From 8d9d04810c3921fa09ad1572f023ba8ad498a7b3 Mon Sep 17 00:00:00 2001
From: Max
Date: Tue, 30 Dec 2025 12:22:41 -0500
Subject: [PATCH] feat: networking
---
 terraform/compute.tf | 22 +++++++++++++++++++
 terraform/main.tf | 26 +++++++++++++++++++++++
 terraform/providers.tf | 6 +++---
 terraform/variables.tf | 17 ++++++++++++---
 vault.yml | 48 ++++++++++++++++++++++--------------------
 5 files changed, 90 insertions(+), 29 deletions(-)
 create mode 100644 terraform/compute.tf
 create mode 100644 terraform/main.tf
diff --git a/terraform/compute.tf b/terraform/compute.tf
new file mode 100644
index 0000000..f4a1702
--- /dev/null
+++ b/terraform/compute.tf
@@ -0,0 +1,22 @@
+// Add the servers to a placement group.
+resource "hcloud_placement_group" "group" {
+ name = "Cluster Group"
+ type = "spread"
+}
+
+// Secure NAT via SSH key.
+resource "hcloud_ssh_key" "main" {
+ name = "my-ssh-key"
+ public_key = file(var.public_key_file)
+}
+
+// The Jumphost/NAT, to interact and provide internet access to the cluster.
+resource "hcloud_server" "nat" {
+ name = "Cluster NAT"
+ image = "debian-12"
+ server_type = "cx23"
+ placement_group_id = hcloud_placement_group.group.id
+ ssh_keys = [hcloud_ssh_key.main.id]
+}
+
+
diff --git a/terraform/main.tf b/terraform/main.tf
new file mode 100644
index 0000000..e08744e
--- /dev/null
+++ b/terraform/main.tf
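Review bot: `hcloud_server.nat` in terraform/compute.tf is created with no firewall: the resource sets no `firewall_ids` and the commit adds no `hcloud_firewall`, so SSH on the jump host is reachable from any source address, and this is the same host every private server will route through. Restrict inbound traffic to SSH from the administrators' networks and attach the firewall to the server, as sketched below; `var.admin_ssh_cidrs` is a new variable that would have to be declared. Separately, Hetzner documents server names as having to be valid hostnames, so `name = "Cluster NAT"` with a space will probably be rejected at apply time; something like `name = "cluster-nat"` avoids that.

```hcl
resource "hcloud_firewall" "nat" {
  name = "nat-ssh-only"

  // Inbound: SSH from the admin networks only; all other inbound traffic is dropped.
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "22"
    source_ips = var.admin_ssh_cidrs
  }
}

resource "hcloud_server" "nat" {
  // … unchanged: name, image, server_type, placement_group_id, ssh_keys …
  firewall_ids = [hcloud_firewall.nat.id]
}
```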
@@ -0,0 +1,26 @@
+// Set up network for compute to live.
+resource "hcloud_network" "net" {
+ name = "Private Network"
+ ip_range = local.net-cidr
+}
+
+// Attach the NAT to the network.
+resource "hcloud_server_network" "nat-to-net" {
+ server_id = hcloud_server.nat.id
+ network_id = hcloud_network.net.id
+ ip = local.nat-private-ip
+}
+
+// Provide internet to the private servers, by sending all internet traffic to
+// the NAT.
+resource "hcloud_network_route" "gateway" {
+ network_id = hcloud_network.net.id
+ destination = "0.0.0.0/0"
+ gateway = local.nat-private-ip
+}
+
+// Give the NAT a public IP.
+resource "hcloud_floating_ip" "master" {
+ type = "ipv4"
+ server_id = hcloud_server.nat.id
+}
diff --git a/terraform/providers.tf b/terraform/providers.tf
index 066050b..462c362 100644
--- a/terraform/providers.tf
+++ b/terraform/providers.tf
@@ -1,8 +1,8 @@
 terraform {
 backend "s3" {
 skip_credentials_validation = true
- skip_region_validation = true
- skip_requesting_account_id = true
+ skip_region_validation = true
+ skip_requesting_account_id = true
 }
 required_providers {
@@ -15,4 +15,4 @@ terraform {
 provider "hcloud" {
 token = var.hcloud_token
-}
\ No newline at end of file
+}
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 76bf35f..eb819c2 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -1,4 +1,15 @@
-variable "hcloud_token" {
- type = string
+locals {
+ net-cidr = "10.0.0.0/8"
+
+ nat-private-ip = "10.0.1.5"
+}
+
+variable "public_key_file" {
+ type = string
 sensitive = true
-}
\ No newline at end of file
+}
+
+variable "hcloud_token" {
+ type = string
+ sensitive = true
+}
diff --git a/vault.yml b/vault.yml
index cc98c0c..008e818 100644
--- a/vault.yml
+++ b/vault.yml
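Review bot: No `hcloud_network_subnet` is defined for `hcloud_network.net` in terraform/main.tf, yet `hcloud_server_network.nat-to-net` asks for the fixed address `local.nat-private-ip`; as far as I can tell the Hetzner API refuses to attach a server to a network that has no subnet covering that address, so the attachment is likely to fail at apply time. Add a subnet that contains 10.0.1.5 and make the attachment depend on it, as sketched below; the zone and range there are constructed examples and must match the server's location. The default route through `hcloud_network_route.gateway` also only works once the NAT host forwards and masquerades traffic, and that host configuration is not part of this commit, so a comment next to the route saying where it lives would help the next reader.

```hcl
resource "hcloud_network_subnet" "cluster" {
  network_id   = hcloud_network.net.id
  type         = "cloud"
  network_zone = "eu-central"  // constructed example: use the zone of the server's location
  ip_range     = "10.0.1.0/24" // constructed example: must contain local.nat-private-ip
}

resource "hcloud_server_network" "nat-to-net" {
  // … unchanged: server_id, network_id, ip …
  depends_on = [hcloud_network_subnet.cluster]
}
```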
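Review bot: `public_key_file` in terraform/variables.tf is marked `sensitive = true`, but it holds the path to a public key, which is not a secret; the flag hides the value in plan output and makes `hcloud_ssh_key.main.public_key` sensitive as well, which obscures which key is being installed on the jump host. Drop the flag there and keep it on `hcloud_token`, where it protects a real credential. Both variables would also benefit from a description, for example `description = "Path to the SSH public key installed on the NAT/jump host"`. `net-cidr = "10.0.0.0/8"` claims the whole 10/8 block; if the cluster may later be peered or reached over a VPN, a narrower range lowers the chance of overlapping routes.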
@@ -1,24 +1,26 @@ $ANSIBLE_VAULT;1.1;AES256 -35653838333437306561313133383766346664343266623466316634626436386336653737346537 -6432613862613336666337646162343738356636626438620a353331383138653131666566303865 -66306562346332356165323761393732613334663932396236623262623238383033373330336332 -3931306261363638610a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a376638663965383539396364613565 +30343161613563386333313761383739666462656533633831616632363335613661643232323563 +3766623930633531310a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