
add production environment provisioning files

This commit is contained in:
cuqmbr 2025-07-13 10:58:19 +03:00
parent 1b30ca221e
commit 4ad75417fa
Signed by: cuqmbr
GPG Key ID: 0AA446880C766199
11 changed files with 782 additions and 4 deletions


@ -34,6 +34,13 @@ resource "proxmox_virtual_environment_container" "bastion" {
enabled = true enabled = true
} }
network_interface {
bridge = var.production_network_bridge_name
name = "eth-prod"
firewall = true
enabled = true
}
initialization { initialization {
hostname = "bastion" hostname = "bastion"
ip_config { ip_config {
@ -47,6 +54,12 @@ resource "proxmox_virtual_environment_container" "bastion" {
# gateway = "192.168.0.1" # gateway = "192.168.0.1"
} }
} }
ip_config {
ipv4 {
address = "192.168.1.254/24"
# gateway = "192.168.1.1"
}
}
user_account { user_account {
keys = [var.ssh_public_key] keys = [var.ssh_public_key]
} }
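Review bot: The ip_config block added in the second hunk is the one the new production files (terraform/prod/forgejo.tf, forgejo-runner.tf, main-page.tf, postgresql.tf, searxng.tf, valkey.tf) read as `bastion_ct.initialization[0].ip_config[2]` to whitelist SSH, and the load balancer's new block is read the same way as `ip_config[1]`. Inserting or reordering an address in these lists would silently change which host is allowed to SSH into production, and nothing here ties the index to the block. Exporting the address once next to its definition, e.g. `output "bastion_prod_ipv4" { value = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[2].ipv4[0].address)[0] }`, keeps the positional dependency in a single place. The enclosing resource starts and ends outside the hunk.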


@ -1,3 +1,19 @@
resource "proxmox_virtual_environment_firewall_ipset" "promeheus_server" {
name = "prometheus-server"
comment = "Different environment Prometheus Server addresses."
cidr {
name = "192.168.0.252"
comment = "dev"
}
cidr {
name = "192.168.1.252"
comment = "prod"
}
}
resource "proxmox_virtual_environment_firewall_ipset" "dev_loggers" { resource "proxmox_virtual_environment_firewall_ipset" "dev_loggers" {
name = "dev-loggers" name = "dev-loggers"
@ -44,6 +60,52 @@ resource "proxmox_virtual_environment_firewall_ipset" "dev_loggers" {
} }
} }
resource "proxmox_virtual_environment_firewall_ipset" "prod_loggers" {
name = "prod-loggers"
comment = "Nodes that send logs to Monitoring Node."
cidr {
name = "192.168.1.254"
comment = "bastion"
}
cidr {
name = "192.168.1.253"
comment = "load-balancer"
}
cidr {
name = "192.168.1.252"
comment = "monitoring"
}
cidr {
name = "192.168.1.3"
comment = "postgresql"
}
cidr {
name = "192.168.1.10"
comment = "main-page"
}
cidr {
name = "192.168.1.15"
comment = "searxng"
}
cidr {
name = "192.168.1.20"
comment = "forgejo"
}
cidr {
name = "192.168.1.21"
comment = "forgejo-runner"
}
}
resource "proxmox_virtual_environment_firewall_ipset" "dev_postgres_clients" { resource "proxmox_virtual_environment_firewall_ipset" "dev_postgres_clients" {
name = "dev-postgres-clients" name = "dev-postgres-clients"
@ -60,6 +122,22 @@ output "dev_postgres_clients_ipset" {
sensitive = true sensitive = true
} }
resource "proxmox_virtual_environment_firewall_ipset" "prod_postgres_clients" {
name = "prod-postgres-clients"
comment = "Nodes that can connect to postgres Node."
cidr {
name = "192.168.1.20"
comment = "forgejo"
}
}
output "prod_postgres_clients_ipset" {
value = proxmox_virtual_environment_firewall_ipset.prod_postgres_clients
sensitive = true
}
resource "proxmox_virtual_environment_firewall_ipset" "dev_valkey_clients" { resource "proxmox_virtual_environment_firewall_ipset" "dev_valkey_clients" {
name = "dev-valkey-clients" name = "dev-valkey-clients"
@ -75,3 +153,19 @@ output "dev_valkey_clients_ipset" {
value = proxmox_virtual_environment_firewall_ipset.dev_valkey_clients value = proxmox_virtual_environment_firewall_ipset.dev_valkey_clients
sensitive = true sensitive = true
} }
resource "proxmox_virtual_environment_firewall_ipset" "prod_valkey_clients" {
name = "prod-valkey-clients"
comment = "Nodes that can connect to valkey Node."
cidr {
name = "192.168.1.15"
comment = "searxng"
}
}
output "prod_valkey_clients_ipset" {
value = proxmox_virtual_environment_firewall_ipset.prod_valkey_clients
sensitive = true
}
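Review bot: The `prod_loggers` ipset added in the `@ -44,6 +60,52` hunk lists every production container created in this commit except valkey (192.168.1.4 in terraform/prod/valkey.tf), so if this ipset gates log shipping to the monitoring node, valkey's logs will be rejected; either add `cidr { name = "192.168.1.4" comment = "valkey" }` or document why it is excluded. The resource label `promeheus_server` in the first hunk is misspelled and is already referenced from the security group file, so correcting it later means a rename in both places plus a `moved` block; it is cheaper to fix before it lands in state. The addresses in all of these ipsets duplicate the static addresses hard-coded in the container definitions, so a change in either place silently desynchronises the firewall from the host it describes.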


@ -4,7 +4,7 @@ resource "proxmox_virtual_environment_cluster_firewall_security_group" "promethe
rule { rule {
type = "in" type = "in"
source = split("/", proxmox_virtual_environment_container.monitoring.initialization[0].ip_config[0].ipv4[0].address)[0] source = "+${proxmox_virtual_environment_firewall_ipset.promeheus_server.name}"
proto = "tcp" proto = "tcp"
dport = "9100" dport = "9100"
action = "ACCEPT" action = "ACCEPT"
@ -22,7 +22,7 @@ resource "proxmox_virtual_environment_cluster_firewall_security_group" "promethe
rule { rule {
type = "in" type = "in"
source = split("/", proxmox_virtual_environment_container.monitoring.initialization[0].ip_config[0].ipv4[0].address)[0] source = "+${proxmox_virtual_environment_firewall_ipset.promeheus_server.name}"
proto = "tcp" proto = "tcp"
dport = "9113" dport = "9113"
action = "ACCEPT" action = "ACCEPT"
@ -40,7 +40,7 @@ resource "proxmox_virtual_environment_cluster_firewall_security_group" "promethe
rule { rule {
type = "in" type = "in"
source = split("/", proxmox_virtual_environment_container.monitoring.initialization[0].ip_config[0].ipv4[0].address)[0] source = "+${proxmox_virtual_environment_firewall_ipset.promeheus_server.name}"
proto = "tcp" proto = "tcp"
dport = "9090" dport = "9090"
action = "ACCEPT" action = "ACCEPT"
@ -58,7 +58,7 @@ resource "proxmox_virtual_environment_cluster_firewall_security_group" "promethe
rule { rule {
type = "in" type = "in"
source = split("/", proxmox_virtual_environment_container.monitoring.initialization[0].ip_config[0].ipv4[0].address)[0] source = "+${proxmox_virtual_environment_firewall_ipset.promeheus_server.name}"
proto = "tcp" proto = "tcp"
dport = "9093" dport = "9093"
action = "ACCEPT" action = "ACCEPT"
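Review bot: Replacing the single monitoring address with `+promeheus_server` in all four rules widens the accepted source to both the dev (192.168.0.252) and prod (192.168.1.252) Prometheus servers, and since this security group is attached to every new production container, the dev monitoring host can now reach exporters on ports 9100, 9113, 9090 and 9093 in production, and vice versa. If cross-environment scraping is intended, state it in the rule, e.g. `comment = "Node exporter; accepts both dev and prod Prometheus servers by design."`; if not, a security group or ipset per environment preserves the isolation the previous single-address rule had. The reference also carries the `promeheus` misspelling from the ipset definition.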


@ -34,6 +34,13 @@ resource "proxmox_virtual_environment_container" "load_balancer" {
enabled = true enabled = true
} }
network_interface {
bridge = var.production_network_bridge_name
name = "eth-prod"
firewall = true
enabled = true
}
initialization { initialization {
hostname = "load-balancer" hostname = "load-balancer"
ip_config { ip_config {
@ -47,6 +54,12 @@ resource "proxmox_virtual_environment_container" "load_balancer" {
# gateway = "192.168.0.1" # gateway = "192.168.0.1"
} }
} }
ip_config {
ipv4 {
address = "192.168.1.253/24"
# gateway = "192.168.1.1"
}
}
user_account { user_account {
keys = [var.ssh_public_key] keys = [var.ssh_public_key]
} }


@ -27,6 +27,13 @@ resource "proxmox_virtual_environment_container" "monitoring" {
enabled = true enabled = true
} }
network_interface {
bridge = var.production_network_bridge_name
name = "eth-prod"
firewall = true
enabled = true
}
initialization { initialization {
hostname = "monitoring" hostname = "monitoring"
ip_config { ip_config {
@ -35,6 +42,12 @@ resource "proxmox_virtual_environment_container" "monitoring" {
gateway = "192.168.0.1" gateway = "192.168.0.1"
} }
} }
ip_config {
ipv4 {
address = "192.168.1.252/24"
# gateway = "192.168.1.1"
}
}
user_account { user_account {
keys = [var.ssh_public_key] keys = [var.ssh_public_key]
} }


@ -0,0 +1,100 @@
resource "proxmox_virtual_environment_container" "forgejo-runner" {
node_name = "pve"
vm_id = 5051
tags = ["prod"]
unprivileged = true
cpu {
cores = 1
}
memory {
dedicated = 1024
}
disk {
datastore_id = var.datastore_id
size = 16
}
network_interface {
bridge = var.internal_network_bridge_name
name = "eth-prod"
firewall = true
enabled = true
}
initialization {
hostname = "forgejo-runner"
ip_config {
ipv4 {
address = "192.168.1.21/24"
gateway = "192.168.1.1"
}
}
user_account {
keys = [var.ssh_public_key]
}
}
operating_system {
template_file_id = "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst"
type = "debian"
}
started = true
startup {
order = 500
up_delay = 0
down_delay = 0
}
features {
nesting = true
}
}
resource "proxmox_virtual_environment_firewall_options" "forgejo-runner" {
depends_on = [proxmox_virtual_environment_container.forgejo-runner]
node_name = proxmox_virtual_environment_container.forgejo-runner.node_name
vm_id = proxmox_virtual_environment_container.forgejo-runner.vm_id
enabled = true
dhcp = true
input_policy = "DROP"
output_policy = "ACCEPT"
}
resource "proxmox_virtual_environment_firewall_rules" "forgejo-runner" {
depends_on = [proxmox_virtual_environment_container.forgejo-runner]
node_name = proxmox_virtual_environment_container.forgejo-runner.node_name
vm_id = proxmox_virtual_environment_container.forgejo-runner.vm_id
rule {
type = "in"
source = split("/", data.terraform_remote_state.common.outputs.bastion_ct.initialization[0].ip_config[2].ipv4[0].address)[0]
proto = "tcp"
dport = "22"
action = "ACCEPT"
comment = "SSH from Bastion."
}
rule {
type = "in"
proto = "icmp"
dport = "8"
action = "ACCEPT"
comment = "Ping."
}
rule {
security_group = data.terraform_remote_state.common.outputs.prometheus_node_exporter_sg.name
comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
}
}
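Review bot: `nesting = true` combined with `output_policy = "ACCEPT"` gives the container that executes CI jobs the least restricted posture of all the new hosts, and nothing says why nesting is required; a why-comment such as `# nesting: presumably needed to run jobs in nested containers — confirm` and a decision on whether unrestricted egress from job workloads is acceptable would make the trade-off explicit. The rules allow no inbound traffic from the forgejo container, which is fine if the runner polls Forgejo, but the runner then has to reach forgejo on port 3000, and terraform/prod/forgejo.tf only accepts that port from the load balancer. `dhcp = true` in the firewall options is unnecessary for a statically addressed container, though harmless.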

109
terraform/prod/forgejo.tf Normal file

@ -0,0 +1,109 @@
resource "proxmox_virtual_environment_container" "forgejo" {
node_name = "pve"
vm_id = 5050
tags = ["prod"]
unprivileged = true
cpu {
cores = 1
}
memory {
dedicated = 1024
}
disk {
datastore_id = var.datastore_id
size = 16
}
network_interface {
bridge = var.internal_network_bridge_name
name = "eth-prod"
firewall = true
enabled = true
}
initialization {
hostname = "forgejo"
ip_config {
ipv4 {
address = "192.168.1.20/24"
gateway = "192.168.1.1"
}
}
user_account {
keys = [var.ssh_public_key]
}
}
operating_system {
template_file_id = "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst"
type = "debian"
}
started = true
startup {
order = 500
up_delay = 0
down_delay = 0
}
features {
nesting = true
}
}
resource "proxmox_virtual_environment_firewall_options" "forgejo" {
depends_on = [proxmox_virtual_environment_container.forgejo]
node_name = proxmox_virtual_environment_container.forgejo.node_name
vm_id = proxmox_virtual_environment_container.forgejo.vm_id
enabled = true
dhcp = true
input_policy = "DROP"
output_policy = "ACCEPT"
}
resource "proxmox_virtual_environment_firewall_rules" "forgejo" {
depends_on = [proxmox_virtual_environment_container.forgejo]
node_name = proxmox_virtual_environment_container.forgejo.node_name
vm_id = proxmox_virtual_environment_container.forgejo.vm_id
rule {
type = "in"
source = split("/", data.terraform_remote_state.common.outputs.bastion_ct.initialization[0].ip_config[2].ipv4[0].address)[0]
proto = "tcp"
dport = "22"
action = "ACCEPT"
comment = "SSH from Bastion."
}
rule {
type = "in"
proto = "icmp"
dport = "8"
action = "ACCEPT"
comment = "Ping."
}
rule {
type = "in"
source = split("/", data.terraform_remote_state.common.outputs.load_balancer_ct.initialization[0].ip_config[1].ipv4[0].address)[0]
proto = "tcp"
dport = "3000"
action = "ACCEPT"
comment = "Forgejo Web."
}
rule {
security_group = data.terraform_remote_state.common.outputs.prometheus_node_exporter_sg.name
comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
}
}
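Review bot: The `dport = "3000"` rule accepts only the load balancer's address, so a request from forgejo-runner (192.168.1.21) to forgejo's internal address is dropped by `input_policy = "DROP"`; if the runner is meant to register through the load balancer's public name that works, but it should be written down, e.g. `comment = "Forgejo Web; the runner reaches Forgejo via the load balancer."`, otherwise a second rule sourced from the runner's address is needed. Port 22 is reachable only from the bastion, so Git over SSH is not offered through this firewall unless it is published elsewhere; a comment stating that HTTP(S) is the intended clone path would remove the ambiguity.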

109
terraform/prod/main-page.tf Normal file

@ -0,0 +1,109 @@
resource "proxmox_virtual_environment_container" "main_page" {
node_name = "pve"
vm_id = 5010
tags = ["prod"]
unprivileged = true
cpu {
cores = 1
}
memory {
dedicated = 512
}
disk {
datastore_id = var.datastore_id
size = 4
}
network_interface {
bridge = var.internal_network_bridge_name
name = "eth-prod"
firewall = true
enabled = true
}
initialization {
hostname = "main-page"
ip_config {
ipv4 {
address = "192.168.1.10/24"
gateway = "192.168.1.1"
}
}
user_account {
keys = [var.ssh_public_key]
}
}
operating_system {
template_file_id = "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst"
type = "debian"
}
started = true
startup {
order = 500
up_delay = 0
down_delay = 0
}
features {
nesting = true
}
}
resource "proxmox_virtual_environment_firewall_options" "main_page" {
depends_on = [proxmox_virtual_environment_container.main_page]
node_name = proxmox_virtual_environment_container.main_page.node_name
vm_id = proxmox_virtual_environment_container.main_page.vm_id
enabled = true
dhcp = true
input_policy = "DROP"
output_policy = "ACCEPT"
}
resource "proxmox_virtual_environment_firewall_rules" "main_page" {
depends_on = [proxmox_virtual_environment_container.main_page]
node_name = proxmox_virtual_environment_container.main_page.node_name
vm_id = proxmox_virtual_environment_container.main_page.vm_id
rule {
type = "in"
source = split("/", data.terraform_remote_state.common.outputs.bastion_ct.initialization[0].ip_config[2].ipv4[0].address)[0]
proto = "tcp"
dport = "22"
action = "ACCEPT"
comment = "SSH from Bastion."
}
rule {
type = "in"
proto = "icmp"
dport = "8"
action = "ACCEPT"
comment = "Ping."
}
rule {
type = "in"
source = split("/", data.terraform_remote_state.common.outputs.load_balancer_ct.initialization[0].ip_config[1].ipv4[0].address)[0]
proto = "tcp"
dport = "80"
action = "ACCEPT"
comment = "Nginx Static Serving."
}
rule {
security_group = data.terraform_remote_state.common.outputs.prometheus_node_exporter_sg.name
comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
}
}
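Review bot: terraform/prod/main-page.tf is another near-verbatim copy of the same container / firewall_options / firewall_rules triple found in forgejo.tf, forgejo-runner.tf, postgresql.tf, searxng.tf and valkey.tf, differing only in name, vm_id, address, sizing and one service rule; a local module or a single `for_each` over a map of hosts would make the shared SSH, ping and exporter rules one definition, so a future firewall fix does not have to be applied six times. Each copy also sets `bridge = var.internal_network_bridge_name` on an interface named eth-prod with a 192.168.1.0/24 address, while the common workspace attaches its eth-prod to `var.production_network_bridge_name`; if both variables resolve to the same bridge this is fine, but a variable description saying so would spare the next reader the guess.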


@ -0,0 +1,109 @@
resource "proxmox_virtual_environment_container" "postgresql" {
node_name = "pve"
vm_id = 5030
tags = ["prod", "database"]
unprivileged = true
cpu {
cores = 1
}
memory {
dedicated = 512
}
disk {
datastore_id = var.datastore_id
size = 8
}
network_interface {
bridge = var.internal_network_bridge_name
name = "eth-prod"
firewall = true
enabled = true
}
initialization {
hostname = "postgresql"
ip_config {
ipv4 {
address = "192.168.1.3/24"
gateway = "192.168.1.1"
}
}
user_account {
keys = [var.ssh_public_key]
}
}
operating_system {
template_file_id = "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst"
type = "debian"
}
started = true
startup {
order = 100
up_delay = 0
down_delay = 0
}
features {
nesting = true
}
}
resource "proxmox_virtual_environment_firewall_options" "postgresql" {
depends_on = [proxmox_virtual_environment_container.postgresql]
node_name = proxmox_virtual_environment_container.postgresql.node_name
vm_id = proxmox_virtual_environment_container.postgresql.vm_id
enabled = true
dhcp = true
input_policy = "DROP"
output_policy = "ACCEPT"
}
resource "proxmox_virtual_environment_firewall_rules" "postgresql" {
depends_on = [proxmox_virtual_environment_container.postgresql]
node_name = proxmox_virtual_environment_container.postgresql.node_name
vm_id = proxmox_virtual_environment_container.postgresql.vm_id
rule {
type = "in"
source = split("/", data.terraform_remote_state.common.outputs.bastion_ct.initialization[0].ip_config[2].ipv4[0].address)[0]
proto = "tcp"
dport = "22"
action = "ACCEPT"
comment = "SSH from Bastion."
}
rule {
type = "in"
proto = "icmp"
dport = "8"
action = "ACCEPT"
comment = "Ping."
}
rule {
security_group = data.terraform_remote_state.common.outputs.prometheus_node_exporter_sg.name
comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
}
rule {
type = "in"
source = "+${data.terraform_remote_state.common.outputs.prod_postgres_clients_ipset.name}"
proto = "tcp"
dport = "5432"
action = "ACCEPT"
comment = "Access postgres from client nodes."
}
}

109
terraform/prod/searxng.tf Normal file

@ -0,0 +1,109 @@
resource "proxmox_virtual_environment_container" "searxng" {
node_name = "pve"
vm_id = 5020
tags = ["prod"]
unprivileged = true
cpu {
cores = 1
}
memory {
dedicated = 512
}
disk {
datastore_id = var.datastore_id
size = 4
}
network_interface {
bridge = var.internal_network_bridge_name
name = "eth-prod"
firewall = true
enabled = true
}
initialization {
hostname = "searxng"
ip_config {
ipv4 {
address = "192.168.1.15/24"
gateway = "192.168.1.1"
}
}
user_account {
keys = [var.ssh_public_key]
}
}
operating_system {
template_file_id = "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst"
type = "debian"
}
started = true
startup {
order = 500
up_delay = 0
down_delay = 0
}
features {
nesting = true
}
}
resource "proxmox_virtual_environment_firewall_options" "searxng" {
depends_on = [proxmox_virtual_environment_container.searxng]
node_name = proxmox_virtual_environment_container.searxng.node_name
vm_id = proxmox_virtual_environment_container.searxng.vm_id
enabled = true
dhcp = true
input_policy = "DROP"
output_policy = "ACCEPT"
}
resource "proxmox_virtual_environment_firewall_rules" "searxng" {
depends_on = [proxmox_virtual_environment_container.searxng]
node_name = proxmox_virtual_environment_container.searxng.node_name
vm_id = proxmox_virtual_environment_container.searxng.vm_id
rule {
type = "in"
source = split("/", data.terraform_remote_state.common.outputs.bastion_ct.initialization[0].ip_config[2].ipv4[0].address)[0]
proto = "tcp"
dport = "22"
action = "ACCEPT"
comment = "SSH from Bastion."
}
rule {
type = "in"
proto = "icmp"
dport = "8"
action = "ACCEPT"
comment = "Ping."
}
rule {
type = "in"
source = split("/", data.terraform_remote_state.common.outputs.load_balancer_ct.initialization[0].ip_config[1].ipv4[0].address)[0]
proto = "tcp"
dport = "8888"
action = "ACCEPT"
comment = "SearxNG."
}
rule {
security_group = data.terraform_remote_state.common.outputs.prometheus_node_exporter_sg.name
comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
}
}

109
terraform/prod/valkey.tf Normal file

@ -0,0 +1,109 @@
resource "proxmox_virtual_environment_container" "valkey" {
node_name = "pve"
vm_id = 5040
tags = ["prod", "database", "cache"]
unprivileged = true
cpu {
cores = 1
}
memory {
dedicated = 512
}
disk {
datastore_id = var.datastore_id
size = 4
}
network_interface {
bridge = var.internal_network_bridge_name
name = "eth-prod"
firewall = true
enabled = true
}
initialization {
hostname = "valkey"
ip_config {
ipv4 {
address = "192.168.1.4/24"
gateway = "192.168.1.1"
}
}
user_account {
keys = [var.ssh_public_key]
}
}
operating_system {
template_file_id = "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst"
type = "debian"
}
started = true
startup {
order = 100
up_delay = 0
down_delay = 0
}
features {
nesting = true
}
}
resource "proxmox_virtual_environment_firewall_options" "valkey" {
depends_on = [proxmox_virtual_environment_container.valkey]
node_name = proxmox_virtual_environment_container.valkey.node_name
vm_id = proxmox_virtual_environment_container.valkey.vm_id
enabled = true
dhcp = true
input_policy = "DROP"
output_policy = "ACCEPT"
}
resource "proxmox_virtual_environment_firewall_rules" "valkey" {
depends_on = [proxmox_virtual_environment_container.valkey]
node_name = proxmox_virtual_environment_container.valkey.node_name
vm_id = proxmox_virtual_environment_container.valkey.vm_id
rule {
type = "in"
source = split("/", data.terraform_remote_state.common.outputs.bastion_ct.initialization[0].ip_config[2].ipv4[0].address)[0]
proto = "tcp"
dport = "22"
action = "ACCEPT"
comment = "SSH from Bastion."
}
rule {
type = "in"
proto = "icmp"
dport = "8"
action = "ACCEPT"
comment = "Ping."
}
rule {
security_group = data.terraform_remote_state.common.outputs.prometheus_node_exporter_sg.name
comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
}
rule {
type = "in"
source = "+${data.terraform_remote_state.common.outputs.prod_valkey_clients_ipset.name}"
proto = "tcp"
dport = "6379"
action = "ACCEPT"
comment = "Access valkey from client nodes."
}
}