Downloading Tailscale MSI from $TailscaleUri to $TailscaleMsi"
|
||||||
|
Invoke-WebRequest -UseBasicParsing -Uri $TailscaleUri -OutFile $TailscaleMsi
|
||||||
|
|
||||||
|
Write-Host "Installing Tailscale from MSI to $TailscaleInstalledExe, see log at $TailscaleInstallLog"
|
||||||
|
Start-Process msiexec.exe -ArgumentList '/i', $TailscaleMsi, '/qn', '/l*v', $TailscaleInstallLog -Wait -NoNewWindow -PassThru
|
||||||
|
|
||||||
|
Write-Host 'Joining host to tailscale network'
|
||||||
|
Start-Process $TailscaleInstalledExe -ArgumentList 'up', '--authkey', $TailscaleAuthKey, '--accept-dns=false', '--accept-routes', '--unattended' -NoNewWindow -PassThru -Wait
|
||||||
|
|
||||||
|
# FIXME(jona): Tailscale auth key should not be stored in registry in plain text
|
||||||
|
Write-Host 'Creating login script to authenticate to tailscale'
|
||||||
|
$TailscaleLoginCmd = ('"{0}" login --auth-key "{1}"' -f $TailscaleInstalledExe, $TailscaleAuthKey)
|
||||||
|
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" `
|
||||||
|
-Name "TailscaleLogin" `
|
||||||
|
-Value "cmd /c $TailscaleLoginCmd" `
|
||||||
|
-PropertyType String -Force
|
||||||
|
|
||||||
|
Write-Host 'Done setting up tailscale'
|
||||||
|
|
||||||
|
##
|
||||||
|
# AMD GPU driver
|
||||||
|
Write-Host 'Installing AMD GPU driver'
|
||||||
|
|
||||||
|
Write-Host "Downloading AMD GPU driver installer from $AndDriverUri to $AmdDriverExe"
|
||||||
|
Invoke-WebRequest -UseBasicParsing -Uri $AmdDriverUri -OutFile $AmdDriverExe
|
||||||
|
|
||||||
|
Write-Host "Installing AMD GPU driver from, see log at $AmdDriverInstallLog"
|
||||||
|
Start-Process $AmdDriverExe -ArgumentList '-install', '-log', $AmdDriverInstallLog -Wait -NoNewWindow -PassThru
|
||||||
|
|
||||||
|
Write-Host 'Done installing AMD GPU driver'
|
||||||
|
|
||||||
|
##
|
||||||
|
# Sunshine
|
||||||
|
Write-Host "Installing Sunshine"
|
||||||
|
Write-Host "Downloading sunshine installer from $SunshineInstallerUri to $SunshineInstallerExe"
|
||||||
|
Invoke-WebRequest -UseBasicParsing -Uri $SunshineInstallerUri -OutFile $SunshineInstallerExe
|
||||||
|
|
||||||
|
Write-Host "Installing Sunshine from $SunshineInstallerExe"
|
||||||
|
Start-Process $SunshineInstallerExe -ArgumentList '/S' -Wait -NoNewWindow -PassThru
|
||||||
|
|
||||||
|
Write-Host 'Done installing Sunshine, configure at https://localhost:47990/'
|
||||||
|
|
||||||
|
##
|
||||||
|
# Steam
|
||||||
|
Write-Host "Installing Steam"
|
||||||
|
Write-Host "Downloading Steam installer from $SteamInstallerUri to $SteamInstallerExe"
|
||||||
|
Invoke-WebRequest -UseBasicParsing -Uri $SteamInstallerUri -OutFile $SteamInstallerExe
|
||||||
|
|
||||||
|
Write-Host "Installing Steam from $SteamInstallerExe"
|
||||||
|
Start-Process $SteamInstallerExe -ArgumentList '/S' -Wait -NoNewWindow -PassThru
|
||||||
|
|
||||||
|
Write-Host 'Done installing Steam'
|
||||||
|
|
||||||
|
Write-Host 'Done provisioning software'
|
||||||
+14
-1
@@ -4,6 +4,7 @@ variable "subscription_id" {
|
|||||||
default = "90aed1cc-9b7f-4d3d-b2b9-b3654b49835e"
|
default = "90aed1cc-9b7f-4d3d-b2b9-b3654b49835e"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# The prefix must not be changed, sice the budget watcher deletes the resource group wa5p-gaming-rg when budget is exceeded
|
||||||
variable "prefix" {
|
variable "prefix" {
|
||||||
description = "Prefix for gaming related ressources"
|
description = "Prefix for gaming related ressources"
|
||||||
type = string
|
type = string
|
||||||
@@ -11,7 +12,7 @@ variable "prefix" {
|
|||||||
}
|
}
|
||||||
|
|
||||||
variable "location" {
|
variable "location" {
|
||||||
description = "Locatino for gaming related ressources, should be as close as possible for low latency"
|
description = "Location for gaming related ressources, should be as close as possible for low latency"
|
||||||
type = string
|
type = string
|
||||||
default = "westeurope"
|
default = "westeurope"
|
||||||
}
|
}
|
||||||
@@ -52,8 +53,20 @@ variable "workload_subnet_address_prefixes" {
|
|||||||
default = ["10.0.1.128/25"]
|
default = ["10.0.1.128/25"]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "vm_size" {
|
||||||
|
description = "SKU of the vm to be deployed, should be a GPU optimized vm"
|
||||||
|
type = string
|
||||||
|
default = "Standard_NG16ads_V620_v1"
|
||||||
|
}
|
||||||
|
|
||||||
variable "vm_admin_username" {
|
variable "vm_admin_username" {
|
||||||
description = "VM admin username, password will be generated randomly"
|
description = "VM admin username, password will be generated randomly"
|
||||||
type = string
|
type = string
|
||||||
default = "jona"
|
default = "jona"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "tailscale_authkey" {
|
||||||
|
description = "Tailscale auth key for unattended login"
|
||||||
|
type = string
|
||||||
|
sensitive = true
|
||||||
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user