Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../tofu/dns.tf
Pieter 79635eeece feat: Add private network architecture with NAT gateway 
Enable deployment of client servers without public IPs using private
network (10.0.0.0/16) with NAT gateway via edge server.

## Infrastructure Changes:

### Terraform (tofu/):
- **network.tf**: Define private network and subnet (10.0.0.0/24)
  - NAT gateway route through edge server
  - Firewall rules for client servers

- **main.tf**: Support private-only servers
  - Optional public_ip_enabled flag per client
  - Dynamic network block for private IP assignment
  - User-data templates for public vs private servers

- **user-data-*.yml**: Cloud-init templates
  - Private servers: Configure default route via NAT gateway
  - Public servers: Standard configuration

- **dns.tf**: Update DNS to support edge routing
  - Client domains point to edge server IP
  - Wildcard DNS for subdomains

- **variables.tf**: Add private_ip and public_ip_enabled options

### Ansible:
- **deploy.yml**: Add diun and kuma roles to deployment

## Benefits:
- Cost savings: No public IP needed for each client
- Scalability: No public IP exhaustion limits
- Security: Clients not directly exposed to internet
- Centralized SSL: All TLS termination at edge

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-20 19:06:19 +01:00

73 lines
2.2 KiB
HCL
Raw Blame History

# DNS Configuration for vrije.cloud using hcloud provider
# The zone already exists in Hetzner Console, so we reference it as a data source
# Reference the existing DNS zone
data "hcloud_zone" "main" {
name = var.base_domain
}
# A Records for client servers with public IPs (e.g., test.vrije.cloud -> 78.47.191.38)
# Clients without public IPs (behind edge proxy) point to edge server instead
resource "hcloud_zone_rrset" "client_a" {
for_each = var.clients
zone = data.hcloud_zone.main.name
name = each.value.subdomain
type = "A"
ttl = 300
records = [
{
value = lookup(each.value, "public_ip_enabled", true) ? hcloud_server.client[each.key].ipv4_address : hcloud_server.edge.ipv4_address
comment = lookup(each.value, "public_ip_enabled", true) ? "Client ${each.key} server" : "Client ${each.key} via edge proxy"
}
]
}
# Wildcard A record for each client (e.g., *.test.vrije.cloud for zitadel.test.vrije.cloud)
resource "hcloud_zone_rrset" "client_wildcard" {
for_each = var.clients
zone = data.hcloud_zone.main.name
name = "*.${each.value.subdomain}"
type = "A"
ttl = 300
records = [
{
value = lookup(each.value, "public_ip_enabled", true) ? hcloud_server.client[each.key].ipv4_address : hcloud_server.edge.ipv4_address
comment = lookup(each.value, "public_ip_enabled", true) ? "Wildcard for ${each.key} subdomains" : "Wildcard for ${each.key} via edge proxy"
}
]
}
# AAAA Records for IPv6 (only for servers with public IPs)
resource "hcloud_zone_rrset" "client_aaaa" {
for_each = {
for k, v in var.clients : k => v
if lookup(v, "public_ip_enabled", true)
}
zone = data.hcloud_zone.main.name
name = each.value.subdomain
type = "AAAA"
ttl = 300
records = [
{
value = hcloud_server.client[each.key].ipv6_address
comment = "Client ${each.key} server IPv6"
}
]
}
# Static A record for monitoring server (status.vrije.cloud -> external monitoring server)
resource "hcloud_zone_rrset" "monitoring" {
zone = data.hcloud_zone.main.name
name = "status"
type = "A"
ttl = 300
records = [
{
value = "94.130.231.155"
comment = "Uptime Kuma monitoring server"
}
]
}
Reference in a new issue View git blame Copy permalink