Add hetzner terraform project

.gitignore

@@ -1,3 +1,28 @@
+# Local .terraform directories
+**/.terraform/*
+**/.terraform
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Terraform lock file
+**/.terraform.lock.hcl
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
 **/vault_password
 **/vault.yaml
 **/*secrets.yaml

terraform/hetzner/main.tf

@@ -0,0 +1,252 @@
+terraform {
+  required_version = ">= 1.8.0"
+  required_providers {
+    vault = {
+      source = "hashicorp/vault"
+      version = ">= 4.2.0"
+    }
+    hcloud = {
+      source = "hetznercloud/hcloud"
+      version = ">= 1.45"
+    }
+  }
+  backend "local" {
+    path = "/home/michael/Nextcloud/Backups/tfstate/hetzner.tfstate"
+  }
+}
+
+provider "vault" {
+  # Export the vault token to the environment variable VAULT_TOKEN
+  address = "https://vault.balsillie.house"
+}
+
+data "vault_kv_secret" "hcloud" {
+  path = "kv/hcloud"
+}
+
+provider "hcloud" {
+  token = data.vault_kv_secret.hcloud.data.token
+}
+
+resource "hcloud_network" "us_east" {
+  name     = "us-east"
+  ip_range = "10.128.0.0/10"
+}
+
+resource "hcloud_network_subnet" "lan" {
+  network_id   = hcloud_network.us_east.id
+  type         = "cloud"
+  network_zone = "us-east"
+  ip_range     = "10.128.1.0/24"
+}
+
+resource "hcloud_network_subnet" "sync" {
+  network_id   = hcloud_network.us_east.id
+  type         = "cloud"
+  network_zone = "us-east"
+  ip_range     = "10.128.2.0/24"
+}
+
+resource "hcloud_network_subnet" "cluster" {
+  network_id   = hcloud_network.us_east.id
+  type         = "cloud"
+  network_zone = "us-east"
+  ip_range     = "10.128.3.0/24"
+}
+
+resource "hcloud_ssh_key" "default" {
+  name       = "default"
+  public_key = data.vault_kv_secret.hcloud.data.ssh_public_key
+
+}
+
+resource "hcloud_placement_group" "firewalls" {
+  name = "firewalls"
+  type = "spread"
+}
+
+resource "hcloud_placement_group" "nodes" {
+  name = "nodes"
+  type = "spread"
+}
+
+resource "hcloud_primary_ip" "opnsense_a_v4" {
+  name = "opnsense-a-v4"
+  type = "ipv4"
+  datacenter = "ash-dc1"
+  auto_delete = false
+  delete_protection = true
+  assignee_type = "server"
+}
+
+resource "hcloud_primary_ip" "opnsense_b_v4" {
+  name = "opnsense-b-v4"
+  type = "ipv4"
+  datacenter = "ash-dc1"
+  auto_delete = false
+  delete_protection = true
+  assignee_type = "server"
+}
+
+resource "hcloud_primary_ip" "opnsense_a_v6" {
+  name = "opnsense-a-v6"
+  type = "ipv6"
+  datacenter = "ash-dc1"
+  auto_delete = false
+  delete_protection = true
+  assignee_type = "server"
+}
+
+resource "hcloud_primary_ip" "opnsense_b_v6" {
+  name = "opnsense-b-v6"
+  type = "ipv6"
+  datacenter = "ash-dc1"
+  auto_delete = false
+  delete_protection = true
+  assignee_type = "server"
+}
+
+resource "hcloud_floating_ip" "opnsense_float_v4" {
+  name = "opnsense-float-v4"
+  type = "ipv4"
+  home_location = "ash"
+  delete_protection = true
+}
+
+resource "hcloud_floating_ip" "opnsense_float_v6" {
+  name = "opnsense-float-v6"
+  type = "ipv6"
+  home_location = "ash"
+  delete_protection = true
+}
+
+resource "hcloud_firewall" "opnsense" {
+  name = "opnsense"
+  # HTTP
+  rule {
+    direction = "in"
+    protocol  = "tcp"
+    port      = "80"
+    source_ips = [
+      "0.0.0.0/0",
+      "::/0"
+    ]
+  }
+  # HTTPS
+  rule {
+    direction = "in"
+    protocol  = "tcp"
+    port      = "443"
+    source_ips = [
+      "0.0.0.0/0",
+      "::/0"
+    ]
+  }
+  # Wireguard
+  rule {
+    direction = "in"
+    protocol  = "udp"
+    port      = "51820"
+    source_ips = [
+      "0.0.0.0/0"
+    ]
+  }
+  # DNS UDP
+  rule {
+    direction = "in"
+    protocol  = "udp"
+    port      = "53"
+    source_ips = [
+      "0.0.0.0/0",
+      "::/0"
+    ]
+  }
+  # DNS TCP
+  rule {
+    direction = "in"
+    protocol  = "tcp"
+    port      = "53"
+    source_ips = [
+      "0.0.0.0/0",
+      "::/0"
+    ]
+  }
+  # SMTP
+  rule {
+    direction = "in"
+    protocol  = "tcp"
+    port      = "25"
+    source_ips = [
+      "0.0.0.0/0",
+      "::/0"
+    ]
+  }
+  # SMTPS
+  rule {
+    direction = "in"
+    protocol  = "tcp"
+    port      = "465"
+    source_ips = [
+      "0.0.0.0/0",
+      "::/0"
+    ]
+  }
+  # IMAPS
+  rule {
+    direction = "in"
+    protocol  = "tcp"
+    port      = "993"
+    source_ips = [
+      "0.0.0.0/0",
+      "::/0"
+    ]
+  }  
+  # Matrix Federation
+  rule {
+    direction = "in"
+    protocol  = "tcp"
+    port      = "8448"
+    source_ips = [
+      "0.0.0.0/0",
+      "::/0"
+    ]
+  }  
+  # ICMP IPv6
+  rule {
+    direction = "in"
+    protocol  = "icmp"
+    source_ips = [
+      "::/0"
+    ]
+  }   
+}
+
+# resource "hcloud_server" "opnsense_b" {
+#   name        = "opnsense-b"
+#   server_type = "cpx11"
+#   image       = "ubuntu-22.04"
+#   location    = "ash"
+#   datacenter  = "ash-dc1"
+#   keep_disk   = true
+#   backups     = false
+#   ssh_keys    = [
+#     hcloud_ssh_key.default.id
+#   ]
+#   public_net {
+#     ipv4_enabled = true
+#     ipv4 = hcloud_primary_ip.opnsense_b_v4.id
+#     ipv6_enabled = true
+#     ipv6 = hcloud_primary_ip.opnsense_b_v6.id
+#   }
+#   network {
+#     network_id = hcloud_network_subnet.lan.id
+#     ip = "10.128.1.240"
+#   }
+#   network {
+#     network_id = hcloud_network_subnet.sync.id
+#     ip = "10.128.2.20"
+#   }
+#   delete_protection   = true
+#   rebuild_protection  = true
+#   placement_group_id  = hcloud_placement_group.firewalls.id
+# }

terraform/hetzner/variables.tf

@@ -0,0 +1,2 @@
+
+