feat: attached firewall to server instance

terraform/main.tf

@@ -6,19 +6,57 @@ resource "hcloud_primary_ip" "public_ip" {
   auto_delete   = false
 }
 
-resource "hcloud_ssh_key" "ssky_key" {
+resource "hcloud_ssh_key" "ssh_key" {
   name       = "repository-ssh-key"
   public_key = file(var.public_ssh_key_path)
 }
 
-resource "hcloud_server" "server_test" {
+resource "hcloud_server" "server_instance" {
   name        = "repository-server"
   image       = local.server_image
   server_type = local.server_type
   datacenter  = local.datacenter
+  ssh_keys    = [hcloud_ssh_key.ssh_key.id]
+
   public_net {
     ipv4_enabled = true
-    ipv4 = hcloud_primary_ip.public_ip.id
+    ipv4         = hcloud_primary_ip.public_ip.id
     ipv6_enabled = false
   }
 }
+
+resource "hcloud_firewall" "server_firewall" {
+  name = "repository-server-firewall"
+
+  # Allow ICMP.
+  rule {
+    direction  = "in"
+    protocol   = "icmp"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  # Allow all out.
+  rule {
+    direction       = "out"
+    protocol        = "tcp"
+    port            = "any"
+    destination_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  # Poke holes for applications, and SSH.
+  dynamic "rule" {
+    for_each = ["80", "443", "22"]
+
+    content {
+      direction  = "in"
+      protocol   = "tcp"
+      port       = rule.value
+      source_ips = ["0.0.0.0/0", "::/0"]
+    }
+  }
+}
+
+resource "hcloud_firewall_attachment" "server_fw_attachment" {
+  firewall_id = hcloud_firewall.server_firewall.id
+  server_ids  = [hcloud_server.server_instance.id]
+}

terraform/outputs.tf

@@ -0,0 +1,5 @@
+output "server_ip" {
+  description = "The public address of the server."
+  value = hcloud_server.server_instance.ipv4_address
+  sensitive = false
+}