# You need to replace these hcloud_token = "xxxxxxxxxxxxxxxxxxYYYYYYYYYYYYYYYYYYYzzzzzzzzzzzzzzzzzzzzz" public_key = "/home/username/.ssh/id_ed25519.pub" # Must be "private_key = null" when you want to use ssh-agent, for a Yubikey like device auth or an SSH key-pair with passphrase private_key = "/home/username/.ssh/id_ed25519" # These can be customized, or left with the default values # For Hetzner locations see https://docs.hetzner.com/general/others/data-centers-and-connection/ # For Hetzner server types see https://www.hetzner.com/cloud location = "fsn1" # change to `ash` for us-east Ashburn, Virginia location network_region = "eu-central" # change to `us-east` if location is ash # It's best to leave the network range as is, unless you know what you are doing. The default is "10.0.0.0/8". # network_ipv4_range = "10.0.0.0/8" # You can have up to as many subnets as you want (preferably if the form of 10.X.0.0/16), # their primary use is to logically separate the nodes. # The control_plane network is mandatory. network_ipv4_subnets = { control_plane = "10.1.0.0/16" agent_big = "10.2.0.0/16" agent_small = "10.3.0.0/16" } # At least 3 server nodes is recommended for HA, otherwise you need to turn off automatic upgrade (see ReadMe). control_plane_count = 3 control_plane_server_type = "cpx11" load_balancer_type = "lb11" # As for the agent nodepools, below is just an example, if you do not want nodepools, just use one, # and change the name to what you want, it need not be "agent-big" or "agent-small", also give them the subnet prefer. agent_nodepools = { agent-big = { server_type = "cpx21", count = 1, subnet = "agent_big", } agent-small = { server_type = "cpx11", count = 2, subnet = "agent_small", } } # If you want to use a specific Hetzner CCM and CSI version, set them below, otherwise leave as is for the latest versions # hetzner_ccm_version = "" # hetzner_csi_version = "" # If you want to use letsencrypt with tls Challenge, the email address is used to send you certificates expiration notices # traefik_acme_tls = true # traefik_acme_email = "mail@example.com" # If you want to allow non-control-plane workloads to run on the control-plane nodes set "true" below. The default is "false". # allow_scheduling_on_control_plane = true # If you want to disable automatic upgrade of k3s, you can set this to false, default is "true". # automatically_upgrade_k3s = false # Allows you to specify either stable, latest, or testing (defaults to stable), see https://rancher.com/docs/k3s/latest/en/upgrades/basic/ # initial_k3s_channel = "latest" # Adding extra firewall rules, like opening a port # In this example with allow port TCP 5432 for a Postgres service we will open via a nodeport # More info on the format here https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs/resources/firewall # extra_firewall_rules = [ # { # direction = "in" # protocol = "tcp" # port = "5432" # source_ips = [ # "0.0.0.0/0" # ] # }, # ]