diff --git a/hetzner/instances-master.tf b/hetzner/instances-master.tf
index 3e3e08b..cbeba34 100644
--- a/hetzner/instances-master.tf
+++ b/hetzner/instances-master.tf
@@ -15,20 +15,18 @@ resource "hcloud_server" "controlplane" {
 ip = cidrhost(hcloud_network_subnet.core.ip_range, 11 + count.index)
 }
 
- # user_data = templatefile("${path.module}/templates/controlplane.yaml",
- # merge(var.kubernetes, {
- # name = "master-${count.index + 1}"
- # type = count.index == 0 ? "init" : "controlplane"
- # ipv4_local = cidrhost(hcloud_network_subnet.core.ip_range, 11 + count.index)
- # # ipv4 = hcloud_server.controlplane[count.index].ipv4_address
- # # ipv6 = hcloud_server.controlplane[count.index].ipv6_address
- # lbv4_local = hcloud_load_balancer_network.api.ip
- # lbv4 = hcloud_load_balancer.api.ipv4
- # lbv6 = hcloud_load_balancer.api.ipv6
- # hcloud_network = hcloud_network.main.id
- # hcloud_token = var.hcloud_token
- # })
- # )
+ user_data = templatefile("${path.module}/templates/controlplane.yaml",
+ merge(var.kubernetes, {
+ name = "master-${count.index + 1}"
+ type = count.index == 0 ? "init" : "controlplane"
+ ipv4_local = cidrhost(hcloud_network_subnet.core.ip_range, 11 + count.index)
+ lbv4_local = hcloud_load_balancer_network.api.ip
+ lbv4 = hcloud_load_balancer.api.ipv4
+ lbv6 = hcloud_load_balancer.api.ipv6
+ hcloud_network = hcloud_network.main.id
+ hcloud_token = var.hcloud_token
+ })
+ )
 
 lifecycle {
 ignore_changes = [
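Review bot: `hcloud_token = var.hcloud_token` is now rendered into `user_data`, so the API token is stored in plaintext in the Terraform state and in the server's user-data, which is typically readable from inside the instance via the cloud metadata endpoint. If the token must be delivered this way, declare `variable "hcloud_token"` with `sensitive = true` (its declaration is outside this diff) and issue the token from a project with only the permissions the node needs. The path `${path.module}/templates/controlplane.yaml` has no `.tpl` suffix while the template touched later in this commit is `hetzner/templates/controlplane.yaml.tpl`; confirm the unsuffixed file exists or the plan will fail. The `ipv4`/`ipv6` keys from the old call are gone, so if the template still references `${ipv4}` or `${ipv6}`, `templatefile` will error. The `hcloud_server.controlplane` resource continues outside the hunk.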
@@ -47,32 +45,34 @@ resource "hcloud_load_balancer_target" "api" {
 server_id = hcloud_server.controlplane[count.index].id
 }
 
-resource "local_file" "controlplane" {
- count = lookup(var.controlplane, "count", 0)
- content = templatefile("${path.module}/templates/controlplane.yaml",
- merge(var.kubernetes, {
- name = "master-${count.index + 1}"
- type = count.index == 0 ? "init" : "controlplane"
- ipv4_local = cidrhost(hcloud_network_subnet.core.ip_range, 11 + count.index)
- ipv4 = hcloud_server.controlplane[count.index].ipv4_address
- ipv6 = hcloud_server.controlplane[count.index].ipv6_address
- lbv4_local = hcloud_load_balancer_network.api.ip
- lbv4 = hcloud_load_balancer.api.ipv4
- lbv6 = hcloud_load_balancer.api.ipv6
- hcloud_network = hcloud_network.main.id
- hcloud_token = var.hcloud_token
- })
- )
- filename = "_cfgs/controlplane-${count.index + 1}.yaml"
- file_permission = "0640"
+#
+# Secure push talos config to the node
+#
 
- depends_on = [hcloud_server.controlplane]
-}
+# resource "local_file" "controlplane" {
+# count = lookup(var.controlplane, "count", 0)
+# content = templatefile("${path.module}/templates/controlplane.yaml",
+# merge(var.kubernetes, {
+# name = "master-${count.index + 1}"
+# type = count.index == 0 ? "init" : "controlplane"
+# ipv4_local = cidrhost(hcloud_network_subnet.core.ip_range, 11 + count.index)
+# lbv4_local = hcloud_load_balancer_network.api.ip
+# lbv4 = hcloud_load_balancer.api.ipv4
+# lbv6 = hcloud_load_balancer.api.ipv6
+# hcloud_network = hcloud_network.main.id
+# hcloud_token = var.hcloud_token
+# })
+# )
+# filename = "_cfgs/controlplane-${count.index + 1}.yaml"
+# file_permission = "0640"
 
-resource "null_resource" "controlplane" {
- count = lookup(var.controlplane, "count", 0)
- provisioner "local-exec" {
- command = "sleep 60 && talosctl apply-config --insecure --nodes ${hcloud_server.controlplane[count.index].ipv4_address} --file _cfgs/controlplane-${count.index + 1}.yaml"
- }
- depends_on = [hcloud_load_balancer_target.api, local_file.controlplane]
-}
+# depends_on = [hcloud_server.controlplane]
+# }
+
+# resource "null_resource" "controlplane" {
+# count = lookup(var.controlplane, "count", 0)
+# provisioner "local-exec" {
+# command = "sleep 60 && talosctl apply-config --insecure --nodes ${hcloud_server.controlplane[count.index].ipv4_address} --file _cfgs/controlplane-${count.index + 1}.yaml"
+# }
+# depends_on = [hcloud_load_balancer_target.api, local_file.controlplane]
+# }
diff --git a/hetzner/modules/templates/worker.yaml.tpl b/hetzner/modules/templates/worker.yaml.tpl
index 8aab1b2..7cbf3dd 100644
--- a/hetzner/modules/templates/worker.yaml.tpl
+++ b/hetzner/modules/templates/worker.yaml.tpl
@@ -13,24 +13,17 @@ machine:
 network:
 hostname: "${name}"
 interfaces:
- - interface: eth0
- dhcp: true
 - interface: eth1
 dhcp: true
 - interface: dummy0
- cidr: "169.254.2.53/32"
- - interface: dummy0
- cidr: "fd00::169:254:2:53/128"
+ addresses:
+ - 169.254.2.53/32
+ - fd00::169:254:2:53/128
 sysctls:
 net.core.somaxconn: 65535
 net.core.netdev_max_backlog: 4096
 install:
- disk: /dev/sda
- extraKernelArgs:
- - elevator=noop
- image: ghcr.io/talos-systems/installer:v0.10.3
- bootloader: true
- wipe: true
+ wipe: false
 systemDiskEncryption:
 ephemeral:
 provider: luks2
diff --git a/hetzner/modules/worker/main.tf b/hetzner/modules/worker/main.tf
index 5680e44..d70f773 100644
--- a/hetzner/modules/worker/main.tf
+++ b/hetzner/modules/worker/main.tf
@@ -32,12 +32,12 @@ resource "hcloud_server" "worker" {
 }
 
 # IPv6 hack
- provisioner "local-exec" {
- command = "echo '${templatefile("${path.module}/../templates/worker-patch.json.tpl", { ipv6_address = self.ipv6_address })}' > _cfgs/${var.vm_name}${count.index + 1}.patch"
- }
- provisioner "local-exec" {
- command = "sleep 120 && talosctl --talosconfig _cfgs/talosconfig patch --nodes ${cidrhost(var.subnet, var.vm_ip_start + count.index)} machineconfig --patch-file _cfgs/${var.vm_name}${count.index + 1}.patch"
- }
+ # provisioner "local-exec" {
+ # command = "echo '${templatefile("${path.module}/../templates/worker-patch.json.tpl", { ipv6_address = self.ipv6_address })}' > _cfgs/${var.vm_name}${count.index + 1}.patch"
+ # }
+ # provisioner "local-exec" {
+ # command = "sleep 120 && talosctl --talosconfig _cfgs/talosconfig patch --nodes ${cidrhost(var.subnet, var.vm_ip_start + count.index)} machineconfig --patch-file _cfgs/${var.vm_name}${count.index + 1}.patch"
+ # }
 }
 
 # resource "local_file" "worker" {
diff --git a/hetzner/network-secgroup.tf b/hetzner/network-secgroup.tf
index 7325dce..06d6655 100644
--- a/hetzner/network-secgroup.tf
+++ b/hetzner/network-secgroup.tf
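Review bot: Dropping `image: ghcr.io/talos-systems/installer:v0.10.3` removes the only explicit installer pin in this template, so unless the version is supplied elsewhere (not visible here) the installed Talos release becomes whatever the default resolves to and is no longer reproducible from the repository. Changing `wipe: true` to `wipe: false` also preserves whatever partitions already exist on the install disk, which matters if servers are re-provisioned with prior data on them; the intent deserves a comment because the old value was the conservative one. Consider keeping `image:` (templated if the version varies) and adding `# wipe: false — keep existing install; set true when re-provisioning a used disk` next to the new line.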
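Review bot: With both `local-exec` provisioners commented out, nothing left in this hunk applies the IPv6 patch to the worker, yet `# IPv6 hack` stays as a live heading over dead code; if worker `user_data` now carries the address (not visible here), say so, e.g. `# IPv6 hack: replaced by user_data rendering; kept for reference`, otherwise the workers lose their IPv6 machineconfig. Deleting the commented lines outright is cleaner than keeping a shell command that interpolates rendered JSON into single quotes. The `hcloud_server.worker` resource starts outside the hunk.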
@@ -82,13 +82,13 @@ resource "hcloud_firewall" "web" {
 direction = "in"
 protocol = "tcp"
 port = "80"
- source_ips = var.whitelist_admins
+ source_ips = var.whitelist_web
 }
 rule {
 direction = "in"
 protocol = "tcp"
 port = "443"
- source_ips = var.whitelist_admins
+ source_ips = var.whitelist_web
 }
 }
diff --git a/hetzner/templates/controlplane.yaml.tpl b/hetzner/templates/controlplane.yaml.tpl
index bf2d648..6b1fa4c 100644
--- a/hetzner/templates/controlplane.yaml.tpl
+++ b/hetzner/templates/controlplane.yaml.tpl
@@ -15,8 +15,6 @@ machine:
 network:
 hostname: "${name}"
 interfaces:
- - interface: eth0
- dhcp: true
 - interface: eth1
 dhcp: true
 - interface: dummy0
diff --git a/hetzner/variables.tf b/hetzner/variables.tf
index 5240cf1..60817fe 100644
--- a/hetzner/variables.tf
+++ b/hetzner/variables.tf
@@ -79,7 +79,29 @@ variable "tags" {
 }
 
 variable "whitelist_admins" {
- default = ["0.0.0.0/0", "::/0"]
+ description = "Whitelist for administrators"
+ default = ["0.0.0.0/0", "::/0"]
+}
+
+variable "whitelist_web" {
+ description = "Whitelist for web (default Cloudflare network)"
+ default = [
+ "173.245.48.0/20",
+ "103.21.244.0/22",
+ "103.22.200.0/22",
+ "103.31.4.0/22",
+ "141.101.64.0/18",
+ "108.162.192.0/18",
+ "190.93.240.0/20",
+ "188.114.96.0/20",
+ "197.234.240.0/22",
+ "198.41.128.0/17",
+ "162.158.0.0/15",
+ "172.64.0.0/13",
+ "131.0.72.0/22",
+ "104.16.0.0/13",
+ "104.24.0.0/14",
+ ]
 }
 
 # variable "robot_servers" {
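Review bot: `whitelist_admins` keeps `default = ["0.0.0.0/0", "::/0"]`, so any firewall rule still referencing it (the web rules were moved off it in network-secgroup.tf in this commit; other rules are not visible) admits the whole internet by default while the new description calls it an administrator whitelist; remove the default so callers must set it, or state in the description that the default is open. The `whitelist_web` list is a point-in-time copy of Cloudflare's IPv4 ranges with no IPv6 prefixes, so traffic from Cloudflare IPv6 edges would be refused if the origin is reachable over IPv6, and the list silently drifts as Cloudflare changes it; add a comment naming the source and copy date, e.g. `# Snapshot of Cloudflare's published IPv4 ranges, copied <DATE>; review periodically`. Both variables would also benefit from `type = list(string)` so a non-list value fails at plan time.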