From d22f7a52a0e1b5b609cdbf08bae12015ac7c1b6b Mon Sep 17 00:00:00 2001 From: "Rasmus \"Pez\" Wejlgaard" Date: Sat, 2 May 2026 14:46:03 +0100 Subject: [PATCH] fix: clean up of terraform (#92) --- terraform/hetzner_dns.tf | 1 - terraform/hetzner_firewall.tf | 217 ++++++---------------------------- terraform/providers.tf | 10 -- terraform/secrets.enc.yaml | 24 ++-- 4 files changed, 46 insertions(+), 206 deletions(-) diff --git a/terraform/hetzner_dns.tf b/terraform/hetzner_dns.tf index fba99c8..24f7bb5 100644 --- a/terraform/hetzner_dns.tf +++ b/terraform/hetzner_dns.tf @@ -60,7 +60,6 @@ resource "hcloud_zone_rrset" "MX_root" { ttl = 300 records = [ { value = "10 mail.pez.sh." }, - { value = "20 mail.pez.sh." }, ] } diff --git a/terraform/hetzner_firewall.tf b/terraform/hetzner_firewall.tf index 4b492a8..2f49253 100644 --- a/terraform/hetzner_firewall.tf +++ b/terraform/hetzner_firewall.tf 
@@ -1,192 +1,45 @@ -resource "hcloud_firewall" "nuremberg-a" { - name = "nuremberg-a" +locals { + all_ips = ["0.0.0.0/0", "::/0"] - rule { - direction = "in" - protocol = "tcp" - port = "22" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] - } - - # poste.io mail server ports - rule { - direction = "in" - protocol = "tcp" - port = "25" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] - } - - rule { - direction = "in" - protocol = "tcp" - port = "80" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] - } - - rule { - direction = "in" - protocol = "tcp" - port = "110" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] - } - - rule { - direction = "in" - protocol = "tcp" - port = "143" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] - } - - rule { - direction = "in" - protocol = "tcp" - port = "443" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] - } - - rule { - direction = "in" - protocol = "tcp" - port = "465" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] - } - - rule { - direction = "in" - protocol = "tcp" - port = "587" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] - } - - rule { - direction = "in" - protocol = "tcp" - port = "993" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] - } - - rule { - direction = "in" - protocol = "tcp" - port = "995" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] - } - - rule { - direction = "out" - protocol = "tcp" - port = "any" - destination_ips = [ - "0.0.0.0/0", - "::/0" - ] - } - - rule { - direction = "out" - protocol = "udp" - port = "any" - destination_ips = [ - "0.0.0.0/0", - "::/0" - ] + machines = { + "nuremberg-a" = { + tcp_in = ["22", "25", "80", "110", "143", "443", "465", "587", "993", "995"] + server_id = hcloud_server.nuremberg-a.id + } + "helsinki-a" = { + tcp_in = ["22", "80", "443"] + server_id = hcloud_server.helsinki-a.id + } } } -resource "hcloud_firewall_attachment" "nuremberg-a" { - firewall_id = hcloud_firewall.nuremberg-a.id - server_ids = [ - hcloud_server.nuremberg-a.id - ] -} +resource "hcloud_firewall" "machine" { + for_each = 
local.machines + name = each.key -resource "hcloud_firewall" "helsinki-a" { - name = "helsinki-a" - - rule { - direction = "in" - protocol = "tcp" - port = "22" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] + dynamic "rule" { + for_each = each.value.tcp_in + content { + direction = "in" + protocol = "tcp" + port = rule.value + source_ips = local.all_ips + } } - rule { - direction = "in" - protocol = "tcp" - port = "80" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] - } - - rule { - direction = "in" - protocol = "tcp" - port = "443" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] - } - - rule { - direction = "out" - protocol = "tcp" - port = "any" - destination_ips = [ - "0.0.0.0/0", - "::/0" - ] - } - - rule { - direction = "out" - protocol = "udp" - port = "any" - destination_ips = [ - "0.0.0.0/0", - "::/0" - ] + dynamic "rule" { + for_each = ["tcp", "udp"] + content { + direction = "out" + protocol = rule.value + port = "any" + destination_ips = local.all_ips + } } } -resource "hcloud_firewall_attachment" "helsinki-a" { - firewall_id = hcloud_firewall.helsinki-a.id - server_ids = [ - hcloud_server.helsinki-a.id - ] -} \ No newline at end of file +resource "hcloud_firewall_attachment" "machine" { + for_each = local.machines + firewall_id = hcloud_firewall.machine[each.key].id + server_ids = [each.value.server_id] +} diff --git a/terraform/providers.tf b/terraform/providers.tf index 16addd0..04ed809 100644 --- a/terraform/providers.tf +++ b/terraform/providers.tf @@ -2,11 +2,6 @@ terraform { required_version = ">= 1.6.0" required_providers { - cloudflare = { - source = "cloudflare/cloudflare" - version = "~> 5.19" - } - hcloud = { source = "hetznercloud/hcloud" version = "~> 1.45" @@ -25,11 +20,6 @@ terraform { } } -provider "cloudflare" { - email = local.secrets["cloudflare_email"] - api_token = local.secrets["cloudflare_api_key"] -} - provider "hcloud" { token = local.secrets["hetzner_token"] } 
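Review bot: Renaming `hcloud_firewall.nuremberg-a` / `hcloud_firewall.helsinki-a` (and the two `hcloud_firewall_attachment` resources) into the `for_each` addresses `…machine["nuremberg-a"]` / `…machine["helsinki-a"]` without `moved` blocks makes Terraform plan a destroy-and-recreate of both firewalls and both attachments, and the window between detaching the old firewall and attaching the new one would presumably leave each server with no inbound filtering at all. The rule sets in the new `dynamic "rule"` blocks are identical to the removed ones, so with `moved` blocks the plan should be a no-op for the cloud resources; `required_version = ">= 1.6.0"` in providers.tf is well past the version that introduced them. As a smaller point of structure, `tcp_in` is a flat list so every inbound port, port 22 included, is pinned to `local.all_ips` with no way to narrow a single port's `source_ips` without reshaping the local; a map of port to CIDR list would keep that door open. The hunk covers the whole file, so the `moved` blocks can go at the end of it.
```hcl
# … unchanged: locals, hcloud_firewall "machine", hcloud_firewall_attachment "machine" …

moved {
  from = hcloud_firewall.nuremberg-a
  to   = hcloud_firewall.machine["nuremberg-a"]
}

moved {
  from = hcloud_firewall.helsinki-a
  to   = hcloud_firewall.machine["helsinki-a"]
}

moved {
  from = hcloud_firewall_attachment.nuremberg-a
  to   = hcloud_firewall_attachment.machine["nuremberg-a"]
}

moved {
  from = hcloud_firewall_attachment.helsinki-a
  to   = hcloud_firewall_attachment.machine["helsinki-a"]
}
```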
diff --git a/terraform/secrets.enc.yaml b/terraform/secrets.enc.yaml index 884c7cc..9057dfa 100644 --- a/terraform/secrets.enc.yaml +++ b/terraform/secrets.enc.yaml 
@@ -1,21 +1,19 @@ -cloudflare_email: ENC[AES256_GCM,data:kzVXRWRT7/RUBg==,iv:g9r2gP1BxrBoAighKUIKgO1ZVgfATywSe8I5CX/SJ3A=,tag:TmWfgAfIuQVoz7ddc/7ykQ==,type:str] -cloudflare_api_key: ENC[AES256_GCM,data:E5ZjsAQ0toXauqGkkQDR2/OqOKNaObkTlK8tnGS2nXYX4gQZaDrRhi5ufklxxO0yzZD9qHE=,iv:5JwQOIuhx1cK1jns2eIR+N1tkc4m7Ydeiya4DRoYRVg=,tag:9ojmEiG8Dlxe1EuNiv1A2w==,type:str] -backblaze_keyID: ENC[AES256_GCM,data:mwAeG2OuxSZ95jZZ5qhJGjePtNbo5wUa2w==,iv:uRSZQsMA6sUCvaQOnRZxgdQWS/TpyjFC8nBksOH2yQE=,tag:yhjjiivBkJkhb42nfPju1A==,type:str] -backblaze_keyName: ENC[AES256_GCM,data:HIxN7kPJPnJDp/pR/yWdayU=,iv:fk9lrFJmlZTnb1lk4AdERS+YPics1XXDOq3McBMhSGU=,tag:Sa3Z+qFs8yBmGA5FLRC/xA==,type:str] -backblaze_applicationKey: ENC[AES256_GCM,data:0J/NTaQe+uvJXc9FgGLN4xl4EHKOxKeSjXya+wC0pA==,iv:f8w7Ir+pVs/0yD/5FFLTnlYFrw95aq73Q+r1eBZedho=,tag:cz9aMPiHWE8iIKBEA3G6xw==,type:str] -hetzner_token: ENC[AES256_GCM,data:kUi0EJlK8xuILT7dp8ql2VQCT/t2DJCtQoXrnC52sr2y73uH4QlSGbYwrJbE+0ZgAeB2l43i8cSvW6MWUt/lrA==,iv:zrshjeeb1oQV6OHhLdXQwwhW8ssN0yHvjbjPxgYgOJk=,tag:hOy8bJuDjNJkQ0URfVwoQA==,type:str] +backblaze_keyID: ENC[AES256_GCM,data:7u0zAFOt1uKDNK/jFl+HLVBUVWd06fiQjQ==,iv:f+Mh38+Vo0JI1tLByjL3we3hOCXLhDtPZim/QIsO1vQ=,tag:WOHEj0ND3xnIOANwBj2y/g==,type:str] +backblaze_keyName: ENC[AES256_GCM,data:dt0YrkYmG+qIFlDMWsugvpU=,iv:Z8pZ38Wr5RxrI/LczeE3OMdTfPcfsOeTa/q2wdd3cc8=,tag:i2qlvue4tbVTuwwZli/qUA==,type:str] +backblaze_applicationKey: ENC[AES256_GCM,data:uo7tQmDsunxuCd9nhATy/4rOjgDfz5Lhpn9wsyZdKA==,iv:RTsSAkU9X7IcpMYu+Qa/+lQ/H1ICp2BBFKGA8C9bl9Y=,tag:YnJRmQ/C2AAbzmkuS1lFpA==,type:str] +hetzner_token: ENC[AES256_GCM,data:9oBDjMvpiiiY1+vN3cTdoPCbTHRIjvWQDFDg5fw6eWmhQGJ81BkXCF1FKqSpOUhbkMCPkU7yzMlE8wKt8JQIAw==,iv:VQMYUTFssyN6tyYbqiio+nlqLifULs6gqiwg1p51Z+0=,tag:c0phnxXoACk4vtoakugrxw==,type:str] sops: age: - recipient: age1r8uh2w2qad2z5sgq9q7l73962q2sp8zz9hdnh6sjuvanxl565vmswn8squ enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWTFiajV2cThSN240YVEr - 
SlpOZUV1WVZkeXdOUXJJNnRpOXlOVnNCRGg4Cklxam1uaFgwMy9UU01STlBBSFhT - ZXNQSU1jQXJUZW5HWDEvVWdEUnhzS2MKLS0tIHBYMWJFYStyZVpMMXQ5MUowMy80 - ZTdhWjkzTzRDZy8rM2J4TzhmRFFnaUkKt50w9Oq2O5qdo2NMlWo9S8V4m3X6MQG6 - Jx/Oit+4DOCFHpL7yxggdD83NJw+0c6kMSB968J/M0EmRAzoYHqFBw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtUmhhbUpST2xJNVYxTFYx + bXVic1VTTmhwVHJjay9VSUhMN1hyQjVuVVhNCmd2YVJIY3E4WWZtdFg2ZUhycEpR + aHNxbTc2amYyRGxJVEFJeTVlU1o4QzQKLS0tIHVkUGVwNDVFVk9seEgzSTZiVVhv + MDNISS9UWjdSR3Q2TnBoYTgyNjFlUUEK1vsRrHA6WQDyUO6UJSywBXCnJbgLogwc + JeLReyACLqUyDaxtaJwvBA29IguJLLTDdPV4aqZ/uhZxxMB3Yc5hYw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-29T18:58:01Z" - mac: ENC[AES256_GCM,data:q9lEwaxcWAquQP+Dzg1J5WqM2cwcync9EUSVHxtc0peGAxJzg4afHlJi35mC5PZbzv/4wOpdxFR89r9jF3isvvZ6icHcRKmWmlNEl2YCI7VAKIZXZHPx56xXZoj1pOQwNNmEZgAwcreskAINjNIkP6+eIzUDCZ2QRMEK3ok9cHE=,iv:LxtYfXnwfrLmH5w7N36GGRvy1+MpgcoEzm8+KA+QjjI=,tag:/2fIIlNmJcBAXJOyZuotug==,type:str] + lastmodified: "2026-05-02T13:12:18Z" + mac: ENC[AES256_GCM,data:XSm141YbD/KglqujQ2y0vm6U0F/uFuBfBr0G3IxzuYKa6Y/pCPTG3CdzuuUpGsMzZM4PtffH9jVnPAF5MyN7lTH2CKmeRWErJJTkPUQ2Iep+7p28AL46J0sy6YPwh7iZz1NUjvGNCNLWDtIbR/ygL2oibTv9btYBExQVrElAD9I=,iv:6h7ZJW4GQKJEu+zmBnrXnJ7AVIf767UneH7nRCC36gg=,tag:4YKOBolrmaqDdo1v3VTBCg==,type:str] unencrypted_suffix: _unencrypted version: 3.12.2
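Review bot: Removing `cloudflare_email` and `cloudflare_api_key` from this file does not invalidate the token; the earlier ciphertext stays in git history and the age recipient `age1r8uh2w2qad2z5sgq9q7l73962q2sp8zz9hdnh6sjuvanxl565vmswn8squ` is unchanged between the two revisions, so anyone holding that identity can still decrypt the previous version. The token should be revoked on the Cloudflare side if that has not already been done, and a line in the commit description saying so would close the loop for the next reader. Every remaining value (`backblaze_*`, `hetzner_token`) and the age stanza were re-encrypted in the same change; if that is only a data-key rotation rather than new credentials, it is worth stating, since the diff alone cannot tell the two apart.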