feat: nginx proxy manager

2025-10-12 17:32:07 -04:00
parent 8ca2011d77
commit 2401368316
13 changed files with 309 additions and 67 deletions
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
@@ -1,6 +1,28 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.

+provider "registry.terraform.io/hashicorp/aws" {
+  version = "6.16.0"
+  hashes = [
+    "h1:eBjQq1U3AZ+mkEgE6cC8z6Qw4DIV23tNmM8tCcuqXuk=",
+    "zh:11b5c11fc47aa7537d3acfb3156c9206ce465c2c0db4478914d1ba9493a27f38",
+    "zh:1de5c4ef8096ab6a4fe8e528c5a1d772a57de74ef4de98996071987d0d6a7696",
+    "zh:1eaaaa02503e34e57494831ea32b3327482857b01011b40753ec37c502719ee0",
+    "zh:367159ac72b344802e72631505894b1e7c04211f59d17c137cc9528acfb3b940",
+    "zh:449bb91e861d16ce80aabe148b40fa20ee4250c934cf467f6c21cf2206be1b5f",
+    "zh:45b4757e15a9887bf1d6dce07cbbbff365399759bb920456cf30cae47f0b0170",
+    "zh:4d2824050f8f2d3916a3363e0eeeab6c2c5a0912323029c4c7dc6e93ff3cfbc1",
+    "zh:6f363f811d20d7bd3e558d6da2cff0506c78ccea5956f919e531b22fdc7300c8",
+    "zh:7ab0990fc172a1343e4af6d7540be43adba989ee1b422b9d54c3369247155cea",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:9eaae66cc57aa07a392eb9cb3fc115a5f446ffe9f51a7f45ffaefc7a64c17b31",
+    "zh:aee7dbba84823ed9ca93afb0579c78605588f9355e23ec1aafa22ac4a77c45c3",
+    "zh:be18792d2a52bbc06e6d21dc69c7ec7134e7aaf9e8bca5fd48d2edc8c1f9085e",
+    "zh:d2fb28162a6ed080fefe1d16b20be86652568e930aa777f186ecfcac66af6c43",
+    "zh:e1ffb80f46b64c26742417abe454af9c0d3920a8636698574c0a558e66cad535",
+  ]
+}
+
 provider "registry.terraform.io/hetznercloud/hcloud" {
  version     = "1.54.0"
  constraints = "~> 1.45"
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -10,6 +10,12 @@ resource "hcloud_network_subnet" "subnet" {
  ip_range     = local.subnet_cidr
 }

+resource "hcloud_network_route" "privNet" {
+  network_id  = hcloud_network.network.id
+  destination = "0.0.0.0/0"
+  gateway     = local.proxy_ip
+}
+
 /* -------------------------------------------------------------------------- */

 resource "hcloud_primary_ip" "public_ip" {
@@ -75,12 +81,16 @@ resource "hcloud_firewall" "server_firewall" {
    source_ips = [local.network_cidr]
  }

-  # Poke holes for SSH.
-  rule {
-    direction  = "in"
-    protocol   = "tcp"
-    port = "22"
-    source_ips = ["0.0.0.0/0", "::/0"]
+  # Poke holes for applications, and SSH.
+  dynamic "rule" {
+    for_each = ["80", "443", "22", "81"]
+
+    content {
+      direction  = "in"
+      protocol   = "tcp"
+      port       = rule.value
+      source_ips = ["0.0.0.0/0", "::/0"]
+    }
  }
 }

--- a/terraform/outputs.tf
+++ b/terraform/outputs.tf
@@ -3,3 +3,9 @@ output "proxy_ip" {
  value = hcloud_server.server_instance.ipv4_address
  sensitive = false
 }
+
+output "network_cidr" {
+  description = "The CIDR of the private network."
+  value = local.network_cidr
+  sensitive = false
+}
--- a/terraform/providers.tf
+++ b/terraform/providers.tf
@@ -16,3 +16,9 @@ terraform {
 provider "hcloud" {
  token = var.hcloud_token
 }
+
+provider "aws" {
+  region     = var.aws_region
+  access_key = var.aws_access_key
+  secret_key = var.aws_secret_key
+}
--- a/terraform/routing.tf
+++ b/terraform/routing.tf
@@ -0,0 +1,14 @@
+# The Route53 DNS zone.
+data "aws_route53_zone" "main" {
+  name = local.domain
+}
+
+# Push all domain traffic through the reverse proxy.
+resource "aws_route53_record" "domain" {
+  zone_id = data.aws_route53_zone.main.zone_id
+  name    = "*.${data.aws_route53_zone.main.name}"
+  type    = "A"
+  ttl     = "60"
+  records = [hcloud_primary_ip.public_ip.ip_address]
+}
+
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -4,7 +4,6 @@ locals {
  server_image = "debian-12"

  domain = "maximhutz.com"
-  subdomain = "git"

  network_cidr = "10.10.0.0/16"
  subnet_cidr = "10.10.0.0/24"
@@ -23,3 +22,21 @@ variable "public_ssh_key_path" {
  description = "The location of the public key used to access the repository Gitea server."
  type = string
 }
+
+variable "aws_region" {
+  description = "The region of the AWS account."
+  type = string
+  sensitive = true
+}
+
+variable "aws_access_key" {
+  description = "The access key of the account."
+  type = string
+  sensitive = true
+}
+
+variable "aws_secret_key" {
+  description = "The secret key of the account."
+  type = string
+  sensitive = true
+}