nemoinho/base-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7297892e18cffd44742d986c0d9a95be015e0d69
base-infra/modules/hetzner/kubernetes/main.tf
Felix Nehrke 7297892e18 Merge infra and k3 into one directory again 
Since I don't have multiple terraform steps anymore it simply doesn't
make sense to me anymore to split all tasks into separate folders.
Instead I try to be as clear as possible in the README to make it easy
to follow the structure in the future without too much headache.
2025-11-28 00:24:18 +01:00

117 lines
3.1 KiB
HCL
Raw Blame History

locals {
network = "10.0.0.0/16"
subnet_eu_central = "10.0.0.0/24"
servers = {
for idx, config in var.servers : "${var.name}-server-${idx + 1}" => merge(
config,
{
ip = cidrhost(local.subnet_eu_central, idx + 2)
first_ip = idx == 0 ? "" : cidrhost(local.subnet_eu_central, 2)
}
)
}
agents = merge([
for idx, config in var.agents : {
for n in range(0, config.count) : "${var.name}-agent-${idx + 1}-${n + 1}" => merge(
config,
{ ip = cidrhost(local.subnet_eu_central, 255 - (idx * 20) - n - 1) }
)
}
]...)
all_ips = ["0.0.0.0/0", "::/0"]
ping_firewall = var.ping_enabled ? { "ping" : [{ protocol = "icmp", port = null }] } : {}
k8s_firewall = { "kubernetes" : [{ port = "6443", source_ips = concat([local.network], var.kubernetes_exposed_ips) }] }
ssh_firewall = length(var.ssh_exposed_ips) > 0 ? { "ssh" : [{ port = var.ssh_port, source_ips = var.ssh_exposed_ips }] } : {}
service_firewalls = { for service, ports in var.public_tcp_services : service => [for port in ports : { port = port }] }
firewalls = merge(
local.ping_firewall,
local.k8s_firewall,
local.ssh_firewall,
local.service_firewalls
)
}
resource "hcloud_network" "this" {
name = var.name
ip_range = local.network
}
resource "hcloud_network_subnet" "this" {
type = "cloud"
network_id = hcloud_network.this.id
network_zone = "eu-central"
ip_range = local.subnet_eu_central
}
resource "hcloud_network_route" "this" {
network_id = hcloud_network.this.id
destination = "0.0.0.0/0"
gateway = cidrhost(local.subnet_eu_central, 2)
}
resource "random_string" "k3s_token" {
length = 100
special = false
}
resource "hcloud_firewall" "this" {
for_each = local.firewalls
name = each.key
dynamic "rule" {
for_each = each.value
content {
direction = lookup(rule.value, "direction", "in")
protocol = lookup(rule.value, "protocol", "tcp")
source_ips = lookup(rule.value, "source_ips", local.all_ips)
port = lookup(rule.value, "port")
}
}
}
resource "hcloud_server" "server" {
depends_on = [hcloud_network_subnet.this]
for_each = local.servers
lifecycle {
ignore_changes = [ user_data ]
}
name = each.key
image = "ubuntu-24.04"
server_type = each.value.type
location = each.value.location
ssh_keys = var.ssh_keys
public_net {
ipv4 = each.value.ipv4_id
ipv6 = each.value.ipv6_id
}
network {
network_id = hcloud_network.this.id
ip = each.value.ip
}
firewall_ids = [for firewall in hcloud_firewall.this : firewall.id]
}
resource "hcloud_server" "agent" {
depends_on = [hcloud_server.server]
for_each = local.agents
lifecycle {
ignore_changes = [ user_data ]
}
name = each.key
image = "ubuntu-24.04"
server_type = each.value.type
location = each.value.location
ssh_keys = var.ssh_keys
public_net {
ipv4_enabled = false
ipv6_enabled = false
}
network {
network_id = hcloud_network.this.id
ip = each.value.ip
}
}
Reference in New Issue View Git Blame Copy Permalink