fix: clean up of terraform

Rasmus Wejlgaard 2026-05-02 14:37:11 +01:00
parent 03ad9b476d
commit 08d719db2f
4 changed files with 46 additions and 206 deletions


@ -60,7 +60,6 @@ resource "hcloud_zone_rrset" "MX_root" {
ttl = 300
records = [
{ value = "10 mail.pez.sh." },
{ value = "20 mail.pez.sh." },
]
}


@ -1,192 +1,45 @@
resource "hcloud_firewall" "nuremberg-a" {
name = "nuremberg-a"
locals {
all_ips = ["0.0.0.0/0", "::/0"]
rule {
direction = "in"
protocol = "tcp"
port = "22"
source_ips = [
"0.0.0.0/0",
"::/0"
]
machines = {
"nuremberg-a" = {
tcp_in = ["22", "25", "80", "110", "143", "443", "465", "587", "993", "995"]
server_id = hcloud_server.nuremberg-a.id
}
# poste.io mail server ports
rule {
direction = "in"
protocol = "tcp"
port = "25"
source_ips = [
"0.0.0.0/0",
"::/0"
]
"helsinki-a" = {
tcp_in = ["22", "80", "443"]
server_id = hcloud_server.helsinki-a.id
}
rule {
direction = "in"
protocol = "tcp"
port = "80"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
rule {
direction = "in"
protocol = "tcp"
port = "110"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
rule {
direction = "in"
protocol = "tcp"
port = "143"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
rule {
direction = "in"
protocol = "tcp"
port = "443"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
rule {
direction = "in"
protocol = "tcp"
port = "465"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
rule {
direction = "in"
protocol = "tcp"
port = "587"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
rule {
direction = "in"
protocol = "tcp"
port = "993"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
rule {
direction = "in"
protocol = "tcp"
port = "995"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
rule {
direction = "out"
protocol = "tcp"
port = "any"
destination_ips = [
"0.0.0.0/0",
"::/0"
]
}
rule {
direction = "out"
protocol = "udp"
port = "any"
destination_ips = [
"0.0.0.0/0",
"::/0"
]
}
}
resource "hcloud_firewall_attachment" "nuremberg-a" {
firewall_id = hcloud_firewall.nuremberg-a.id
server_ids = [
hcloud_server.nuremberg-a.id
]
}
resource "hcloud_firewall" "machine" {
for_each = local.machines
name = each.key
resource "hcloud_firewall" "helsinki-a" {
name = "helsinki-a"
rule {
dynamic "rule" {
for_each = each.value.tcp_in
content {
direction = "in"
protocol = "tcp"
port = "22"
source_ips = [
"0.0.0.0/0",
"::/0"
]
port = rule.value
source_ips = local.all_ips
}
}
rule {
direction = "in"
protocol = "tcp"
port = "80"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
rule {
direction = "in"
protocol = "tcp"
port = "443"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
rule {
dynamic "rule" {
for_each = ["tcp", "udp"]
content {
direction = "out"
protocol = "tcp"
protocol = rule.value
port = "any"
destination_ips = [
"0.0.0.0/0",
"::/0"
]
destination_ips = local.all_ips
}
rule {
direction = "out"
protocol = "udp"
port = "any"
destination_ips = [
"0.0.0.0/0",
"::/0"
]
}
}
resource "hcloud_firewall_attachment" "helsinki-a" {
firewall_id = hcloud_firewall.helsinki-a.id
server_ids = [
hcloud_server.helsinki-a.id
]
resource "hcloud_firewall_attachment" "machine" {
for_each = local.machines
firewall_id = hcloud_firewall.machine[each.key].id
server_ids = [each.value.server_id]
}
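Review bot: The resource addresses change from `hcloud_firewall.nuremberg-a` / `hcloud_firewall.helsinki-a` (and their `hcloud_firewall_attachment` counterparts) to `hcloud_firewall.machine["…"]` / `hcloud_firewall_attachment.machine["…"]` with no `moved` blocks, so the next plan will destroy both firewalls and attachments and recreate them, leaving each server without a firewall between the destroy and the new attach. Adding `moved` blocks (available under the file's `>= 1.6.0` constraint) turns this into a pure state rename with no API calls; note also that old and new firewalls keep the same `name` (`each.key`), which could collide if Hetzner enforces unique firewall names and the create is ordered before the destroy. Separately, the generated rules still open port 22 to `local.all_ips` on both machines, exactly as before; now that rules are built from `local.machines`, a per-machine `ssh_source_ips` field fed into the dynamic block would be a cheap place to narrow that later.

```hcl
# … unchanged: locals, hcloud_firewall.machine, hcloud_firewall_attachment.machine …

moved {
  from = hcloud_firewall.nuremberg-a
  to   = hcloud_firewall.machine["nuremberg-a"]
}

moved {
  from = hcloud_firewall_attachment.nuremberg-a
  to   = hcloud_firewall_attachment.machine["nuremberg-a"]
}

moved {
  from = hcloud_firewall.helsinki-a
  to   = hcloud_firewall.machine["helsinki-a"]
}

moved {
  from = hcloud_firewall_attachment.helsinki-a
  to   = hcloud_firewall_attachment.machine["helsinki-a"]
}
```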


@ -2,11 +2,6 @@ terraform {
required_version = ">= 1.6.0"
required_providers {
cloudflare = {
source = "cloudflare/cloudflare"
version = "~> 5.19"
}
hcloud = {
source = "hetznercloud/hcloud"
version = "~> 1.45"
@ -25,11 +20,6 @@ terraform {
}
}
provider "cloudflare" {
email = local.secrets["cloudflare_email"]
api_token = local.secrets["cloudflare_api_key"]
}
provider "hcloud" {
token = local.secrets["hetzner_token"]
}


@ -1,21 +1,19 @@
cloudflare_email: ENC[AES256_GCM,data:kzVXRWRT7/RUBg==,iv:g9r2gP1BxrBoAighKUIKgO1ZVgfATywSe8I5CX/SJ3A=,tag:TmWfgAfIuQVoz7ddc/7ykQ==,type:str]
cloudflare_api_key: ENC[AES256_GCM,data:E5ZjsAQ0toXauqGkkQDR2/OqOKNaObkTlK8tnGS2nXYX4gQZaDrRhi5ufklxxO0yzZD9qHE=,iv:5JwQOIuhx1cK1jns2eIR+N1tkc4m7Ydeiya4DRoYRVg=,tag:9ojmEiG8Dlxe1EuNiv1A2w==,type:str]
backblaze_keyID: ENC[AES256_GCM,data:mwAeG2OuxSZ95jZZ5qhJGjePtNbo5wUa2w==,iv:uRSZQsMA6sUCvaQOnRZxgdQWS/TpyjFC8nBksOH2yQE=,tag:yhjjiivBkJkhb42nfPju1A==,type:str]
backblaze_keyName: ENC[AES256_GCM,data:HIxN7kPJPnJDp/pR/yWdayU=,iv:fk9lrFJmlZTnb1lk4AdERS+YPics1XXDOq3McBMhSGU=,tag:Sa3Z+qFs8yBmGA5FLRC/xA==,type:str]
backblaze_applicationKey: ENC[AES256_GCM,data:0J/NTaQe+uvJXc9FgGLN4xl4EHKOxKeSjXya+wC0pA==,iv:f8w7Ir+pVs/0yD/5FFLTnlYFrw95aq73Q+r1eBZedho=,tag:cz9aMPiHWE8iIKBEA3G6xw==,type:str]
hetzner_token: ENC[AES256_GCM,data:kUi0EJlK8xuILT7dp8ql2VQCT/t2DJCtQoXrnC52sr2y73uH4QlSGbYwrJbE+0ZgAeB2l43i8cSvW6MWUt/lrA==,iv:zrshjeeb1oQV6OHhLdXQwwhW8ssN0yHvjbjPxgYgOJk=,tag:hOy8bJuDjNJkQ0URfVwoQA==,type:str]
backblaze_keyID: ENC[AES256_GCM,data:7u0zAFOt1uKDNK/jFl+HLVBUVWd06fiQjQ==,iv:f+Mh38+Vo0JI1tLByjL3we3hOCXLhDtPZim/QIsO1vQ=,tag:WOHEj0ND3xnIOANwBj2y/g==,type:str]
backblaze_keyName: ENC[AES256_GCM,data:dt0YrkYmG+qIFlDMWsugvpU=,iv:Z8pZ38Wr5RxrI/LczeE3OMdTfPcfsOeTa/q2wdd3cc8=,tag:i2qlvue4tbVTuwwZli/qUA==,type:str]
backblaze_applicationKey: ENC[AES256_GCM,data:uo7tQmDsunxuCd9nhATy/4rOjgDfz5Lhpn9wsyZdKA==,iv:RTsSAkU9X7IcpMYu+Qa/+lQ/H1ICp2BBFKGA8C9bl9Y=,tag:YnJRmQ/C2AAbzmkuS1lFpA==,type:str]
hetzner_token: ENC[AES256_GCM,data:9oBDjMvpiiiY1+vN3cTdoPCbTHRIjvWQDFDg5fw6eWmhQGJ81BkXCF1FKqSpOUhbkMCPkU7yzMlE8wKt8JQIAw==,iv:VQMYUTFssyN6tyYbqiio+nlqLifULs6gqiwg1p51Z+0=,tag:c0phnxXoACk4vtoakugrxw==,type:str]
sops:
age:
- recipient: age1r8uh2w2qad2z5sgq9q7l73962q2sp8zz9hdnh6sjuvanxl565vmswn8squ
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWTFiajV2cThSN240YVEr
SlpOZUV1WVZkeXdOUXJJNnRpOXlOVnNCRGg4Cklxam1uaFgwMy9UU01STlBBSFhT
ZXNQSU1jQXJUZW5HWDEvVWdEUnhzS2MKLS0tIHBYMWJFYStyZVpMMXQ5MUowMy80
ZTdhWjkzTzRDZy8rM2J4TzhmRFFnaUkKt50w9Oq2O5qdo2NMlWo9S8V4m3X6MQG6
Jx/Oit+4DOCFHpL7yxggdD83NJw+0c6kMSB968J/M0EmRAzoYHqFBw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtUmhhbUpST2xJNVYxTFYx
bXVic1VTTmhwVHJjay9VSUhMN1hyQjVuVVhNCmd2YVJIY3E4WWZtdFg2ZUhycEpR
aHNxbTc2amYyRGxJVEFJeTVlU1o4QzQKLS0tIHVkUGVwNDVFVk9seEgzSTZiVVhv
MDNISS9UWjdSR3Q2TnBoYTgyNjFlUUEK1vsRrHA6WQDyUO6UJSywBXCnJbgLogwc
JeLReyACLqUyDaxtaJwvBA29IguJLLTDdPV4aqZ/uhZxxMB3Yc5hYw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-29T18:58:01Z"
mac: ENC[AES256_GCM,data:q9lEwaxcWAquQP+Dzg1J5WqM2cwcync9EUSVHxtc0peGAxJzg4afHlJi35mC5PZbzv/4wOpdxFR89r9jF3isvvZ6icHcRKmWmlNEl2YCI7VAKIZXZHPx56xXZoj1pOQwNNmEZgAwcreskAINjNIkP6+eIzUDCZ2QRMEK3ok9cHE=,iv:LxtYfXnwfrLmH5w7N36GGRvy1+MpgcoEzm8+KA+QjjI=,tag:/2fIIlNmJcBAXJOyZuotug==,type:str]
lastmodified: "2026-05-02T13:12:18Z"
mac: ENC[AES256_GCM,data:XSm141YbD/KglqujQ2y0vm6U0F/uFuBfBr0G3IxzuYKa6Y/pCPTG3CdzuuUpGsMzZM4PtffH9jVnPAF5MyN7lTH2CKmeRWErJJTkPUQ2Iep+7p28AL46J0sy6YPwh7iZz1NUjvGNCNLWDtIbR/ygL2oibTv9btYBExQVrElAD9I=,iv:6h7ZJW4GQKJEu+zmBnrXnJ7AVIf767UneH7nRCC36gg=,tag:4YKOBolrmaqDdo1v3VTBCg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.2
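Review bot: Dropping `cloudflare_email` and `cloudflare_api_key` from the sops file does not invalidate the token on the Cloudflare side, and the old ciphertext remains in git history under the same age recipient (`age1r8uh…8squ`), so if the token is genuinely retired it should be revoked in Cloudflare rather than just removed here. Every remaining value's ciphertext and the `sops.age.enc` block changed as well, which looks like a data-key rotation rather than an edit of only the removed keys — worth a line in the commit message so a future reader does not mistake it for a credential change. The Hetzner token itself is presumably unchanged; confirm that the re-encryption was intentional and not a sign that the plaintext values were re-entered.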