feat(tf): open Caddy 80/443 + NetBird 3478 on askari (public_web)
hetzner_vm gains a public_web bool (default false); offsite sets it true. Firewall adds 80/443 tcp + 3478 udp from anywhere (SSH-from-ubongo preserved). For M4 Caddy + NetBird. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
50b6445bdd
commit
1ee343dfca
3 changed files with 32 additions and 4 deletions
|
|
@ -5,13 +5,14 @@
|
||||||
module "askari" {
|
module "askari" {
|
||||||
source = "../../modules/hetzner_vm"
|
source = "../../modules/hetzner_vm"
|
||||||
|
|
||||||
name = "askari"
|
name = "askari"
|
||||||
server_type = "cx23" # x86, 2 vCPU / 4 GB / 40 GB (CAX11/ARM was out of stock in
|
server_type = "cx23" # x86, 2 vCPU / 4 GB / 40 GB (CAX11/ARM was out of stock in
|
||||||
# every EU location 2026-06-14; cx23 is same-spec + cheaper)
|
# every EU location 2026-06-14; cx23 is same-spec + cheaper)
|
||||||
location = "hel1" # Helsinki
|
location = "hel1" # Helsinki
|
||||||
image = "debian-13"
|
image = "debian-13"
|
||||||
ansible_ssh_pubkey = var.ansible_ssh_pubkey
|
ansible_ssh_pubkey = var.ansible_ssh_pubkey
|
||||||
ssh_admin_cidrs = var.ssh_admin_cidrs
|
ssh_admin_cidrs = var.ssh_admin_cidrs
|
||||||
|
public_web = true # Caddy 80/443 + NetBird 3478 (M4)
|
||||||
labels = {
|
labels = {
|
||||||
env = "offsite"
|
env = "offsite"
|
||||||
group = "offsite_hosts"
|
group = "offsite_hosts"
|
||||||
|
|
|
||||||
|
|
@ -26,14 +26,35 @@ resource "hcloud_ssh_key" "ansible" {
|
||||||
resource "hcloud_firewall" "this" {
|
resource "hcloud_firewall" "this" {
|
||||||
name = "${var.name}-fw"
|
name = "${var.name}-fw"
|
||||||
|
|
||||||
# SSH from the control node only. NetBird ports (UDP 3478, TCP 80/443) are added
|
# SSH from the control node only.
|
||||||
# in M4 when the coordinator deploys (ADR-020); host nftables stays catalog-driven.
|
|
||||||
rule {
|
rule {
|
||||||
direction = "in"
|
direction = "in"
|
||||||
protocol = "tcp"
|
protocol = "tcp"
|
||||||
port = "22"
|
port = "22"
|
||||||
source_ips = var.ssh_admin_cidrs
|
source_ips = var.ssh_admin_cidrs
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Public web (Caddy 80/443) + NetBird STUN/TURN (3478/udp) — only when public_web
|
||||||
|
# (ADR-024, M4). Host nftables stays catalog-driven (ADR-020).
|
||||||
|
dynamic "rule" {
|
||||||
|
for_each = var.public_web ? ["80", "443"] : []
|
||||||
|
content {
|
||||||
|
direction = "in"
|
||||||
|
protocol = "tcp"
|
||||||
|
port = rule.value
|
||||||
|
source_ips = ["0.0.0.0/0", "::/0"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
dynamic "rule" {
|
||||||
|
for_each = var.public_web ? ["3478"] : []
|
||||||
|
content {
|
||||||
|
direction = "in"
|
||||||
|
protocol = "udp"
|
||||||
|
port = rule.value
|
||||||
|
source_ips = ["0.0.0.0/0", "::/0"]
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "hcloud_server" "this" {
|
resource "hcloud_server" "this" {
|
||||||
|
|
|
||||||
|
|
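Review bot: The two `dynamic "rule"` blocks added inside `hcloud_firewall.this` (the 80/443 tcp one and the 3478 udp one) repeat the same `public_web` gate, the same `direction`, and the same any-source `source_ips`, differing only in protocol and port list; a single dynamic block keyed on a list of `{ port, protocol }` objects would keep the opened-port list in one place, so that the list in the `public_web` variable description and the rules here cannot drift apart. Both blocks open to `["0.0.0.0/0", "::/0"]`, which is the intent stated in the commit message, while the SSH rule above stays limited to `var.ssh_admin_cidrs`. If the NetBird relay allocates TURN relay ports beyond 3478/udp, those are not opened by this hunk — worth confirming against the relay configuration before M4 rather than assuming 3478 alone suffices. The `hcloud_firewall.this` resource closes within the hunk; the `hcloud_server.this` resource that follows continues outside it.
```hcl
  # Public web (Caddy 80/443) + NetBird STUN/TURN (3478/udp) — only when public_web
  # (ADR-024, M4). Host nftables stays catalog-driven (ADR-020).
  dynamic "rule" {
    for_each = var.public_web ? [
      { port = "80", protocol = "tcp" },
      { port = "443", protocol = "tcp" },
      { port = "3478", protocol = "udp" },
    ] : []
    content {
      direction  = "in"
      protocol   = rule.value.protocol
      port       = rule.value.port
      source_ips = ["0.0.0.0/0", "::/0"]
    }
  }
  # … unchanged: closing brace of hcloud_firewall.this, hcloud_server.this …
```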
@ -28,6 +28,12 @@ variable "ssh_admin_cidrs" {
|
||||||
type = list(string)
|
type = list(string)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "public_web" {
|
||||||
|
description = "Open the public web/NetBird ports (80/443 TCP, 3478 UDP) to the internet"
|
||||||
|
type = bool
|
||||||
|
default = false
|
||||||
|
}
|
||||||
|
|
||||||
variable "labels" {
|
variable "labels" {
|
||||||
description = "Hetzner resource labels (metadata only)"
|
description = "Hetzner resource labels (metadata only)"
|
||||||
type = map(string)
|
type = map(string)
|
||||||
|
|
|
||||||
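Review bot: The `description` of the new `public_web` variable is the only prose that lists which ports the flag opens, and that list is duplicated by hand in the firewall rules in main.tf, so a change to one side will silently leave the other stale; a one-line pointer would make the coupling explicit, e.g. `# Port list must match the public_web dynamic "rule" blocks in main.tf.` placed above `description`. The description could also state the source scope the rules actually use (any IPv4/IPv6 address) so a reader of variables.tf alone understands the exposure without opening main.tf.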