This commit captures the infrastructure state immediately following the "Post-Tyranny Tech" workshop on January 23rd, 2026. Infrastructure Status: - 13 client servers deployed (white, valk, zwaan, specht, das, uil, vos, haas, wolf, ree, mees, mus, mol, kikker) - Services: Authentik SSO, Nextcloud, Collabora Office, Traefik - Private network architecture with edge NAT gateway - OIDC integration between Authentik and Nextcloud - Automated recovery flows and invitation system - Container update monitoring with Diun - Uptime monitoring with Uptime Kuma Changes include: - Multiple new client host configurations - Network architecture improvements (private IPs + NAT) - DNS management automation - Container update notifications - Email configuration via Mailgun - SSH key generation for all clients - Encrypted secrets for all deployments - Health check and diagnostic scripts Known Issues to Address: - Nextcloud version pinned to v30 (should use 'latest' or v32) - Zitadel references in templates (migrated to Authentik but templates not updated) - Traefik dynamic config has obsolete static routes 🤖 Generated with Claude Code (https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
# Provider Configuration
|
|
provider "hcloud" {
|
|
token = var.hcloud_token
|
|
}
|
|
|
|
# hcloud provider handles both Cloud and DNS resources
|
|
|
|
# Per-Client SSH Keys
|
|
resource "hcloud_ssh_key" "client" {
|
|
for_each = var.clients
|
|
name = "client-${each.key}-deploy-key"
|
|
public_key = file("${path.module}/../keys/ssh/${each.key}.pub")
|
|
}
|
|
|
|
# Firewall Rules
|
|
resource "hcloud_firewall" "client_firewall" {
|
|
name = "client-default-firewall"
|
|
|
|
# SSH (restricted - add your management IPs here)
|
|
rule {
|
|
direction = "in"
|
|
protocol = "tcp"
|
|
port = "22"
|
|
source_ips = [
|
|
"0.0.0.0/0", # CHANGE THIS: Replace with your management IP
|
|
"::/0"
|
|
]
|
|
}
|
|
|
|
# HTTP (for Let's Encrypt challenge)
|
|
rule {
|
|
direction = "in"
|
|
protocol = "tcp"
|
|
port = "80"
|
|
source_ips = [
|
|
"0.0.0.0/0",
|
|
"::/0"
|
|
]
|
|
}
|
|
|
|
# HTTPS
|
|
rule {
|
|
direction = "in"
|
|
protocol = "tcp"
|
|
port = "443"
|
|
source_ips = [
|
|
"0.0.0.0/0",
|
|
"::/0"
|
|
]
|
|
}
|
|
}
|
|
|
|
# Client VPS Instances
|
|
resource "hcloud_server" "client" {
|
|
for_each = var.clients
|
|
|
|
name = each.key
|
|
server_type = each.value.server_type
|
|
image = "ubuntu-24.04"
|
|
location = each.value.location
|
|
ssh_keys = [hcloud_ssh_key.client[each.key].id]
|
|
firewall_ids = [hcloud_firewall.client_firewall.id]
|
|
|
|
labels = {
|
|
client = each.key
|
|
role = "app-server"
|
|
# Note: labels can't contain special chars, store apps list separately if needed
|
|
}
|
|
|
|
# Enable backups if requested
|
|
backups = var.enable_snapshots
|
|
|
|
# Public network configuration - all servers now have public IPs
|
|
public_net {
|
|
ipv4_enabled = true
|
|
ipv6_enabled = true
|
|
}
|
|
|
|
# User data for initial setup
|
|
user_data = templatefile("${path.module}/user-data-public.yml", {
|
|
hostname = each.key
|
|
})
|
|
}
|
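Review bot: The SSH ingress rule in `hcloud_firewall.client_firewall` ships with `source_ips = ["0.0.0.0/0", "::/0"]` on port 22, so every client server accepts SSH from any address, and the only guard is the inline `# CHANGE THIS` comment, which Terraform will never enforce. Since the commit says these keys are generated for all clients and the servers carry public IPv4 and IPv6, this is the exposure most worth closing before the state is reused; the comment also drifts from the description's "private network architecture with edge NAT gateway", while the resource comment reads "all servers now have public IPs" — one of the two appears stale. I would replace the literal list with a declared input, e.g. `source_ips = var.management_cidrs` (name constructed; declare it with `type = list(string)` and no default so an apply without it fails rather than silently opening the port), and keep 80/443 world-reachable as they are. Optionally add a `validation` block on that variable rejecting `0.0.0.0/0` and `::/0` so the permissive value cannot be reintroduced by a tfvars typo.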