Skip to content

Instantly share code, notes, and snippets.

@zealot128
Last active November 4, 2023 10:46
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save zealot128/7db90fdd6144330a667d0f8bdf6105c7 to your computer and use it in GitHub Desktop.
- Check out
- install modern terraform version
- ``terraform init``
- get a Hetzner key,
- set it before run: ``` export TF_VAR_hcloud_token=...```
- ``terraform plan``
- ``terraform apply``
data "template_file" "docker" {
template = file("docker.yml")
}
# use your id_rsa.pub instead
resource "hcloud_ssh_key" "default" {
name = "Terraform"
public_key = file("~/.ssh/id_rsa.pub")
}
resource "hcloud_server" "myapp" {
name = "myapp"
allow_deprecated_images = true
image = "debian-11"
server_type = "cx21"
location = "nbg1"
ssh_keys = [hcloud_ssh_key.default.id]
firewall_ids = [hcloud_firewall.ssh_only.id]
backups = false
# can set to true, but increase cost by 20%
user_data = data.template_file.docker.rendered
delete_protection = false
rebuild_protection = false
lifecycle {
ignore_changes = [
user_data,
ssh_keys
]
}
}
resource "hcloud_server_network" "app_network" {
server_id = hcloud_server.myapp.id
network_id = hcloud_network.internal.id
ip = "10.90.90.2"
}
output "workInDe_public_ip" {
value = hcloud_server.myapp.ipv4_address
}
#cloud-config
package_upgrade: true
package_update: true
packages:
# Required by docker on Debian 11
- apparmor
- apt-listchanges
- apt-transport-https
- ca-certificates
- curl
- gnupg-agent
- htop
- software-properties-common
- unattended-upgrades
- vim
swap:
filename: /var/swap.img
size: "auto" # or size in bytes
maxsize: 2147483648
runcmd:
- curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
- add-apt-repository "deb [arch=$(dpkg --print-architecture)] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
- apt-get update -y
- apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose
- systemctl start docker
- systemctl enable docker
- echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCd11Cct4RqMhL6lu3j1wVNfr8oK5UMECHTCP/tEEvgMuTdlSve1rAapCTwiirsez3lsHVzxCALg8k1DEpBwWpBJYnx9dDCn8PnsF4XMHxCOsftHURbROhm69CrCToRUkQfUnFDkOhZDAbdyVN+s+MKIh3YDHjz6GWCHsaf3QyrLe34DCd5fc4+P9o58AT5CDrHevH29VI2T4lmanjxBa/7/uyq72cqxQ0CcJnVRKEzRjG/GctWcNcMs8Fh4ggtpgYhhaJvYy9BuE4C7fng7ZgOTGYPATjpvAbUxhJzKbzaBukfIQqLvAAdHxQaiXDafo+KzyvoSIg5AT0DE+qXDJxf stefan@MacBook-Pro.fritz.box" >> /root/.ssh/authorized_keys
- echo "SystemMaxUse=100M" >> /etc/systemd/journald.conf && service systemd-journald restart
write_files:
- owner: 'root:root'
path: /etc/apt/apt.conf.d/10periodic
content: |
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
"$${distro_id}:$${distro_codename}-security";
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
"$${distro_id}ESM:$${distro_codename}";
// "$${distro_id}:$${distro_codename}-updates";
// "$${distro_id}:$${distro_codename}-proposed";
// "$${distro_id}:$${distro_codename}-backports";
};
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "14";
resource "hcloud_network" "internal" {
name = "internal"
ip_range = "10.90.90.0/24"
delete_protection = true
}
resource "hcloud_network_subnet" "subnet" {
network_id = hcloud_network.internal.id
type = "server"
network_zone = "eu-central"
ip_range = "10.90.90.0/24"
}
resource "hcloud_firewall" "ssh_only" {
name = "ssh-only"
rule {
direction = "in"
protocol = "icmp"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
rule {
direction = "in"
protocol = "tcp"
port = "22"
source_ips = [
"0.0.0.0/0",
"::/0"
]
}
}
terraform {
required_version = ">= 0.13"
required_providers {
hcloud = {
source = "hetznercloud/hcloud"
version = "1.36.2"
}
}
}
provider "hcloud" {
token = var.hcloud_token
}
variable "hcloud_token" {}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment