Enable deployment of client servers without public IPs using private
network (10.0.0.0/16) with NAT gateway via edge server.
## Infrastructure Changes:

### Terraform (tofu/):
- **network.tf**: Define private network and subnet (10.0.0.0/24)
  - NAT gateway route through edge server
  - Firewall rules for client servers
- **main.tf**: Support private-only servers
  - Optional public_ip_enabled flag per client
  - Dynamic network block for private IP assignment
  - User-data templates for public vs private servers
- **user-data-*.yml**: Cloud-init templates
  - Private servers: Configure default route via NAT gateway
  - Public servers: Standard configuration
- **dns.tf**: Update DNS to support edge routing
  - Client domains point to edge server IP
  - Wildcard DNS for subdomains
- **variables.tf**: Add private_ip and public_ip_enabled options

### Ansible:
- **deploy.yml**: Add diun and kuma roles to deployment

## Benefits:
- Cost savings: No public IP needed for each client
- Scalability: No public IP exhaustion limits
- Security: Clients not directly exposed to internet
- Centralized SSL: All TLS termination at edge
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
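The network, NAT route and per-client public_ip_enabled / private_ip options described in the commit message, as an added Terraform example that is not the repository's own code. The commit names no cloud provider; the example assumes the Hetzner Cloud provider (`hcloud_*` resources), and the `clients` variable shape, the edge server's private address 10.0.0.1, the image, server type and location are all assumptions. Firewall rules and DNS are left out.

```hcl
terraform {
  required_providers {
    hcloud = {
      source = "hetznercloud/hcloud"
    }
  }
}

# Assumed variable shape: one entry per client. public_ip_enabled defaults to
# false so a client is private-only unless it opts in; private_ip is optional.
variable "clients" {
  type = map(object({
    private_ip        = optional(string)
    public_ip_enabled = optional(bool, false)
  }))
  default = {
    "client-a" = { private_ip = "10.0.0.10" }
    "client-b" = { private_ip = "10.0.0.11", public_ip_enabled = true }
  }

  # A server with neither a public IP nor a private IP would be unreachable;
  # reject that combination at plan time.
  validation {
    condition     = alltrue([for c in var.clients : c.public_ip_enabled || c.private_ip != null])
    error_message = "Each client needs a private_ip unless public_ip_enabled is true."
  }
}

locals {
  # Assumed private address of the edge server acting as NAT gateway.
  edge_private_ip = "10.0.0.1"

  # Cloud-init for private-only servers: send non-local traffic to the NAT
  # gateway. runcmd runs on first boot only; a persistent route belongs in the
  # distribution's network configuration as well.
  private_user_data = <<-EOT
    #cloud-config
    runcmd:
      - ip route add default via ${local.edge_private_ip}
  EOT
}

# Private network (10.0.0.0/16) with the 10.0.0.0/24 client subnet.
resource "hcloud_network" "private" {
  name     = "clients"
  ip_range = "10.0.0.0/16"
}

resource "hcloud_network_subnet" "clients" {
  network_id   = hcloud_network.private.id
  type         = "cloud"
  network_zone = "eu-central"
  ip_range     = "10.0.0.0/24"
}

# Default route for the whole network through the edge server.
resource "hcloud_network_route" "nat" {
  network_id  = hcloud_network.private.id
  destination = "0.0.0.0/0"
  gateway     = local.edge_private_ip
}

resource "hcloud_server" "client" {
  for_each    = var.clients
  name        = each.key
  image       = "debian-12"
  server_type = "cx22"
  location    = "fsn1"

  # Public addresses are allocated only when the client opted in.
  public_net {
    ipv4_enabled = each.value.public_ip_enabled
    ipv6_enabled = each.value.public_ip_enabled
  }

  # Dynamic block: attach to the private network only when a private_ip is set.
  dynamic "network" {
    for_each = each.value.private_ip != null ? [each.value.private_ip] : []
    content {
      network_id = hcloud_network.private.id
      ip         = network.value
    }
  }

  # Private-only servers get the NAT route; public servers keep the image defaults.
  user_data = each.value.public_ip_enabled ? null : local.private_user_data

  # The subnet must exist before a server can be attached with a fixed IP.
  depends_on = [hcloud_network_subnet.clients]
}
```

The route resource only tells the cloud network where to send traffic; the edge server itself still has to forward packets and masquerade the 10.0.0.0/16 range on its public interface, which is host configuration (Ansible in this repository) rather than Terraform.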