homelab/tf/modules/embassy/main.tf

resource "linode_sshkey" "titanium" {
  label   = "titanium"
  ssh_key = chomp(file(var.ssh_public_key_file))
}

resource "linode_instance" "embassy" {
  image           = "linode/ubuntu24.04"
  label           = "embassy"
  region          = "us-sea"
  type            = "g6-nanode-1"
  authorized_keys = [linode_sshkey.titanium.ssh_key]
}

resource "linode_ipv6_range" "embassy" {
  linode_id     = linode_instance.embassy.id
  prefix_length = 64
}

resource "linode_firewall" "embassy" {
  label = "embassy"

  inbound {
    label    = "allow-ssh"
    action   = "ACCEPT"
    protocol = "TCP"
    ports    = "22"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  # idk, why not lol
  inbound {
    label    = "allow-web"
    action   = "ACCEPT"
    protocol = "TCP"
    ports    = "80,443"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound {
    label    = "allow-forward-tcp"
    action   = "ACCEPT"
    protocol = "TCP"
    ports    = "16261-16262,20000-20100"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound {
    label    = "allow-forward-udp"
    action   = "ACCEPT"
    protocol = "UDP"
    ports    = "16261-16262,20000-20100"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound {
    label = "allow-frp-tcp"
    action = "ACCEPT"
    protocol = "TCP"
    ports    = "7000"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  # For FRP server KCP
  inbound {
    label = "allow-frp-udp"
    action = "ACCEPT"
    protocol = "UDP"
    ports    = "7000"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound {
    label = "allow-frp-udp"
    action = "ACCEPT"
    protocol = "UDP"
    ports    = "7000"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound {
    label = "allow-frp-proxies-tcp"
    action = "ACCEPT"
    protocol = "TCP"
    ports    = "21000-21100"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound {
    label = "allow-frp-proxies-udp"
    action = "ACCEPT"
    protocol = "UDP"
    ports    = "21000-21100"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound {
    label    = "allow-sftp"
    action   = "ACCEPT"
    protocol = "TCP"
    ports    = "2022"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound {
    label    = "allow-wireguard"
    action   = "ACCEPT"
    protocol = "UDP"
    ports    = "51820"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound_policy = "DROP"

  outbound_policy = "ACCEPT"

  linodes = [linode_instance.embassy.id]
}

resource "cloudflare_dns_record" "embassy_ipv4" {
  zone_id = var.cloudflare_zone_id
  content = linode_instance.embassy.ip_address
  name    = "embassy.mnke.org"
  proxied = false
  ttl     = 1 # 1 = automatic TTL
  type    = "A"
}

resource "ansible_host" "embassy" {
  # Ideally, we'd use the domain name here, but the way the internal DNS server
  # is set up right now, we don't forward mnke.org requests because we have
  # a primary zone for mnke.org (I think). We should change this if possible
  name   = linode_instance.embassy.ip_address
  groups = ["embassy"]
  variables = {
    ipv6_subnet  = "${linode_ipv6_range.embassy.range}/${linode_ipv6_range.embassy.prefix_length}"
    ansible_user = "root"
  }
}