Deploy firewall

This commit is contained in:
Héctor Molinero Fernández 2021-11-21 16:21:05 +01:00
parent 6796067e18
commit 2718ea4106
4 changed files with 98 additions and 28 deletions


@ -0,0 +1,24 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hetznercloud/hcloud" {
version = "1.32.1"
constraints = "~> 1.32.1"
hashes = [
"h1:RfLu8m+y3fKf5FrDJarSp06KS4R75yZxPy9n+Df5PjM=",
"zh:043e941caf46b3a37cae5f2f9c1b7ce2b30f0b492bada6f3d8d6a7384f5cb7b2",
"zh:055835d483dd172e7b0e500f9dd789353e32c9328d51793b8d88451df4e92067",
"zh:3dd5a0006ab7f464a2bca8c5a46e583c6f09ba66aeff1ca847397b61fc823597",
"zh:3f0444956fdcb059ee9ea54f51af016d86f297477335f519256ca158a75c5e59",
"zh:569a80f0c9e2f5fb121d9050bc10d6e6ba30507e2e985b809a2613dcb5bdc095",
"zh:5e7e8499e62408d784d4c886827d421962134a3efda5f5f4f8794f9b1c17190c",
"zh:67b48380e144ba4c31fff41442cbf53463eba285321d4283430b605285048923",
"zh:7ddc434dbefecc6b1934f683f54ad5552c9e466b5e256b9cfe67f7b28ffecc7d",
"zh:87c0b5f4f6b3121cc81935ccb8598a58bda20c7f96f8a4270ecb0b6b2096ba40",
"zh:891d2234146c3fbc2fe6d2a0c176cefd01d16d2d1d25eebe6e15909aac4a1ddf",
"zh:a90ced7f84d8bdd64afd00c69ea9e2b1ed43314da020860c31ff266b3716d1f0",
"zh:b8c86266d9f4ae4d2cca8f3f7d58a48d0c000f16aa21a733bb81c760efa690f7",
"zh:bf8fdd6eb8619dc20d85d418ed910a79af0b28bf79ac3a4029f0d0ae032c9c7d",
"zh:d6d87b405c0fd5e576a7e0a8976689d555299806484fdacca205537367d92f37",
]
}


@ -2,7 +2,7 @@ terraform {
required_providers { required_providers {
hcloud = { hcloud = {
source = "hetznercloud/hcloud" source = "hetznercloud/hcloud"
version = "~> 1.26.2" version = "~> 1.32.1"
} }
} }
} }
@ -16,23 +16,59 @@ data "hcloud_image" "wg_image" {
most_recent = true most_recent = true
} }
resource "hcloud_ssh_key" "wg_server_ssh_key" { resource "hcloud_firewall" "wg_firewall" {
public_key = var.wg_server_ssh_publickey name = var.wg_firewall_name
name = var.wg_server_ssh_publickey_name labels = { service = "wireguard" }
rule {
description = "ICMP"
direction = "in"
protocol = "icmp"
source_ips = ["0.0.0.0/0", "::0/0"]
}
rule {
description = "SSH"
direction = "in"
protocol = "tcp"
port = "122"
source_ips = ["0.0.0.0/0", "::0/0"]
}
rule {
description = "WireGuard"
direction = "in"
protocol = "udp"
port = "51820"
source_ips = ["0.0.0.0/0", "::0/0"]
}
rule {
description = "WireGuard"
direction = "in"
protocol = "udp"
port = "53"
source_ips = ["0.0.0.0/0", "::0/0"]
}
rule {
description = "WireGuard"
direction = "in"
protocol = "tcp"
port = "443"
source_ips = ["0.0.0.0/0", "::0/0"]
}
}
resource "hcloud_ssh_key" "wg_ssh_key" {
public_key = var.wg_ssh_publickey
name = var.wg_ssh_publickey_name
} }
resource "hcloud_server" "wg_server" { resource "hcloud_server" "wg_server" {
image = data.hcloud_image.wg_image.id image = data.hcloud_image.wg_image.id
name = var.wg_server_name name = var.wg_server_name
server_type = var.wg_server_type server_type = var.wg_server_type
location = var.wg_server_location location = var.wg_server_location
labels = { labels = { service = "wireguard" }
service = "wireguard" firewall_ids = [hcloud_firewall.wg_firewall.id]
} ssh_keys = [hcloud_ssh_key.wg_ssh_key.id]
ssh_keys = [ user_data = templatefile("${path.module}/templates/user-data.tpl", {
hcloud_ssh_key.wg_server_ssh_key.id
]
user_data = templatefile("${path.module}/templates/user-data.tpl", {
wg_server_wg_privatekey = var.wg_server_wg_privatekey wg_server_wg_privatekey = var.wg_server_wg_privatekey
wg_server_wg_peer_publickeys = var.wg_server_wg_peer_publickeys wg_server_wg_peer_publickeys = var.wg_server_wg_peer_publickeys
}) })
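Review bot: The two rules that open udp/53 and tcp/443 to `0.0.0.0/0` and `::0/0` both carry the description "WireGuard", copied from the rule for udp/51820, so a reader cannot tell whether they are alternate WireGuard listen ports or leftover surface. If the server really listens on them (presumably configured in `templates/user-data.tpl`, which is not in this diff), the description should say so, e.g. `description = "WireGuard (alternate port 53/udp)"`; if it does not, the rules should be removed rather than left as world-reachable ports with no listener, since WireGuard itself is UDP-only and a tcp/443 rule only makes sense with a TCP wrapper in front of it. The same applies to the "SSH" rule on port "122": a one-line comment tying it to the sshd port set in the user-data would make the non-default port intentional rather than a typo. Note the `hcloud_server.wg_server` resource continues past the end of this hunk.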


@ -4,8 +4,10 @@ wg_server_name = ""
wg_server_type = "" wg_server_type = ""
wg_server_location = "" wg_server_location = ""
wg_server_ssh_publickey = ""
wg_server_ssh_publickey_name = ""
wg_server_wg_privatekey = "" wg_server_wg_privatekey = ""
wg_server_wg_peer_publickeys = [] wg_server_wg_peer_publickeys = []
wg_firewall_name = ""
wg_ssh_publickey = ""
wg_ssh_publickey_name = ""


@ -22,22 +22,30 @@ variable "wg_server_location" {
default = "fsn1" default = "fsn1"
} }
variable "wg_server_ssh_publickey" {
type = string
description = "SSH public key"
}
variable "wg_server_ssh_publickey_name" {
type = string
description = "SSH public key name"
}
variable "wg_server_wg_privatekey" { variable "wg_server_wg_privatekey" {
type = string type = string
description = "WireGuard private key" description = "WireGuard private key"
default = ""
} }
variable "wg_server_wg_peer_publickeys" { variable "wg_server_wg_peer_publickeys" {
type = list(string) type = list(string)
description = "WireGuard peer public keys" description = "WireGuard peer public keys"
default = []
}
variable "wg_firewall_name" {
type = string
description = "Firewall name"
default = "wireguard"
}
variable "wg_ssh_publickey" {
type = string
description = "SSH public key"
}
variable "wg_ssh_publickey_name" {
type = string
description = "SSH public key name"
} }
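Review bot: Giving `wg_server_wg_privatekey` a `default = ""` means a plan with the variable unset no longer fails; the empty string flows into the user-data template and the server comes up with an unusable WireGuard key, which is harder to notice than a missing-variable error. Dropping the default keeps the earlier fail-fast behaviour, and marking the variable `sensitive = true` keeps the key out of plan and apply output (provided the project's required Terraform version supports it, which this diff does not show). The same reasoning applies to `default = []` on `wg_server_wg_peer_publickeys`: an empty peer list produces a server that accepts no peers, so a `validation { condition = length(var.wg_server_wg_peer_publickeys) > 0 ... }` block would catch that at plan time.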