Initial commit - realms platform

2026-01-05 22:54:27 -05:00 · 2026-01-05 22:54:27 -05:00 · c717c3751c
commit c717c3751c
parent c590ab6d18
234 changed files with 74103 additions and 15231 deletions
--- a/devops/terraform/modules/firewalls/main.tf
+++ b/devops/terraform/modules/firewalls/main.tf
@ -0,0 +1,187 @@
+# =============================================================================
+# Firewalls Module
+# Defense in depth with DigitalOcean Cloud Firewalls
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# Jump Host Firewall
+# Only allows SSH on non-standard port from anywhere
+# -----------------------------------------------------------------------------
+resource "digitalocean_firewall" "jump_host" {
+  name = "${var.project_name}-${var.environment}-jump-fw"
+
+  droplet_ids = [var.jump_host_droplet_id]
+
+  # Inbound: SSH on non-standard port
+  inbound_rule {
+    protocol         = "tcp"
+    port_range       = var.jump_host_ssh_port
+    source_addresses = ["0.0.0.0/0", "::/0"]
+  }
+
+  # Inbound: Allow all VPC traffic
+  inbound_rule {
+    protocol         = "tcp"
+    port_range       = "1-65535"
+    source_addresses = [var.vpc_ip_range]
+  }
+
+  inbound_rule {
+    protocol         = "udp"
+    port_range       = "1-65535"
+    source_addresses = [var.vpc_ip_range]
+  }
+
+  inbound_rule {
+    protocol         = "icmp"
+    source_addresses = [var.vpc_ip_range]
+  }
+
+  # Outbound: Only necessary traffic (security hardening)
+  outbound_rule {
+    protocol              = "tcp"
+    port_range            = "53"
+    destination_addresses = ["0.0.0.0/0", "::/0"]  # DNS
+  }
+
+  outbound_rule {
+    protocol              = "udp"
+    port_range            = "53"
+    destination_addresses = ["0.0.0.0/0", "::/0"]  # DNS
+  }
+
+  outbound_rule {
+    protocol              = "tcp"
+    port_range            = "80"
+    destination_addresses = ["0.0.0.0/0", "::/0"]  # HTTP (apt)
+  }
+
+  outbound_rule {
+    protocol              = "tcp"
+    port_range            = "443"
+    destination_addresses = ["0.0.0.0/0", "::/0"]  # HTTPS
+  }
+
+  outbound_rule {
+    protocol              = "udp"
+    port_range            = "123"
+    destination_addresses = ["0.0.0.0/0", "::/0"]  # NTP
+  }
+
+  outbound_rule {
+    protocol              = "icmp"
+    destination_addresses = ["0.0.0.0/0", "::/0"]
+  }
+
+  # VPC outbound (all ports for internal communication)
+  outbound_rule {
+    protocol              = "tcp"
+    port_range            = "1-65535"
+    destination_addresses = [var.vpc_ip_range]
+  }
+
+  outbound_rule {
+    protocol              = "udp"
+    port_range            = "1-65535"
+    destination_addresses = [var.vpc_ip_range]
+  }
+}
+
+# -----------------------------------------------------------------------------
+# Forgejo Firewall
+# Allows HTTP, HTTPS, and Git SSH from anywhere
+# System SSH only from VPC (handled by VPC rule)
+# -----------------------------------------------------------------------------
+resource "digitalocean_firewall" "forgejo" {
+  name = "${var.project_name}-${var.environment}-forgejo-fw"
+
+  droplet_ids = [var.forgejo_droplet_id]
+
+  # Inbound: HTTP
+  inbound_rule {
+    protocol         = "tcp"
+    port_range       = "80"
+    source_addresses = ["0.0.0.0/0", "::/0"]
+  }
+
+  # Inbound: HTTPS
+  inbound_rule {
+    protocol         = "tcp"
+    port_range       = "443"
+    source_addresses = ["0.0.0.0/0", "::/0"]
+  }
+
+  # Inbound: Git SSH
+  inbound_rule {
+    protocol         = "tcp"
+    port_range       = var.forgejo_git_ssh_port
+    source_addresses = ["0.0.0.0/0", "::/0"]
+  }
+
+  # Inbound: Allow all VPC traffic (includes system SSH on non-standard port)
+  inbound_rule {
+    protocol         = "tcp"
+    port_range       = "1-65535"
+    source_addresses = [var.vpc_ip_range]
+  }
+
+  inbound_rule {
+    protocol         = "udp"
+    port_range       = "1-65535"
+    source_addresses = [var.vpc_ip_range]
+  }
+
+  inbound_rule {
+    protocol         = "icmp"
+    source_addresses = [var.vpc_ip_range]
+  }
+
+  # Outbound: Only necessary traffic (security hardening)
+  outbound_rule {
+    protocol              = "tcp"
+    port_range            = "53"
+    destination_addresses = ["0.0.0.0/0", "::/0"]  # DNS
+  }
+
+  outbound_rule {
+    protocol              = "udp"
+    port_range            = "53"
+    destination_addresses = ["0.0.0.0/0", "::/0"]  # DNS
+  }
+
+  outbound_rule {
+    protocol              = "tcp"
+    port_range            = "80"
+    destination_addresses = ["0.0.0.0/0", "::/0"]  # HTTP (apt, Let's Encrypt)
+  }
+
+  outbound_rule {
+    protocol              = "tcp"
+    port_range            = "443"
+    destination_addresses = ["0.0.0.0/0", "::/0"]  # HTTPS (Docker, webhooks)
+  }
+
+  outbound_rule {
+    protocol              = "udp"
+    port_range            = "123"
+    destination_addresses = ["0.0.0.0/0", "::/0"]  # NTP
+  }
+
+  outbound_rule {
+    protocol              = "icmp"
+    destination_addresses = ["0.0.0.0/0", "::/0"]
+  }
+
+  # VPC outbound (all ports for internal communication)
+  outbound_rule {
+    protocol              = "tcp"
+    port_range            = "1-65535"
+    destination_addresses = [var.vpc_ip_range]
+  }
+
+  outbound_rule {
+    protocol              = "udp"
+    port_range            = "1-65535"
+    destination_addresses = [var.vpc_ip_range]
+  }
+}
--- a/devops/terraform/modules/firewalls/outputs.tf
+++ b/devops/terraform/modules/firewalls/outputs.tf
@ -0,0 +1,13 @@
+# =============================================================================
+# Firewalls Module Outputs
+# =============================================================================
+
+output "jump_host_firewall_id" {
+  description = "ID of the jump host firewall"
+  value       = digitalocean_firewall.jump_host.id
+}
+
+output "forgejo_firewall_id" {
+  description = "ID of the Forgejo firewall"
+  value       = digitalocean_firewall.forgejo.id
+}
--- a/devops/terraform/modules/firewalls/variables.tf
+++ b/devops/terraform/modules/firewalls/variables.tf
@ -0,0 +1,39 @@
+# =============================================================================
+# Firewalls Module Variables
+# =============================================================================
+
+variable "project_name" {
+  description = "Name of the project"
+  type        = string
+}
+
+variable "environment" {
+  description = "Environment name"
+  type        = string
+}
+
+variable "vpc_ip_range" {
+  description = "VPC IP range for internal traffic"
+  type        = string
+}
+
+variable "jump_host_droplet_id" {
+  description = "ID of the jump host droplet"
+  type        = number
+}
+
+variable "jump_host_ssh_port" {
+  description = "SSH port for jump host"
+  type        = number
+}
+
+variable "forgejo_droplet_id" {
+  description = "ID of the Forgejo droplet"
+  type        = number
+}
+
+variable "forgejo_git_ssh_port" {
+  description = "Git SSH port for Forgejo"
+  type        = number
+  default     = 2222
+}
--- a/devops/terraform/modules/firewalls/versions.tf
+++ b/devops/terraform/modules/firewalls/versions.tf
@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    digitalocean = {
+      source  = "digitalocean/digitalocean"
+      version = ">= 2.34"
+    }
+  }
+}