chore(minecraft): mounts

2026-02-09 04:19:19 -08:00 · 2024-09-17 12:42:18 -07:00 · 2024-09-17 12:42:18 -07:00 · 75b123776b
commit 75b123776b
parent 33b18bc348
15 changed files with 402 additions and 54 deletions
--- a/tf/cloudflare_records.tf
+++ b/tf/cloudflare_records.tf
@ -92,6 +92,13 @@ module "aya_system_records" {
  ]
 }

+module "minecraft_system_records" {
+  source    = "./system/records"
+  zone_id   = cloudflare_zone.gensokyo-zone_zone.id
+  zone_zone = cloudflare_zone.gensokyo-zone_zone.zone
+  net_data  = local.systems.minecraft.network
+}
+
 module "tewi_system_records" {
  source    = "./system/records"
  zone_id   = cloudflare_zone.gensokyo-zone_zone.id
--- a/tf/proxmox_vms.tf
+++ b/tf/proxmox_vms.tf
@ -784,15 +784,8 @@ EOT
        address = "auto"
      }
      ipv4 {
-        address = "dhcp"
-      }
-    }
-    ip_config {
-      ipv6 {
-        address = "${cidrhost(local.reisen_int_prefix6, local.proxmox_minecraft_vm_id - local.reisen_int_offset)}/64"
-      }
-      ipv4 {
-        address = "${cidrhost(local.reisen_int_prefix4, local.proxmox_minecraft_vm_id - local.reisen_int_offset)}/24"
+        address = "10.1.1.51/24"
+        gateway = "10.1.1.1"
      }
    }
  }
@ -807,11 +800,6 @@ EOT
    name        = "eth0"
    mac_address = "BC:24:11:C4:66:AD"
  }
-  network_interface {
-    name        = "eth9"
-    mac_address = "BC:24:19:C4:66:AD"
-    bridge      = proxmox_virtual_environment_network_linux_bridge.internal.name
-  }

  operating_system {
    template_file_id = var.proxmox_container_template
--- a/tf/tailscale_devices.tf
+++ b/tf/tailscale_devices.tf
@ -1,7 +1,8 @@
 locals {
-  tailscale_tag_infra  = "tag:infrastructure"
-  tailscale_tag_genso  = "tag:gensokyo"
-  tailscale_tag_reisen = "tag:reisen"
+  tailscale_tag_infra     = "tag:infrastructure"
+  tailscale_tag_genso     = "tag:gensokyo"
+  tailscale_tag_reisen    = "tag:reisen"
+  tailscale_tag_minecraft = "tag:minecraft"

  tailscale_tag_arc        = "tag:arc"
  tailscale_tag_arc_deploy = "tag:arc-deploy"
@ -11,7 +12,14 @@ locals {
  tailscale_user_arc = "arc@${var.tailscale_tailnet}"
  tailscale_user_kat = "kat@${var.tailscale_tailnet}"

-  tailscale_group_admin = "autogroup:admin"
+  tailscale_group_member = "autogroup:member"
+  tailscale_group_admin  = "autogroup:admin"
+
+  tailscale_tags_genso  = [local.tailscale_tag_infra, local.tailscale_tag_genso]
+  tailscale_tags_reisen = concat(local.tailscale_tags_genso, [local.tailscale_tag_reisen])
+  tailscale_tags_arc    = [local.tailscale_user_arc, local.tailscale_tag_arc]
+  tailscale_tags_kat    = [local.tailscale_user_kat, local.tailscale_tag_kat]
+  tailscale_tags_peeps  = concat(local.tailscale_tags_arc, local.tailscale_tags_kat)
 }

 resource "tailscale_acl" "tailnet" {
@ -20,6 +28,7 @@ resource "tailscale_acl" "tailnet" {
      "${local.tailscale_tag_infra}" : [local.tailscale_group_admin],
      "${local.tailscale_tag_reisen}" : [local.tailscale_group_admin, local.tailscale_tag_infra],
      "${local.tailscale_tag_genso}" : [local.tailscale_group_admin, local.tailscale_tag_arc_deploy, local.tailscale_tag_kat_deploy],
+      "${local.tailscale_tag_minecraft}" : [local.tailscale_group_admin, local.tailscale_tag_infra],
      "${local.tailscale_tag_arc}" : [local.tailscale_user_arc, local.tailscale_tag_arc_deploy],
      "${local.tailscale_tag_arc_deploy}" : [local.tailscale_user_arc],
      "${local.tailscale_tag_kat}" : [local.tailscale_user_kat, local.tailscale_tag_kat_deploy],
@ -27,10 +36,34 @@ resource "tailscale_acl" "tailnet" {
    }
    acls = [
      {
-        # Allow all connections
+        action = "accept"
+        src    = [local.tailscale_group_admin]
+        dst    = ["*:*"]
+      },
+      {
+        action = "accept"
+        src    = [local.tailscale_tag_reisen]
+        dst    = ["${local.tailscale_tag_reisen}:*"]
+      },
+      {
+        action = "accept"
+        src    = concat([local.tailscale_tag_genso], local.tailscale_tags_peeps)
+        dst = [
+          "${local.tailscale_tag_genso}:*",
+        ]
+      },
+      {
        action = "accept"
        src    = ["*"]
-        dst    = ["*:*"]
+        dst = [
+          "autogroup:self:*",
+          "${local.tailscale_tag_minecraft}:19132,19133,25565",
+        ]
+      },
+      {
+        action = "accept"
+        src    = [local.tailscale_group_member]
+        dst    = ["autogroup:internet:*"]
      },
    ]
    # Define users and devices that can use Tailscale SSH.
@ -38,7 +71,7 @@ resource "tailscale_acl" "tailnet" {
      # Allow all users to SSH into their own devices in check mode.
      {
        action = "check",
-        src    = ["autogroup:member"],
+        src    = [local.tailscale_group_member],
        dst    = ["autogroup:self"],
        users  = ["autogroup:nonroot", "root"],
      },
@ -51,7 +84,7 @@ resource "tailscale_tailnet_key" "reisen" {
  ephemeral     = false
  preauthorized = true
  description   = "Reisen VM"
-  tags          = [local.tailscale_tag_infra, local.tailscale_tag_genso, local.tailscale_tag_reisen]
+  tags          = local.tailscale_tags_reisen
  depends_on    = [tailscale_acl.tailnet]
 }

@ -60,7 +93,7 @@ resource "tailscale_tailnet_key" "gensokyo" {
  ephemeral     = false
  preauthorized = true
  description   = "Reisen VM"
-  tags          = [local.tailscale_tag_infra, local.tailscale_tag_genso]
+  tags          = local.tailscale_tags_genso
  depends_on    = [tailscale_acl.tailnet]
 }