terraform/firewall.tf

resource "hcloud_firewall" "cluster" {
  name = "${var.cluster_name}-firewall"

  rule {
    description = "SSH"
    direction   = "in"
    protocol    = "tcp"
    port        = "22"
    source_ips  = var.allowed_ssh_ips
  }

  rule {
    description = "Kubernetes API"
    direction   = "in"
    protocol    = "tcp"
    port        = "6443"
    source_ips  = var.allowed_api_ips
  }

  rule {
    description = "Kubernetes API (internal)"
    direction   = "in"
    protocol    = "tcp"
    port        = "6443"
    source_ips  = [var.subnet_cidr]
  }

  rule {
    description = "k3s Supervisor"
    direction   = "in"
    protocol    = "tcp"
    port        = "9345"
    source_ips  = [var.subnet_cidr]
  }

  rule {
    description = "etcd Client"
    direction   = "in"
    protocol    = "tcp"
    port        = "2379"
    source_ips  = [var.subnet_cidr]
  }

  rule {
    description = "etcd Peer"
    direction   = "in"
    protocol    = "tcp"
    port        = "2380"
    source_ips  = [var.subnet_cidr]
  }

  rule {
    description = "Flannel VXLAN"
    direction   = "in"
    protocol    = "udp"
    port        = "8472"
    source_ips  = [var.subnet_cidr]
  }

  rule {
    description = "Kubelet"
    direction   = "in"
    protocol    = "tcp"
    port        = "10250"
    source_ips  = [var.subnet_cidr]
  }

  rule {
    description = "NodePorts"
    direction   = "in"
    protocol    = "tcp"
    port        = "30000-32767"
    source_ips  = ["0.0.0.0/0"]
  }

  rule {
    description = "ICMP"
    direction   = "in"
    protocol    = "icmp"
    source_ips  = ["0.0.0.0/0"]
  }

  apply_to {
    label_selector = "cluster=${var.cluster_name}"
  }
}
feat: Add HA Kubernetes cluster with Terraform + Ansible - 3x CX23 control plane nodes (HA) - 4x CX33 worker nodes - k3s with embedded etcd - Hetzner CCM for load balancers - Gitea CI/CD workflows - Backblaze B2 for Terraform state 2026-02-28 20:24:55 +00:00			`resource "hcloud_firewall" "cluster" {`
			`name = "${var.cluster_name}-firewall"`

			`rule {`
			`description = "SSH"`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "22"`
			`source_ips = var.allowed_ssh_ips`
			`}`

			`rule {`
			`description = "Kubernetes API"`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "6443"`
			`source_ips = var.allowed_api_ips`
			`}`

			`rule {`
			`description = "Kubernetes API (internal)"`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "6443"`
			`source_ips = [var.subnet_cidr]`
			`}`

			`rule {`
			`description = "k3s Supervisor"`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "9345"`
			`source_ips = [var.subnet_cidr]`
			`}`

			`rule {`
			`description = "etcd Client"`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "2379"`
			`source_ips = [var.subnet_cidr]`
			`}`

			`rule {`
			`description = "etcd Peer"`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "2380"`
			`source_ips = [var.subnet_cidr]`
			`}`

			`rule {`
			`description = "Flannel VXLAN"`
			`direction = "in"`
			`protocol = "udp"`
			`port = "8472"`
			`source_ips = [var.subnet_cidr]`
			`}`

			`rule {`
			`description = "Kubelet"`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "10250"`
			`source_ips = [var.subnet_cidr]`
			`}`

			`rule {`
			`description = "NodePorts"`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "30000-32767"`
			`source_ips = ["0.0.0.0/0"]`
			`}`

			`rule {`
			`description = "ICMP"`
			`direction = "in"`
			`protocol = "icmp"`
			`source_ips = ["0.0.0.0/0"]`
			`}`

			`apply_to {`
			`label_selector = "cluster=${var.cluster_name}"`
			`}`
			`}`