Repository URL: https://github.com/jaredrhine/oci-freedigs
Author: Jared Rhine [email protected]
Keywords: Terraform, Oracle Cloud Infrastructure, OCI, Tailscale, free, cloud computing, ARM
The code in this repository uses Terraform to build a small server cluster hosted by Oracle Cloud Infrastructure (OCI). The configuration is opinionated and tailored to the goals of Jared Rhine, the author. The cluster resources are designed to fit within OCI's free tier, and so use Oracle's ARM-based servers to unlock the attractive 24GB RAM allocation. The cluster connects to a Tailscale virtual network instance.
- Use OCI's free services efficiently
- Provide commercial-cloud grade network edge services including HTTP and ssh proxying, suitable for connection to private backend hosting
- Connect to Tailscale (Wireguard) automatically
- No-hands provisioning, low-hassle, and resilient to being deleted
- Encode knowledge about how to build a useful OCI-based network appliance, to minimize relearning later (Infrastructure as Code)
- Match the author's preferred configuration. Not intended to be generally reusable or highly configurable for multiple use cases.
Oracle provides generous (when compared to competitors' offerings) free networking services. In particular, their free RAM allocation of 24GB for ARM-based servers is attractive.
Oracle provides a free pricing tier supporting a single always-on arm64 server with 4x CPU, 24 GB RAM, 200 GB disk, and healthy bandwidth allotment. You can create up to four smaller servers that add up to these limits, which can include 2x "micro" sized (2 core, 1GB RAM) Intel servers and various other cloud services.
Running ARM servers adds some hassles and limitations depending on your hosting use case (particularly around running Intel-built Docker containers and workloads), but this repo provides a basic hosting pattern for those willing to admin such a cluster.
Standards:
- ARM (arm64/aarch64) for primary CPU architecture (amd64 free resources also created)
- Ubuntu 20.04 for OS
- Bash for shell
- Tailscale (Wireguard) for VPN. Tailscale DNS integration supported.
- `ufw` for firewall rules. TCP open on port 22 (all interfaces) for ssh inbound. UDP open on 41641 for tailscale. Provider network passes all traffic.
- Minimal language frameworks installed: go, java, lua, nodejs, perl, python2, python3, ruby, rust
- Extra packages installed: ag, autossh, awscli, aws-shell, bmon, buffer, build-essential, ctop, direnv, docker, dstat, emacs-nox, fakeroot, fswatch, fzf, git, hwinfo, iotop, jq, keychain, kubeadm, kubectl, mosh, netcat, nmap, p7zip, procps, psutils, pv, pwgen, rclone, runit, s3cmd, s3fuse, s4cmd, socat, sshfs, ssh-tools, swaks, tig, tmux, tree, tshark, unicorn, unattended-upgrades, uuid, zip, zsh. Libraries for bz, curl, readline, sqlite, openssl.
Terraform components:
- Compute instance (`oci_core_instance.freedigs_compute`)
  - Shape: CPU arch, core count, RAM size
  - Boot volume
    - Block device size
    - Initial image
  - Network interface (VNIC)
  - cloud-init `user_data`
  - User account
    - Username
    - SSH public key
- Network
  - VCN (`oci_core_vcn.freedigs_vcn_main`)
  - Subnet (`oci_core_subnet.freedigs_subnet_main`)
  - Gateway (`oci_core_internet_gateway.freedigs_gateway_main`)
  - Routes (`oci_core_default_route_table.freedigs_routes_main`)
  - Security groups (`oci_core_network_security_group.freedigs_security_group`)
  - Network rule (`oci_core_network_security_group_security_rule.freedigs_rules_ingress`)
This repo's Terraform code does not use the `oci` CLI tool or its configuration files. Instead, this procedure uses the OCI web interface to look up the needed config. This is done to minimize the number of external dependencies and the need for the user to interact more deeply with the OCI stack.
The following procedures assume you log into the OCI web console using an administrator account. Some steps will be different if you are an OCI regular user. You can also create a dedicated IAM user for use by Terraform.
- Set up accounts with hosted services
  - Oracle
    - Create Oracle account
    - Create Oracle Cloud account
    - Set up a payment method. If you don't, your first VM will be deleted after 30 days.
  - Tailscale
    - Create a Tailscale account
    - Set up Tailscale. Use it to connect your computer or phone or whatever. Further details are outside the scope of this document.
    - Create a Tailscale auth key from the Tailscale admin console. Use this when asked for `tailscale_auth_key` later.
- Install Terraform
  - Use your own Terraform procedures if you'd like. Otherwise:
    - Install and configure `asdf` for your shell.
    - Install the `terraform` `asdf` plugin: `asdf plugin-add terraform https://github.com/asdf-community/asdf-hashicorp.git`
    - Run `asdf` to install Terraform: `asdf install`
- Create an OCI signing key (docs)
  - You can use `openssl` or other CLI approaches to create a 2048 bit RSA key pair in PEM format. If you do that, modify these steps as needed.
  - Visit the OCI web console
  - Under the hamburger menu, "Identity & Security" --> "Identity" --> "Users". Click on the link for the federated account to reach the "User Details" page. In the lower left, switch to the "API Keys" section.
  - Click "Add API Key". Confirm the "Generate API Key Pair" option is selected.
  - Click "Download Private Key" and put the result into a local file (the `oci` CLI tool uses `~/.oci/ORACLESOMETHING.pem`). Remove public permissions using `chmod 600 ORACLESOMETHING.pem`.
  - Click "Add".
  - From the "Configuration File Preview", extract the "user", "tenancy", and "fingerprint" values. Optionally, place the entire contents into a `~/.oci/config` file.
  - Upload the public key to the OCI web console
- Create an OCI compartment to isolate resources
  - Visit the OCI web console
  - Under the upper-left-hand hamburger menu, "Identity & Security" --> "Identity" --> "Compartments".
  - Click "Create Compartment". Give it a name such as "oci-freedigs" and a description. Click the "Create Compartment" button.
  - Wait a few seconds, as the new compartment is not shown immediately.
  - Click into the new compartment.
  - Under the "OCID" field, select "show" or "copy".
- Put secrets into Terraform file
  - Copy the `secrets.auto.tfvars.example` file to `secrets.auto.tfvars`
  - Create `key = "value"` lines in `secrets.auto.tfvars` for each of the required configuration variables. Paste the correct value between the quotes.
    - `tenancy_ocid`
    - `user_ocid`
    - `compartment_ocid`
    - `signing_key_fingerprint`
    - `signing_key_private_path`
    - `compute_username`
    - `compute_ssh_public_key`
    - `tailscale_auth_key`
- Configure the cluster
  - Copy the `config.auto.tfvars.example` file to `config.auto.tfvars`.
  - Visit the OCI web console and look up your availability domain for your region.
  - Set the `availability_domain_map` variable to match your OCI-provided availability group.
  - Configure the `compute_hosts` variable. See the example. Include at least one entry. Give each entry a label. Set all of the `hostname`, `arch`, `cores`, `ram_gb`, and `disk_gb` parameters for each block.
- Run `terraform init -upgrade; terraform destroy; while ! terraform apply -auto-approve; do echo again; done`
  - ...or any Terraform plan management and rollout scheme you prefer
  - You may very well have to apply multiple times to successfully create all resources. Oracle can return an "Out of host capacity" error.
- Copy the IP address shown at the end of the Terraform run and ssh to it: `ssh [email protected]`
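As an added sanity check that is not part of the repository, the following Python script tests a planned `compute_hosts` layout against the free-tier figures quoted above (4 cores / 24 GB RAM / 200 GB disk for arm64, at most four hosts, at most two 1 GB amd64 micro hosts) before `terraform apply` commits you to billable resources; the dict shape mirroring `config.auto.tfvars`, the sample hostnames and the micro-host disk size are assumptions.

```python
"""Check a planned oci-freedigs compute_hosts layout against the OCI free-tier
limits quoted in the README. Added illustration, not repository code; the dict
shape (label -> hostname/arch/cores/ram_gb/disk_gb) is assumed to mirror the
compute_hosts variable in config.auto.tfvars."""

# Free-tier figures from the README: one arm64 allotment of 4 cores / 24 GB
# RAM / 200 GB disk, splittable across up to four servers in total, of which
# up to two may be "micro" Intel (amd64) servers with 1 GB RAM each.
ARM_LIMITS = {"cores": 4, "ram_gb": 24, "disk_gb": 200}
MAX_HOSTS = 4
MAX_AMD64_HOSTS = 2
AMD64_RAM_GB = 1
REQUIRED = ("hostname", "arch", "cores", "ram_gb", "disk_gb")


def check_free_tier(compute_hosts):
    """Return a list of violations; an empty list means the layout fits."""
    problems = []
    if len(compute_hosts) > MAX_HOSTS:
        problems.append(f"{len(compute_hosts)} hosts exceeds the {MAX_HOSTS}-host free tier")
    arm_totals = dict.fromkeys(ARM_LIMITS, 0)
    amd64_count = 0
    for label, host in compute_hosts.items():
        missing = [k for k in REQUIRED if k not in host]
        if missing:  # every block must set all five parameters
            problems.append(f"{label}: missing {', '.join(missing)}")
            continue
        if host["arch"] == "arm64":
            for k in ARM_LIMITS:  # arm64 hosts share one pooled allotment
                arm_totals[k] += host[k]
        elif host["arch"] == "amd64":
            amd64_count += 1
            if host["ram_gb"] > AMD64_RAM_GB:
                problems.append(f"{label}: amd64 micro hosts get at most {AMD64_RAM_GB} GB RAM")
        else:
            problems.append(f"{label}: unknown arch {host['arch']!r}, expected arm64 or amd64")
    for k, limit in ARM_LIMITS.items():
        if arm_totals[k] > limit:
            problems.append(f"arm64 {k} total {arm_totals[k]} exceeds free-tier limit {limit}")
    if amd64_count > MAX_AMD64_HOSTS:
        problems.append(f"{amd64_count} amd64 hosts exceeds the {MAX_AMD64_HOSTS} free micro instances")
    return problems


# Constructed sample layout: the whole ARM allotment as one box plus one micro Intel box.
SAMPLE_HOSTS = {
    "main": {"hostname": "digs1", "arch": "arm64", "cores": 4, "ram_gb": 24, "disk_gb": 200},
    "micro": {"hostname": "digs2", "arch": "amd64", "cores": 2, "ram_gb": 1, "disk_gb": 50},
}

if __name__ == "__main__":
    for line in check_free_tier(SAMPLE_HOSTS) or ["layout fits the free tier"]:
        print(line)
```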
- OCI free Terraform projects
- OCI documentation
- Terraform
- Tailscale
- Kubernetes
- Document use of URL-based configuration
- Support multiple ssh keys
- OCI budget monitoring
- HTTP/S edge server, Letsencrypt for Caddy
- Persistent block volumes would be great
- Add hostname override for tailscaled setup
- OCI NAT setup