Add hcloud firewall

modules/infrastructure/hcloud.tf

@@ -49,6 +49,11 @@ resource "hcloud_server" "nodes" {
     ipv4 = hcloud_primary_ip.node_ipv4_addresses[each.key].id
     ipv6 = hcloud_primary_ip.node_ipv6_addresses[each.key].id
   }
+  labels = merge({
+    "serguzim.net" = ""
+  },
+    { for k, v in var.services : "service/${k}" => "" if (v.host == each.key || v.host == "*") }
+  )
   lifecycle {
     ignore_changes = [
       ssh_keys,
@@ -64,3 +69,39 @@ resource "hcloud_rdns" "nodes_rdns" {
   ip_address = hcloud_server.nodes[each.key].ipv4_address
   dns_ptr    = each.value.rdns
 }
+
+locals {
+  default_firewall_source_ips = [ "0.0.0.0/0", "::/0" ]
+}
+
+# Create firewalls
+resource "hcloud_firewall" "always" {
+  name = "always"
+  apply_to {
+    label_selector = "serguzim.net"
+  }
+
+  rule {
+    direction = "in"
+    protocol  = "icmp"
+    source_ips = local.default_firewall_source_ips
+  }
+}
+
+resource "hcloud_firewall" "services" {
+  for_each = { for k, v in var.services : k => v.ports if v.ports != null }
+  name = each.key
+  apply_to {
+    label_selector = "service/${each.key}"
+  }
+
+  dynamic "rule" {
+    for_each = each.value
+    content {
+      direction   = "in"
+      protocol    = rule.value.protocol
+      port        = rule.value.port
+      source_ips  = local.default_firewall_source_ips
+    }
+  }
+}  

modules/infrastructure/variables.tf

@@ -22,6 +22,11 @@ variable "services" {
       name = string
       type = string
     })))
+    ports = optional(list(object({
+      port = number
+      protocol = string
+      type = string
+    })))
     auth = bool
     auth_cert = optional(string)
     auth_redirects = optional(list(string))