Post-Tyranny-Tech-Infrastru.../tofu/network.tf

# Private Network Configuration
# Enables client servers to communicate without public IPs

# Private Network
resource "hcloud_network" "private" {
  name     = "client-private-network"
  ip_range = "10.0.0.0/16"

  labels = {
    managed = "terraform"
    purpose = "client-internal"
  }
}

# Subnet for client servers
resource "hcloud_network_subnet" "clients" {
  network_id   = hcloud_network.private.id
  type         = "cloud"
  network_zone = "eu-central"
  ip_range     = "10.0.0.0/24"
}

# Note: Client servers attach to private network via main.tf dynamic block

# Edge Server Configuration
# Single public-facing reverse proxy for all clients

# SSH key for edge server
resource "hcloud_ssh_key" "edge" {
  name       = "edge-server-deploy-key"
  public_key = file("${path.module}/../keys/ssh/edge.pub")
}

# Edge server (public IP + private network)
resource "hcloud_server" "edge" {
  name        = "edge"
  server_type = var.edge_server_type
  image       = "ubuntu-24.04"
  location    = var.edge_location
  ssh_keys    = [hcloud_ssh_key.edge.id]
  firewall_ids = [hcloud_firewall.client_firewall.id]

  labels = {
    role    = "edge-proxy"
    managed = "terraform"
  }

  # Enable backups
  backups = var.enable_snapshots

  # User data for initial setup
  user_data = <<-EOF
    #cloud-config
    package_update: true
    package_upgrade: true
    packages:
      - curl
      - wget
      - git
      - python3
      - python3-pip
    runcmd:
      - hostnamectl set-hostname edge
  EOF

  # Ensure public network is enabled
  public_net {
    ipv4_enabled = true
    ipv6_enabled = true
  }
}

# Attach edge server to private network
resource "hcloud_server_network" "edge" {
  server_id  = hcloud_server.edge.id
  network_id = hcloud_network.private.id
  ip         = "10.0.0.2"  # Fixed IP for edge server (10.0.0.1 is gateway)
}

# NAT Gateway Route
# Routes all internet-bound traffic from private network through edge server
resource "hcloud_network_route" "nat_gateway" {
  network_id  = hcloud_network.private.id
  destination = "0.0.0.0/0"
  gateway     = "10.0.0.2"  # Edge server acts as NAT gateway
}
feat: Add private network architecture with NAT gateway Enable deployment of client servers without public IPs using private network (10.0.0.0/16) with NAT gateway via edge server. ## Infrastructure Changes: ### Terraform (tofu/): - network.tf: Define private network and subnet (10.0.0.0/24) - NAT gateway route through edge server - Firewall rules for client servers - main.tf: Support private-only servers - Optional public_ip_enabled flag per client - Dynamic network block for private IP assignment - User-data templates for public vs private servers - *user-data-.yml: Cloud-init templates - Private servers: Configure default route via NAT gateway - Public servers: Standard configuration - dns.tf: Update DNS to support edge routing - Client domains point to edge server IP - Wildcard DNS for subdomains - variables.tf: Add private_ip and public_ip_enabled options ### Ansible: - deploy.yml**: Add diun and kuma roles to deployment ## Benefits: - Cost savings: No public IP needed for each client - Scalability: No public IP exhaustion limits - Security: Clients not directly exposed to internet - Centralized SSL: All TLS termination at edge 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-20 19:06:19 +01:00			`# Private Network Configuration`
			`# Enables client servers to communicate without public IPs`

			`# Private Network`
			`resource "hcloud_network" "private" {`
			`name = "client-private-network"`
			`ip_range = "10.0.0.0/16"`

			`labels = {`
			`managed = "terraform"`
			`purpose = "client-internal"`
			`}`
			`}`

			`# Subnet for client servers`
			`resource "hcloud_network_subnet" "clients" {`
			`network_id = hcloud_network.private.id`
			`type = "cloud"`
			`network_zone = "eu-central"`
			`ip_range = "10.0.0.0/24"`
			`}`

			`# Note: Client servers attach to private network via main.tf dynamic block`

			`# Edge Server Configuration`
			`# Single public-facing reverse proxy for all clients`

			`# SSH key for edge server`
			`resource "hcloud_ssh_key" "edge" {`
			`name = "edge-server-deploy-key"`
			`public_key = file("${path.module}/../keys/ssh/edge.pub")`
			`}`

			`# Edge server (public IP + private network)`
			`resource "hcloud_server" "edge" {`
			`name = "edge"`
			`server_type = var.edge_server_type`
			`image = "ubuntu-24.04"`
			`location = var.edge_location`
			`ssh_keys = [hcloud_ssh_key.edge.id]`
			`firewall_ids = [hcloud_firewall.client_firewall.id]`

			`labels = {`
			`role = "edge-proxy"`
			`managed = "terraform"`
			`}`

			`# Enable backups`
			`backups = var.enable_snapshots`

			`# User data for initial setup`
			`user_data = <<-EOF`
			`#cloud-config`
			`package_update: true`
			`package_upgrade: true`
			`packages:`
			`- curl`
			`- wget`
			`- git`
			`- python3`
			`- python3-pip`
			`runcmd:`
			`- hostnamectl set-hostname edge`
			`EOF`

			`# Ensure public network is enabled`
			`public_net {`
			`ipv4_enabled = true`
			`ipv6_enabled = true`
			`}`
			`}`

			`# Attach edge server to private network`
			`resource "hcloud_server_network" "edge" {`
			`server_id = hcloud_server.edge.id`
			`network_id = hcloud_network.private.id`
			`ip = "10.0.0.2" # Fixed IP for edge server (10.0.0.1 is gateway)`
			`}`

			`# NAT Gateway Route`
			`# Routes all internet-bound traffic from private network through edge server`
			`resource "hcloud_network_route" "nat_gateway" {`
			`network_id = hcloud_network.private.id`
			`destination = "0.0.0.0/0"`
			`gateway = "10.0.0.2" # Edge server acts as NAT gateway`
			`}`