Allow only exposing services over Tailscale

This works using public DNS, so doesn't need Tailscale's magic DNS to override my local.
2024-03-07 22:30:10 +00:00
parent 451a114262
commit f88d224168
10 changed files with 56 additions and 0 deletions
--- a/terraform/casey_vps.tf
+++ b/terraform/casey_vps.tf
@ -6,6 +6,16 @@ resource "linode_instance" "casey" {
  private_ip = true
 }

+resource "linode_ipv6_range" "casey_extra" {
+  linode_id = linode_instance.casey.id
+  prefix_length = 64
+}
+
+locals {
+  private_ipv6_marker = cidrhost(linode_ipv6_range.casey_extra.id, 1)
+  private_ipv6_range  = cidrsubnet(linode_ipv6_range.casey_extra.id, 64, 1)
+}
+
 resource "linode_firewall" "casey" {
  label           = "casey"
  linodes         = [linode_instance.casey.id]
--- a/terraform/context.tf
+++ b/terraform/context.tf
@ -2,6 +2,8 @@ resource "local_file" "hosts" {
  content = yamlencode({
    vps_hosts : {
      casey_ip : linode_instance.casey.ip_address,
+      private_ipv6_marker : local.private_ipv6_marker,
+      private_ipv6_range : local.private_ipv6_range,
      walker_ip : vultr_instance.walker.main_ip,
    }
  })
--- a/terraform/sys_domains.tf
+++ b/terraform/sys_domains.tf
@ -37,3 +37,11 @@ resource "cloudflare_record" "sys_domain_pve" {
  type    = "A"
  ttl     = 1
 }
+
+resource "cloudflare_record" "sys_domain_private" {
+  zone_id = cloudflare_zone.theorangeonenet.id
+  name    = "private.sys"
+  value   = local.private_ipv6_marker
+  type    = "AAAA"
+  ttl     = 1
+}
--- a/terraform/theorangeone.net.tf
+++ b/terraform/theorangeone.net.tf
@ -26,6 +26,14 @@ resource "cloudflare_record" "theorangeonenet_whoami_cdn" {
  ttl     = 1
 }

+resource "cloudflare_record" "theorangeonenet_whoami_private" {
+  zone_id = cloudflare_zone.theorangeonenet.id
+  name    = "whoami-private"
+  value   = cloudflare_record.sys_domain_private.hostname
+  type    = "CNAME"
+  ttl     = 1
+}
+
 resource "cloudflare_record" "theorangeonenet_mx1" {
  zone_id  = cloudflare_zone.theorangeonenet.id
  name     = "@"