diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index 29a1116..3b18a2c 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -2,4 +2,4 @@ nocows=True [ssh_connection] -ssh_args = -o StrictHostKeyChecking=accept-new -o ConnectTimeout=300 -o ConnectionAttempts=5 -o PreferredAuthentications=publickey +ssh_args = -o StrictHostKeyChecking=accept-new -o PreferredAuthentications=publickey diff --git a/ansible/inventories/common/group_vars/all.yml b/ansible/inventories/common/group_vars/all.yml new file mode 100644 index 0000000..a76575a --- /dev/null +++ b/ansible/inventories/common/group_vars/all.yml @@ -0,0 +1,23 @@ +--- + +users: + - name: admin + password_hash: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 30623138653735643561343061356531373430393662383764633038383238383837626636393432 + 3138653539356430306266663864343563616332656131310a343632323363653665646363366437 + 66643430626437333461656231303339656435346261336238313036306431396333643965666631 + 3665393163623266320a373838313538626438623330393533353931336331623464613664633430 + 32303734396634376431383936643431313561303864343930393363623130663236666636353637 + 63613237383666656263316661333031643032323266636464313839653065316138343035346161 + 64313037336666353136383462333832373031623637636630326330313832333265386632343139 + 30306638356434376635346637346134653064613236326333656566383137353166393063333563 + 32623638343263313463313062303465626439356461613235656661623364656138 + ssh_public_keys: + - "ssh-rsa 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 openpgp:0x8880F3E0" + opendoas_settings: "permit persist admin as root" + - name: ansible + password_hash: "" + ssh_public_keys: + - "ssh-rsa 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 openpgp:0x8880F3E0" + opendoas_settings: "permit nopass ansible" 
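Review bot: In the new `ansible/inventories/common/group_vars/all.yml` the `ansible` user is declared with `password_hash: ""` next to `opendoas_settings: "permit nopass ansible"`, and the role that consumes `users` is not in this commit, so it is not visible whether an empty string means "leave the password locked" or is passed straight to the `user` module's `password` argument; in the latter case the account ends up with an empty password field rather than a locked one. A locked value such as `password_hash: "!"` states the intent explicitly and costs nothing for key-only access. Both users also list the same `ssh-rsa` key, so whoever holds that key already has passwordless root through `ansible`, which makes the vaulted `admin` password mostly a local-console safeguard; if that is deliberate, a one-line comment above `users:` saying so would spare the next reader the question.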
diff --git a/ansible/inventories/dev/group_vars/bastion.yml b/ansible/inventories/common/group_vars/bastion.yml similarity index 100% rename from ansible/inventories/dev/group_vars/bastion.yml rename to ansible/inventories/common/group_vars/bastion.yml diff --git a/ansible/inventories/dev/group_vars/load_balancers.yml b/ansible/inventories/common/group_vars/load_balancers.yml similarity index 100% rename from ansible/inventories/dev/group_vars/load_balancers.yml rename to ansible/inventories/common/group_vars/load_balancers.yml diff --git a/ansible/inventories/dev/group_vars/monitoring.yml b/ansible/inventories/common/group_vars/monitoring.yml similarity index 100% rename from ansible/inventories/dev/group_vars/monitoring.yml rename to ansible/inventories/common/group_vars/monitoring.yml diff --git a/ansible/inventories/common/hosts.yml b/ansible/inventories/common/hosts.yml new file mode 100644 index 0000000..75735c7 --- /dev/null +++ b/ansible/inventories/common/hosts.yml @@ -0,0 +1,12 @@ +--- +all: + children: + bastion: + hosts: + 192.168.0.254: + load_balancers: + hosts: + 192.168.0.253: + monitoring: + hosts: + 192.168.0.252: diff --git a/ansible/inventories/dev/group_vars/main_page.yml b/ansible/inventories/dev/group_vars/main_page.yml index db2d16a..1f88454 100644 --- a/ansible/inventories/dev/group_vars/main_page.yml +++ b/ansible/inventories/dev/group_vars/main_page.yml @@ -32,7 +32,7 @@ users: hugo_version: 0.147.9 hugo_homedir: /opt/hugo hugo_git_repo: https://gitea.cuqmbr.xyz/cuqmbr/cuqmbr.xyz.git -hugo_git_commit: 5b894854d47b41996b1901fa257f8c2cad9224f9 +hugo_git_commit: 585a8ad8ca4cfeab4df7ae5d852f5fb616b72aca hugo_git_refspec: refs/heads/main hugo_base_url: http://dev.cuqmbr.xyz diff --git a/ansible/inventories/dev/hosts.yml b/ansible/inventories/dev/hosts.yml index 154bc45..793e27f 100644 --- a/ansible/inventories/dev/hosts.yml +++ b/ansible/inventories/dev/hosts.yml 
@@ -1,15 +1,6 @@ --- all: children: - bastion: - hosts: - 192.168.0.254: - load_balancers: - hosts: - 192.168.0.253: - monitoring: - hosts: - 192.168.0.252: postgresql: hosts: 192.168.0.3: diff --git a/terraform/.terraform.lock.hcl b/terraform/common/.terraform.lock.hcl similarity index 100% rename from terraform/.terraform.lock.hcl rename to terraform/common/.terraform.lock.hcl diff --git a/terraform/bastion.tf b/terraform/common/bastion.tf similarity index 91% rename from terraform/bastion.tf rename to terraform/common/bastion.tf index bbd829e..e2971b1 100644 --- a/terraform/bastion.tf +++ b/terraform/common/bastion.tf @@ -105,6 +105,11 @@ resource "proxmox_virtual_environment_firewall_rules" "bastion" { rule { security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name - comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node." + comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node." } } + +output "bastion_ct" { + value = proxmox_virtual_environment_container.bastion + sensitive = true +} diff --git a/terraform/firewall_ipsets.tf b/terraform/common/firewall_ipsets.tf similarity index 87% rename from terraform/firewall_ipsets.tf rename to terraform/common/firewall_ipsets.tf index 64efe26..fc6fc7f 100644 --- a/terraform/firewall_ipsets.tf +++ b/terraform/common/firewall_ipsets.tf @@ -1,4 +1,4 @@ -resource "proxmox_virtual_environment_firewall_ipset" "loggers" { +resource "proxmox_virtual_environment_firewall_ipset" "dev_loggers" { name = "loggers" comment = "Nodes that send logs to Monitoring Node." diff --git a/terraform/firewall_security_groups.tf b/terraform/common/firewall_security_groups.tf similarity index 72% rename from terraform/firewall_security_groups.tf rename to terraform/common/firewall_security_groups.tf index 5d6c2ea..2ccc812 100644 --- a/terraform/firewall_security_groups.tf +++ b/terraform/common/firewall_security_groups.tf 
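Review bot: `output "bastion_ct"` in `terraform/common/bastion.tf` exports the whole `proxmox_virtual_environment_container.bastion` object, while every consumer added in this commit (`terraform/dev/main-page.tf`, `postgresql.tf`, `searxng.tf`) only reads `initialization[0].ip_config[1].ipv4[0].address`. `sensitive = true` redacts CLI display but not the state file, and with the local backend the `dev`/`prod` stacks read `../common/terraform.tfstate` in full anyway, so today this is a contract-width problem rather than an exposure; it becomes an exposure the day the backend moves to something that grants output-only access. Narrowing it to what is consumed, e.g. `value = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0]` under a name such as `bastion_ipv4`, also stops the remote-state side from depending on the provider's nested attribute layout. The same applies to `load_balancer_ct` in `terraform/common/load-balancer.tf` and the four `*_sg` outputs in `terraform/common/firewall_security_groups.tf`, where only `.name` is consumed.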
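Review bot: Renaming the resource label `proxmox_virtual_environment_firewall_ipset.loggers` to `dev_loggers` in `terraform/common/firewall_ipsets.tf` without a `moved` block makes Terraform plan a destroy-and-create of the Proxmox ipset, even though its `name = "loggers"` is unchanged, and the Loki rule in `terraform/common/monitoring.tf` now points at the new label. Adding `moved { from = proxmox_virtual_environment_firewall_ipset.loggers to = proxmox_virtual_environment_firewall_ipset.dev_loggers }` (Terraform 1.1+; otherwise `terraform state mv`) keeps the existing object and avoids the apply window in which the `+loggers` source refers to an ipset that momentarily does not exist; how Proxmox treats a rule whose ipset is missing is not visible here. The ipset also sits in the `common` stack while its new label says `dev_`, so a comment on the resource naming which nodes are expected as members would help.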
@@ -11,6 +11,11 @@ resource "proxmox_virtual_environment_cluster_firewall_security_group" "promethe } } +output "prometheus_node_exporter_sg" { + value = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter + sensitive = true +} + resource "proxmox_virtual_environment_cluster_firewall_security_group" "prometheus_nginx_exporter" { name = "prom-nginx-exp" comment = "Allow Prometheus server to pull Prometheus nginx exporter from Monitoring Node." @@ -24,6 +29,11 @@ resource "proxmox_virtual_environment_cluster_firewall_security_group" "promethe } } +output "prometheus_nginx_exporter_sg" { + value = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_nginx_exporter + sensitive = true +} + resource "proxmox_virtual_environment_cluster_firewall_security_group" "prometheus_server_exporter" { name = "prom-srv-exp" comment = "Allow Prometheus server to pull Prometheus default exporter from Monitoring Node." @@ -37,6 +47,11 @@ resource "proxmox_virtual_environment_cluster_firewall_security_group" "promethe } } +output "prometheus_server_exporter_sg" { + value = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_server_exporter + sensitive = true +} + resource "proxmox_virtual_environment_cluster_firewall_security_group" "prometheus_alertmanager" { name = "prom-alert" comment = "Access Prometheus Alertmanager from Monitoring Node." @@ -49,3 +64,8 @@ resource "proxmox_virtual_environment_cluster_firewall_security_group" "promethe action = "ACCEPT" } } + +output "prometheus_alertmanager_sg" { + value = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_alertmanager + sensitive = true +} diff --git a/terraform/load-balancer.tf b/terraform/common/load-balancer.tf similarity index 77% rename from terraform/load-balancer.tf rename to terraform/common/load-balancer.tf index ec88fa5..e796183 100644 --- a/terraform/load-balancer.tf +++ b/terraform/common/load-balancer.tf 
@@ -89,11 +89,11 @@ resource "proxmox_virtual_environment_firewall_rules" "load_balancer" { vm_id = proxmox_virtual_environment_container.load_balancer.vm_id rule { - type = "in" - source = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0] - proto = "tcp" - dport = "22" - action = "ACCEPT" + type = "in" + source = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0] + proto = "tcp" + dport = "22" + action = "ACCEPT" comment = "SSH from Bastion." } @@ -105,28 +105,33 @@ resource "proxmox_virtual_environment_firewall_rules" "load_balancer" { } rule { - type = "in" - action = "ACCEPT" - dport = "80" - proto = "tcp" + type = "in" + action = "ACCEPT" + dport = "80" + proto = "tcp" comment = "Ping." } rule { - type = "in" - proto = "tcp" - dport = "443" - action = "ACCEPT" + type = "in" + proto = "tcp" + dport = "443" + action = "ACCEPT" comment = "HTTPS." } rule { security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name - comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node." + comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node." } rule { security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_nginx_exporter.name - comment = "Allow Prometheus server to pull Prometheus nginx exporter from Monitoring Node." + comment = "Allow Prometheus server to pull Prometheus nginx exporter from Monitoring Node." } } + +output "load_balancer_ct" { + value = proxmox_virtual_environment_container.load_balancer + sensitive = true +} diff --git a/terraform/main.tf b/terraform/common/main.tf similarity index 77% rename from terraform/main.tf rename to terraform/common/main.tf index bd94ca8..8abe2f6 100644 --- a/terraform/main.tf +++ b/terraform/common/main.tf 
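Review bot: The realigned rule in `terraform/common/load-balancer.tf` with `dport = "80"` and `proto = "tcp"` still carries `comment = "Ping."`, which mislabels the HTTP rule; `"Ping."` is the label the ICMP rule uses in `terraform/common/monitoring.tf` and `terraform/dev/postgresql.tf`. Since this hunk already rewrites those lines, it is the place to change it to `comment = "HTTP."`, matching the `"HTTPS."` rule that follows. The enclosing `proxmox_virtual_environment_firewall_rules.load_balancer` block starts outside the hunk.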
@@ -10,7 +10,7 @@ terraform { } provider "proxmox" { - endpoint = var.virtual_environment_endpoint + endpoint = var.virtual_environment_endpoint api_token = var.virtual_environment_api_token - insecure = true + insecure = true } diff --git a/terraform/monitoring.tf b/terraform/common/monitoring.tf similarity index 66% rename from terraform/monitoring.tf rename to terraform/common/monitoring.tf index 56c26f9..5e1e437 100644 --- a/terraform/monitoring.tf +++ b/terraform/common/monitoring.tf 
@@ -77,61 +77,61 @@ resource "proxmox_virtual_environment_firewall_rules" "monitoring" { vm_id = proxmox_virtual_environment_container.monitoring.vm_id rule { - type = "in" - source = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0] - proto = "tcp" - dport = "22" - action = "ACCEPT" + type = "in" + source = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0] + proto = "tcp" + dport = "22" + action = "ACCEPT" comment = "SSH from Bastion." } rule { - type = "in" - proto = "icmp" - dport = "8" - action = "ACCEPT" + type = "in" + proto = "icmp" + dport = "8" + action = "ACCEPT" comment = "Ping." } rule { - type = "in" - source = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0] - proto = "tcp" - dport = "3000" - action = "ACCEPT" + type = "in" + source = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0] + proto = "tcp" + dport = "3000" + action = "ACCEPT" comment = "Grafana Server from Load Balancer." } rule { - type = "in" - source = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0] - proto = "tcp" - dport = "9090" - action = "ACCEPT" + type = "in" + source = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0] + proto = "tcp" + dport = "9090" + action = "ACCEPT" comment = "Prometheus Server from Load Balancer." } rule { security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name - comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node." + comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node." 
} rule { security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_server_exporter.name - comment = "Allow Prometheus server to pull Prometheus default exporter from Monitoring Node." + comment = "Allow Prometheus server to pull Prometheus default exporter from Monitoring Node." } rule { security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_alertmanager.name - comment = "Access Prometheus Alertmanager from Monitoring Node." + comment = "Access Prometheus Alertmanager from Monitoring Node." } rule { - type = "in" - source = "+${proxmox_virtual_environment_firewall_ipset.loggers.name}" - proto = "tcp" - dport = "3100" - action = "ACCEPT" + type = "in" + source = "+${proxmox_virtual_environment_firewall_ipset.dev_loggers.name}" + proto = "tcp" + dport = "3100" + action = "ACCEPT" comment = "Access Grafana Loki from logging nodes." } } diff --git a/terraform/common/variables.tf b/terraform/common/variables.tf new file mode 100644 index 0000000..f8cc7d3 --- /dev/null +++ b/terraform/common/variables.tf @@ -0,0 +1,37 @@ +# Connection Settings + +variable "virtual_environment_endpoint" { + description = "Proxmox Virtual Envirnment Endpoint e.g. https://pve.domain.tld:8006/." + type = string +} + +variable "virtual_environment_api_token" { + description = "Tocket to access PVE API on behalf of the user." + type = string + sensitive = true +} + +variable "ssh_public_key" { + description = "SSH public key to place into authorized_keys of a root user in new vm/ct." + type = string + sensitive = true +} + + +# Variables + +variable "datastore_id" { + type = string +} + +variable "external_network_bridge_name" { + type = string +} + +variable "development_network_bridge_name" { + type = string +} + +variable "production_network_bridge_name" { + type = string +} diff --git a/terraform/dev/.terraform.lock.hcl b/terraform/dev/.terraform.lock.hcl new file mode 100644 index 0000000..27ec51a --- /dev/null 
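Review bot: The new `terraform/common/variables.tf` carries two typos in user-facing descriptions: `description = "Proxmox Virtual Envirnment Endpoint e.g. https://pve.domain.tld:8006/."` should read `Environment`, and `description = "Tocket to access PVE API on behalf of the user."` should read `Token`; the same text is copied into the new `terraform/prod/variables.tf` and, judging by the 93% similarity, survives in the renamed `terraform/dev/variables.tf`. `ssh_public_key` is marked `sensitive = true` although a public key is not a secret, which only hides it from plan output and makes key rotations harder to review; dropping that line is worth considering. The four variables under `# Variables` (`datastore_id` and the three bridge names) have no `description`, so a short one each, e.g. `description = "Name of the Proxmox bridge carrying the development network."`, would document the contract between the stacks.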
+++ b/terraform/dev/.terraform.lock.hcl @@ -0,0 +1,9 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "local/bpg/proxmox" { + version = "0.78.2" + hashes = [ + "h1:N/p0BJCms7y2MBJmYjoWXFtxocN55PKYz1ulwzPTO00=", + ] +} diff --git a/terraform/main-page.tf b/terraform/dev/main-page.tf similarity index 78% rename from terraform/main-page.tf rename to terraform/dev/main-page.tf index 52023bb..3f1e80a 100644 --- a/terraform/main-page.tf +++ b/terraform/dev/main-page.tf @@ -21,7 +21,7 @@ resource "proxmox_virtual_environment_container" "main_page" { } network_interface { - bridge = var.development_network_bridge_name + bridge = var.internal_network_bridge_name name = "eth-dev" firewall = true enabled = true @@ -78,7 +78,7 @@ resource "proxmox_virtual_environment_firewall_rules" "main_page" { rule { type = "in" - source = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0] + source = split("/", data.terraform_remote_state.common.outputs.bastion_ct.initialization[0].ip_config[1].ipv4[0].address)[0] proto = "tcp" dport = "22" action = "ACCEPT" @@ -95,7 +95,7 @@ resource "proxmox_virtual_environment_firewall_rules" "main_page" { rule { type = "in" - source = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0] + source = split("/", data.terraform_remote_state.common.outputs.load_balancer_ct.initialization[0].ip_config[1].ipv4[0].address)[0] proto = "tcp" dport = "80" action = "ACCEPT" 
@@ -103,7 +103,7 @@ resource "proxmox_virtual_environment_firewall_rules" "main_page" { } rule { - security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name - comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node." + security_group = data.terraform_remote_state.common.outputs.prometheus_node_exporter_sg.name + comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node." } } diff --git a/terraform/dev/main.tf b/terraform/dev/main.tf new file mode 100644 index 0000000..58ab185 --- /dev/null +++ b/terraform/dev/main.tf @@ -0,0 +1,23 @@ +terraform { + backend "local" { + path = "./terraform.tfstate" + } + required_providers { + proxmox = { + source = "local/bpg/proxmox" + } + } +} + +provider "proxmox" { + endpoint = var.virtual_environment_endpoint + api_token = var.virtual_environment_api_token + insecure = true +} + +data "terraform_remote_state" "common" { + backend = "local" + config = { + path = "../common/terraform.tfstate" + } +} diff --git a/terraform/postgresql.tf b/terraform/dev/postgresql.tf similarity index 78% rename from terraform/postgresql.tf rename to terraform/dev/postgresql.tf index d17efee..1f0cce1 100644 --- a/terraform/postgresql.tf +++ b/terraform/dev/postgresql.tf @@ -21,7 +21,7 @@ resource "proxmox_virtual_environment_container" "postgresql" { } network_interface { - bridge = var.development_network_bridge_name + bridge = var.internal_network_bridge_name name = "eth-dev" firewall = true enabled = true @@ -78,7 +78,7 @@ resource "proxmox_virtual_environment_firewall_rules" "postgresql" { rule { type = "in" - source = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0] + source = split("/", data.terraform_remote_state.common.outputs.bastion_ct.initialization[0].ip_config[1].ipv4[0].address)[0] proto = "tcp" dport = "22" action = "ACCEPT" 
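Review bot: The new `terraform/dev/main.tf` (and its copy `terraform/prod/main.tf`) sets `insecure = true` in `provider "proxmox"`, which disables TLS certificate verification on the API connection that carries `var.virtual_environment_api_token`; the setting is inherited from the common stack but a new file is the place to stop copying it. If the PVE endpoint uses a self-signed certificate, a comment stating that, or a variable such as `insecure = var.virtual_environment_insecure` defaulting to `false`, keeps the exception visible and reviewable. `data "terraform_remote_state" "common"` reads `../common/terraform.tfstate`, a plaintext file that holds every resource attribute of the common stack, so the repository's ignore rules should exclude `*.tfstate` (not visible in this commit; please confirm). The `required_providers` source `local/bpg/proxmox` points at a filesystem or network mirror, so the lock file's single `h1:` hash is computed from whatever that mirror served rather than from registry metadata; a comment naming where the mirror is populated from would document the provenance.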
@@ -86,15 +86,15 @@ resource "proxmox_virtual_environment_firewall_rules" "postgresql" { } rule { - type = "in" - proto = "icmp" - dport = "8" - action = "ACCEPT" + type = "in" + proto = "icmp" + dport = "8" + action = "ACCEPT" comment = "Ping." } rule { - security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name - comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node." + security_group = data.terraform_remote_state.common.outputs.prometheus_node_exporter_sg.name + comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node." } } diff --git a/terraform/searxng.tf b/terraform/dev/searxng.tf similarity index 78% rename from terraform/searxng.tf rename to terraform/dev/searxng.tf index f0355d8..4427208 100644 --- a/terraform/searxng.tf +++ b/terraform/dev/searxng.tf @@ -21,7 +21,7 @@ resource "proxmox_virtual_environment_container" "searxng" { } network_interface { - bridge = var.development_network_bridge_name + bridge = var.internal_network_bridge_name name = "eth-dev" firewall = true enabled = true @@ -78,7 +78,7 @@ resource "proxmox_virtual_environment_firewall_rules" "searxng" { rule { type = "in" - source = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0] + source = split("/", data.terraform_remote_state.common.outputs.bastion_ct.initialization[0].ip_config[1].ipv4[0].address)[0] proto = "tcp" dport = "22" action = "ACCEPT" @@ -95,7 +95,7 @@ resource "proxmox_virtual_environment_firewall_rules" "searxng" { rule { type = "in" - source = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0] + source = split("/", data.terraform_remote_state.common.outputs.load_balancer_ct.initialization[0].ip_config[1].ipv4[0].address)[0] proto = "tcp" dport = "8888" action = "ACCEPT" 
@@ -103,7 +103,7 @@ resource "proxmox_virtual_environment_firewall_rules" "searxng" { } rule { - security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name - comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node." + security_group = data.terraform_remote_state.common.outputs.prometheus_node_exporter_sg.name + comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node." } } diff --git a/terraform/variables.tf b/terraform/dev/variables.tf similarity index 93% rename from terraform/variables.tf rename to terraform/dev/variables.tf index 6e731aa..2659ef4 100644 --- a/terraform/variables.tf +++ b/terraform/dev/variables.tf @@ -28,6 +28,6 @@ variable "external_network_bridge_name" { type = string } -variable "development_network_bridge_name" { +variable "internal_network_bridge_name" { type = string } diff --git a/terraform/forgejo.tf.disabled b/terraform/forgejo.tf.disabled deleted file mode 100644 index d5214a7..0000000 --- a/terraform/forgejo.tf.disabled +++ /dev/null 
@@ -1,109 +0,0 @@ -resource "proxmox_virtual_environment_container" "forgejo" { - node_name = "pve" - - vm_id = 1200 - - tags = ["dev"] - - unprivileged = true - - cpu { - cores = 1 - } - - memory { - dedicated = 1536 - } - - disk { - datastore_id = var.datastore_id - size = 32 - } - - network_interface { - bridge = var.development_network_bridge_name - name = "eth-dev" - firewall = true - enabled = true - } - - initialization { - hostname = "forgejo" - ip_config { - ipv4 { - address = "192.168.0.12/24" - gateway = "192.168.0.1" - } - } - user_account { - keys = [var.ssh_public_key] - } - } - - operating_system { - template_file_id = "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst" - type = "debian" - } - - started = true - - startup { - order = 500 - up_delay = 0 - down_delay = 0 - } - - features { - nesting = true - } -} - -resource "proxmox_virtual_environment_firewall_options" "forgejo" { - depends_on = [proxmox_virtual_environment_container.forgejo] - - node_name = proxmox_virtual_environment_container.forgejo.node_name - vm_id = proxmox_virtual_environment_container.forgejo.vm_id - - enabled = true - dhcp = true - input_policy = "DROP" - output_policy = "ACCEPT" -} - -resource "proxmox_virtual_environment_firewall_rules" "forgejo" { - depends_on = [proxmox_virtual_environment_container.forgejo] - - node_name = proxmox_virtual_environment_container.forgejo.node_name - vm_id = proxmox_virtual_environment_container.forgejo.vm_id - - rule { - type = "in" - source = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0] - proto = "tcp" - dport = "22" - action = "ACCEPT" - comment = "SSH from Bastion." - } - - rule { - type = "in" - proto = "icmp" - dport = "8" - action = "ACCEPT" - comment = "Ping." 
- } - - rule { - type = "in" - source = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0] - proto = "tcp" - dport = "3000" - action = "ACCEPT" - comment = "Forgejo." - } - - rule { - security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name - comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node." - } -} diff --git a/terraform/prod/.terraform.lock.hcl b/terraform/prod/.terraform.lock.hcl new file mode 100644 index 0000000..27ec51a --- /dev/null +++ b/terraform/prod/.terraform.lock.hcl @@ -0,0 +1,9 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "local/bpg/proxmox" { + version = "0.78.2" + hashes = [ + "h1:N/p0BJCms7y2MBJmYjoWXFtxocN55PKYz1ulwzPTO00=", + ] +} diff --git a/terraform/prod/main.tf b/terraform/prod/main.tf new file mode 100644 index 0000000..7b7206e --- /dev/null +++ b/terraform/prod/main.tf @@ -0,0 +1,23 @@ +terraform { + backend "local" { + path = "./terraform.tfstate" + } + required_providers { + proxmox = { + source = "local/bpg/proxmox" + } + } +} + +provider "proxmox" { + endpoint = var.virtual_environment_endpoint + api_token = var.virtual_environment_api_token + insecure = true +} + +data "terraform_remote_state" "common" { + backend = "local" + config = { + path = "../common/terraform.tfstate" + } +} diff --git a/terraform/prod/variables.tf b/terraform/prod/variables.tf new file mode 100644 index 0000000..2659ef4 --- /dev/null +++ b/terraform/prod/variables.tf 
@@ -0,0 +1,33 @@ +# Connection Settings + +variable "virtual_environment_endpoint" { + description = "Proxmox Virtual Envirnment Endpoint e.g. https://pve.domain.tld:8006/." + type = string +} + +variable "virtual_environment_api_token" { + description = "Tocket to access PVE API on behalf of the user." + type = string + sensitive = true +} + +variable "ssh_public_key" { + description = "SSH public key to place into authorized_keys of a root user in new vm/ct." + type = string + sensitive = true +} + + +# Variables + +variable "datastore_id" { + type = string +} + +variable "external_network_bridge_name" { + type = string +} + +variable "internal_network_bridge_name" { + type = string +} diff --git a/terraform/test.tf.disabled b/terraform/test.tf.disabled deleted file mode 100644 index 4094fea..0000000 --- a/terraform/test.tf.disabled +++ /dev/null 
@@ -1,109 +0,0 @@ -resource "proxmox_virtual_environment_container" "test" { - node_name = "pve" - - vm_id = 1201 - - tags = ["dev"] - - unprivileged = true - - cpu { - cores = 1 - } - - memory { - dedicated = 1536 - } - - disk { - datastore_id = var.datastore_id - size = 10 - } - - network_interface { - bridge = var.development_network_bridge_name - name = "eth-dev" - firewall = true - enabled = true - } - - initialization { - hostname = "test" - ip_config { - ipv4 { - address = "192.168.0.100/24" - gateway = "192.168.0.1" - } - } - user_account { - keys = [var.ssh_public_key] - } - } - - operating_system { - template_file_id = "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst" - type = "debian" - } - - started = true - - startup { - order = 500 - up_delay = 0 - down_delay = 0 - } - - features { - nesting = true - } -} - -resource "proxmox_virtual_environment_firewall_options" "test" { - depends_on = [proxmox_virtual_environment_container.test] - - node_name = proxmox_virtual_environment_container.test.node_name - vm_id = proxmox_virtual_environment_container.test.vm_id - - enabled = true - dhcp = true - input_policy = "DROP" - output_policy = "ACCEPT" -} - -resource "proxmox_virtual_environment_firewall_rules" "test" { - depends_on = [proxmox_virtual_environment_container.test] - - node_name = proxmox_virtual_environment_container.test.node_name - vm_id = proxmox_virtual_environment_container.test.vm_id - - rule { - type = "in" - source = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0] - proto = "tcp" - dport = "22" - action = "ACCEPT" - comment = "SSH from Bastion." - } - - rule { - type = "in" - proto = "icmp" - dport = "8" - action = "ACCEPT" - comment = "Ping." - } - - rule { - type = "in" - source = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0] - proto = "tcp" - dport = "3000" - action = "ACCEPT" - comment = "test." 
- } - - rule { - security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name - comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node." - } -}