✨ Add initial Terraform configuration for Azure and Proxmox resources

2026-03-01 14:16:44 +02:00
parent 44d658745e
commit b11172504d
17 changed files with 869 additions and 0 deletions
--- a/modules/dns/main.tf
+++ b/modules/dns/main.tf
@@ -0,0 +1,76 @@
+terraform {
+  required_providers {
+    cloudflare = {
+      source = "cloudflare/cloudflare"
+    }
+  }
+}
+
+resource "cloudflare_dns_record" "proxy_ipv4" {
+  zone_id = var.domain_zone_id
+  name    = "${var.domain_name}"
+  content = var.pangolin-proxy-v4
+  comment = "Azure VPS"
+  type    = "A"
+  proxied = false
+  ttl     = 1
+}
+
+resource "cloudflare_dns_record" "proxy_ipv6" {
+  zone_id = var.domain_zone_id
+  name    = "${var.domain_name}"
+  content = var.pangolin-proxy-v6
+  comment = "Azure VPS"
+  type    = "AAAA"
+  proxied = false
+  ttl     = 1
+}
+
+
+resource "cloudflare_dns_record" "subdomains_ipv4" {
+  zone_id = var.domain_zone_id
+  name    = "*.${var.domain_name}"
+  content = var.pangolin-proxy-v4
+  comment = "Azure VPS"
+  type    = "A"
+  proxied = false
+  ttl     = 1
+}
+
+resource "cloudflare_dns_record" "subdomains_ipv6" {
+  zone_id = var.domain_zone_id
+  name    = "*.${var.domain_name}"
+  content = var.pangolin-proxy-v6
+  comment = "Azure VPS"
+  type    = "AAAA"
+  proxied = false
+  ttl     = 1
+}
+
+# ── CDN-proxied subdomains ───────────────────────────────────
+# Specific records with proxied=true override the wildcard for
+# these subdomains, enabling Cloudflare edge caching.
+
+resource "cloudflare_dns_record" "cdn_ipv4" {
+  for_each = toset(var.cdn_subdomains)
+
+  zone_id = var.domain_zone_id
+  name    = "${each.value}.${var.domain_name}"
+  content = var.pangolin-proxy-v4
+  comment = "CDN-proxied via Cloudflare"
+  type    = "A"
+  proxied = true
+  ttl     = 1
+}
+
+resource "cloudflare_dns_record" "cdn_ipv6" {
+  for_each = toset(var.cdn_subdomains)
+
+  zone_id = var.domain_zone_id
+  name    = "${each.value}.${var.domain_name}"
+  content = var.pangolin-proxy-v6
+  comment = "CDN-proxied via Cloudflare"
+  type    = "AAAA"
+  proxied = true
+  ttl     = 1
+}
--- a/modules/dns/variables.tf
+++ b/modules/dns/variables.tf
@@ -0,0 +1,21 @@
+variable "domain_zone_id" {
+  type = string
+}
+
+variable "domain_name" {
+  type = string
+}
+
+variable "pangolin-proxy-v4" {
+  type = string
+}
+
+variable "pangolin-proxy-v6" {
+  type = string
+}
+
+variable "cdn_subdomains" {
+  description = "Subdomains to serve through Cloudflare proxy (CDN). These get proxied A/AAAA records that override the wildcard."
+  type        = list(string)
+  default     = []
+}
--- a/modules/foundry/main.tf
+++ b/modules/foundry/main.tf
@@ -0,0 +1,78 @@
+terraform {
+  required_providers {
+    proxmox = {
+      source = "bpg/proxmox"
+    }
+  }
+}
+
+resource "proxmox_virtual_environment_container" "foundry" {
+  node_name   = var.node_name
+  vm_id       = var.container_id > 0 ? var.container_id : null
+
+  description = "Foundry VTT - managed by OpenTofu"
+  tags        = var.tags
+
+  unprivileged  = var.unprivileged
+  start_on_boot = var.start_on_boot
+  started       = var.start_on_create
+
+  # ── OS Template ────────────────────────────────────────────
+  operating_system {
+    template_file_id = var.template
+    type             = "ubuntu"
+  }
+
+  # ── Features ───────────────────────────────────────────────
+  # nesting is required for systemd >= 257 (Ubuntu 25.04+)
+  features {
+    nesting = true
+  }
+
+  # ── Resources ──────────────────────────────────────────────
+  cpu {
+    cores = var.cores
+  }
+
+  memory {
+    dedicated = var.memory
+    swap      = var.swap
+  }
+
+  disk {
+    datastore_id = var.datastore_id
+    size         = var.disk_size
+  }
+
+  # ── Networking ─────────────────────────────────────────────
+  network_interface {
+    name     = "eth0"
+    bridge   = var.bridge
+    vlan_id  = var.vlan_tag
+  }
+
+  initialization {
+    hostname = var.hostname
+
+    ip_config {
+      ipv4 {
+        address = var.ip_address
+        gateway = var.gateway != "" ? var.gateway : null
+      }
+    }
+
+    dns {
+      domain  = var.dns_domain
+      servers = [var.dns_server]
+    }
+
+    user_account {
+      keys = [var.ssh_pubkey]
+    }
+  }
+
+  # Ignore template changes so we don't recreate on minor template updates
+  lifecycle {
+    ignore_changes = [operating_system]
+  }
+}
--- a/modules/foundry/outputs.tf
+++ b/modules/foundry/outputs.tf
@@ -0,0 +1,14 @@
+output "container_id" {
+  description = "The VMID of the Foundry LXC container."
+  value       = proxmox_virtual_environment_container.foundry.vm_id
+}
+
+output "hostname" {
+  description = "The hostname of the container."
+  value       = var.hostname
+}
+
+output "ip_address" {
+  description = "The configured IP address (or 'dhcp')."
+  value       = var.ip_address
+}
--- a/modules/foundry/variables.tf
+++ b/modules/foundry/variables.tf
@@ -0,0 +1,116 @@
+variable "node_name" {
+  description = "Proxmox node to create the container on."
+  type        = string
+}
+
+variable "datastore_id" {
+  description = "Proxmox datastore for the container root filesystem."
+  type        = string
+}
+
+variable "bridge" {
+  description = "Network bridge for the container NIC."
+  type        = string
+  default     = "vmbr0"
+}
+
+variable "vlan_tag" {
+  description = "VLAN tag for the container NIC. null = untagged."
+  type        = number
+  default     = null
+}
+
+variable "container_id" {
+  description = "VMID to assign to the LXC container. 0 = auto-assign."
+  type        = number
+  default     = 0
+}
+
+variable "hostname" {
+  description = "Hostname for the container."
+  type        = string
+  default     = "foundry"
+}
+
+variable "cores" {
+  description = "Number of CPU cores."
+  type        = number
+  default     = 2
+}
+
+variable "memory" {
+  description = "Memory in MB."
+  type        = number
+  default     = 2048
+}
+
+variable "swap" {
+  description = "Swap in MB."
+  type        = number
+  default     = 512
+}
+
+variable "disk_size" {
+  description = "Root filesystem size in GB."
+  type        = number
+  default     = 16
+}
+
+variable "ssh_pubkey" {
+  description = "SSH public key for root access."
+  type        = string
+}
+
+variable "ip_address" {
+  description = "Static IPv4 address in CIDR notation, or 'dhcp'."
+  type        = string
+  default     = "dhcp"
+}
+
+variable "gateway" {
+  description = "Default gateway IPv4. Leave empty when using DHCP."
+  type        = string
+  default     = ""
+}
+
+variable "dns_domain" {
+  description = "DNS search domain."
+  type        = string
+  default     = "ad.kritikos.io"
+}
+
+variable "dns_server" {
+  description = "DNS server address."
+  type        = string
+  default     = "10.10.10.1"
+}
+
+variable "template" {
+  description = "LXC template to use (download or local path)."
+  type        = string
+  default     = "persephone:vztmpl/ubuntu-25.04-standard_25.04-1.1_amd64.tar.zst"
+}
+
+variable "start_on_create" {
+  description = "Start the container immediately after creation."
+  type        = bool
+  default     = true
+}
+
+variable "start_on_boot" {
+  description = "Start the container when the Proxmox node boots."
+  type        = bool
+  default     = true
+}
+
+variable "tags" {
+  description = "Tags to apply to the container."
+  type        = list(string)
+  default     = ["foundry", "managed-by-tofu"]
+}
+
+variable "unprivileged" {
+  description = "Run as unprivileged container (recommended)."
+  type        = bool
+  default     = true
+}
--- a/modules/pangolin/firewall.tf
+++ b/modules/pangolin/firewall.tf
@@ -0,0 +1,100 @@
+resource "azurerm_network_security_group" "nsg" {
+  name                = "${var.vm_name}-nsg"
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  tags                = var.tags
+}
+
+resource "azurerm_network_interface_security_group_association" "nic_nsg" {
+  network_interface_id      = azurerm_network_interface.nic.id
+  network_security_group_id = azurerm_network_security_group.nsg.id
+}
+
+resource "azurerm_network_security_rule" "allow_udp_51820" {
+  name                        = "Allow-Wireguard"
+  priority                    = 100
+  direction                   = "Inbound"
+  access                      = "Allow"
+  protocol                    = "Udp"
+  source_port_range           = "*"
+  destination_port_range      = "51820"
+  source_address_prefix       = "*"
+  destination_address_prefix  = "*"
+  resource_group_name         = azurerm_resource_group.rg.name
+  network_security_group_name = azurerm_network_security_group.nsg.name
+}
+
+
+resource "azurerm_network_security_rule" "allow_ssh_vps" {
+  name                        = "Allow-SSH-VPS"
+  priority                    = 110
+  direction                   = "Inbound"
+  access                      = "Allow"
+  protocol                    = "Tcp"
+  source_port_range           = "*"
+  destination_port_range      = "2222"
+  destination_address_prefix  = "*"
+  resource_group_name         = azurerm_resource_group.rg.name
+  network_security_group_name = azurerm_network_security_group.nsg.name
+
+  source_address_prefix   = length(var.allowed_ssh_cidrs_ipv4) == 0 ? "*" : null
+  source_address_prefixes = length(var.allowed_ssh_cidrs_ipv4) > 0 ? var.allowed_ssh_cidrs_ipv4 : null
+}
+
+resource "azurerm_network_security_rule" "allow_ssh_proxy" {
+  name                        = "Allow-SSH-Proxy"
+  priority                    = 120
+  direction                   = "Inbound"
+  access                      = "Allow"
+  protocol                    = "Tcp"
+  source_port_range           = "*"
+  destination_port_range      = "22"
+  destination_address_prefix  = "*"
+  resource_group_name         = azurerm_resource_group.rg.name
+  network_security_group_name = azurerm_network_security_group.nsg.name
+
+  source_address_prefix   = "*"
+  source_address_prefixes = null
+}
+
+resource "azurerm_network_security_rule" "allow_postgres" {
+  name                        = "Allow-Postgres"
+  priority                    = 130
+  direction                   = "Inbound"
+  access                      = "Deny"
+  protocol                    = "Tcp"
+  source_port_range           = "*"
+  destination_port_range      = "5432"
+  source_address_prefix       = "*"
+  destination_address_prefix  = "*"
+  resource_group_name         = azurerm_resource_group.rg.name
+  network_security_group_name = azurerm_network_security_group.nsg.name
+}
+
+resource "azurerm_network_security_rule" "allow_http" {
+  name                        = "Allow-HTTP"
+  priority                    = 140
+  direction                   = "Inbound"
+  access                      = "Allow"
+  protocol                    = "Tcp"
+  source_port_range           = "*"
+  destination_port_range      = "80"
+  source_address_prefix       = "*"
+  destination_address_prefix  = "*"
+  resource_group_name         = azurerm_resource_group.rg.name
+  network_security_group_name = azurerm_network_security_group.nsg.name
+}
+
+resource "azurerm_network_security_rule" "allow_https" {
+  name                        = "Allow-HTTPS"
+  priority                    = 150
+  direction                   = "Inbound"
+  access                      = "Allow"
+  protocol                    = "*"
+  source_port_range           = "*"
+  destination_port_range      = "443"
+  source_address_prefix       = "*"
+  destination_address_prefix  = "*"
+  resource_group_name         = azurerm_resource_group.rg.name
+  network_security_group_name = azurerm_network_security_group.nsg.name
+}
--- a/modules/pangolin/main.tf
+++ b/modules/pangolin/main.tf
@@ -0,0 +1,116 @@
+terraform {
+  required_providers {
+     azurerm = {
+      source  = "hashicorp/azurerm"
+    }
+  }
+}
+
+resource "azurerm_resource_group" "rg" {
+  location = var.location
+  name = "rg-pangolin-${var.environment}-${var.location}-${var.instance}"
+}
+
+resource "azurerm_linux_virtual_machine" "vm" {
+  name = var.vm_name
+  location = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  size = var.vm_size
+
+  admin_username = var.admin_username
+  disable_password_authentication = true
+
+  admin_ssh_key {
+    username = var.admin_username
+    public_key = var.ssh_pubkey
+  }
+
+  os_disk {
+    name = "${var.vm_name}-osdisk"
+    caching              = "ReadWrite"
+    storage_account_type = "Standard_LRS"
+  }
+
+  source_image_reference {
+    publisher = "Canonical"
+    offer = "ubuntu-24_04-lts"
+    sku = "server-gen1"
+    version = "latest"
+  }
+
+  network_interface_ids = [azurerm_network_interface.nic.id]
+
+  tags = var.tags
+}
+
+resource "azurerm_virtual_network" "vnet" {
+name = "${var.vm_name}-vnet"
+location = azurerm_resource_group.rg.location
+resource_group_name = azurerm_resource_group.rg.name
+
+
+address_space = [var.vnet_cidr_ipv4, var.vnet_cidr_ipv6]
+
+
+tags = var.tags
+}
+
+
+resource "azurerm_subnet" "subnet" {
+name = "${var.vm_name}-subnet"
+resource_group_name = azurerm_resource_group.rg.name
+virtual_network_name = azurerm_virtual_network.vnet.name
+
+
+address_prefixes = [var.subnet_cidr_ipv4, var.subnet_cidr_ipv6]
+}
+
+resource "azurerm_network_interface" "nic" {
+  name = "${var.vm_name}-nic"
+  location = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  tags = var.tags
+
+  ip_forwarding_enabled = true
+
+  ip_configuration {
+    name                          = "ipconfig-v4"
+    subnet_id                     = azurerm_subnet.subnet.id
+    private_ip_address_allocation = "Dynamic"
+    private_ip_address_version    = "IPv4"
+    public_ip_address_id          = azurerm_public_ip.pip_v4.id
+    primary = true
+  }
+
+  ip_configuration {
+    name                          = "ipconfig-v6"
+    subnet_id                     = azurerm_subnet.subnet.id
+    private_ip_address_allocation = "Dynamic"
+    private_ip_address_version    = "IPv6"
+    public_ip_address_id          = azurerm_public_ip.pip_v6.id
+  }
+}
+
+
+
+resource "azurerm_public_ip" "pip_v4" {
+  name = "pip-pangolin-${var.environment}-${var.location}-${var.instance}-v4"
+  location = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+
+  allocation_method = "Static"
+  sku = "Standard"
+  ip_version = "IPv4"
+  tags = var.tags
+}
+
+resource "azurerm_public_ip" "pip_v6" {
+  name = "pip-pangolin-${var.environment}-${var.location}-${var.instance}-v6"
+  location = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+
+  allocation_method = "Static"
+  sku = "Standard"
+  ip_version = "IPv6"
+  tags = var.tags
+}
--- a/modules/pangolin/outputs.tf
+++ b/modules/pangolin/outputs.tf
@@ -0,0 +1,11 @@
+output "public_ipv4" {
+  value = azurerm_public_ip.pip_v4.ip_address
+}
+
+output "public_ipv6" {
+  value = azurerm_public_ip.pip_v6.ip_address
+}
+
+output "ssh_ipv4" {
+  value = "ssh ${var.admin_username}@${azurerm_public_ip.pip_v4.ip_address}"
+}
--- a/modules/pangolin/variables.tf
+++ b/modules/pangolin/variables.tf
@@ -0,0 +1,68 @@
+variable "location" {
+  type    = string
+  default = "westeurope"
+}
+
+variable "environment" {
+  type    = string
+  default = "prod"
+}
+
+variable "instance" {
+  type    = string
+  default = "homelab"
+}
+
+variable "tags" {
+  type = map(string)
+  default = {
+    project = "pangolin"
+    env     = "prod"
+  }
+}
+
+variable "vm_name" {
+  type    = string
+  default = "pangolin-proxy"
+}
+
+variable "vm_size" {
+  type = string
+  default = "Standard_A2_v2"
+}
+
+variable "admin_username" {
+  type = string
+  default = "azureuser"
+}
+
+variable "ssh_pubkey" {
+  type = string
+}
+
+variable "vnet_cidr_ipv4" {
+  type = string
+  default = "10.50.0.0/16"
+}
+
+variable "vnet_cidr_ipv6" {
+  type = string
+  default = "fd7d:bb99:1da4::/48"
+}
+
+variable "subnet_cidr_ipv4" {
+  type = string
+  default = "10.50.1.0/24"
+}
+
+
+variable "subnet_cidr_ipv6" {
+  type = string
+  default = "fd7d:bb99:1da4:195::/64"
+}
+
+variable "allowed_ssh_cidrs_ipv4" {
+  type = list(string)
+  description = "IPv4 CIDRs allowed to SSH (22/tcp). Empty list means allow from anywhere."
+  default = []
+}
--- a/modules/pip/main.tf
+++ b/modules/pip/main.tf
@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+     http = { }
+  }
+}
+
+data "http" "echoip" {
+  url = var.http_url
+  request_headers = var.http_request_headers
+  method = var.http_method
+
+  insecure = core::startswith(var.http_url, "http://")
+
+  lifecycle {
+    postcondition {
+      condition = contains([200,201,204], self.status_code)
+      error_message = "Status code ${self.status_code} indicates request failure."
+    }
+  }
+}
--- a/modules/pip/outputs.tf
+++ b/modules/pip/outputs.tf
@@ -0,0 +1,4 @@
+output "ip" {
+  description = "The `ip` field of the echoip response."
+  value       = trimspace(data.http.echoip.response_body)
+}
--- a/modules/pip/variables.tf
+++ b/modules/pip/variables.tf
@@ -0,0 +1,27 @@
+variable "http_url" {
+  description = "URL for echoip service to use."
+  type        = string
+
+  default = "https://checkip.amazonaws.com"
+
+  validation {
+    condition     = can(regex("https?://", var.http_url))
+    error_message = "The `http_url` variable must start either http:// or https://"
+  }
+}
+
+variable "http_request_headers" {
+  description = "HTTP headers to send with the request"
+  type        = map(any)
+
+  default = {
+    Accept = "application/json"
+  }
+}
+
+variable "http_method" {
+  description = "HTTP method to use for the request"
+  type        = string
+
+  default = "GET"
+}