# cloud-init: create the non-root `ansible` user with ubongo's key + passwordless sudo.
# (Mirrors the proxmox_vm module's user_account; Hetzner has no structured field.)
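# cloud-init user-data for the server. Rendered with yamlencode() instead of a
# raw heredoc so that var.ansible_ssh_pubkey is emitted as a quoted YAML scalar:
# interpolated unquoted, a key whose comment field contains ` #` or `: ` would
# truncate or break the document and cloud-init would skip the users section.
locals {
  user_data = join("\n", [
    # cloud-init only treats the payload as cloud-config when this is line 1.
    "#cloud-config",
    yamlencode({
      users = [{
        name   = "ansible"
        groups = ["sudo"]
        sudo   = "ALL=(ALL) NOPASSWD:ALL"
        shell  = "/bin/bash"
        # cloud-init's documented default, made explicit: key-only login, no
        # password is ever set for this account.
        lock_passwd         = true
        ssh_authorized_keys = [var.ansible_ssh_pubkey]
      }]
      package_update = true
      # presumably the interpreter Ansible needs on the target; verify against
      # the playbooks that run here.
      packages = ["python3"]
    }),
  ])
}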
# Registers the control node's public key with Hetzner so it can be attached to
# the server at creation time. The key material itself comes from the variable;
# nothing here generates or stores a private key.
resource "hcloud_ssh_key" "ansible" {
  public_key = var.ansible_ssh_pubkey
  name       = "${var.name}-ansible"
}
# Cloud-level firewall attached to the server. Only the inbound rule below is
# defined here; NetBird ports (UDP 3478, TCP 80/443) are added in M4 when the
# coordinator deploys (ADR-020); host nftables stays catalog-driven.
resource "hcloud_firewall" "this" {
  name = "${var.name}-fw"

  # Inbound SSH, restricted to the control node's address ranges.
  # NOTE(review): nothing in this module prevents var.ssh_admin_cidrs from
  # containing 0.0.0.0/0 or ::/0 — a `validation` block on the variable is the
  # cheapest guard that the "control node only" intent survives; confirm one
  # exists where the variable is declared.
  rule {
    source_ips = var.ssh_admin_cidrs
    port       = "22"
    protocol   = "tcp"
    direction  = "in"
  }
}
# The Hetzner VM itself. Bootstrapping is split between the provider (SSH key
# injection, firewall attachment) and cloud-init (local.user_data, which creates
# the ansible account and installs python3).
resource "hcloud_server" "this" {
  # Identity / placement
  name        = var.name
  location    = var.location
  server_type = var.server_type
  image       = var.image
  labels      = var.labels

  # Bootstrap inputs
  # NOTE(review): the provider presumably installs ssh_keys for the image's
  # default root account as well as making them available to cloud-init —
  # confirm whether root SSH should remain reachable alongside the ansible
  # user, or whether the cloud-config should disable it.
  ssh_keys  = [hcloud_ssh_key.ansible.id]
  user_data = local.user_data

  # Network exposure: both address families get a public address; inbound
  # traffic on either is governed by the attached firewall.
  firewall_ids = [hcloud_firewall.this.id]

  public_net {
    ipv6_enabled = true
    ipv4_enabled = true
  }
}