init

main.tf

@@ -0,0 +1,264 @@
+locals {
+  prod_env_file = file("${path.module}/files/env/prod.env")
+  prod_compose  = file("${path.module}/files/stacks/docker-compose.prod.yml")
+  ops_env_file  = file("${path.module}/files/env/ops.env")
+  ops_compose   = file("${path.module}/files/stacks/docker-compose.ops.yml")
+}
+
+resource "tls_private_key" "deploy" {
+  algorithm = "ED25519"
+}
+
+resource "hcloud_ssh_key" "default" {
+  name       = "writekit"
+  public_key = var.ssh_public_key
+}
+
+resource "hcloud_network" "writekit" {
+  name     = "writekit-internal"
+  ip_range = "10.0.0.0/16"
+}
+
+resource "hcloud_network_subnet" "writekit" {
+  network_id   = hcloud_network.writekit.id
+  type         = "cloud"
+  network_zone = "eu-central"
+  ip_range     = "10.0.0.0/24"
+}
+
+resource "hcloud_server" "prod" {
+  name        = "writekit-prod"
+  image       = "ubuntu-24.04"
+  server_type = var.prod_server_type
+  location    = var.location
+  ssh_keys    = [hcloud_ssh_key.default.id]
+
+  user_data = templatefile("${path.module}/files/cloud-init/prod.yml", {
+    ssh_public_key        = var.ssh_public_key
+    deploy_ssh_public_key = tls_private_key.deploy.public_key_openssh
+    env_file              = local.prod_env_file
+    docker_compose        = local.prod_compose
+  })
+
+  public_net {
+    ipv4_enabled = true
+    ipv6_enabled = true
+  }
+
+  labels = {
+    environment = "production"
+    managed_by  = "terraform"
+  }
+}
+
+resource "hcloud_server_network" "prod" {
+  server_id  = hcloud_server.prod.id
+  network_id = hcloud_network.writekit.id
+  ip         = "10.0.0.2"
+}
+
+resource "hcloud_firewall" "prod" {
+  name = "writekit-prod"
+
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "22"
+    source_ips = var.allowed_ssh_ips
+  }
+
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "22"
+    source_ips = ["10.0.0.0/24"]
+  }
+
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "80"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "443"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  rule {
+    direction       = "out"
+    protocol        = "tcp"
+    port            = "1-65535"
+    destination_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  rule {
+    direction       = "out"
+    protocol        = "udp"
+    port            = "1-65535"
+    destination_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  rule {
+    direction       = "out"
+    protocol        = "icmp"
+    destination_ips = ["0.0.0.0/0", "::/0"]
+  }
+}
+
+resource "hcloud_firewall_attachment" "prod" {
+  firewall_id = hcloud_firewall.prod.id
+  server_ids  = [hcloud_server.prod.id]
+}
+
+resource "hcloud_server" "ops" {
+  name        = "writekit-ops"
+  image       = "ubuntu-24.04"
+  server_type = var.ops_server_type
+  location    = var.location
+  ssh_keys    = [hcloud_ssh_key.default.id]
+
+  user_data = templatefile("${path.module}/files/cloud-init/ops.yml", {
+    ssh_public_key         = var.ssh_public_key
+    deploy_ssh_private_key = tls_private_key.deploy.private_key_openssh
+    env_file               = local.ops_env_file
+    docker_compose         = local.ops_compose
+  })
+
+  public_net {
+    ipv4_enabled = true
+    ipv6_enabled = true
+  }
+
+  labels = {
+    environment = "ops"
+    managed_by  = "terraform"
+  }
+}
+
+resource "hcloud_server_network" "ops" {
+  server_id  = hcloud_server.ops.id
+  network_id = hcloud_network.writekit.id
+  ip         = "10.0.0.3"
+}
+
+resource "hcloud_firewall" "ops" {
+  name = "writekit-ops"
+
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "22"
+    source_ips = var.allowed_ssh_ips
+  }
+
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "80"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "443"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "2222"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "5000"
+    source_ips = ["10.0.0.0/24"]
+  }
+
+  rule {
+    direction       = "out"
+    protocol        = "tcp"
+    port            = "1-65535"
+    destination_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  rule {
+    direction       = "out"
+    protocol        = "udp"
+    port            = "1-65535"
+    destination_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  rule {
+    direction       = "out"
+    protocol        = "icmp"
+    destination_ips = ["0.0.0.0/0", "::/0"]
+  }
+}
+
+resource "hcloud_firewall_attachment" "ops" {
+  firewall_id = hcloud_firewall.ops.id
+  server_ids  = [hcloud_server.ops.id]
+}
+
+resource "cloudflare_record" "root" {
+  zone_id = var.cloudflare_zone_id
+  name    = "@"
+  content = hcloud_server.prod.ipv4_address
+  type    = "A"
+  proxied = true
+}
+
+resource "cloudflare_record" "wildcard" {
+  zone_id = var.cloudflare_zone_id
+  name    = "*"
+  content = hcloud_server.prod.ipv4_address
+  type    = "A"
+  proxied = true
+}
+
+resource "cloudflare_record" "staging" {
+  zone_id = var.cloudflare_zone_id
+  name    = "staging"
+  content = hcloud_server.prod.ipv4_address
+  type    = "A"
+  proxied = true
+}
+
+resource "cloudflare_record" "staging_wildcard" {
+  zone_id = var.cloudflare_zone_id
+  name    = "*.staging"
+  content = hcloud_server.prod.ipv4_address
+  type    = "A"
+  proxied = true
+}
+
+resource "cloudflare_record" "source" {
+  zone_id = var.cloudflare_zone_id
+  name    = "source"
+  content = hcloud_server.ops.ipv4_address
+  type    = "A"
+  proxied = true
+}
+
+resource "cloudflare_record" "ci" {
+  zone_id = var.cloudflare_zone_id
+  name    = "ci"
+  content = hcloud_server.ops.ipv4_address
+  type    = "A"
+  proxied = true
+}
+
+resource "cloudflare_r2_bucket" "assets" {
+  account_id = var.cloudflare_account_id
+  name       = "writekit-assets"
+  location   = "WEUR"
+}