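# Private Network Configuration
# Enables client servers to communicate without public IPs

# Private Network
resource "hcloud_network" "private" {
  name     = "client-private-network"
  ip_range = "10.0.0.0/16"

  labels = {
    managed = "terraform"
    purpose = "client-internal"
  }
}

# Subnet for client servers
resource "hcloud_network_subnet" "clients" {
  network_id   = hcloud_network.private.id
  type         = "cloud"
  network_zone = "eu-central"
  ip_range     = "10.0.0.0/24"
}

# Note: Client servers attach to private network via main.tf dynamic block

# Edge Server Configuration
# Single public-facing reverse proxy for all clients

# SSH key for edge server
resource "hcloud_ssh_key" "edge" {
  name       = "edge-server-deploy-key"
  public_key = file("${path.module}/../keys/ssh/edge.pub")
}

# Edge server (public IP + private network)
resource "hcloud_server" "edge" {
  name        = "edge"
  server_type = var.edge_server_type
  image       = "ubuntu-24.04"
  location    = var.edge_location
  ssh_keys    = [hcloud_ssh_key.edge.id]

  # NOTE(review): this is the only host with a public address; confirm that the
  # inbound rules of client_firewall are the set intended for the public edge and
  # not only the set written for the private client servers.
  firewall_ids = [hcloud_firewall.client_firewall.id]

  labels = {
    role    = "edge-proxy"
    managed = "terraform"
  }

  # Enable backups
  backups = var.enable_snapshots

  # User data for initial setup.
  # This only installs packages and sets the hostname. It does not enable IP
  # forwarding or masquerading, which the 0.0.0.0/0 route in
  # hcloud_network_route.nat_gateway depends on; that must be configured by
  # whatever provisions the edge host afterwards, or private clients will have
  # no working internet path.
  user_data = <<-EOF
    #cloud-config
    package_update: true
    package_upgrade: true
    packages:
      - curl
      - wget
      - git
      - python3
      - python3-pip
    runcmd:
      - hostnamectl set-hostname edge
  EOF

  # Ensure public network is enabled
  public_net {
    ipv4_enabled = true
    ipv6_enabled = true
  }
}

# Attach edge server to private network
resource "hcloud_server_network" "edge" {
  server_id  = hcloud_server.edge.id
  network_id = hcloud_network.private.id
  ip         = "10.0.0.2" # Fixed IP for edge server (10.0.0.1 is gateway)
}

# NAT Gateway Route
# Routes all internet-bound traffic from private network through edge server.
# The gateway address is taken from the attachment above rather than repeated as
# a literal, so the two cannot drift apart, and the implicit dependency ensures
# the route is created only after the edge server actually holds that address.
resource "hcloud_network_route" "nat_gateway" {
  network_id  = hcloud_network.private.id
  destination = "0.0.0.0/0"
  gateway     = hcloud_server_network.edge.ip # Edge server acts as NAT gateway
}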