infrastructure/terraform/casey_vps.tf

resource "linode_instance" "casey" {
  label      = "casey"
  image      = "linode/arch"
  region     = "eu-west"
  type       = "g6-nanode-1"
  private_ip = true
}

resource "linode_ipv6_range" "casey_extra" {
  linode_id     = linode_instance.casey.id
  prefix_length = 64
}

locals {
  private_ipv6_marker = cidrhost(linode_ipv6_range.casey_extra.id, 1)
  private_ipv6_range  = cidrsubnet(linode_ipv6_range.casey_extra.id, 64, 1)
}

resource "linode_firewall" "casey" {
  label           = "casey"
  linodes         = [linode_instance.casey.id]
  outbound_policy = "ACCEPT"
  inbound_policy  = "DROP"

  inbound {
    label    = "allow-ping"
    action   = "ACCEPT"
    protocol = "ICMP"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound {
    label    = "allow-inbound-https"
    action   = "ACCEPT"
    protocol = "TCP"
    ports    = "443"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound {
    label    = "allow-inbound-http"
    action   = "ACCEPT"
    protocol = "TCP"
    ports    = "80"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound {
    label    = "allow-inbound-wireguard"
    action   = "ACCEPT"
    protocol = "UDP"
    ports    = "51820"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound {
    label    = "allow-inbound-wireguard-53"
    action   = "ACCEPT"
    protocol = "UDP"
    ports    = "53"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound {
    label    = "allow-inbound-nebula"
    action   = "ACCEPT"
    protocol = "UDP"
    ports    = "6328"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound {
    label    = "allow-inbound-matrix"
    action   = "ACCEPT"
    protocol = "TCP"
    ports    = "8448"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound {
    label    = "allow-inbound-headscale"
    action   = "ACCEPT"
    protocol = "UDP"
    ports    = "41641"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound {
    label    = "allow-inbound-stun"
    action   = "ACCEPT"
    protocol = "UDP"
    ports    = "3478"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }
}

resource "linode_rdns" "casey_reverse_ipv4" {
  address = linode_instance.casey.ip_address
  rdns    = cloudflare_record.sys_domain_casey.hostname
}

resource "linode_rdns" "casey_reverse_ipv6" {
  address = split("/", linode_instance.casey.ipv6)[0]
  rdns    = cloudflare_record.sys_domain_casey.hostname
}