kedge/terraform/modules/cloud-anchor/main.tf

terraform {
  required_providers {
    hcloud = {
      source  = "hetznercloud/hcloud"
      version = "~> 1.45"
    }
  }
}

resource "hcloud_server" "anchor" {
  name        = var.server_name
  server_type = var.server_type
  image       = var.image
  location    = var.location

  ssh_keys = var.ssh_keys

  labels = {
    role    = "cloud-anchor"
    cluster = "cloud-anchor"
    kedge   = "overlay-only"
  }

  user_data = <<-EOF
    #!/bin/bash
    apt-get update
    apt-get install -y wireguard-tools
  EOF
}

resource "hcloud_firewall" "anchor" {
  name = "${var.server_name}-fw"

  rule {
    direction = "in"
    protocol  = "tcp"
    port      = "22"
    source_ips = var.admin_ips
  }

  rule {
    direction = "in"
    protocol  = "udp"
    port      = var.wireguard_port
    source_ips = ["0.0.0.0/0", "::/0"]
  }

  rule {
    direction = "in"
    protocol  = "tcp"
    port      = "6443"
    source_ips = ["10.100.0.0/24"]
  }
}

resource "hcloud_firewall_attachment" "anchor" {
  firewall_id = hcloud_firewall.anchor.id
  server_ids  = [hcloud_server.anchor.id]
}