sjat/boma
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
boma/terraform/environments/offsite/main.tf

22 lines
929 B
Terraform
Raw Normal View History

feat(tf): offsite environment — askari (CAX11/hel1/debian-13) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 12:03:31 +02:00
# offsite/main.tf — off-site Hetzner hosts. Terraform owns VM existence (ADR-006,
# generalized to Hetzner). ALWAYS `make tf-plan TF_ENV=offsite` and review before
# `make tf-apply TF_ENV=offsite`.
module "askari" {
source = "../../modules/hetzner_vm"
feat(tf): open Caddy 80/443 + NetBird 3478 on askari (public_web) hetzner_vm gains a public_web bool (default false); offsite sets it true. Firewall adds 80/443 tcp + 3478 udp from anywhere (SSH-from-ubongo preserved). For M4 Caddy + NetBird. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 17:38:51 +02:00
name = "askari"
server_type = "cx23" # x86, 2 vCPU / 4 GB / 40 GB (CAX11/ARM was out of stock in
feat(tf): provision askari — cx23/hel1 (CAX11 ARM was out of stock) ARM (cax11) unavailable in all EU locations 2026-06-14; fell back to cx23 (x86, same 2/4/40 spec, cheaper in hel1). Server created (id 141153963); offsite.yml generated into the directory inventory. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 16:23:01 +02:00
# every EU location 2026-06-14; cx23 is same-spec + cheaper)
location = "hel1" # Helsinki
feat(tf): offsite environment — askari (CAX11/hel1/debian-13) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 12:03:31 +02:00
image = "debian-13"
ansible_ssh_pubkey = var.ansible_ssh_pubkey
revert: back out mesh-hardening 1/3 on askari after it broke the Docker host Incident 2026-06-17: applying base's nftables default-deny (forward policy drop) to askari — a Docker host — broke container forwarding/NAT on reboot, and the wt0-only sshd ListenAddress left no break-glass (ip_nonlocal_bind did NOT beat the boot race). Recovery: disable nftables + restart docker (restore the wiped NAT masquerade) + force-recreate the coordinator (it FATAL-looped unable to download its GeoLite2 DB with no egress) -> mesh re-formed. Back out the enablement so a future deploy can't re-break askari: - offsite_hosts: base__ssh_listen_mesh_only=false, base__firewall_apply=false - remove host_vars/askari.yml (manage over the WAN again, not wt0) - tf/offsite: re-open WAN :22 to ubongo only (break-glass; already applied) askari now: sshd on all interfaces (Ansible-managed), nftables disabled, WAN :22 open -> stable + reboot-survivable. The base feature code (sshd ListenAddress option, firewall public zone) stays; it's just not enabled on Docker hosts. Mesh-hardening 1/3 to be re-spec'd before any retry. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-17 22:16:17 +02:00
ssh_admin_cidrs = ["91.226.145.80/32"] # TEMP (incident recovery 2026-06-17): re-open WAN :22 to ubongo only; re-close once the firewall/Docker + boot-race issues are fixed
feat(tf): open Caddy 80/443 + NetBird 3478 on askari (public_web) hetzner_vm gains a public_web bool (default false); offsite sets it true. Firewall adds 80/443 tcp + 3478 udp from anywhere (SSH-from-ubongo preserved). For M4 Caddy + NetBird. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 17:38:51 +02:00
public_web = true # Caddy 80/443 + NetBird 3478 (M4)
feat(tf): offsite environment — askari (CAX11/hel1/debian-13) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 12:03:31 +02:00
labels = {
env = "offsite"
group = "offsite_hosts"
managed-by = "terraform"
}
}
Reference in a new issue Copy permalink