
# Cloudflare's published edge IPv4 ranges, served as a newline-separated
# plain-text list. Read whenever a plan runs, so the allowlist built from it
# is only as current as the last apply; re-apply periodically to pick up
# changes. Nothing here checks the HTTP status, so a non-200 body would be
# split into non-CIDR strings that the firewall resource presumably rejects
# at apply time (fails closed, but with an unhelpful error).
# NOTE(review): `body` is the attribute exposed by older hashicorp/http
# provider releases; v3+ also exposes `response_body` and `status_code`.
# Confirm against the pinned provider version.
data "http" "cloudflare_ip4_addrs" {
  url = "https://www.cloudflare.com/ips-v4"
}
# Cloudflare's published edge IPv6 ranges, same format and same caveats as
# the IPv4 list above: fetched at plan time over HTTPS, no status-code check.
# NOTE(review): `body` is the pre-v3 attribute name of the hashicorp/http
# provider; confirm it is still what the pinned version exposes.
data "http" "cloudflare_ip6_addrs" {
  url = "https://www.cloudflare.com/ips-v6"
}
# Web ports are reachable only from Cloudflare's published edge ranges, so
# requests that try to go straight to the origin and bypass the CDN/WAF are
# dropped. Note what this does and does not establish: a matching source
# address shows the packet arrived via Cloudflare's edge, not that it was
# proxied for this site's zone. If that distinction matters, pair the IP
# allowlist with authenticated origin pulls (mTLS) on the origin.
resource "digitalocean_firewall" "web" {
  name        = "allow-http-https-cloudflare"
  droplet_ids = [digitalocean_droplet.floyd.id, digitalocean_droplet.gilmour.id]

  # One identical rule per web port, both built from the same fetched lists;
  # adding a port is a one-element change here.
  dynamic "inbound_rule" {
    for_each = ["80", "443"]

    content {
      protocol   = "tcp"
      port_range = inbound_rule.value

      # Each list is newline-separated; trimspace() removes the trailing
      # newline so split() does not produce an empty last element.
      source_addresses = concat(
        split("\n", trimspace(data.http.cloudflare_ip4_addrs.body)),
        split("\n", trimspace(data.http.cloudflare_ip6_addrs.body))
      )
    }
  }
}
# ICMP from any IPv4 or IPv6 source. Leaving this open keeps ping and
# path-MTU discovery working; it also means the droplets answer to anyone
# probing them. Acceptable for a public web host, but narrow the sources if
# these hosts are meant to be quiet.
resource "digitalocean_firewall" "icmp" {
  droplet_ids = [digitalocean_droplet.floyd.id, digitalocean_droplet.gilmour.id]
  name        = "allow-icmp-all"

  inbound_rule {
    protocol         = "icmp"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }
}
# Every TCP and UDP port, from the 100.64.0.0/10 range the resource name
# attributes to Tailscale (its node addresses live in that CGNAT block).
# This trusts the whole tailnet: any peer that can reach these droplets
# over Tailscale gets every port, so Tailscale ACLs are the effective
# per-service control here, not this firewall.
resource "digitalocean_firewall" "vpn" {
  name        = "allow-all-tailscale-inbound"
  droplet_ids = [digitalocean_droplet.floyd.id, digitalocean_droplet.gilmour.id]

  # Same full-range rule for each protocol.
  dynamic "inbound_rule" {
    for_each = ["tcp", "udp"]

    content {
      protocol         = inbound_rule.value
      port_range       = "1-65535"
      source_addresses = ["100.64.0.0/10"]
    }
  }
}
# SSH from anywhere on IPv4 and IPv6. This is the widest exposure in the
# file: port 22 is already reachable from the tailnet through the "vpn"
# firewall's 1-65535 TCP rule, so this rule only adds access from the public
# internet. If operators connect over Tailscale, consider removing it or
# restricting source_addresses to the same 100.64.0.0/10 range (or a bastion
# address) — but only after confirming an out-of-band path exists, since
# tightening it via apply can lock you out if the tailnet is down. Whatever
# the source list, password authentication should be off in sshd.
resource "digitalocean_firewall" "ssh" {
  droplet_ids = [digitalocean_droplet.floyd.id, digitalocean_droplet.gilmour.id]
  name        = "ssh-inbound"

  inbound_rule {
    port_range       = "22"
    protocol         = "tcp"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }
}
# Unrestricted egress: all TCP and UDP ports plus ICMP, to any IPv4 or IPv6
# destination. A DigitalOcean cloud firewall only passes what a rule allows,
# so some outbound rule is needed for package updates, DNS and the like;
# this one allows everything, which also means a compromised droplet can
# talk to arbitrary hosts. Narrowing egress (DNS, HTTPS, NTP, and the
# Cloudflare/Tailscale ranges) is a worthwhile hardening step if the
# workloads' needs are known.
resource "digitalocean_firewall" "outbound-all" {
  name        = "allow-all-outbound"
  droplet_ids = [digitalocean_droplet.floyd.id, digitalocean_droplet.gilmour.id]

  # Full port range for each transport protocol.
  dynamic "outbound_rule" {
    for_each = ["tcp", "udp"]

    content {
      protocol              = outbound_rule.value
      port_range            = "1-65535"
      destination_addresses = ["0.0.0.0/0", "::/0"]
    }
  }

  # ICMP has no ports, hence a separate static rule.
  outbound_rule {
    protocol              = "icmp"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
}