feat: integrate tailscale access and lock SSH/API to tailnet

terraform/firewall.tf

@@ -1,3 +1,8 @@
+locals {
+  ssh_source_ips = var.restrict_api_ssh_to_tailnet ? [var.tailnet_cidr] : var.allowed_ssh_ips
+  api_source_ips = var.restrict_api_ssh_to_tailnet ? [var.tailnet_cidr] : var.allowed_api_ips
+}
+
 resource "hcloud_firewall" "cluster" {
   name = "${var.cluster_name}-firewall"
 
@@ -6,7 +11,7 @@ resource "hcloud_firewall" "cluster" {
     direction   = "in"
     protocol    = "tcp"
     port        = "22"
-    source_ips  = var.allowed_ssh_ips
+    source_ips  = local.ssh_source_ips
   }
 
   rule {
@@ -14,7 +19,15 @@ resource "hcloud_firewall" "cluster" {
     direction   = "in"
     protocol    = "tcp"
     port        = "6443"
-    source_ips  = var.allowed_api_ips
+    source_ips  = local.api_source_ips
+  }
+
+  rule {
+    description = "Tailscale WireGuard"
+    direction   = "in"
+    protocol    = "udp"
+    port        = "41641"
+    source_ips  = ["0.0.0.0/0"]
   }
 
   rule {
@@ -65,12 +78,15 @@ resource "hcloud_firewall" "cluster" {
     source_ips  = [var.subnet_cidr]
   }
 
-  rule {
-    description = "NodePorts"
-    direction   = "in"
-    protocol    = "tcp"
-    port        = "30000-32767"
-    source_ips  = ["0.0.0.0/0"]
+  dynamic "rule" {
+    for_each = var.enable_nodeport_public ? [1] : []
+    content {
+      description = "NodePorts"
+      direction   = "in"
+      protocol    = "tcp"
+      port        = "30000-32767"
+      source_ips  = ["0.0.0.0/0"]
+    }
   }
 
   rule {