feat: add VM 202 for report-generator PostgreSQL + MinIO

Provision a dedicated VM (VMID 202, 185.47.204.228) with 4 CPU / 8GB RAM / 100GB disk for hosting PostgreSQL and MinIO — moving stateful workloads out of K8s. Module changes: - Add extra_firewall_rules variable to tenant-vm module (dynamic block) - VM 202 gets additional FW rules: PostgreSQL (5432) and MinIO (9000) from K8s host Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 09:26:53 +01:00 · 2026-02-20 09:26:53 +01:00 · 011bbf52f4
commit 011bbf52f4
parent 45806bc13f
3 changed files with 53 additions and 1 deletions
--- a/environments/production/tenant-vms.tf
+++ b/environments/production/tenant-vms.tf
@ -8,7 +8,33 @@

 locals {
  tenant_vms = {
-    # No VMs currently provisioned
+    "vm-202-reportgen" = {
+      vm_id     = 202
+      public_ip = "185.47.204.228"
+      password  = "ir61mXhg7czPsdgf/ZHOom3j"
+      cpu_cores = 4
+      ram_mb    = 8192
+      disk_gb   = 100
+      started   = true
+      extra_firewall_rules = [
+        {
+          type    = "in"
+          action  = "ACCEPT"
+          proto   = "tcp"
+          dport   = "5432"
+          source  = "185.47.204.226"
+          comment = "PostgreSQL from K8s (bare_srv_1)"
+        },
+        {
+          type    = "in"
+          action  = "ACCEPT"
+          proto   = "tcp"
+          dport   = "9000"
+          source  = "185.47.204.226"
+          comment = "MinIO from K8s (bare_srv_1)"
+        },
+      ]
+    }
  }
 }

@ -24,6 +50,7 @@ module "tenant_vm" {
  ram_mb    = lookup(each.value, "ram_mb", 4096)
  disk_gb   = lookup(each.value, "disk_gb", 50)
  started   = lookup(each.value, "started", true)
+  extra_firewall_rules = lookup(each.value, "extra_firewall_rules", [])

  depends_on = [proxmox_virtual_environment_download_file.ubuntu_2404_cloud]
 }
--- a/modules/tenant-vm/main.tf
+++ b/modules/tenant-vm/main.tf
@ -152,4 +152,16 @@ resource "proxmox_virtual_environment_firewall_rules" "tenant" {
    dport   = "25"
    comment = "Block SMTP (anti-spam)"
  }
+
+  dynamic "rule" {
+    for_each = var.extra_firewall_rules
+    content {
+      type    = rule.value.type
+      action  = rule.value.action
+      proto   = rule.value.proto
+      dport   = rule.value.dport
+      source  = rule.value.source
+      comment = rule.value.comment
+    }
+  }
 }
--- a/modules/tenant-vm/variables.tf
+++ b/modules/tenant-vm/variables.tf
@ -75,3 +75,16 @@ variable "subnet_mask" {
  type        = string
  default     = "28"
 }
+
+variable "extra_firewall_rules" {
+  description = "Additional Proxmox firewall rules (added after default SSH/ICMP/monitoring rules)"
+  type = list(object({
+    type    = string
+    action  = string
+    proto   = string
+    dport   = optional(string)
+    source  = optional(string)
+    comment = optional(string)
+  }))
+  default = []
+}