diff --git a/.gitignore b/.gitignore
index 53cc264..2e1bf13 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,28 @@
+# Local .terraform directories
+**/.terraform/*
+**/.terraform
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Terraform lock file
+**/.terraform.lock.hcl
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
 **/vault_password
 **/vault.yaml
 **/*secrets.yaml
diff --git a/ansible/playbooks/hetzner/hetzner_k8s.yaml b/ansible/playbooks/hetzner/hetzner_k8s.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/terraform/hetzner/main.tf b/terraform/hetzner/main.tf
new file mode 100644
index 0000000..fb6418f
--- /dev/null
+++ b/terraform/hetzner/main.tf
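Review bot: Ignoring `**/.terraform.lock.hcl` keeps the provider dependency lock out of version control, so the checksums that pin `hashicorp/vault` and `hetznercloud/hcloud` are regenerated on every fresh `terraform init` instead of being verified against a committed set; HashiCorp's guidance is to commit this file. Together with the open-ended `>= 4.2.0` and `>= 1.45` constraints in the new main.tf, each machine running this configuration can resolve a different provider build with nothing checking it. Drop the `# Terraform lock file` comment and the `**/.terraform.lock.hcl` line and commit the lock file; the `.tfstate`, `.terraformrc` and crash-log patterns are fine as they are.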
@@ -0,0 +1,252 @@
+terraform {
+ required_version = ">= 1.8.0"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = ">= 4.2.0"
+ }
+ hcloud = {
+ source = "hetznercloud/hcloud"
+ version = ">= 1.45"
+ }
+ }
+ backend "local" {
+ path = "/home/michael/Nextcloud/Backups/tfstate/hetzner.tfstate"
+ }
+}
+
+provider "vault" {
+ # Export the vault token to the environment variable VAULT_TOKEN
+ address = "https://vault.balsillie.house"
+}
+
+data "vault_kv_secret" "hcloud" {
+ path = "kv/hcloud"
+}
+
+provider "hcloud" {
+ token = data.vault_kv_secret.hcloud.data.token
+}
+
+resource "hcloud_network" "us_east" {
+ name = "us-east"
+ ip_range = "10.128.0.0/10"
+}
+
+resource "hcloud_network_subnet" "lan" {
+ network_id = hcloud_network.us_east.id
+ type = "cloud"
+ network_zone = "us-east"
+ ip_range = "10.128.1.0/24"
+}
+
+resource "hcloud_network_subnet" "sync" {
+ network_id = hcloud_network.us_east.id
+ type = "cloud"
+ network_zone = "us-east"
+ ip_range = "10.128.2.0/24"
+}
+
+resource "hcloud_network_subnet" "cluster" {
+ network_id = hcloud_network.us_east.id
+ type = "cloud"
+ network_zone = "us-east"
+ ip_range = "10.128.3.0/24"
+}
+
+resource "hcloud_ssh_key" "default" {
+ name = "default"
+ public_key = data.vault_kv_secret.hcloud.data.ssh_public_key
+
+}
+
+resource "hcloud_placement_group" "firewalls" {
+ name = "firewalls"
+ type = "spread"
+}
+
+resource "hcloud_placement_group" "nodes" {
+ name = "nodes"
+ type = "spread"
+}
+
+resource "hcloud_primary_ip" "opnsense_a_v4" {
+ name = "opnsense-a-v4"
+ type = "ipv4"
+ datacenter = "ash-dc1"
+ auto_delete = false
+ delete_protection = true
+ assignee_type = "server"
+}
+
+resource "hcloud_primary_ip" "opnsense_b_v4" {
+ name = "opnsense-b-v4"
+ type = "ipv4"
+ datacenter = "ash-dc1"
+ auto_delete = false
+ delete_protection = true
+ assignee_type = "server"
+}
+
+resource "hcloud_primary_ip" "opnsense_a_v6" {
+ name = "opnsense-a-v6"
+ type = "ipv6"
+ datacenter = "ash-dc1"
+ auto_delete = false
+ delete_protection = true
+ assignee_type = "server"
+}
+
+resource "hcloud_primary_ip" "opnsense_b_v6" {
+ name = "opnsense-b-v6"
+ type = "ipv6"
+ datacenter = "ash-dc1"
+ auto_delete = false
+ delete_protection = true
+ assignee_type = "server"
+}
+
+resource "hcloud_floating_ip" "opnsense_float_v4" {
+ name = "opnsense-float-v4"
+ type = "ipv4"
+ home_location = "ash"
+ delete_protection = true
+}
+
+resource "hcloud_floating_ip" "opnsense_float_v6" {
+ name = "opnsense-float-v6"
+ type = "ipv6"
+ home_location = "ash"
+ delete_protection = true
+}
+
+resource "hcloud_firewall" "opnsense" {
+ name = "opnsense"
+ # HTTP
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "80"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+ # HTTPS
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "443"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+ # Wireguard
+ rule {
+ direction = "in"
+ protocol = "udp"
+ port = "51820"
+ source_ips = [
+ "0.0.0.0/0"
+ ]
+ }
+ # DNS UDP
+ rule {
+ direction = "in"
+ protocol = "udp"
+ port = "53"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+ # DNS TCP
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "53"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+ # SMTP
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "25"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+ # SMTPS
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "465"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+ # IMAPS
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "993"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+ # Matrix Federation
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "8448"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+ # ICMP IPv6
+ rule {
+ direction = "in"
+ protocol = "icmp"
+ source_ips = [
+ "::/0"
+ ]
+ }
+}
+
+# resource "hcloud_server" "opnsense_b" {
+# name = "opnsense-b"
+# server_type = "cpx11"
+# image = "ubuntu-22.04"
+# location = "ash"
+# datacenter = "ash-dc1"
+# keep_disk = true
+# backups = false
+# ssh_keys = [
+# hcloud_ssh_key.default.id
+# ]
+# public_net {
+# ipv4_enabled = true
+# ipv4 = hcloud_primary_ip.opnsense_b_v4.id
+# ipv6_enabled = true
+# ipv6 = hcloud_primary_ip.opnsense_b_v6.id
+# }
+# network {
+# network_id = hcloud_network_subnet.lan.id
+# ip = "10.128.1.240"
+# }
+# network {
+# network_id = hcloud_network_subnet.sync.id
+# ip = "10.128.2.20"
+# }
+# delete_protection = true
+# rebuild_protection = true
+# placement_group_id = hcloud_placement_group.firewalls.id
+# }
\ No newline at end of file
diff --git a/terraform/hetzner/terraform.tfvars b/terraform/hetzner/terraform.tfvars
new file mode 100644
index 0000000..e69de29
diff --git a/terraform/hetzner/variables.tf b/terraform/hetzner/variables.tf
new file mode 100644
index 0000000..139597f
--- /dev/null
+++ b/terraform/hetzner/variables.tf
@@ -0,0 +1,2 @@
+
+
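Review bot: The `data "vault_kv_secret" "hcloud"` block pulls the hcloud API token and SSH public key out of Vault, and Terraform records data-source results in state in plain text (the Vault provider's own docs call this out for this data source), so the `hetzner.tfstate` file under `backend "local"` will hold the token; that path is inside a Nextcloud-synced directory, which replicates the plaintext secret to every endpoint that folder syncs to. Prefer a backend that encrypts state at rest, or at minimum move the state file out of the synced tree and mark the hazard with a comment such as `# NOTE: state contains the Vault-sourced hcloud token in plaintext; keep this path off shared or synced storage`. The Wireguard rule lists only `0.0.0.0/0` while every other public rule also allows `::/0`, so IPv6 peers cannot reach UDP/51820 — if that is unintended, add `"::/0"` to its `source_ips`. The `opnsense` firewall is not attached to any server in this hunk (the only `hcloud_server` is commented out), so none of its rules are enforced yet; a comment saying which server is meant to receive it would help the next reader.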