Post-Tyranny-Tech-Infrastru.../tofu/variables.tf
Pieter 79635eeece feat: Add private network architecture with NAT gateway
Enable deployment of client servers without public IPs using private
network (10.0.0.0/16) with NAT gateway via edge server.

## Infrastructure Changes:

### Terraform (tofu/):
- **network.tf**: Define private network and subnet (10.0.0.0/24)
  - NAT gateway route through edge server
  - Firewall rules for client servers

- **main.tf**: Support private-only servers
  - Optional public_ip_enabled flag per client
  - Dynamic network block for private IP assignment
  - User-data templates for public vs private servers

- **user-data-*.yml**: Cloud-init templates
  - Private servers: Configure default route via NAT gateway
  - Public servers: Standard configuration

- **dns.tf**: Update DNS to support edge routing
  - Client domains point to edge server IP
  - Wildcard DNS for subdomains

- **variables.tf**: Add private_ip and public_ip_enabled options

### Ansible:
- **deploy.yml**: Add diun and kuma roles to deployment

## Benefits:
- Cost savings: No public IP needed for each client
- Scalability: No public IP exhaustion limits
- Security: Clients not directly exposed to internet
- Centralized SSL: All TLS termination at edge

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-20 19:06:19 +01:00


# Hetzner Cloud API Token
variable "hcloud_token" {
  description = "Hetzner Cloud API Token (Read & Write)"
  type        = string
  sensitive   = true
}

# Hetzner DNS API Token (can be same as Cloud token)
variable "hetznerdns_token" {
  description = "Hetzner DNS API Token"
  type        = string
  sensitive   = true
}

# SSH keys are now per-client, stored in keys/ssh/<client>.pub
# No global ssh_public_key variable needed

# Base Domain (optional - only needed if using DNS)
variable "base_domain" {
  description = "Base domain for client subdomains (e.g., platform.nl) - leave empty if not using DNS"
  type        = string
  default     = ""
}

# Client Configurations
variable "clients" {
  description = "Map of client configurations"
  type = map(object({
    server_type           = string                  # e.g., "cx22" (2 vCPU, 4 GB RAM)
    location              = string                  # e.g., "fsn1" (Falkenstein), "nbg1" (Nuremberg), "hel1" (Helsinki)
    subdomain             = string                  # e.g., "alpha" for alpha.platform.nl
    apps                  = list(string)            # e.g., ["zitadel", "nextcloud"]
    nextcloud_volume_size = number                  # Size in GB for Nextcloud data volume (min 10, max 10000)
    private_ip            = optional(string)        # Private IP in 10.0.0.0/24 range (e.g., "10.0.0.10")
    public_ip_enabled     = optional(bool, true)    # Whether to enable public IP (default: true for backward compatibility)
  }))
  default = {}
}

# Edge Server Configuration
variable "edge_server_type" {
  description = "Server type for edge proxy server"
  type        = string
  default     = "cpx22" # 3 vCPU, 4 GB RAM - CPX11/21 unavailable in fsn1
}

variable "edge_location" {
  description = "Location for edge proxy server"
  type        = string
  default     = "fsn1" # Falkenstein, Germany
}

# Enable automated snapshots
variable "enable_snapshots" {
  description = "Enable automated daily snapshots (20% of server cost)"
  type        = bool
  default     = true
}
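The `clients` variable above accepts combinations the private-network design cannot serve: a client with `public_ip_enabled = false` and no `private_ip` has no address the edge proxy or the operator can reach, a `private_ip` outside 10.0.0.0/24 silently lands in the wrong subnet, and two clients can claim the same address. The block below is an added example, not code from this repository, showing the same variable with `validation` blocks that make `tofu plan` fail on those inputs. It is a drop-in replacement for the `clients` block (declare it once, not alongside the original); the error messages and the regex bounds are assumptions made here, and the comment about the first subnet address being reserved for the gateway reflects Hetzner Cloud's network behaviour rather than anything stated on this page.

```hcl
# Added example (not the project's own code): "clients" with input validation.
variable "clients" {
  description = "Map of client configurations"
  type = map(object({
    server_type           = string
    location              = string
    subdomain             = string
    apps                  = list(string)
    nextcloud_volume_size = number
    private_ip            = optional(string)     # host address in 10.0.0.0/24
    public_ip_enabled     = optional(bool, true) # false => reachable only via the edge NAT
  }))
  default = {}

  # A private-only server must have a private address, otherwise neither the
  # edge proxy nor the operator can reach it after creation.
  validation {
    condition = alltrue([
      for name, c in var.clients : c.public_ip_enabled || c.private_ip != null
    ])
    error_message = "Clients with public_ip_enabled = false must set private_ip."
  }

  # private_ip, when set, must be a usable host address inside 10.0.0.0/24:
  # .0 is the network address, .255 the broadcast, and .1 is reserved by Hetzner
  # Cloud for the subnet gateway (assumption documented in the lead-in).
  validation {
    condition = alltrue([
      for name, c in var.clients :
      c.private_ip == null || can(regex(
        "^10\\.0\\.0\\.([2-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-4])$",
        c.private_ip
      ))
    ])
    error_message = "private_ip must be a host address in 10.0.0.0/24 (10.0.0.2 - 10.0.0.254)."
  }

  # Two clients must not share a private address; duplicates would collide on
  # the Hetzner network and break the NAT route to one of them.
  validation {
    condition = (
      length(distinct([for c in values(var.clients) : c.private_ip if c.private_ip != null]))
      == length([for c in values(var.clients) : c.private_ip if c.private_ip != null])
    )
    error_message = "private_ip values must be unique across clients."
  }
}
```

With this in place, a `terraform.tfvars` entry such as `alpha = { ..., public_ip_enabled = false }` without `private_ip` is rejected at plan time rather than producing a server that exists but is unreachable, and a typo like `"10.0.1.10"` is caught before the cloud-init template bakes a default route that never matches the subnet.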