Refactor firewalls and add descriptions

Tobias Reisinger 2024-11-01 03:12:34 +01:00
parent 96b298c0c9
commit fb9d50a86e
Signed by: serguzim
GPG key ID: 13AD60C237A28DFE
4 changed files with 33 additions and 27 deletions


@ -49,11 +49,6 @@ resource "hcloud_server" "nodes" {
ipv4 = hcloud_primary_ip.node_ipv4_addresses[each.key].id ipv4 = hcloud_primary_ip.node_ipv4_addresses[each.key].id
ipv6 = hcloud_primary_ip.node_ipv6_addresses[each.key].id ipv6 = hcloud_primary_ip.node_ipv6_addresses[each.key].id
} }
labels = merge({
"serguzim.net" = ""
},
{ for k, v in var.services : "service/${k}" => "" if (v.host == each.key || v.host == "*") }
)
lifecycle { lifecycle {
ignore_changes = [ ignore_changes = [
ssh_keys, ssh_keys,
@ -75,33 +70,28 @@ locals {
} }
# Create firewalls # Create firewalls
resource "hcloud_firewall" "always" { resource "hcloud_firewall" "nodes_services" {
name = "always" for_each = local.hetzner_hosts
name = each.key
apply_to { apply_to {
label_selector = "serguzim.net" server = hcloud_server.nodes[each.key].id
} }
rule { rule {
direction = "in" description = "ICMP"
protocol = "icmp" direction = "in"
source_ips = local.default_firewall_source_ips protocol = "icmp"
} source_ips = local.default_firewall_source_ips
}
resource "hcloud_firewall" "services" {
for_each = { for k, v in var.services : k => v.ports if v.ports != null }
name = each.key
apply_to {
label_selector = "service/${each.key}"
} }
dynamic "rule" { dynamic "rule" {
for_each = each.value for_each = flatten([ for k, v in var.services : v.ports if (v.ports != null && (v.host == each.key || v.host == "*")) ])
content { content {
description = rule.value.description
direction = "in" direction = "in"
protocol = rule.value.protocol protocol = rule.value.protocol
port = rule.value.port port = rule.value.port
source_ips = local.default_firewall_source_ips source_ips = local.default_firewall_source_ips
} }
} }
} }
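Review bot: The dynamic `rule` block at `for_each = flatten([...])` turns every port object of a matching service into a firewall rule regardless of its `type`, so entries marked `reverse_proxy` (80, 443/tcp, 443/udp, 8448 in the tfvars) are opened exactly like the `firewall` ones; if `type` is meant to separate ports the proxy terminates from ports that must be reachable on the host, the comprehension needs a `p.type == "firewall"` filter, and if it is not, a comment such as `# type is informational only; every listed port becomes an inbound rule` would stop the next reader from assuming one exists. Because the `host = "*"` service and any host-pinned service can both list the same port/protocol, the flattened list can also contain duplicate rule blocks; whether the provider tolerates that I cannot tell from here, but `for_each = distinct(flatten([ ... ]))` would make it moot. Every rule, including the SSH ones on 22 and 3022, keeps `source_ips = local.default_firewall_source_ips`, which matches the two resources it replaces, so it is not a regression. The `locals` block whose closing brace opens the hunk starts outside it.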


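--- a/FILE_2_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_2_PATH_NOT_SHOWN_ON_PAGE
@@ -23,6 +23,7 @@ variable "services" {
 type = string
 })))
 ports = optional(list(object({
+description = string
 port = number
 protocol = string
 type = string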
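Review bot: `description = string` is declared as a required attribute rather than `optional(string)`, so every existing `ports` entry in every tfvars file must carry one or `terraform validate` fails; the same line is added to the second `variable "services"` schema at line 151 of the last file in this commit. A comment on the new line, `# Required; surfaces as the description of the generated hcloud firewall rule`, would tell callers why it is mandatory and where the value ends up. The enclosing object definition continues outside the hunk.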


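--- a/FILE_3_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_3_PATH_NOT_SHOWN_ON_PAGE
@@ -10,11 +10,13 @@ services = {
 }
 ports = [
 {
+description = "DNS"
 port = 53
 protocol = "tcp"
 type = "firewall"
 },
 {
+description = "DNS"
 port = 53
 protocol = "udp"
 type = "firewall"
@@ -52,16 +54,19 @@ services = {
 host = "*"
 ports = [
 {
+description = "HTTP"
 port = 80
 protocol = "tcp"
 type = "reverse_proxy"
 },
 {
+description = "HTTPS"
 port = 443
 protocol = "tcp"
 type = "reverse_proxy"
 },
 {
+description = "HTTP/3 QUIC"
 port = 443
 protocol = "udp"
 type = "reverse_proxy"
@@ -105,6 +110,7 @@ services = {
 }
 ports = [
 {
+description = "SSH for dokku"
 port = 3022
 protocol = "tcp"
 type = "firewall"
@@ -137,6 +143,7 @@ services = {
 }
 ports = [
 {
+description = "SSH for forgejo"
 port = 22
 protocol = "tcp"
 type = "firewall"
@@ -313,32 +320,38 @@ services = {
 }
 ports = [
 {
-port = 25 # SMTP
+description = "SMTP"
+port = 25
 protocol = "tcp"
 type = "firewall"
 },
 {
-port = 465 # SMTP TLS
+description = "SMTP TLS"
+port = 465
 protocol = "tcp"
 type = "firewall"
 },
 {
-port = 587 # SMTP StartTLS
+description = "SMTP StartTLS"
+port = 587
 protocol = "tcp"
 type = "firewall"
 },
 {
-port = 993 # IMAPS
+description = "IMAPS"
+port = 993
 protocol = "tcp"
 type = "firewall"
 },
 {
-port = 995 # POPS
+description = "POPS"
+port = 995
 protocol = "tcp"
 type = "firewall"
 },
 {
-port = 4190 # Sieve
+description = "Sieve"
+port = 4190
 protocol = "tcp"
 type = "firewall"
 }
@@ -489,6 +502,7 @@ services = {
 }
 ports = [
 {
+description = "Matrix"
 port = 8448
 protocol = "tcp"
 type = "reverse_proxy"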


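--- a/FILE_4_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_4_PATH_NOT_SHOWN_ON_PAGE
@@ -151,6 +151,7 @@ variable "services" {
 conditions = optional(list(string))
 }))
 ports = optional(list(object({
+description = string
 port = number
 protocol = string
 type = string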