# Hetzner Cloud infrastructure for the "us-east" private network: network and
# subnets, primary/floating public IPs, placement groups and the OPNsense
# ingress firewall. The only secrets used (hcloud API token and SSH public
# key) are read from Vault at plan time rather than written into this file.
terraform {
  required_version = ">= 1.8.0"

  # Lower bounds only; the exact provider versions in use are pinned by the
  # dependency lock file (.terraform.lock.hcl), which is what should be
  # reviewed when a provider upgrade lands.
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">= 4.2.0"
    }
    hcloud = {
      source  = "hetznercloud/hcloud"
      version = ">= 1.45"
    }
  }

  # State lives on a local path under a Nextcloud-synced backup directory.
  # NOTE(review): Terraform persists data-source results in state, so the
  # hcloud token read from Vault below is stored in this file in plaintext;
  # confirm the sync target and its backup copies are acceptable for that.
  backend "local" {
    path = "/home/michael/Nextcloud/Backups/tfstate/hetzner.tfstate"
  }
}

provider "vault" {
  # Export the vault token to the environment variable VAULT_TOKEN
  address = "https://vault.balsillie.house"
}

# Secret bundle for the hcloud provider (KV v1 data source). Two keys are
# referenced below: `token` and `ssh_public_key`.
# NOTE(review): the whole secret at kv/hcloud, not only the two referenced
# keys, is persisted in state — keep unrelated material (e.g. a private key)
# out of that path.
data "vault_kv_secret" "hcloud" {
  path = "kv/hcloud"
}

provider "hcloud" {
  # API token comes from Vault; nothing secret is hard-coded here.
  token = data.vault_kv_secret.hcloud.data.token
}

# Private network; every subnet below is carved out of this range in the
# "us-east" zone.
resource "hcloud_network" "us_east" {
  name     = "us-east"
  ip_range = "10.128.0.0/10"
}

resource "hcloud_network_subnet" "lan" {
  network_id   = hcloud_network.us_east.id
  type         = "cloud"
  network_zone = "us-east"
  ip_range     = "10.128.1.0/24"
}

resource "hcloud_network_subnet" "sync" {
  network_id   = hcloud_network.us_east.id
  type         = "cloud"
  network_zone = "us-east"
  ip_range     = "10.128.2.0/24"
}

resource "hcloud_network_subnet" "cluster" {
  network_id   = hcloud_network.us_east.id
  type         = "cloud"
  network_zone = "us-east"
  ip_range     = "10.128.3.0/24"
}

# Only the public half of the key is read from Vault; the private key is not
# referenced anywhere in this configuration.
resource "hcloud_ssh_key" "default" {
  name       = "default"
  public_key = data.vault_kv_secret.hcloud.data.ssh_public_key
}

# "spread" keeps members of each group on different physical hosts.
resource "hcloud_placement_group" "firewalls" {
  name = "firewalls"
  type = "spread"
}

resource "hcloud_placement_group" "nodes" {
  name = "nodes"
  type = "spread"
}

# Public addresses for the two OPNsense nodes (a/b, v4/v6). auto_delete = false
# keeps the address when its server is destroyed and delete_protection guards
# against an accidental `terraform destroy`. None of these is assigned here —
# the server resource that would consume them is commented out at the bottom.
resource "hcloud_primary_ip" "opnsense_a_v4" {
  name              = "opnsense-a-v4"
  type              = "ipv4"
  datacenter        = "ash-dc1"
  auto_delete       = false
  delete_protection = true
  assignee_type     = "server"
}

resource "hcloud_primary_ip" "opnsense_b_v4" {
  name              = "opnsense-b-v4"
  type              = "ipv4"
  datacenter        = "ash-dc1"
  auto_delete       = false
  delete_protection = true
  assignee_type     = "server"
}

resource "hcloud_primary_ip" "opnsense_a_v6" {
  name              = "opnsense-a-v6"
  type              = "ipv6"
  datacenter        = "ash-dc1"
  auto_delete       = false
  delete_protection = true
  assignee_type     = "server"
}

resource "hcloud_primary_ip" "opnsense_b_v6" {
  name              = "opnsense-b-v6"
  type              = "ipv6"
  datacenter        = "ash-dc1"
  auto_delete       = false
  delete_protection = true
  assignee_type     = "server"
}

# Floating addresses homed in "ash"; presumably the shared address that moves
# between the a/b nodes — the assignment is not managed in this file.
resource "hcloud_floating_ip" "opnsense_float_v4" {
  name              = "opnsense-float-v4"
  type              = "ipv4"
  home_location     = "ash"
  delete_protection = true
}

resource "hcloud_floating_ip" "opnsense_float_v6" {
  name              = "opnsense-float-v6"
  type              = "ipv6"
  home_location     = "ash"
  delete_protection = true
}

# Ingress rules for the OPNsense hosts. Every rule below is world-reachable
# (0.0.0.0/0 and ::/0); per-source restriction is left to OPNsense itself.
# NOTE(review): Hetzner Cloud firewalls drop inbound traffic not matched by a
# rule and, with no outbound rules defined, allow all egress — confirm against
# the provider docs. There is no apply_to block and no server references this
# firewall, so it is currently attached to nothing.
resource "hcloud_firewall" "opnsense" {
  name = "opnsense"

  # HTTP
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "80"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }

  # HTTPS
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "443"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }

  # Wireguard — IPv4 only, unlike the other rules; presumably intentional
  # (IPv4 endpoint), confirm.
  rule {
    direction  = "in"
    protocol   = "udp"
    port       = "51820"
    source_ips = [
      "0.0.0.0/0"
    ]
  }

  # DNS UDP
  rule {
    direction  = "in"
    protocol   = "udp"
    port       = "53"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }

  # DNS TCP
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "53"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }

  # SMTP
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "25"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }

  # SMTPS
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "465"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }

  # IMAPS
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "993"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }

  # Matrix Federation
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "8448"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }

  # ICMP IPv6 — ICMPv6 is required for neighbour discovery and path-MTU
  # discovery. No ICMPv4 rule exists, so IPv4 ping is dropped by the cloud
  # firewall; presumably intentional.
  rule {
    direction  = "in"
    protocol   = "icmp"
    source_ips = [
      "::/0"
    ]
  }
}

# Disabled server definition for the second OPNsense node, kept for reference.
# The primary IPs, placement group and subnets it references are still
# managed above.
# NOTE(review): before re-enabling, check that `location` and `datacenter`
# are not both set (the provider appears to treat them as alternatives), and
# that `network_id` receives the network's id rather than a subnet id —
# verify both against the hcloud provider docs.
# resource "hcloud_server" "opnsense_b" {
#   name        = "opnsense-b"
#   server_type = "cpx11"
#   image       = "ubuntu-22.04"
#   location    = "ash"
#   datacenter  = "ash-dc1"
#   keep_disk   = true
#   backups     = false
#   ssh_keys = [
#     hcloud_ssh_key.default.id
#   ]
#   public_net {
#     ipv4_enabled = true
#     ipv4         = hcloud_primary_ip.opnsense_b_v4.id
#     ipv6_enabled = true
#     ipv6         = hcloud_primary_ip.opnsense_b_v6.id
#   }
#   network {
#     network_id = hcloud_network_subnet.lan.id
#     ip         = "10.128.1.240"
#   }
#   network {
#     network_id = hcloud_network_subnet.sync.id
#     ip         = "10.128.2.20"
#   }
#   delete_protection  = true
#   rebuild_protection = true
#   placement_group_id = hcloud_placement_group.firewalls.id
# }