Initial commit - realms platform

2026-01-05 22:54:27 -05:00 · 2026-01-05 22:54:27 -05:00 · c717c3751c
commit c717c3751c
parent c590ab6d18
234 changed files with 74103 additions and 15231 deletions
--- a/devops/terraform/modules/firewalls/main.tf
+++ b/devops/terraform/modules/firewalls/main.tf
@ -0,0 +1,187 @@
+# =============================================================================
+# Firewalls Module
+# Defense in depth with DigitalOcean Cloud Firewalls
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# Jump Host Firewall
+# Only allows SSH on non-standard port from anywhere
+# -----------------------------------------------------------------------------
+resource "digitalocean_firewall" "jump_host" {
+  name = "${var.project_name}-${var.environment}-jump-fw"
+
+  droplet_ids = [var.jump_host_droplet_id]
+
+  # Inbound: SSH on non-standard port
+  inbound_rule {
+    protocol         = "tcp"
+    port_range       = var.jump_host_ssh_port
+    source_addresses = ["0.0.0.0/0", "::/0"]
+  }
+
+  # Inbound: Allow all VPC traffic
+  inbound_rule {
+    protocol         = "tcp"
+    port_range       = "1-65535"
+    source_addresses = [var.vpc_ip_range]
+  }
+
+  inbound_rule {
+    protocol         = "udp"
+    port_range       = "1-65535"
+    source_addresses = [var.vpc_ip_range]
+  }
+
+  inbound_rule {
+    protocol         = "icmp"
+    source_addresses = [var.vpc_ip_range]
+  }
+
+  # Outbound: Only necessary traffic (security hardening)
+  outbound_rule {
+    protocol              = "tcp"
+    port_range            = "53"
+    destination_addresses = ["0.0.0.0/0", "::/0"]  # DNS
+  }
+
+  outbound_rule {
+    protocol              = "udp"
+    port_range            = "53"
+    destination_addresses = ["0.0.0.0/0", "::/0"]  # DNS
+  }
+
+  outbound_rule {
+    protocol              = "tcp"
+    port_range            = "80"
+    destination_addresses = ["0.0.0.0/0", "::/0"]  # HTTP (apt)
+  }
+
+  outbound_rule {
+    protocol              = "tcp"
+    port_range            = "443"
+    destination_addresses = ["0.0.0.0/0", "::/0"]  # HTTPS
+  }
+
+  outbound_rule {
+    protocol              = "udp"
+    port_range            = "123"
+    destination_addresses = ["0.0.0.0/0", "::/0"]  # NTP
+  }
+
+  outbound_rule {
+    protocol              = "icmp"
+    destination_addresses = ["0.0.0.0/0", "::/0"]
+  }
+
+  # VPC outbound (all ports for internal communication)
+  outbound_rule {
+    protocol              = "tcp"
+    port_range            = "1-65535"
+    destination_addresses = [var.vpc_ip_range]
+  }
+
+  outbound_rule {
+    protocol              = "udp"
+    port_range            = "1-65535"
+    destination_addresses = [var.vpc_ip_range]
+  }
+}
+
+# -----------------------------------------------------------------------------
+# Forgejo Firewall
+# Allows HTTP, HTTPS, and Git SSH from anywhere
+# System SSH only from VPC (handled by VPC rule)
+# -----------------------------------------------------------------------------
+resource "digitalocean_firewall" "forgejo" {
+  name = "${var.project_name}-${var.environment}-forgejo-fw"
+
+  droplet_ids = [var.forgejo_droplet_id]
+
+  # Inbound: HTTP
+  inbound_rule {
+    protocol         = "tcp"
+    port_range       = "80"
+    source_addresses = ["0.0.0.0/0", "::/0"]
+  }
+
+  # Inbound: HTTPS
+  inbound_rule {
+    protocol         = "tcp"
+    port_range       = "443"
+    source_addresses = ["0.0.0.0/0", "::/0"]
+  }
+
+  # Inbound: Git SSH
+  inbound_rule {
+    protocol         = "tcp"
+    port_range       = var.forgejo_git_ssh_port
+    source_addresses = ["0.0.0.0/0", "::/0"]
+  }
+
+  # Inbound: Allow all VPC traffic (includes system SSH on non-standard port)
+  inbound_rule {
+    protocol         = "tcp"
+    port_range       = "1-65535"
+    source_addresses = [var.vpc_ip_range]
+  }
+
+  inbound_rule {
+    protocol         = "udp"
+    port_range       = "1-65535"
+    source_addresses = [var.vpc_ip_range]
+  }
+
+  inbound_rule {
+    protocol         = "icmp"
+    source_addresses = [var.vpc_ip_range]
+  }
+
+  # Outbound: Only necessary traffic (security hardening)
+  outbound_rule {
+    protocol              = "tcp"
+    port_range            = "53"
+    destination_addresses = ["0.0.0.0/0", "::/0"]  # DNS
+  }
+
+  outbound_rule {
+    protocol              = "udp"
+    port_range            = "53"
+    destination_addresses = ["0.0.0.0/0", "::/0"]  # DNS
+  }
+
+  outbound_rule {
+    protocol              = "tcp"
+    port_range            = "80"
+    destination_addresses = ["0.0.0.0/0", "::/0"]  # HTTP (apt, Let's Encrypt)
+  }
+
+  outbound_rule {
+    protocol              = "tcp"
+    port_range            = "443"
+    destination_addresses = ["0.0.0.0/0", "::/0"]  # HTTPS (Docker, webhooks)
+  }
+
+  outbound_rule {
+    protocol              = "udp"
+    port_range            = "123"
+    destination_addresses = ["0.0.0.0/0", "::/0"]  # NTP
+  }
+
+  outbound_rule {
+    protocol              = "icmp"
+    destination_addresses = ["0.0.0.0/0", "::/0"]
+  }
+
+  # VPC outbound (all ports for internal communication)
+  outbound_rule {
+    protocol              = "tcp"
+    port_range            = "1-65535"
+    destination_addresses = [var.vpc_ip_range]
+  }
+
+  outbound_rule {
+    protocol              = "udp"
+    port_range            = "1-65535"
+    destination_addresses = [var.vpc_ip_range]
+  }
+}