From fb9d50a86e86c841a426228a1c4924b6a3c3aae6 Mon Sep 17 00:00:00 2001
From: Tobias Reisinger
Date: Fri, 1 Nov 2024 03:12:34 +0100
Subject: [PATCH] Refactor firewalls and add descriptions

---
 modules/infrastructure/hcloud.tf | 32 ++++++++++-------------------
 modules/infrastructure/variables.tf | 1 +
 services.auto.tfvars | 26 +++++++++++++++++------
 variables.tf | 1 +
 4 files changed, 33 insertions(+), 27 deletions(-)

diff --git a/modules/infrastructure/hcloud.tf b/modules/infrastructure/hcloud.tf
index bd67ac8..8dc6029 100644
--- a/modules/infrastructure/hcloud.tf
+++ b/modules/infrastructure/hcloud.tf
@@ -49,11 +49,6 @@ resource "hcloud_server" "nodes" {
 ipv4 = hcloud_primary_ip.node_ipv4_addresses[each.key].id
 ipv6 = hcloud_primary_ip.node_ipv6_addresses[each.key].id
 }
- labels = merge({
- "serguzim.net" = ""
- },
- { for k, v in var.services : "service/${k}" => "" if (v.host == each.key || v.host == "*") }
- )
 lifecycle {
 ignore_changes = [
 ssh_keys,
@@ -75,33 +70,28 @@ locals {
 }
 # Create firewalls
-resource "hcloud_firewall" "always" {
- name = "always"
+resource "hcloud_firewall" "nodes_services" {
+ for_each = local.hetzner_hosts
+ name = each.key
 apply_to {
- label_selector = "serguzim.net"
+ server = hcloud_server.nodes[each.key].id
 }
 rule {
- direction = "in"
- protocol = "icmp"
- source_ips = local.default_firewall_source_ips
- }
-}
-
-resource "hcloud_firewall" "services" {
- for_each = { for k, v in var.services : k => v.ports if v.ports != null }
- name = each.key
- apply_to {
- label_selector = "service/${each.key}"
+ description = "ICMP"
+ direction = "in"
+ protocol = "icmp"
+ source_ips = local.default_firewall_source_ips
 }
 dynamic "rule" {
- for_each = each.value
+ for_each = flatten([ for k, v in var.services : v.ports if (v.ports != null && (v.host == each.key || v.host == "*")) ])
 content {
+ description = rule.value.description
 direction = "in"
 protocol = rule.value.protocol
 port = rule.value.port
 source_ips = local.default_firewall_source_ips
 }
 }
-}
+}
diff --git a/modules/infrastructure/variables.tf b/modules/infrastructure/variables.tf
index ba6ffe6..8889653 100644
--- a/modules/infrastructure/variables.tf
+++ b/modules/infrastructure/variables.tf
@@ -23,6 +23,7 @@ variable "services" {
 type = string
 })))
 ports = optional(list(object({
+ description = string
 port = number
 protocol = string
 type = string
diff --git a/services.auto.tfvars b/services.auto.tfvars
index 121bd6e..4a6ada5 100644
--- a/services.auto.tfvars
+++ b/services.auto.tfvars
@@ -10,11 +10,13 @@ services = {
 }
 ports = [
 {
+ description = "DNS"
 port = 53
 protocol = "tcp"
 type = "firewall"
 },
 {
+ description = "DNS"
 port = 53
 protocol = "udp"
 type = "firewall"
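Review bot: In `nodes_services` every rule, including the management-style ports that services declare (`SSH for forgejo` 22/tcp and `SSH for dokku` 3022/tcp in services.auto.tfvars), is opened to the one shared `local.default_firewall_source_ips`, and the new per-node `content` block gives no way to narrow an individual port. Consider adding `source_ips = optional(list(string))` to the port object in both `variables.tf` schemas and using `source_ips = rule.value.source_ips != null ? rule.value.source_ips : local.default_firewall_source_ips` in `content`, so push/SSH ports can be pinned to known ranges while everything else keeps today's default. Separately, the `flatten([...])` filter only checks `v.host` and `v.ports != null`, so the `type` field (`"firewall"` vs `"reverse_proxy"`) has no effect on what this module opens — as before the refactor; a comment such as `# every declared port is opened regardless of type` above `dynamic "rule"` would keep readers from assuming reverse-proxy ports are fenced elsewhere. Whether `local.default_firewall_source_ips` is world-open is not visible in this hunk.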
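Review bot: The two new `description = "DNS"` strings for 53/tcp and 53/udp do not record whether this is an authoritative server or a recursive resolver, while the firewall module exposes both ports from `local.default_firewall_source_ips` on the service's host. If that list is broad (not visible here) and the daemon recurses, the host becomes an open resolver usable for reflection/amplification over 53/udp. Suggest making the description state the intent, e.g. `description = "DNS (authoritative only)"`, and confirming recursion is disabled in the service configuration; the enclosing service entry starts before this hunk.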
@@ -52,16 +54,19 @@ services = {
 host = "*"
 ports = [
 {
+ description = "HTTP"
 port = 80
 protocol = "tcp"
 type = "reverse_proxy"
 },
 {
+ description = "HTTPS"
 port = 443
 protocol = "tcp"
 type = "reverse_proxy"
 },
 {
+ description = "HTTP/3 QUIC"
 port = 443
 protocol = "udp"
 type = "reverse_proxy"
@@ -105,6 +110,7 @@ services = {
 }
 ports = [
 {
+ description = "SSH for dokku"
 port = 3022
 protocol = "tcp"
 type = "firewall"
@@ -137,6 +143,7 @@ services = {
 }
 ports = [
 {
+ description = "SSH for forgejo"
 port = 22
 protocol = "tcp"
 type = "firewall"
@@ -313,32 +320,38 @@ services = {
 }
 ports = [
 {
- port = 25 # SMTP
+ description = "SMTP"
+ port = 25
 protocol = "tcp"
 type = "firewall"
 },
 {
- port = 465 # SMTP TLS
+ description = "SMTP TLS"
+ port = 465
 protocol = "tcp"
 type = "firewall"
 },
 {
- port = 587 # SMTP StartTLS
+ description = "SMTP StartTLS"
+ port = 587
 protocol = "tcp"
 type = "firewall"
 },
 {
- port = 993 # IMAPS
+ description = "IMAPS"
+ port = 993
 protocol = "tcp"
 type = "firewall"
 },
 {
- port = 995 # POPS
+ description = "POPS"
+ port = 995
 protocol = "tcp"
 type = "firewall"
 },
 {
- port = 4190 # Sieve
+ description = "Sieve"
+ port = 4190
 protocol = "tcp"
 type = "firewall"
 }
@@ -489,6 +502,7 @@ services = {
 }
 ports = [
 {
+ description = "Matrix"
 port = 8448
 protocol = "tcp"
 type = "reverse_proxy"
diff --git a/variables.tf b/variables.tf
index 17d9a6d..d49b584 100644
--- a/variables.tf
+++ b/variables.tf
@@ -151,6 +151,7 @@ variable "services" {
 conditions = optional(list(string))
 }))
 ports = optional(list(object({
+ description = string
 port = number
 protocol = string
 type = string