web/git
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3f724dbdfda0ac06ac61732cbbfec632a2cc0e61
git/terraform/main.tf
M.V. Hutz 04ca230bee feat: add Gitea Actions runner (#6) 
## Summary
- Adds a private runner server on the Hetzner private network (no public IP)
- NAT through the gitea server for outbound internet access via `hcloud_network_route` and iptables forwarding rules
- Runner connects to gitea over HTTPS on the private network with TLS verification disabled
- Includes Taskfile commands for runner deployment and SSH access

## Test plan
- [x] Runner registers with gitea instance
- [x] Private network connectivity verified
- [ ] Run a test workflow to confirm end-to-end CI

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #6
Co-authored-by: M.V. Hutz <git@maximhutz.me>
Co-committed-by: M.V. Hutz <git@maximhutz.me>
2026-03-16 01:40:44 +00:00

83 lines
1.9 KiB
HCL
Raw Blame History

resource "hcloud_primary_ip" "public_ip" {
name = "repository-public-ip"
datacenter = local.datacenter
type = "ipv4"
assignee_type = "server"
auto_delete = false
}
resource "hcloud_ssh_key" "ssh_key" {
name = "repository-ssh-key"
public_key = file(var.public_ssh_key_path)
}
resource "hcloud_server" "server_instance" {
name = "repository-server"
image = local.server_image
server_type = local.server_type
datacenter = local.datacenter
ssh_keys = [hcloud_ssh_key.ssh_key.id]
public_net {
ipv4_enabled = true
ipv4 = hcloud_primary_ip.public_ip.id
ipv6_enabled = false
}
}
resource "hcloud_firewall" "server_firewall" {
name = "repository-server-firewall"
# Allow ICMP.
rule {
direction = "in"
protocol = "icmp"
source_ips = ["0.0.0.0/0", "::/0"]
}
# Allow all out.
rule {
direction = "out"
protocol = "tcp"
port = "any"
destination_ips = ["0.0.0.0/0", "::/0"]
}
# Poke holes for applications, and SSH.
dynamic "rule" {
for_each = ["80", "443", "22", "2222"]
content {
direction = "in"
protocol = "tcp"
port = rule.value
source_ips = ["0.0.0.0/0", "::/0"]
}
}
}
resource "hcloud_firewall_attachment" "server_fw_attachment" {
firewall_id = hcloud_firewall.server_firewall.id
server_ids = [hcloud_server.server_instance.id]
}
resource "hcloud_server" "runner_instance" {
name = "runner-server"
image = local.server_image
server_type = local.server_type
datacenter = local.datacenter
ssh_keys = [hcloud_ssh_key.ssh_key.id]
public_net {
ipv4_enabled = false
ipv6_enabled = false
}
network {
network_id = hcloud_network.private_network.id
ip = local.runner_ip
}
depends_on = [hcloud_network_subnet.private_subnet]
}
Reference in New Issue View Git Blame Copy Permalink