From 76ab30aa142415c34a36e5255f25ab4d870621f5 Mon Sep 17 00:00:00 2001
From: chris
Date: Mon, 23 May 2022 13:37:13 +0200
Subject: [PATCH] terraform for single host setup

---
 .gitignore | 5 ++++
 README.md | 11 +++++++++
 single-host/.terraform.lock.hcl | 24 +++++++++++++++++++
 single-host/README.md | 5 ++++
 single-host/firewall.tf | 33 ++++++++++++++++++++++++++
 single-host/provider.tf | 3 +++
 single-host/secret.auto.tfvars.example | 1 +
 single-host/server.tf | 22 +++++++++++++++++
 single-host/ssh.tf | 4 ++++
 single-host/terraform.tf | 10 ++++++++
 single-host/variables.tf | 28 ++++++++++++++++++++++
 11 files changed, 146 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 README.md
 create mode 100644 single-host/.terraform.lock.hcl
 create mode 100644 single-host/README.md
 create mode 100644 single-host/firewall.tf
 create mode 100644 single-host/provider.tf
 create mode 100644 single-host/secret.auto.tfvars.example
 create mode 100644 single-host/server.tf
 create mode 100644 single-host/ssh.tf
 create mode 100644 single-host/terraform.tf
 create mode 100644 single-host/variables.tf

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..35831a7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+.terraform/
+terraform.tfstate*
+api-token*
+ssh-terraform-hetzner*
+secret.auto.tfvars
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..3d90369
--- /dev/null
+++ b/README.md
@@ -0,0 +1,11 @@
+# terraformed hetzner
+
+## preparation
+
+* sign up for hetzner cloud
+* create a project for testing
+* create API token for the new project
+* generate SSH key for VM access:
+ * `ssh-keygen -t ed25519 -C "terraform" -f ssh-terraform-hetzner -P ''`
+
+`single-host/` contains play for a simple test VM
diff --git a/single-host/.terraform.lock.hcl b/single-host/.terraform.lock.hcl
new file mode 100644
index 0000000..4b0f544
--- /dev/null
+++ b/single-host/.terraform.lock.hcl
@@ -0,0 +1,24 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hetznercloud/hcloud" {
+ version = "1.33.2"
+ constraints = "1.33.2"
+ hashes = [
+ "h1:3Hx8p9LbcnHfBhy3nT7+unlc5rwkiSZjLt9SVQOSpB8=",
+ "zh:0a5d0f332d7dfe77fa27301094af98a185aabfb9f56d71b81936e03211e4d66f",
+ "zh:0e047859ee7296f335881933ccf8ce8c07aa47bef56d5449a81b85a2d9dac93a",
+ "zh:1d3d0896f518df9e245c3207ed231e528f5dcfe628508e7c3ceba4a2bfefaa7a",
+ "zh:1d7a31c8c490512896ce327ab220e950f1a2e30ee83cc2e58e69bbbfbbb87e72",
+ "zh:67cbb2492683cb22f6c54f26bee72aec140c8dd2d0881b2815d2ef80959fc751",
+ "zh:771062815e662979204ac2dc91c34c893f27670d67e02370e48124483d3c9838",
+ "zh:957ebb146898cd059c0cc8b4c32e574b61041d8b6a11cd854b3cc1d3baaeb3a9",
+ "zh:95dbd8634000b979213cb97b5d869cad78299ac994d0665d150c8dafc1390429",
+ "zh:a21b22b2e9d835e1b8b3b7e0b41a4d199171d62e9e9be78c444c700e96b31316",
+ "zh:aead1ba50640a51f20d574374f2c6065d9bfa4eea5ef044d1475873c33e58239",
+ "zh:cefabd0a78af40ea5cd08e1ca436c753df9b1c6496eb27281b755a2de1f167ab",
+ "zh:d98cffc5206b9a7550a23e13031a6f53566bd1ed3bf65314bc55ef12404d49ce",
+ "zh:dddaaf95b6aba701153659feff12c7bce6acc78362cb5ff8321a1a1cbf780cd9",
+ "zh:fd662b483250326a1bfbe5684c22c5083955a43e0773347eea35cd4c2cfe700e",
+ ]
+}
diff --git a/single-host/README.md b/single-host/README.md
new file mode 100644
index 0000000..25dea34
--- /dev/null
+++ b/single-host/README.md
@@ -0,0 +1,5 @@
+# Sets up a single debian host with incoming firewall
+
+* Copy secret.auto.tfvars.example to secret.auto.tfvars
+* Set up your API key in secret.auto.tfvars
+* `terraform init` && `terraform plan` && `terraform apply`
diff --git a/single-host/firewall.tf b/single-host/firewall.tf
new file mode 100644
index 0000000..d1317b5
--- /dev/null
+++ b/single-host/firewall.tf
@@ -0,0 +1,33 @@
+resource "hcloud_firewall" "single-firewall" {
+ name = "single-firewall"
+ rule {
+ direction = "in"
+ protocol = "icmp"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "22"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "80"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+
+}
+
diff --git a/single-host/provider.tf b/single-host/provider.tf
new file mode 100644
index 0000000..d6551da
--- /dev/null
+++ b/single-host/provider.tf
@@ -0,0 +1,3 @@
+provider "hcloud" {
+ token = var.hcloud_token
+}
diff --git a/single-host/secret.auto.tfvars.example b/single-host/secret.auto.tfvars.example
new file mode 100644
index 0000000..476433a
--- /dev/null
+++ b/single-host/secret.auto.tfvars.example
@@ -0,0 +1 @@
+hcloud_token = "tokitoki"
diff --git a/single-host/server.tf b/single-host/server.tf
new file mode 100644
index 0000000..6edea13
--- /dev/null
+++ b/single-host/server.tf
@@ -0,0 +1,22 @@
+resource "hcloud_server" "single-server1" {
+ name = "single-server1"
+ image = var.os_type
+ server_type = var.server_type
+ location = var.location
+ labels = {
+ type = "single"
+ }
+ ssh_keys = [hcloud_ssh_key.default.id]
+ user_data = jsonencode({
+ "users": {
+ "name": "ansible",
+ "groups": ["users", "admin"],
+ "sudo": "ALL=(ALL) NOPASSWD:ALL",
+ "shell": "/bin/bash",
+ "ssh_authorized_keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE32LygGZyJonoWVjRgQ0Hq8iy39aLs+oH5Flmn9RhAj terraform melpomene"]
+ },
+ "package_update": true,
+ "package_upgrade": true
+ })
+ firewall_ids = [hcloud_firewall.single-firewall.id]
+}
diff --git a/single-host/ssh.tf b/single-host/ssh.tf
new file mode 100644
index 0000000..adb5056
--- /dev/null
+++ b/single-host/ssh.tf
@@ -0,0 +1,4 @@
+resource "hcloud_ssh_key" "default" {
+ name = "terraform"
+ public_key = file("../ssh-terraform-hetzner.pub")
+}
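Review bot: The second `rule` block in `hcloud_firewall.single-firewall` opens tcp/22 to `0.0.0.0/0` and `::/0`, so SSH on the host is reachable from every address even though only the tcp/80 rule needs world exposure. Restrict that rule's `source_ips` to the administrative networks, e.g. `source_ips = var.ssh_allowed_cidrs` backed by a `variable "ssh_allowed_cidrs" { type = list(string) }` in variables.tf whose default is no broader than the operator's own ranges; the ICMP rule can stay as it is. The resource declares only `in` rules — as far as I recall Hetzner permits all outbound traffic when no `out` rules exist, so if egress filtering is wanted it has to be added explicitly (worth confirming against the provider docs).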
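Review bot: `provider "hcloud"` takes the token from `var.hcloud_token`, which in the documented workflow means the API token sits in plaintext in `secret.auto.tfvars` on disk. The hcloud provider also reads the `HCLOUD_TOKEN` environment variable when `token` is omitted, and Terraform accepts `TF_VAR_hcloud_token`, either of which keeps the secret out of files that can be copied or backed up by accident. Consider documenting one of those as the preferred path and keeping the tfvars file only as a fallback.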
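Review bot: The `user_data` argument of `hcloud_server.single-server1` is unlikely to create the `ansible` user as written: as far as I know cloud-init recognises cloud-config only by a leading `#cloud-config` line, which a bare `jsonencode({...})` document lacks, and the cloud-config `users` key takes a list of user entries rather than a single object. If the data is silently skipped, the `NOPASSWD:ALL` sudo user and its embedded public key do nothing and the only access path is the root login provisioned through `hcloud_ssh_key.default`, so the block should either be fixed or removed rather than left as dead configuration. Below is the argument with the header prepended, the user entry wrapped in a list, and password authentication disabled at the same time; `ssh_authorized_keys` reads the same public key file ssh.tf already uses instead of repeating the key literal, so the two cannot drift apart. Please confirm the cloud-init behaviour against the `debian-11` image before merging.
```hcl
  user_data = join("\n", ["#cloud-config", jsonencode({
    users = [{
      name                = "ansible"
      groups              = ["users", "admin"]
      sudo                = "ALL=(ALL) NOPASSWD:ALL"
      shell               = "/bin/bash"
      ssh_authorized_keys = [trimspace(file("../ssh-terraform-hetzner.pub"))]
    }]
    ssh_pwauth      = false
    package_update  = true
    package_upgrade = true
  })])
  # … unchanged: firewall_ids …
```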
diff --git a/single-host/terraform.tf b/single-host/terraform.tf
new file mode 100644
index 0000000..0085e70
--- /dev/null
+++ b/single-host/terraform.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_providers {
+ hcloud = {
+ source = "hetznercloud/hcloud"
+ version = "1.33.2"
+ }
+ }
+
+ required_version = ">= 1.1"
+}
diff --git a/single-host/variables.tf b/single-host/variables.tf
new file mode 100644
index 0000000..eb3fb2e
--- /dev/null
+++ b/single-host/variables.tf
@@ -0,0 +1,28 @@
+variable "hcloud_token" {
+ sensitive = true
+ # default =
+}
+
+variable "location" {
+ default = "nbg1"
+}
+
+variable "instances" {
+ default = "1"
+}
+
+variable "server_type" {
+ default = "cx11"
+}
+
+variable "os_type" {
+ default = "debian-11"
+}
+
+variable "disk_size" {
+ default = "20"
+}
+
+variable "ip_range" {
+ default = "10.0.1.0/24"
+}
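Review bot: `variable "instances"`, `variable "disk_size"` and `variable "ip_range"` are declared in variables.tf but no other file in this patch references them, and `instances = "1"` and `disk_size = "20"` hold numeric quantities as strings; either drop the unused declarations or give each a `type` (`type = number` for the two counts, `type = string` for `ip_range`) so `terraform validate` catches bad input before apply. `variable "hcloud_token"` should likewise declare `type = string` and a `description` stating where the value comes from, and the dangling `# default =` line is an invitation to paste the token into a committed file — `sensitive = true` redacts plan output but does not protect the repository, so delete that comment and leave the variable without a default. None of the variables carry a `description`, which is the only documentation a consumer of this module sees in `terraform plan` prompts.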