# Production environment — managed by Claude AI via Atlantis
# Changes to this file go through PR → plan → approve → apply
terraform {
  # Floor for the tooling: the `endpoints` map and `use_path_style` used in
  # the backend below belong to the 1.6-era s3 backend schema.
  required_version = ">= 1.6.0"

  required_providers {
    proxmox = {
      source  = "bpg/proxmox"
      version = "~> 0.90" # >= 0.90, < 1.0 — bump deliberately and refresh the lock file
    }
  }

  # Remote state kept in MinIO, addressed through the S3-compatible API.
  backend "s3" {
    bucket         = "tofu-state"
    key            = "production/terraform.tfstate"
    region         = "us-east-1" # required by the backend schema regardless of target
    use_path_style = true        # path-style bucket URLs (bucket in the path, not the host)
    endpoints      = { s3 = "http://minio:9000" }

    # The target is not AWS, so the AWS-specific probes are switched off.
    skip_credentials_validation = true
    skip_metadata_api_check     = true
    skip_requesting_account_id  = true

    # NOTE(review): the state endpoint is plain HTTP and no state locking is
    # configured in this block. State files routinely carry secrets and
    # concurrent applies can corrupt them; this is only acceptable if
    # minio:9000 is reachable solely from the Atlantis runner on a private
    # network — confirm that, or front MinIO with TLS and enable locking.
  }
}
provider "proxmox" {
  # Proxmox VE API on the host's public address (the same address that
  # fronts vmbr1 per the host notes at the bottom of this file).
  endpoint = "https://185.47.204.226:8006/"

  # NOTE(review): `insecure = true` disables TLS verification because the
  # node presents a self-signed certificate. Since the API is reached over
  # a public address, an on-path attacker could impersonate the node and
  # obtain the API token sent over this connection. Trusting the node's
  # certificate explicitly (or issuing one from a CA the Atlantis runner
  # trusts) would allow this to be `false`.
  insecure = true # self-signed cert

  # No credentials are written here on purpose: the provider reads
  # PROXMOX_VE_API_TOKEN from the environment, which the Atlantis custom
  # workflow fills in after decrypting it from SOPS.

  # SSH material is read from a file on the runner rather than an agent.
  # The key grants root on the hypervisor; keep /secrets/ssh-key out of
  # any image layer or log and scope it to the Atlantis runner only.
  ssh {
    username    = "root"
    agent       = false
    private_key = file("/secrets/ssh-key")
  }
}
# Verify Proxmox connectivity — read cluster nodes
# Read-only lookup evaluated at plan time; it surfaces endpoint, TLS or
# token problems before any resource is touched, and creates nothing.
data "proxmox_virtual_environment_nodes" "nodes" {
}
# Exposes the node list from the connectivity check above so a successful
# plan/apply visibly proves the API round-trip worked.
output "proxmox_nodes" {
  value       = data.proxmox_virtual_environment_nodes.nodes.names
  description = "Proxmox cluster node names"
}
# ─── Cloud Images ─────────────────────────────────────────────────────────────
# Managed by OpenTofu — no manual wget needed
resource "proxmox_virtual_environment_download_file" "ubuntu_2404_cloud" {
  # Ubuntu 24.04 cloud image, downloaded by the node itself into its
  # local datastore.
  node_name    = "georgeops"
  datastore_id = "local"
  content_type = "iso"

  url       = "https://cloud-images.ubuntu.com/releases/24.04/release/ubuntu-24.04-server-cloudimg-amd64.img"
  file_name = "ubuntu-24.04-cloudimg-amd64.img"

  # A copy of this file was previously fetched by hand on the node; take
  # it under management instead of failing on the name collision.
  overwrite_unmanaged = true # adopt existing manually-downloaded file

  # NOTE(review): nothing here pins the image contents. Because the
  # pre-existing file is adopted, a stale or altered copy already on the
  # node may be accepted without verification — confirm how the provider
  # handles that case. The resource supports `checksum` and
  # `checksum_algorithm`; set them from upstream's published SHA256SUMS:
  #   checksum_algorithm = "sha256"
  #   checksum           = "<sha256 from upstream SHA256SUMS — placeholder>"
}
# ─── Host Prerequisites (not manageable via Proxmox API) ─────────────────────
# vmbr1 bridge: 185.47.204.226/28, bridge-ports eth0 (public IP + tenant VMs)
# vmbr0 bridge: 10.10.10.1/24, bridge-ports none (NAT for internal VMs)
# NAT: iptables MASQUERADE 10.10.10.0/24 → vmbr1 (post-up)
# Host protect: iptables DROP traffic from .227-.236 to the host INPUT chain (post-up on vmbr1)
# ip_forward: /etc/sysctl.d/99-ip-forward.conf (net.ipv4.ip_forward = 1)
# Storage: pvesm set local --content iso,vztmpl,backup,snippets,images
# Reason: Proxmox API does not support post-up/post-down (bpg/proxmox #1454)
# See: proxmox-patterns.md in Claude memory