# Provider requirements for this root module.
#
# NOTE(review): no `version` constraints are declared, so the provider versions
# in use are whatever `terraform init` resolved and recorded in
# .terraform.lock.hcl. Commit that lockfile (or add `version = "<CONSTRAINT>"`
# per provider — placeholder) so an apply is reproducible and a new provider
# release cannot change behaviour silently.
terraform {
  required_providers {
    cloudflare = {
      source = "cloudflare/cloudflare"
    }
    hcloud = {
      source = "hetznercloud/hcloud"
    }
    # Not referenced directly in this file; presumably required by the
    # nixos-anywhere install module below — confirm before removing.
    null = {
      source = "hashicorp/null"
    }
  }
}
# SSH public key registered with Hetzner Cloud and attached to the server below.
# Only the public half is read (from the local workstation at plan/apply time)
# and stored in state; the private key never enters Terraform.
resource "hcloud_ssh_key" "yubi" {
  public_key = chomp(file("~/.ssh/id_rsa_yubikey.pub")) # chomp drops the trailing newline
  name       = "foo"
}
# Hetzner Cloud firewall attached to the blog server.
#
# NOTE(review): there is no inbound rule for TCP 22, yet the `install` module
# below reaches the server over SSH at its public IPv4 address — confirm how the
# initial install gets through (firewall attached only after the first install,
# or SSH carried over the 41641/udp tunnel). Also confirm what the provider does
# with outbound traffic once explicit `out` rules exist: if everything else is
# then dropped, DNS (53/udp) and NTP (123/udp) are not permitted by this set.
resource "hcloud_firewall" "web_firewall" {
  name = "web-firewall"

  # Inbound HTTP and HTTPS from any IPv4/IPv6 source.
  dynamic "rule" {
    for_each = ["443", "80"]
    content {
      direction  = "in"
      protocol   = "tcp"
      port       = rule.value
      source_ips = ["0.0.0.0/0", "::/0"]
    }
  }

  # Outbound TCP to *:80 and *:443.
  dynamic "rule" {
    for_each = ["80", "443"]
    content {
      direction       = "out"
      protocol        = "tcp"
      port            = rule.value
      destination_ips = ["0.0.0.0/0", "::/0"]
    }
  }

  # Inbound UDP 41641 from anywhere (presumably a VPN/mesh listener — confirm).
  rule {
    direction  = "in"
    protocol   = "udp"
    port       = "41641"
    source_ips = ["0.0.0.0/0", "::/0"]
  }

  # Outbound UDP to *:3478.
  rule {
    direction       = "out"
    protocol        = "udp"
    port            = "3478"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }
}
# Hetzner Cloud server hosting the blog. The Ubuntu image is only a bootstrap:
# the `install` module below replaces it with the NixOS system built from this
# flake. The firewall is attached from the first boot.
resource "hcloud_server" "blog" {
  name         = "blog-instance"
  location     = "fsn1"
  server_type  = "cpx11"        # AMD 2 vCPU, 2 GB RAM, 40 GB NVMe SSD
  image        = "ubuntu-22.04" # replaced by NixOS, see module "install"
  ssh_keys     = [hcloud_ssh_key.yubi.id]
  firewall_ids = [hcloud_firewall.web_firewall.id]
}
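# Public IPv4 address of the blog server (the same address the A records below
# point at). Shown after apply; a `description` makes it self-explanatory in
# `terraform output` and module documentation.
output "public_ip" {
  description = "Public IPv4 address of the Hetzner Cloud server hosting the blog"
  value       = hcloud_server.blog.ipv4_address
}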
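# Cloudflare zone ID for flakm.com. Supplied from the environment:
#   export TF_VAR_ZONE_ID="..."
variable "ZONE_ID" {
  description = "Cloudflare zone ID of the flakm.com zone (set via TF_VAR_ZONE_ID)"
  type        = string

  # Fail at plan time with a clear message instead of an opaque provider error
  # when the value is missing, empty or not a zone ID (32 lowercase hex chars).
  validation {
    condition     = can(regex("^[0-9a-f]{32}$", var.ZONE_ID))
    error_message = "ZONE_ID must be a 32-character lowercase hex Cloudflare zone ID."
  }
}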
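# Cloudflare zone ID for coderkata.dev. Supplied from the environment:
#   export TF_VAR_CODER_ZONE_ID="..."
variable "CODER_ZONE_ID" {
  description = "Cloudflare zone ID of the coderkata.dev zone (set via TF_VAR_CODER_ZONE_ID)"
  type        = string

  # Fail at plan time with a clear message instead of an opaque provider error
  # when the value is missing, empty or not a zone ID (32 lowercase hex chars).
  validation {
    condition     = can(regex("^[0-9a-f]{32}$", var.CODER_ZONE_ID))
    error_message = "CODER_ZONE_ID must be a 32-character lowercase hex Cloudflare zone ID."
  }
}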
# Unproxied A record: blog.flakm.com resolves straight to the server's IPv4.
# The zone apex (cloudflare_record.blog) is a proxied CNAME onto this name and
# cloudflare_page_rule.blog handles the URL, so the Cloudflare→origin hop is
# TLS against the origin's own certificate.
#
# NOTE(review): because this record is not proxied the origin IP is public, and
# the firewall admits 80/443 from any source, so the origin can be reached
# without passing through Cloudflare's proxy at all.
resource "cloudflare_record" "blog_nginx" {
  zone_id = var.ZONE_ID
  type    = "A"
  name    = "blog.flakm.com"
  value   = hcloud_server.blog.ipv4_address
  proxied = false # direct DNS, bypasses the Cloudflare proxy
}
# Unproxied A record: landing.coderkata.dev resolves straight to the server's
# IPv4 (same host as the blog). The apex of coderkata.dev is a proxied CNAME
# onto this name (cloudflare_record.landing).
resource "cloudflare_record" "landing_nginx" {
  zone_id = var.CODER_ZONE_ID
  type    = "A"
  name    = "landing.coderkata.dev"
  value   = hcloud_server.blog.ipv4_address
  proxied = false # direct DNS, bypasses the Cloudflare proxy
}
# Unproxied A record for the Plausible analytics host, served from the same
# server as the blog.
resource "cloudflare_record" "plausible_nginx" {
  zone_id = var.ZONE_ID
  type    = "A"
  name    = "plausible.flakm.com"
  value   = hcloud_server.blog.ipv4_address
  proxied = false # direct DNS, bypasses the Cloudflare proxy
}
# Unproxied A record for the fedi.flakm.com host, served from the same server
# as the blog.
resource "cloudflare_record" "fedi_nginx" {
  zone_id = var.ZONE_ID
  type    = "A"
  name    = "fedi.flakm.com"
  value   = hcloud_server.blog.ipv4_address
  proxied = false # direct DNS, bypasses the Cloudflare proxy
}
# Proxied CNAME at the flakm.com apex ("@") pointing at blog.flakm.com, so
# visitors to the apex go through Cloudflare while the origin is reached via
# the unproxied A record above.
resource "cloudflare_record" "blog" {
  zone_id = var.ZONE_ID
  type    = "CNAME"
  name    = "@"
  value   = "blog.flakm.com"
  proxied = true # traffic goes through the Cloudflare proxy
}
# Proxied CNAME at the coderkata.dev apex ("@") pointing at landing.coderkata.dev,
# so visitors to the apex go through Cloudflare while the origin is reached via
# the unproxied A record above.
resource "cloudflare_record" "landing" {
  zone_id = var.CODER_ZONE_ID
  type    = "CNAME"
  name    = "@"
  value   = "landing.coderkata.dev"
  proxied = true # traffic goes through the Cloudflare proxy
}
# Zone-wide settings for flakm.com.
resource "cloudflare_zone_settings_override" "flakm-com-settings" {
  zone_id = var.ZONE_ID

  settings {
    ssl                      = "strict" # Cloudflare verifies the origin certificate
    tls_1_3                  = "on"
    automatic_https_rewrites = "on"
    cache_level              = "aggressive"
  }
}
# Zone-wide settings for coderkata.dev.
#
# NOTE(review): `ssl = "full"` encrypts the Cloudflare→origin hop but does not
# verify the origin certificate, so that hop is weaker than the "strict" mode
# used for flakm.com. "strict" typically fails when the origin certificate is
# not valid for the hostname Cloudflare connects to (here landing.coderkata.dev);
# worth checking that certificate rather than leaving this at "full".
resource "cloudflare_zone_settings_override" "coderkata-dev-settings" {
  zone_id = var.CODER_ZONE_ID

  settings {
    ssl                      = "full" # strict doesn't work for some reason...
    tls_1_3                  = "on"
    automatic_https_rewrites = "on"
    cache_level              = "aggressive"
  }
}
# Page rule for flakm.com: cache everything (HTML included) at the edge.
# NOTE(review): the target has no path wildcard — confirm it covers the pages
# you intend, or whether a trailing `/*` is needed.
resource "cloudflare_page_rule" "blog" {
  zone_id  = var.ZONE_ID
  priority = 1
  target   = "https://flakm.com"

  actions {
    cache_level = "cache_everything" # cache HTML as well as static assets
  }
}
# Page rule for coderkata.dev: cache everything (HTML included) at the edge.
# NOTE(review): the target has no path wildcard — confirm it covers the pages
# you intend, or whether a trailing `/*` is needed.
resource "cloudflare_page_rule" "landing" {
  zone_id  = var.CODER_ZONE_ID
  priority = 1
  target   = "https://coderkata.dev"

  actions {
    cache_level = "cache_everything" # cache HTML as well as static assets
  }
}
# Builds the NixOS system closure (toplevel) for the `blog` host from this flake,
# using the nix-build helper module shipped with nixos-anywhere.
#
# NOTE(review): the module source carries no `?ref=` pin, so `terraform init`
# fetches whatever the repository's default branch currently is. Pin it, e.g.
# `source = "github.com/nix-community/nixos-anywhere//terraform/nix-build?ref=<TAG_OR_COMMIT>"`
# (placeholder), so the install tooling cannot change underneath you.
module "system-build" {
  source    = "github.com/nix-community/nixos-anywhere//terraform/nix-build"
  attribute = ".#nixosConfigurations.blog.config.system.build.toplevel"
}
# Builds the disko partitioning script for the `blog` host from this flake,
# using the same nix-build helper module.
#
# NOTE(review): unpinned module source — add `?ref=<TAG_OR_COMMIT>` (placeholder)
# so `terraform init` does not track the repository's default branch.
module "disko" {
  source    = "github.com/nix-community/nixos-anywhere//terraform/nix-build"
  attribute = ".#nixosConfigurations.blog.config.system.build.diskoScript"
}
# Installs the freshly built NixOS system onto the Hetzner server, partitioning
# the disk with the disko script first; the Ubuntu image the server was created
# from is only a bootstrap. The target is addressed by its public IPv4 address.
#
# NOTE(review): unpinned module source — add `?ref=<TAG_OR_COMMIT>` (placeholder)
# so `terraform init` does not track the repository's default branch.
# NOTE(review): the firewall attached to the server admits no inbound TCP 22;
# confirm the install's SSH connection to `target_host` actually gets through.
module "install" {
  source            = "github.com/nix-community/nixos-anywhere//terraform/install"
  nixos_system      = module.system-build.result.out
  nixos_partitioner = module.disko.result.out
  target_host       = hcloud_server.blog.ipv4_address
}