Deploy firewall

2021-11-21 16:21:05 +01:00
parent 6796067e18
commit 2718ea4106
4 changed files with 98 additions and 28 deletions
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -2,7 +2,7 @@ terraform {
  required_providers {
    hcloud = {
      source = "hetznercloud/hcloud"
-      version = "~> 1.26.2"
+      version = "~> 1.32.1"
    }
  }
 }
@@ -16,23 +16,59 @@ data "hcloud_image" "wg_image" {
  most_recent   = true
 }

-resource "hcloud_ssh_key" "wg_server_ssh_key" {
-  public_key = var.wg_server_ssh_publickey
-  name       = var.wg_server_ssh_publickey_name
+resource "hcloud_firewall" "wg_firewall" {
+  name   = var.wg_firewall_name
+  labels = { service = "wireguard" }
+  rule {
+    description = "ICMP"
+    direction   = "in"
+    protocol    = "icmp"
+    source_ips  = ["0.0.0.0/0", "::0/0"]
+  }
+  rule {
+    description = "SSH"
+    direction   = "in"
+    protocol    = "tcp"
+    port        = "122"
+    source_ips  = ["0.0.0.0/0", "::0/0"]
+  }
+  rule {
+    description = "WireGuard"
+    direction   = "in"
+    protocol    = "udp"
+    port        = "51820"
+    source_ips  = ["0.0.0.0/0", "::0/0"]
+  }
+  rule {
+    description = "WireGuard"
+    direction   = "in"
+    protocol    = "udp"
+    port        = "53"
+    source_ips  = ["0.0.0.0/0", "::0/0"]
+  }
+  rule {
+    description = "WireGuard"
+    direction   = "in"
+    protocol    = "tcp"
+    port        = "443"
+    source_ips  = ["0.0.0.0/0", "::0/0"]
+  }
+}
+
+resource "hcloud_ssh_key" "wg_ssh_key" {
+  public_key = var.wg_ssh_publickey
+  name       = var.wg_ssh_publickey_name
 }

 resource "hcloud_server" "wg_server" {
-  image       = data.hcloud_image.wg_image.id
-  name        = var.wg_server_name
-  server_type = var.wg_server_type
-  location    = var.wg_server_location
-  labels = {
-    service = "wireguard"
-  }
-  ssh_keys = [
-    hcloud_ssh_key.wg_server_ssh_key.id
-  ]
-  user_data = templatefile("${path.module}/templates/user-data.tpl", {
+  image        = data.hcloud_image.wg_image.id
+  name         = var.wg_server_name
+  server_type  = var.wg_server_type
+  location     = var.wg_server_location
+  labels       = { service = "wireguard" }
+  firewall_ids = [hcloud_firewall.wg_firewall.id]
+  ssh_keys     = [hcloud_ssh_key.wg_ssh_key.id]
+  user_data    = templatefile("${path.module}/templates/user-data.tpl", {
    wg_server_wg_privatekey      = var.wg_server_wg_privatekey
    wg_server_wg_peer_publickeys = var.wg_server_wg_peer_publickeys
  })