From 2cd6331a24fd496c50039a2efca302d2ba01c5a7 Mon Sep 17 00:00:00 2001
From: Simon Emms
Date: Fri, 1 Nov 2024 17:26:09 +0000
Subject: [PATCH] feat: remove public ipv4 access from worker nodes

There is a nominal charge for IPv4 addresses. Whilst not huge, there isn't really much point in having this if the addresses aren't really necessary
---
 modules/hetzner/k3s.tf | 12 +++++++++---
 modules/hetzner/server.tf | 10 ++++++++--
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/modules/hetzner/k3s.tf b/modules/hetzner/k3s.tf
index 4686276..55400c4 100644
--- a/modules/hetzner/k3s.tf
+++ b/modules/hetzner/k3s.tf
@@ -35,14 +35,20 @@ module "k3s" {
 workers = {
 for i, p in local.k3s_worker_pools : p.pool => {
 name = hcloud_server.workers[i].name
- node-external-ip = hcloud_server.workers[i].ipv4_address
- node-ip = tolist(hcloud_server.workers[i].network)[0].ip
+ node-external-ip = hcloud_server.workers[i].ipv6_address
+ node-ip = one(hcloud_server.workers[i].network[*].ip)
 connection = {
- host = hcloud_server.workers[i].ipv4_address
+ host = one(hcloud_server.workers[i].network[*].ip)
 port = var.ssh_port
 private_key = var.ssh_key
 user = local.ssh_user
+
+ # Always go through the first manager
+ bastion_host = hcloud_server.manager[0].ipv4_address
+ bastion_user = local.ssh_user
+ bastion_private_key = var.ssh_key
+ bastion_port = var.ssh_port
 }
 }...
 }
diff --git a/modules/hetzner/server.tf b/modules/hetzner/server.tf
index 30eead2..89babda 100644
--- a/modules/hetzner/server.tf
+++ b/modules/hetzner/server.tf
@@ -110,7 +110,7 @@ resource "hcloud_server" "workers" {
 }
 public_net {
- ipv4_enabled = true
+ ipv4_enabled = false
 ipv6_enabled = true
 }
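Review bot: The new `bastion_*` entries in the worker `connection` map (k3s.tf hunk) log in to the jump host with the same `var.ssh_key` and `local.ssh_user` as the workers, and no host key is pinned for either hop, so all worker provisioning now depends on one unverified SSH session to `hcloud_server.manager[0].ipv4_address`. Terraform's SSH connection settings accept `host_key` and `bastion_host_key`; if the k3s module forwards them, I would add `bastion_host_key = <manager[0] SSH host public key>` next to `bastion_host`. The comment could also say why, e.g. `# Workers have no public IPv4: SSH goes over the private network via manager[0]`. The same four `bastion_*` lines are added to `ssh_resource.workers_ready` in server.tf, and the `module "k3s"` block starts and ends outside this hunk.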
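Review bot: `ipv6_enabled = true` is left on in `public_net` (server.tf, first hunk), so each worker still has a publicly routable address after this change, and the k3s.tf hunk now advertises it as `node-external-ip`. Since SSH to the workers moves to the private network through the manager, inbound `var.ssh_port` on the public interface is presumably no longer needed; no firewall rule is visible here, so it is worth confirming that one restricts it. A comment such as `# public IPv6 only; SSH reaches workers over the private network via manager[0]` would record the intent. The `hcloud_server.workers` resource starts and ends outside this hunk.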
@@ -146,11 +146,17 @@ resource "ssh_resource" "manager_ready" {
 resource "ssh_resource" "workers_ready" {
 count = length(hcloud_server.workers)
- host = hcloud_server.workers[count.index].ipv4_address
+ host = one(hcloud_server.workers[count.index].network[*].ip)
 user = local.ssh_user
 private_key = var.ssh_key
 port = var.ssh_port
+ # Always go through the first manager
+ bastion_host = hcloud_server.manager[0].ipv4_address
+ bastion_user = local.ssh_user
+ bastion_private_key = var.ssh_key
+ bastion_port = var.ssh_port
+
 timeout = "5m"
 retry_delay = "5s"
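Review bot: `host = one(hcloud_server.workers[count.index].network[*].ip)` is only well-defined while each worker is attached to exactly one network, because `one()` returns null for an empty collection and raises an error for more than one element. The old `ipv4_address` had no such precondition, so the assumption deserves a comment on the line above, e.g. `# workers must be attached to exactly one private network; one() fails otherwise`. The same expression feeds `node-ip` and `connection.host` in the k3s.tf hunk. The `workers_ready` resource continues past the end of this hunk, so a guard may already exist further down.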