michael/IaC
1
0
Fork 0
Code Packages

split resources into multiple tf files

Browse Source
This commit is contained in:
michael 2024-04-17 02:56:53 +12:00
parent c2f7590b44
commit b8c2dae1fa
4 changed files with 214 additions and 217 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

100
terraform/hetzner/firewall.tf Normal file
View File

@ -0,0 +1,100 @@
resource "hcloud_firewall" "opnsense" {
name = "opnsense"
# HTTP
rule {
direction = "in"
protocol = "tcp"
port = "80"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
# HTTPS
rule {
direction = "in"
protocol = "tcp"
port = "443"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
# Wireguard
rule {
direction = "in"
protocol = "udp"
port = "51820"
source_ips = [
"0.0.0.0/0"
]
}
# DNS UDP
rule {
direction = "in"
protocol = "udp"
port = "53"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
# DNS TCP
rule {
direction = "in"
protocol = "tcp"
port = "53"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
# SMTP
rule {
direction = "in"
protocol = "tcp"
port = "25"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
# SMTPS
rule {
direction = "in"
protocol = "tcp"
port = "465"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
# IMAPS
rule {
direction = "in"
protocol = "tcp"
port = "993"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
# Matrix Federation
rule {
direction = "in"
protocol = "tcp"
port = "8448"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
# ICMP IPv6
rule {
direction = "in"
protocol = "icmp"
source_ips = [
"::/0"
]
}
}

217
terraform/hetzner/main.tf
View File

@ -28,225 +28,8 @@ provider "hcloud" {
token = data.vault_kv_secret.hcloud.data.token token = data.vault_kv_secret.hcloud.data.token
} }
resource "hcloud_network" "us_east" {
name = "us-east"
ip_range = "10.128.0.0/10"
}
resource "hcloud_network_subnet" "lan" {
network_id = hcloud_network.us_east.id
type = "cloud"
network_zone = "us-east"
ip_range = "10.128.1.0/24"
}
resource "hcloud_network_subnet" "sync" {
network_id = hcloud_network.us_east.id
type = "cloud"
network_zone = "us-east"
ip_range = "10.128.2.0/24"
}
resource "hcloud_network_subnet" "cluster" {
network_id = hcloud_network.us_east.id
type = "cloud"
network_zone = "us-east"
ip_range = "10.128.3.0/24"
}
resource "hcloud_ssh_key" "default" { resource "hcloud_ssh_key" "default" {
name = "default" name = "default"
public_key = data.vault_kv_secret.hcloud.data.ssh_public_key public_key = data.vault_kv_secret.hcloud.data.ssh_public_key
} }
resource "hcloud_placement_group" "firewalls" {
name = "firewalls"
type = "spread"
}
resource "hcloud_placement_group" "nodes" {
name = "nodes"
type = "spread"
}
resource "hcloud_primary_ip" "opnsense_a_v4" {
name = "opnsense-a-v4"
type = "ipv4"
datacenter = "ash-dc1"
auto_delete = false
delete_protection = true
assignee_type = "server"
}
resource "hcloud_primary_ip" "opnsense_b_v4" {
name = "opnsense-b-v4"
type = "ipv4"
datacenter = "ash-dc1"
auto_delete = false
delete_protection = true
assignee_type = "server"
}
resource "hcloud_primary_ip" "opnsense_a_v6" {
name = "opnsense-a-v6"
type = "ipv6"
datacenter = "ash-dc1"
auto_delete = false
delete_protection = true
assignee_type = "server"
}
resource "hcloud_primary_ip" "opnsense_b_v6" {
name = "opnsense-b-v6"
type = "ipv6"
datacenter = "ash-dc1"
auto_delete = false
delete_protection = true
assignee_type = "server"
}
resource "hcloud_floating_ip" "opnsense_float_v4" {
name = "opnsense-float-v4"
type = "ipv4"
home_location = "ash"
delete_protection = true
}
resource "hcloud_floating_ip" "opnsense_float_v6" {
name = "opnsense-float-v6"
type = "ipv6"
home_location = "ash"
delete_protection = true
}
resource "hcloud_firewall" "opnsense" {
name = "opnsense"
# HTTP
rule {
direction = "in"
protocol = "tcp"
port = "80"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
# HTTPS
rule {
direction = "in"
protocol = "tcp"
port = "443"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
# Wireguard
rule {
direction = "in"
protocol = "udp"
port = "51820"
source_ips = [
"0.0.0.0/0"
]
}
# DNS UDP
rule {
direction = "in"
protocol = "udp"
port = "53"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
# DNS TCP
rule {
direction = "in"
protocol = "tcp"
port = "53"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
# SMTP
rule {
direction = "in"
protocol = "tcp"
port = "25"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
# SMTPS
rule {
direction = "in"
protocol = "tcp"
port = "465"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
# IMAPS
rule {
direction = "in"
protocol = "tcp"
port = "993"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
# Matrix Federation
rule {
direction = "in"
protocol = "tcp"
port = "8448"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
# ICMP IPv6
rule {
direction = "in"
protocol = "icmp"
source_ips = [
"::/0"
]
}
}
# resource "hcloud_server" "opnsense_b" {
# name = "opnsense-b"
# server_type = "cpx11"
# image = "ubuntu-22.04"
# location = "ash"
# datacenter = "ash-dc1"
# keep_disk = true
# backups = false
# ssh_keys = [
# hcloud_ssh_key.default.id
# ]
# public_net {
# ipv4_enabled = true
# ipv4 = hcloud_primary_ip.opnsense_b_v4.id
# ipv6_enabled = true
# ipv6 = hcloud_primary_ip.opnsense_b_v6.id
# }
# network {
# network_id = hcloud_network_subnet.lan.id
# ip = "10.128.1.240"
# }
# network {
# network_id = hcloud_network_subnet.sync.id
# ip = "10.128.2.20"
# }
# delete_protection = true
# rebuild_protection = true
# placement_group_id = hcloud_placement_group.firewalls.id
# }

75
terraform/hetzner/network.tf Normal file
View File

@ -0,0 +1,75 @@
resource "hcloud_network" "us_east" {
name = "us-east"
ip_range = "10.128.0.0/10"
}
resource "hcloud_network_subnet" "lan" {
network_id = hcloud_network.us_east.id
type = "cloud"
network_zone = "us-east"
ip_range = "10.128.1.0/24"
}
resource "hcloud_network_subnet" "sync" {
network_id = hcloud_network.us_east.id
type = "cloud"
network_zone = "us-east"
ip_range = "10.128.2.0/24"
}
resource "hcloud_network_subnet" "cluster" {
network_id = hcloud_network.us_east.id
type = "cloud"
network_zone = "us-east"
ip_range = "10.128.3.0/24"
}
resource "hcloud_primary_ip" "opnsense_a_v4" {
name = "opnsense-a-v4"
type = "ipv4"
datacenter = "ash-dc1"
auto_delete = false
delete_protection = true
assignee_type = "server"
}
resource "hcloud_primary_ip" "opnsense_b_v4" {
name = "opnsense-b-v4"
type = "ipv4"
datacenter = "ash-dc1"
auto_delete = false
delete_protection = true
assignee_type = "server"
}
resource "hcloud_primary_ip" "opnsense_a_v6" {
name = "opnsense-a-v6"
type = "ipv6"
datacenter = "ash-dc1"
auto_delete = false
delete_protection = true
assignee_type = "server"
}
resource "hcloud_primary_ip" "opnsense_b_v6" {
name = "opnsense-b-v6"
type = "ipv6"
datacenter = "ash-dc1"
auto_delete = false
delete_protection = true
assignee_type = "server"
}
resource "hcloud_floating_ip" "opnsense_float_v4" {
name = "opnsense-float-v4"
type = "ipv4"
home_location = "ash"
delete_protection = true
}
resource "hcloud_floating_ip" "opnsense_float_v6" {
name = "opnsense-float-v6"
type = "ipv6"
home_location = "ash"
delete_protection = true
}

39
terraform/hetzner/servers.tf Normal file
View File

@ -0,0 +1,39 @@
resource "hcloud_placement_group" "firewalls" {
name = "firewalls"
type = "spread"
}
resource "hcloud_placement_group" "nodes" {
name = "nodes"
type = "spread"
}
# resource "hcloud_server" "opnsense_b" {
# name = "opnsense-b"
# server_type = "cpx11"
# image = "ubuntu-22.04"
# location = "ash"
# datacenter = "ash-dc1"
# keep_disk = true
# backups = false
# ssh_keys = [
# hcloud_ssh_key.default.id
# ]
# public_net {
# ipv4_enabled = true
# ipv4 = hcloud_primary_ip.opnsense_b_v4.id
# ipv6_enabled = true
# ipv6 = hcloud_primary_ip.opnsense_b_v6.id
# }
# network {
# network_id = hcloud_network_subnet.lan.id
# ip = "10.128.1.240"
# }
# network {
# network_id = hcloud_network_subnet.sync.id
# ip = "10.128.2.20"
# }
# delete_protection = true
# rebuild_protection = true
# placement_group_id = hcloud_placement_group.firewalls.id
# }