95 lines
2.2 KiB
HCL
95 lines
2.2 KiB
HCL
resource "linode_sshkey" "titanium" {
|
|
label = "titanium"
|
|
ssh_key = chomp(file(var.ssh_public_key_file))
|
|
}
|
|
|
|
resource "linode_instance" "embassy" {
|
|
image = "linode/ubuntu24.04"
|
|
label = "embassy"
|
|
region = "us-sea"
|
|
type = "g6-nanode-1"
|
|
authorized_keys = [linode_sshkey.titanium.ssh_key]
|
|
}
|
|
|
|
resource "linode_ipv6_range" "embassy" {
|
|
linode_id = linode_instance.embassy.id
|
|
prefix_length = 64
|
|
}
|
|
|
|
resource "linode_firewall" "embassy" {
|
|
label = "embassy"
|
|
|
|
inbound {
|
|
label = "allow-ssh"
|
|
action = "ACCEPT"
|
|
protocol = "TCP"
|
|
ports = "22"
|
|
ipv4 = ["0.0.0.0/0"]
|
|
ipv6 = ["::/0"]
|
|
}
|
|
|
|
# idk, why not lol
|
|
inbound {
|
|
label = "allow-web"
|
|
action = "ACCEPT"
|
|
protocol = "TCP"
|
|
ports = "80,443"
|
|
ipv4 = ["0.0.0.0/0"]
|
|
ipv6 = ["::/0"]
|
|
}
|
|
|
|
inbound {
|
|
label = "allow-forward-tcp"
|
|
action = "ACCEPT"
|
|
protocol = "TCP"
|
|
ports = "20000-20100"
|
|
ipv4 = ["0.0.0.0/0"]
|
|
ipv6 = ["::/0"]
|
|
}
|
|
|
|
inbound {
|
|
label = "allow-forward-udp"
|
|
action = "ACCEPT"
|
|
protocol = "UDP"
|
|
ports = "20000-20100"
|
|
ipv4 = ["0.0.0.0/0"]
|
|
ipv6 = ["::/0"]
|
|
}
|
|
|
|
inbound {
|
|
label = "allow-wireguard"
|
|
action = "ACCEPT"
|
|
protocol = "UDP"
|
|
ports = "51820"
|
|
ipv4 = ["0.0.0.0/0"]
|
|
ipv6 = ["::/0"]
|
|
}
|
|
|
|
inbound_policy = "DROP"
|
|
|
|
outbound_policy = "ACCEPT"
|
|
|
|
linodes = [linode_instance.embassy.id]
|
|
}
|
|
|
|
resource "cloudflare_dns_record" "embassy_ipv4" {
|
|
zone_id = var.cloudflare_zone_id
|
|
content = linode_instance.embassy.ip_address
|
|
name = "embassy.mnke.org"
|
|
proxied = false
|
|
ttl = 1 # 1 = automatic TTL
|
|
type = "A"
|
|
}
|
|
|
|
resource "ansible_host" "embassy" {
|
|
# Ideally, we'd use the domain name here, but the way the internal DNS server
|
|
# is set up right now, we don't forward mnke.org requests because we have
|
|
# a primary zone for mnke.org (I think). We should change this if possible
|
|
name = linode_instance.embassy.ip_address
|
|
groups = ["embassy"]
|
|
variables = {
|
|
ipv6_subnet = "${linode_ipv6_range.embassy.range}/${linode_ipv6_range.embassy.prefix_length}"
|
|
ansible_user = "root"
|
|
}
|
|
}
|