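terraform {
  required_version = ">= 1.8.0"

  required_providers {
    vault = {
      source = "hashicorp/vault"
      # Pessimistic constraint: 4.2.0 and any later 4.x, but never a new
      # major version (which may carry breaking changes) on `init -upgrade`.
      # The exact build actually used is recorded in .terraform.lock.hcl.
      version = "~> 4.2"
    }
    hcloud = {
      source = "hetznercloud/hcloud"
      # Same reasoning: stay within the 1.x series.
      version = "~> 1.45"
    }
  }

  # Local state. The state file stores everything read through the vault
  # data source (the hcloud API token and the SSH public key) in plaintext,
  # so the directory it lives in must be treated like a credential store:
  # restrict its permissions and do not sync it anywhere the secret itself
  # would not be allowed to go. A remote backend with encryption at rest
  # and state locking would be a safer home for it.
  backend "local" {
    path = "/home/michael/Nextcloud/Backups/tfstate/hetzner.tfstate"
  }
}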
# Vault is the only secret source for this configuration. No credential is
# configured here on purpose: the provider picks the token up from the
# VAULT_TOKEN environment variable, so nothing sensitive is written into
# this file. TLS settings are left at the provider defaults.
provider "vault" {
  # Export the vault token to the environment variable VAULT_TOKEN
  address = "https://vault.balsillie.house"
}
# One KV secret holding the Hetzner API token (`token`) and the SSH public
# key (`ssh_public_key`) used below. This is the KV version-1 data source;
# it assumes the "kv/" mount is v1 (a v2 mount needs `vault_kv_secret_v2`
# instead) — confirm against the Vault mount configuration.
# Everything read here is persisted in plaintext in the Terraform state, so
# the state file is exactly as sensitive as this secret.
data "vault_kv_secret" "hcloud" {
  path = "kv/hcloud"
}
# The Hetzner Cloud API token is fetched from Vault at plan time rather than
# passed as a variable or environment value, so neither this file nor its
# inputs carry it. It does end up in the state file, however.
provider "hcloud" {
  token = data.vault_kv_secret.hcloud.data.token
}
# Private network for the us-east zone. Every subnet below carves a /24 out
# of this /10.
resource "hcloud_network" "us_east" {
  name     = "us-east"
  ip_range = "10.128.0.0/10"
}
# LAN segment. The commented-out OPNsense server definition at the bottom of
# this file attaches to it with a static address (10.128.1.240).
resource "hcloud_network_subnet" "lan" {
  network_id   = hcloud_network.us_east.id
  type         = "cloud"
  network_zone = "us-east"
  ip_range     = "10.128.1.0/24"
}
# Sync segment. The commented-out server definition below also attaches here
# (10.128.2.20); presumably a firewall state-sync link between the two
# OPNsense hosts, but nothing in this file confirms that.
resource "hcloud_network_subnet" "sync" {
  network_id   = hcloud_network.us_east.id
  type         = "cloud"
  network_zone = "us-east"
  ip_range     = "10.128.2.0/24"
}
# Cluster segment. Nothing in this file attaches to it; the consumers are
# presumably defined elsewhere.
resource "hcloud_network_subnet" "cluster" {
  network_id   = hcloud_network.us_east.id
  type         = "cloud"
  network_zone = "us-east"
  ip_range     = "10.128.3.0/24"
}
# SSH key registered with Hetzner for server provisioning. Only the public
# half is handled here, and it is read from Vault rather than embedded, so
# this file carries no key material.
resource "hcloud_ssh_key" "default" {
  name       = "default"
  public_key = data.vault_kv_secret.hcloud.data.ssh_public_key
}
# Placement group for the OPNsense firewall VMs. "spread" asks Hetzner to put
# members on distinct physical hosts, so a single host failure does not take
# both firewalls down.
resource "hcloud_placement_group" "firewalls" {
  name = "firewalls"
  type = "spread"
}
# Placement group for the worker/cluster nodes (defined outside this file);
# same host-spreading as the firewalls group.
resource "hcloud_placement_group" "nodes" {
  name = "nodes"
  type = "spread"
}
# Stable public IPv4 for opnsense-a. auto_delete = false keeps the address
# when the server it is assigned to is destroyed, and delete_protection
# makes the API refuse to delete the IP itself while set, so a rebuild or a
# stray destroy cannot silently release a published address.
resource "hcloud_primary_ip" "opnsense_a_v4" {
  name              = "opnsense-a-v4"
  type              = "ipv4"
  datacenter        = "ash-dc1"
  auto_delete       = false
  delete_protection = true
  assignee_type     = "server"
}
# Stable public IPv4 for opnsense-b; same retention/protection settings as
# opnsense_a_v4 (the address survives server deletion and cannot be deleted
# via the API while delete_protection is set).
resource "hcloud_primary_ip" "opnsense_b_v4" {
  name              = "opnsense-b-v4"
  type              = "ipv4"
  datacenter        = "ash-dc1"
  auto_delete       = false
  delete_protection = true
  assignee_type     = "server"
}
# Stable public IPv6 for opnsense-a; same retention/protection settings as
# the IPv4 primary IPs above.
resource "hcloud_primary_ip" "opnsense_a_v6" {
  name              = "opnsense-a-v6"
  type              = "ipv6"
  datacenter        = "ash-dc1"
  auto_delete       = false
  delete_protection = true
  assignee_type     = "server"
}
# Stable public IPv6 for opnsense-b; same retention/protection settings as
# the other primary IPs above.
resource "hcloud_primary_ip" "opnsense_b_v6" {
  name              = "opnsense-b-v6"
  type              = "ipv6"
  datacenter        = "ash-dc1"
  auto_delete       = false
  delete_protection = true
  assignee_type     = "server"
}
# Shared public IPv4 that can move between the two OPNsense hosts. It is not
# assigned to a server here (no server_id), so the assignment presumably
# happens outside Terraform — can't tell from this file. home_location "ash"
# matches the "ash-dc1" datacenter of the primary IPs, and delete_protection
# guards the published address as for the primary IPs.
resource "hcloud_floating_ip" "opnsense_float_v4" {
  name              = "opnsense-float-v4"
  type              = "ipv4"
  home_location     = "ash"
  delete_protection = true
}
# IPv6 counterpart of opnsense_float_v4: unassigned here, same home location
# and deletion protection.
resource "hcloud_floating_ip" "opnsense_float_v6" {
  name              = "opnsense-float-v6"
  type              = "ipv6"
  home_location     = "ash"
  delete_protection = true
}
# Inbound allow-list for the OPNsense edge hosts; anything not matched by a
# rule below is dropped by the Hetzner firewall before it reaches the VM.
# There is no rule for SSH (22) or the OPNsense web UI, so management access
# is presumably over WireGuard only. Note that this resource has no apply_to
# block and the only server definition in this file is commented out, so it
# protects nothing until it is attached to a server or label selector
# elsewhere — verify that attachment exists.
resource "hcloud_firewall" "opnsense" {
  name = "opnsense"
  # HTTP
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "80"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
  # HTTPS
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "443"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
  # Wireguard
  # Only an IPv4 source is listed here, unlike every other rule in this set;
  # fine if the WireGuard endpoint is v4-only, otherwise "::/0" is missing.
  rule {
    direction  = "in"
    protocol   = "udp"
    port       = "51820"
    source_ips = [
      "0.0.0.0/0"
    ]
  }
  # DNS UDP
  # Port 53 open to the whole internet is only appropriate for an
  # authoritative server or a resolver whose recursion is limited to known
  # clients; an open recursive resolver can be abused for reflection and
  # amplification. Confirm the DNS service behind this enforces that.
  rule {
    direction  = "in"
    protocol   = "udp"
    port       = "53"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
  # DNS TCP
  # Same caveat as DNS UDP above.
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "53"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
  # SMTP
  # Inbound mail delivery; an MX host has to be world-reachable on 25.
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "25"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
  # SMTPS
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "465"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
  # IMAPS
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "993"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
  # Matrix Federation
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "8448"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
  # ICMP IPv6
  # ICMP rules carry no port. Only the v6 source is allowed, so IPv4 ICMP
  # (ping, and the "fragmentation needed" messages that v4 path-MTU
  # discovery relies on) is dropped — confirm that is intended rather than
  # an omitted "0.0.0.0/0".
  rule {
    direction  = "in"
    protocol   = "icmp"
    source_ips = [
      "::/0"
    ]
  }
}
# resource "hcloud_server" "opnsense_b" {
#   name        = "opnsense-b"
#   server_type = "cpx11"
#   image       = "ubuntu-22.04"
#   location    = "ash"
#   datacenter  = "ash-dc1"
#   keep_disk   = true
#   backups     = false
#   ssh_keys = [
#     hcloud_ssh_key.default.id
#   ]
#   public_net {
#     ipv4_enabled = true
#     ipv4         = hcloud_primary_ip.opnsense_b_v4.id
#     ipv6_enabled = true
#     ipv6         = hcloud_primary_ip.opnsense_b_v6.id
#   }
#   network {
#     network_id = hcloud_network_subnet.lan.id
#     ip         = "10.128.1.240"
#   }
#   network {
#     network_id = hcloud_network_subnet.sync.id
#     ip         = "10.128.2.20"
#   }
#   delete_protection  = true
#   rebuild_protection = true
#   placement_group_id = hcloud_placement_group.firewalls.id
# }