infrastructure/terraform/casey_vps.tf

module "casey_firewall" {
  source = "./vultr_firewall/"

  description = "casey"
  ports = [
    "80/tcp",
    "443/tcp",
    "51820/udp",
    "8448/tcp",
    "6328/udp"
  ]
}

resource "vultr_instance" "casey" {
  plan              = "" # On a plan unsupported by API
  region            = "lhr"
  hostname          = "casey"
  firewall_group_id = module.casey_firewall.firewall_group.id
}

# Linode

resource "linode_instance" "casey" {
  label      = "casey"
  image      = "linode/arch"
  region     = "eu-west"
  type       = "g6-nanode-1"
  private_ip = true
}

resource "linode_firewall" "casey" {
  label           = "casey"
  linodes         = [linode_instance.casey.id]
  outbound_policy = "ACCEPT"
  inbound_policy  = "DROP"

  inbound {
    label    = "allow-ping"
    action   = "ACCEPT"
    protocol = "ICMP"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound {
    label    = "allow-inbound-https"
    action   = "ACCEPT"
    protocol = "TCP"
    ports    = "443"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound {
    label    = "allow-inbound-http"
    action   = "ACCEPT"
    protocol = "TCP"
    ports    = "80"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound {
    label    = "allow-inbound-wireguard"
    action   = "ACCEPT"
    protocol = "UDP"
    ports    = "51820"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound {
    label    = "allow-inbound-nebula"
    action   = "ACCEPT"
    protocol = "UDP"
    ports    = "6328"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound {
    label    = "allow-inbound-matrix"
    action   = "ACCEPT"
    protocol = "TCP"
    ports    = "8448"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }
}

resource "linode_rdns" "casey_reverse_ipv4" {
  address = linode_instance.casey.ip_address
  rdns    = "casey.sys.theorangeone.net"
}
Move generic vultr firewall stuff into module Modules are pretty nice! 2021-03-23 22:33:10 +00:00			`module "casey_firewall" {`
			`source = "./vultr_firewall/"`

			`description = "casey"`
			`ports = [`
Iterate over firewall ports I'll convert this to a module some day, honest! 2021-03-23 22:09:48 +00:00			`"80/tcp",`
			`"443/tcp",`
			`"51820/udp",`
			`"8448/tcp",`
			`"6328/udp"`
Move generic vultr firewall stuff into module Modules are pretty nice! 2021-03-23 22:33:10 +00:00			`]`
Iterate over firewall ports I'll convert this to a module some day, honest! 2021-03-23 22:09:48 +00:00			`}`

Update vultr provider This was a pretty breaking change which required re-importing most of its state 2021-03-23 21:22:31 +00:00			`resource "vultr_instance" "casey" {`
			`plan = "" # On a plan unsupported by API`
			`region = "lhr"`
Add casey firewall config 2020-02-22 22:13:44 +00:00			`hostname = "casey"`
Move generic vultr firewall stuff into module Modules are pretty nice! 2021-03-23 22:33:10 +00:00			`firewall_group_id = module.casey_firewall.firewall_group.id`
Init some skeleton nebula stuff 2021-01-25 21:53:04 +00:00			`}`
Give every cloud machine its own cname 2022-01-19 08:29:56 +00:00
Provision a new `casey`on Linode 2022-01-21 21:52:21 +00:00			`# Linode`

			`resource "linode_instance" "casey" {`
			`label = "casey"`
			`image = "linode/arch"`
			`region = "eu-west"`
			`type = "g6-nanode-1"`
			`private_ip = true`
			`}`

			`resource "linode_firewall" "casey" {`
			`label = "casey"`
			`linodes = [linode_instance.casey.id]`
			`outbound_policy = "ACCEPT"`
			`inbound_policy = "DROP"`

			`inbound {`
			`label = "allow-ping"`
			`action = "ACCEPT"`
			`protocol = "ICMP"`
			`ipv4 = ["0.0.0.0/0"]`
			`ipv6 = ["::/0"]`
			`}`

			`inbound {`
			`label = "allow-inbound-https"`
			`action = "ACCEPT"`
			`protocol = "TCP"`
			`ports = "443"`
			`ipv4 = ["0.0.0.0/0"]`
			`ipv6 = ["::/0"]`
			`}`

			`inbound {`
			`label = "allow-inbound-http"`
			`action = "ACCEPT"`
			`protocol = "TCP"`
			`ports = "80"`
			`ipv4 = ["0.0.0.0/0"]`
			`ipv6 = ["::/0"]`
			`}`

			`inbound {`
			`label = "allow-inbound-wireguard"`
			`action = "ACCEPT"`
			`protocol = "UDP"`
			`ports = "51820"`
			`ipv4 = ["0.0.0.0/0"]`
			`ipv6 = ["::/0"]`
			`}`

			`inbound {`
			`label = "allow-inbound-nebula"`
			`action = "ACCEPT"`
			`protocol = "UDP"`
			`ports = "6328"`
			`ipv4 = ["0.0.0.0/0"]`
			`ipv6 = ["::/0"]`
			`}`

			`inbound {`
			`label = "allow-inbound-matrix"`
			`action = "ACCEPT"`
			`protocol = "TCP"`
			`ports = "8448"`
			`ipv4 = ["0.0.0.0/0"]`
			`ipv6 = ["::/0"]`
			`}`
			`}`

			`resource "linode_rdns" "casey_reverse_ipv4" {`
			`address = linode_instance.casey.ip_address`
			`rdns = "casey.sys.theorangeone.net"`
Give every cloud machine its own cname 2022-01-19 08:29:56 +00:00			`}`