terraform/firewall.tf

locals {
  ssh_source_ips = var.restrict_api_ssh_to_tailnet ? concat([var.tailnet_cidr], var.allowed_ssh_ips) : var.allowed_ssh_ips
  api_source_ips = var.restrict_api_ssh_to_tailnet ? concat([var.tailnet_cidr], var.allowed_api_ips) : var.allowed_api_ips
}

resource "hcloud_firewall" "cluster" {
  name = "${var.cluster_name}-firewall"

  rule {
    description = "SSH"
    direction   = "in"
    protocol    = "tcp"
    port        = "22"
    source_ips  = local.ssh_source_ips
  }

  rule {
    description = "Kubernetes API"
    direction   = "in"
    protocol    = "tcp"
    port        = "6443"
    source_ips  = local.api_source_ips
  }

  rule {
    description = "Tailscale WireGuard"
    direction   = "in"
    protocol    = "udp"
    port        = "41641"
    source_ips  = ["0.0.0.0/0"]
  }

  rule {
    description = "Kubernetes API (internal)"
    direction   = "in"
    protocol    = "tcp"
    port        = "6443"
    source_ips  = [var.subnet_cidr]
  }

  rule {
    description = "k3s Supervisor"
    direction   = "in"
    protocol    = "tcp"
    port        = "9345"
    source_ips  = [var.subnet_cidr]
  }

  rule {
    description = "etcd Client"
    direction   = "in"
    protocol    = "tcp"
    port        = "2379"
    source_ips  = [var.subnet_cidr]
  }

  rule {
    description = "etcd Peer"
    direction   = "in"
    protocol    = "tcp"
    port        = "2380"
    source_ips  = [var.subnet_cidr]
  }

  rule {
    description = "Flannel VXLAN"
    direction   = "in"
    protocol    = "udp"
    port        = "8472"
    source_ips  = [var.subnet_cidr]
  }

  rule {
    description = "Kubelet"
    direction   = "in"
    protocol    = "tcp"
    port        = "10250"
    source_ips  = [var.subnet_cidr]
  }

  dynamic "rule" {
    for_each = var.enable_nodeport_public ? [1] : []
    content {
      description = "NodePorts"
      direction   = "in"
      protocol    = "tcp"
      port        = "30000-32767"
      source_ips  = ["0.0.0.0/0"]
    }
  }

  rule {
    description = "ICMP"
    direction   = "in"
    protocol    = "icmp"
    source_ips  = ["0.0.0.0/0"]
  }

  apply_to {
    label_selector = "cluster=${var.cluster_name}"
  }
}
feat: integrate tailscale access and lock SSH/API to tailnet 2026-03-01 04:04:56 +00:00			`locals {`
fix: allow optional non-tailnet CIDRs alongside tailnet restrictions 2026-03-01 14:01:32 +00:00			`ssh_source_ips = var.restrict_api_ssh_to_tailnet ? concat([var.tailnet_cidr], var.allowed_ssh_ips) : var.allowed_ssh_ips`
			`api_source_ips = var.restrict_api_ssh_to_tailnet ? concat([var.tailnet_cidr], var.allowed_api_ips) : var.allowed_api_ips`
feat: integrate tailscale access and lock SSH/API to tailnet 2026-03-01 04:04:56 +00:00			`}`

feat: Add HA Kubernetes cluster with Terraform + Ansible - 3x CX23 control plane nodes (HA) - 4x CX33 worker nodes - k3s with embedded etcd - Hetzner CCM for load balancers - Gitea CI/CD workflows - Backblaze B2 for Terraform state 2026-02-28 20:24:55 +00:00			`resource "hcloud_firewall" "cluster" {`
			`name = "${var.cluster_name}-firewall"`

			`rule {`
			`description = "SSH"`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "22"`
feat: integrate tailscale access and lock SSH/API to tailnet 2026-03-01 04:04:56 +00:00			`source_ips = local.ssh_source_ips`
feat: Add HA Kubernetes cluster with Terraform + Ansible - 3x CX23 control plane nodes (HA) - 4x CX33 worker nodes - k3s with embedded etcd - Hetzner CCM for load balancers - Gitea CI/CD workflows - Backblaze B2 for Terraform state 2026-02-28 20:24:55 +00:00			`}`

			`rule {`
			`description = "Kubernetes API"`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "6443"`
feat: integrate tailscale access and lock SSH/API to tailnet 2026-03-01 04:04:56 +00:00			`source_ips = local.api_source_ips`
			`}`

			`rule {`
			`description = "Tailscale WireGuard"`
			`direction = "in"`
			`protocol = "udp"`
			`port = "41641"`
			`source_ips = ["0.0.0.0/0"]`
feat: Add HA Kubernetes cluster with Terraform + Ansible - 3x CX23 control plane nodes (HA) - 4x CX33 worker nodes - k3s with embedded etcd - Hetzner CCM for load balancers - Gitea CI/CD workflows - Backblaze B2 for Terraform state 2026-02-28 20:24:55 +00:00			`}`

			`rule {`
			`description = "Kubernetes API (internal)"`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "6443"`
			`source_ips = [var.subnet_cidr]`
			`}`

			`rule {`
			`description = "k3s Supervisor"`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "9345"`
			`source_ips = [var.subnet_cidr]`
			`}`

			`rule {`
			`description = "etcd Client"`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "2379"`
			`source_ips = [var.subnet_cidr]`
			`}`

			`rule {`
			`description = "etcd Peer"`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "2380"`
			`source_ips = [var.subnet_cidr]`
			`}`

			`rule {`
			`description = "Flannel VXLAN"`
			`direction = "in"`
			`protocol = "udp"`
			`port = "8472"`
			`source_ips = [var.subnet_cidr]`
			`}`

			`rule {`
			`description = "Kubelet"`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "10250"`
			`source_ips = [var.subnet_cidr]`
			`}`

feat: integrate tailscale access and lock SSH/API to tailnet 2026-03-01 04:04:56 +00:00			`dynamic "rule" {`
			`for_each = var.enable_nodeport_public ? [1] : []`
			`content {`
			`description = "NodePorts"`
			`direction = "in"`
			`protocol = "tcp"`
			`port = "30000-32767"`
			`source_ips = ["0.0.0.0/0"]`
			`}`
feat: Add HA Kubernetes cluster with Terraform + Ansible - 3x CX23 control plane nodes (HA) - 4x CX33 worker nodes - k3s with embedded etcd - Hetzner CCM for load balancers - Gitea CI/CD workflows - Backblaze B2 for Terraform state 2026-02-28 20:24:55 +00:00			`}`

			`rule {`
			`description = "ICMP"`
			`direction = "in"`
			`protocol = "icmp"`
			`source_ips = ["0.0.0.0/0"]`
			`}`

			`apply_to {`
			`label_selector = "cluster=${var.cluster_name}"`
			`}`
			`}`