pangea-kubernetes 0.1.0

data/lib/pangea/kubernetes/backends/nixos_base.rb

@@ -0,0 +1,235 @@
+# frozen_string_literal: true
+
+# Copyright 2025 The Pangea Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'pangea/kubernetes/bare_metal/cloud_init'
+
+module Pangea
+  module Kubernetes
+    module Backends
+      # Template method module for NixOS backends.
+      # Extracts shared logic for all 4 NixOS backends (AWS, GCP, Azure, Hetzner).
+      #
+      # Shared methods (implemented here):
+      #   - create_cluster: firewall + control plane server loop + cloud-init
+      #   - create_node_pool: worker cloud-init + scaling group delegation
+      #   - build_server_cloud_init: full option passthrough from config.nixos
+      #   - build_agent_cloud_init: worker cloud-init with join_server
+      #   - base_firewall_ports: cloud-agnostic port definitions
+      #   - build_secrets_hash: extracts path references from config
+      #
+      # Template hooks (subclasses implement):
+      #   - create_compute_instance(ctx, resource_name, config, result, cloud_init, index, tags)
+      #   - create_worker_pool(ctx, name, cluster_ref, pool_config, cloud_init, tags)
+      #   - create_firewall_resources(ctx, name, config, network_result, tags)
+      #   - resolve_image(config)
+      #   - post_create_instance(ctx, name, server, result, index, tags)
+      module NixosBase
+        # Kubernetes port definitions shared across all NixOS backends
+        COMMON_PORTS = {
+          ssh: { port: 22, protocol: :tcp, public: true, description: 'SSH' },
+          http: { port: 80, protocol: :tcp, public: true, description: 'HTTP' },
+          https: { port: 443, protocol: :tcp, public: true, description: 'HTTPS' },
+          api: { port: 6443, protocol: :tcp, public: true, description: 'K8s API' },
+          kubelet: { port: 10_250, protocol: :tcp, public: false, description: 'Kubelet' },
+          etcd: { port: '2379-2380', protocol: :tcp, public: false, description: 'etcd' },
+          vxlan: { port: 8472, protocol: :udp, public: false, description: 'VXLAN' },
+          wireguard: { port: 51_820, protocol: :udp, public: false, description: 'WireGuard VPN' }
+        }.freeze
+
+        # Additional ports for vanilla Kubernetes
+        VANILLA_K8S_PORTS = {
+          controller_manager: { port: 10_257, protocol: :tcp, public: false, description: 'controller-manager' },
+          scheduler: { port: 10_259, protocol: :tcp, public: false, description: 'scheduler' }
+        }.freeze
+
+        # Returns all firewall ports for the given distribution
+        def base_firewall_ports(distribution)
+          ports = COMMON_PORTS.dup
+          ports.merge!(VANILLA_K8S_PORTS) if distribution.to_sym == :kubernetes
+          ports
+        end
+
+        # Create control plane server(s) via template hooks.
+        # Subclasses override create_compute_instance and create_firewall_resources.
+        def nixos_create_cluster(ctx, name, config, result, tags)
+          system_pool = config.system_node_pool
+          cp_count = [system_pool.min_size, 1].max
+          servers = []
+
+          cp_count.times do |idx|
+            cloud_init = build_server_cloud_init(name, config, idx, result)
+
+            server = create_compute_instance(ctx, name, config, result, cloud_init, idx, tags)
+            post_create_instance(ctx, name, server, result, idx, tags)
+
+            servers << server
+          end
+
+          servers.first
+        end
+
+        # Placeholder used in agent cloud-init for the join server address.
+        # Backends that defer user_data encoding to Terraform (e.g., AWS with
+        # terraform_base64encode) replace this with the actual Terraform
+        # expression at synthesis time via replace().
+        JOIN_SERVER_PLACEHOLDER = '__PANGEA_JOIN_SERVER__'
+
+        # Create worker node pool via template hooks.
+        # Subclasses override create_worker_pool.
+        def nixos_create_node_pool(ctx, name, cluster_ref, pool_config, tags)
+          cloud_init = build_agent_cloud_init(name, tags, cluster_ref)
+          create_worker_pool(ctx, name, cluster_ref, pool_config, cloud_init, tags)
+        end
+
+        # Build cloud-init for a control plane server with full option passthrough.
+        def build_server_cloud_init(name, config, index, result)
+          gitops_config = case config.gitops_operator
+                          when :fluxcd then config.fluxcd&.to_h
+                          when :argocd then config.argocd&.to_h
+                          end
+
+          BareMetal::CloudInit.generate(
+            cluster_name: name.to_s,
+            distribution: config.distribution,
+            profile: config.profile,
+            distribution_track: config.distribution_track || config.kubernetes_version,
+            role: 'server',
+            node_index: index,
+            cluster_init: index.zero?,
+            network_id: result.network&.dig(:network)&.id,
+            fluxcd: config.gitops_operator == :fluxcd ? gitops_config : nil,
+            argocd: config.gitops_operator == :argocd ? gitops_config : nil,
+            k3s: config.distribution == :k3s ? config.nixos&.k3s&.to_h : nil,
+            kubernetes: config.distribution == :kubernetes ? config.nixos&.kubernetes&.to_h : nil,
+            secrets: build_secrets_hash(config),
+            vpn: config.vpn&.to_h,
+            bootstrap_secrets: build_bootstrap_secrets(config),
+            persistent_state: config.persistent_state&.to_h
+          )
+        end
+
+        # Build cloud-init for a worker/agent node.
+        # Workers receive only the k3s_server_token from bootstrap_secrets
+        # (they need it to authenticate to the control plane for cluster join).
+        #
+        # node_index defaults to 'dynamic' — the generated shell script queries
+        # EC2 instance metadata at boot time to derive a unique index from the
+        # instance ID. This prevents duplicate hostnames when multiple ASG
+        # instances share the same launch template. Backends that create
+        # individual resources (e.g., Hetzner) can override with a static index.
+        #
+        # When use_join_placeholder is true, the join_server value is replaced
+        # with JOIN_SERVER_PLACEHOLDER. This allows backends that use Terraform
+        # functions (e.g., base64encode) to inject the actual Terraform
+        # expression via replace() at apply time, avoiding premature encoding
+        # of ${...} references by Ruby.
+        def build_agent_cloud_init(name, tags, cluster_ref, node_index: 'dynamic', use_join_placeholder: false)
+          track = if cluster_ref.respond_to?(:distribution_track) && cluster_ref.distribution_track
+                    cluster_ref.distribution_track
+                  else
+                    tags[:DistributionTrack] || '1.34'
+                  end
+
+          agent_secrets = if cluster_ref.respond_to?(:agent_bootstrap_secrets)
+                           cluster_ref.agent_bootstrap_secrets
+                         end
+
+          join_server = use_join_placeholder ? JOIN_SERVER_PLACEHOLDER : cluster_ref.ipv4_address
+
+          BareMetal::CloudInit.generate(
+            cluster_name: name.to_s,
+            distribution: tags[:Distribution]&.to_sym || :k3s,
+            profile: tags[:Profile] || 'cloud-server',
+            distribution_track: track,
+            role: 'agent',
+            node_index: node_index,
+            cluster_init: false,
+            join_server: join_server,
+            bootstrap_secrets: agent_secrets
+          )
+        end
+
+        # Extract secrets path references from config.
+        # Returns nil when no secrets are configured.
+        def build_secrets_hash(config)
+          paths = {}
+
+          if config.fluxcd
+            paths[:flux_ssh_key_path] = config.fluxcd.source_ssh_key_file if config.fluxcd.source_ssh_key_file
+            paths[:flux_token_path] = config.fluxcd.source_token_file if config.fluxcd.source_token_file
+            paths[:sops_age_key_path] = config.fluxcd.sops_age_key_file if config.fluxcd.sops_age_key_file
+          end
+
+          if config.nixos&.secrets
+            secrets = config.nixos.secrets
+            paths[:flux_ssh_key_path] ||= secrets.flux_ssh_key_path if secrets.flux_ssh_key_path
+            paths[:flux_token_path] ||= secrets.flux_token_path if secrets.flux_token_path
+            paths[:sops_age_key_path] ||= secrets.sops_age_key_path if secrets.sops_age_key_path
+            paths[:join_token_path] = secrets.join_token_path if secrets.join_token_path
+            paths.merge!(secrets.extra_paths) if secrets.extra_paths.any?
+          end
+
+          paths.empty? ? nil : paths
+        end
+
+        # Extract bootstrap secrets from config for cloud-init delivery.
+        # These are written to disk at first boot before sops-nix activates.
+        # Returns nil when no bootstrap secrets are configured.
+        def build_bootstrap_secrets(config)
+          bs = config.bootstrap_secrets
+          return nil unless bs.is_a?(Hash) && bs.any?
+          return nil if bs.values.all? { |v| v.nil? || (v.is_a?(String) && v.empty?) }
+
+          bs
+        end
+
+        # Extract only the secrets workers need to join the cluster.
+        # Workers receive:
+        # - k3s_server_token: cluster join authentication
+        # - nix_github_token: access private flake inputs during nixos-rebuild
+        # They do NOT receive flux tokens, SOPS keys, VPN keys, or admin passwords.
+        AGENT_BOOTSTRAP_KEYS = %i[k3s_server_token nix_github_token].freeze
+
+        def build_agent_bootstrap_secrets(config)
+          bs = config.bootstrap_secrets
+          return nil unless bs.is_a?(Hash)
+
+          agent_secrets = AGENT_BOOTSTRAP_KEYS.each_with_object({}) do |key, h|
+            h[key] = bs[key] if bs[key]
+          end
+          agent_secrets.empty? ? nil : agent_secrets
+        end
+
+        # --- Template hooks (subclasses override) ---
+
+        # Create a single compute instance. Returns a resource reference.
+        def create_compute_instance(_ctx, _name, _config, _result, _cloud_init, _index, _tags)
+          raise NotImplementedError, "#{self} must implement create_compute_instance"
+        end
+
+        # Create a worker pool (ASG, MIG, VMSS, or server loop). Returns a resource reference.
+        def create_worker_pool(_ctx, _name, _cluster_ref, _pool_config, _cloud_init, _tags)
+          raise NotImplementedError, "#{self} must implement create_worker_pool"
+        end
+
+        # Post-instance creation hook (e.g., Hetzner network attachment). No-op by default.
+        def post_create_instance(_ctx, _name, _server, _result, _index, _tags)
+          # no-op — subclasses override when needed
+        end
+      end
+    end
+  end
+end

data/lib/pangea/kubernetes/bare_metal/cloud_init.rb

@@ -0,0 +1,196 @@
+# frozen_string_literal: true
+
+# Copyright 2025 The Pangea Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'json'
+
+module Pangea
+  module Kubernetes
+    module BareMetal
+      # Generates user_data for NixOS servers running k3s or vanilla Kubernetes
+      # via blackmatter-kubernetes modules.
+      #
+      # The NixOS boot sequence reads /etc/pangea/cluster-config.json and applies
+      # the corresponding blackmatter-kubernetes module (k3s or kubernetes).
+      #
+      # Config is cloud-agnostic — the same JSON drives k3s/k8s setup on
+      # AWS EC2, GCP GCE, Azure VMs, and Hetzner servers.
+      #
+      # Two output formats:
+      #   :shell        — bash script (NixOS AMIs with amazon-init, default)
+      #   :cloud_config — #cloud-config YAML (providers with real cloud-init)
+      module CloudInit
+        class << self
+          # Generate user_data for a NixOS Kubernetes node.
+          #
+          # @param cluster_name [String] Name of the cluster
+          # @param distribution [Symbol] :k3s or :kubernetes
+          # @param profile [String] blackmatter-kubernetes profile (e.g., 'cilium-standard')
+          # @param distribution_track [String] version track (e.g., '1.34')
+          # @param role [String] 'server'/'agent' (k3s) or 'control-plane'/'worker' (k8s)
+          # @param node_index [Integer] Index within the role group
+          # @param cluster_init [Boolean] Whether this is the first server (cluster-init)
+          # @param network_id [String, nil] Cloud network ID for private networking
+          # @param join_server [String, nil] IP/hostname of the server to join
+          # @param fluxcd [Hash, nil] FluxCD bootstrap configuration
+          # @param argocd [Hash, nil] ArgoCD bootstrap configuration
+          # @param k3s [Hash, nil] K3s distribution options (full passthrough)
+          # @param kubernetes [Hash, nil] Vanilla Kubernetes options (full passthrough)
+          # @param secrets [Hash, nil] Secrets path references (sops-nix)
+          # @param vpn [Hash, nil] VPN configuration (WireGuard links)
+          # @param bootstrap_secrets [Hash, nil] Bootstrap secrets (age key, tokens) written at first boot
+          # @param persistent_state [Hash, nil] Persistent EBS-volume mount config — kindling discovers + attaches + mounts before k3s starts
+          # @param format [Symbol] :shell (NixOS AMIs) or :cloud_config (real cloud-init)
+          # @return [String] user_data string
+          def generate(cluster_name:, distribution: :k3s, profile: 'cloud-server',
+                       distribution_track: '1.34', role: 'server', node_index: 0,
+                       cluster_init: false, network_id: nil, join_server: nil,
+                       fluxcd: nil, argocd: nil, k3s: nil, kubernetes: nil, secrets: nil,
+                       vpn: nil, bootstrap_secrets: nil, persistent_state: nil,
+                       format: :shell)
+            config = {
+              'cluster_name' => cluster_name,
+              'distribution' => distribution.to_s,
+              'profile' => profile,
+              'distribution_track' => distribution_track,
+              'role' => normalize_role(distribution, role),
+              'node_index' => node_index,
+              'cluster_init' => cluster_init
+            }
+
+            config['network_id'] = network_id if network_id
+            config['join_server'] = join_server if join_server
+            config['fluxcd'] = fluxcd if fluxcd
+            config['argocd'] = stringify_keys_recursive(argocd) if argocd && !argocd.empty?
+            config['k3s'] = stringify_keys_recursive(k3s) if k3s && !k3s.empty?
+            config['kubernetes'] = stringify_keys_recursive(kubernetes) if kubernetes && !kubernetes.empty?
+            config['secrets'] = stringify_keys_recursive(secrets) if secrets && !secrets.empty?
+            config['vpn'] = stringify_keys_recursive(vpn) if vpn && !vpn.empty?
+            config['bootstrap_secrets'] = stringify_keys_recursive(bootstrap_secrets) if bootstrap_secrets && !bootstrap_secrets.empty?
+            config['persistent_state'] = stringify_keys_recursive(persistent_state) if persistent_state && !persistent_state.empty?
+
+            case format.to_sym
+            when :cloud_config
+              generate_cloud_config(config)
+            else
+              generate_shell_script(config)
+            end
+          end
+
+          private
+
+          # Normalize role names across distributions:
+          # k3s: server/agent
+          # kubernetes: control-plane/worker
+          def normalize_role(distribution, role)
+            return role if distribution.to_sym == :k3s
+
+            case role.to_s
+            when 'server' then 'control-plane'
+            when 'agent' then 'worker'
+            else role.to_s
+            end
+          end
+
+          def config_path
+            '/etc/pangea/cluster-config.json'
+          end
+
+          # Recursively convert symbol keys to strings for JSON serialization
+          def stringify_keys_recursive(obj)
+            case obj
+            when Hash
+              obj.each_with_object({}) { |(k, v), h| h[k.to_s] = stringify_keys_recursive(v) }
+            when Array
+              obj.map { |v| stringify_keys_recursive(v) }
+            else
+              obj
+            end
+          end
+
+          # Shell script format — for NixOS AMIs with amazon-init.
+          # amazon-init executes user_data as a shell script directly.
+          #
+          # The script ONLY writes the cluster config JSON. The pre-installed
+          # kindling-server-bootstrap.service (baked into the AMI) detects the
+          # file via ExecCondition and runs the 13-phase bootstrap automatically.
+          # This avoids a slow `nix run` that would re-download/build kindling.
+          #
+          # When node_index is "dynamic", the script queries EC2 instance
+          # metadata to derive a unique index from the instance ID. This is
+          # needed for ASG-based workers where all instances share the same
+          # launch template and cannot have a Terraform-time unique index.
+          def generate_shell_script(config)
+            dynamic_index = config['node_index'] == 'dynamic'
+            json = config.to_json
+            <<~SHELL
+              #!/usr/bin/env bash
+              set -euo pipefail
+              #{dynamic_index_snippet if dynamic_index}
+              mkdir -p "$(dirname '#{config_path}')"
+              cat > '#{config_path}' << 'PANGEA_CONFIG_EOF'
+              #{json}
+              PANGEA_CONFIG_EOF
+              #{dynamic_index_sed_snippet if dynamic_index}
+              chmod 0640 '#{config_path}'
+            SHELL
+          end
+
+          # Shell snippet that resolves a unique node index from EC2 instance
+          # metadata. Uses the last 8 hex digits of the instance ID, converted
+          # to decimal, modulo 10000 for a reasonable hostname suffix.
+          def dynamic_index_snippet
+            # Uses single-quoted heredoc so Ruby does NOT interpolate.
+            # Shell expands ${} at runtime.
+            # IMPORTANT: avoid bash 16#hex syntax — the # breaks Terraform's
+            # expression parser when embedded in base64encode(replace(...)).
+            # Use printf '%d' "0x..." instead for hex-to-decimal conversion.
+            <<~'BASH'.chomp
+              IMDS_TOKEN=$(curl -sf -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 30" 2>/dev/null || true)
+              INSTANCE_ID=$(curl -sf -H "X-aws-ec2-metadata-token: ${IMDS_TOKEN}" "http://169.254.169.254/latest/meta-data/instance-id" 2>/dev/null || echo "i-unknown0000")
+              HEX_SUFFIX="${INSTANCE_ID: -8}"
+              NODE_INDEX=$(printf '%d' "0x${HEX_SUFFIX}" 2>/dev/null || echo 0)
+              NODE_INDEX=$((NODE_INDEX % 10000))
+            BASH
+          end
+
+          # Shell snippet that replaces the "dynamic" sentinel in the config JSON
+          # with the resolved NODE_INDEX value. Uses Ruby interpolation for the
+          # config path, but shell interpolation for NODE_INDEX.
+          def dynamic_index_sed_snippet
+            # rubocop:disable Style/StringLiterals
+            "sed -i \"s/\\\"node_index\\\":\\\"dynamic\\\"/\\\"node_index\\\":${NODE_INDEX}/\" '#{config_path}'"
+            # rubocop:enable Style/StringLiterals
+          end
+
+          # cloud-config YAML format — for providers with real cloud-init
+          # (Hetzner, GCP, Azure, etc.).
+          #
+          # Only writes the config file. The pre-installed kindling-server-bootstrap
+          # service handles the actual bootstrap after cloud-init completes.
+          def generate_cloud_config(config)
+            <<~YAML
+              #cloud-config
+              write_files:
+                - path: #{config_path}
+                  content: '#{config.to_json}'
+                  permissions: '0640'
+            YAML
+          end
+        end
+      end
+    end
+  end
+end

data/lib/pangea/kubernetes/bare_metal/cluster_reference.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+# Copyright 2025 The Pangea Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Pangea
+  module Kubernetes
+    module BareMetal
+      # Synthetic cluster reference for unmanaged Kubernetes (k3s, kubeadm, etc.).
+      # Unlike managed K8s (EKS, GKE, AKS), bare-metal clusters don't have a
+      # single terraform resource representing the cluster. This provides a
+      # compatible interface using the primary control plane server.
+      class ClusterReference
+        attr_reader :name, :control_plane_servers, :worker_servers, :config
+
+        def initialize(name:, control_plane_servers:, worker_servers: [], config: {})
+          @name = name
+          @control_plane_servers = control_plane_servers
+          @worker_servers = worker_servers
+          @config = config
+        end
+
+        # Primary control plane endpoint
+        def endpoint
+          primary_server&.ipv4_address
+        end
+
+        # k3s API port
+        def api_port
+          6443
+        end
+
+        # Full API endpoint URL
+        def api_endpoint
+          "https://#{endpoint}:#{api_port}"
+        end
+
+        # All node IPs (control plane + workers)
+        def all_node_ips
+          (control_plane_servers + worker_servers).map(&:ipv4_address)
+        end
+
+        def to_h
+          {
+            name: name,
+            endpoint: endpoint,
+            api_port: api_port,
+            control_plane_count: control_plane_servers.size,
+            worker_count: worker_servers.size
+          }
+        end
+
+        private
+
+        def primary_server
+          control_plane_servers.first
+        end
+      end
+    end
+  end
+end

data/lib/pangea/kubernetes/load_balancer.rb

@@ -0,0 +1,157 @@
+# frozen_string_literal: true
+
+# Copyright 2025 The Pangea Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'pangea/kubernetes/types'
+require 'pangea/kubernetes/bare_metal/cloud_init'
+
+module Pangea
+  module Kubernetes
+    # Elastic load balancer tier composition.
+    #
+    # Two-tier architecture:
+    #   Tier 1 (External): Fleet of NixOS HAProxy VMs behind Hetzner Cloud LB
+    #   Tier 2 (In-Cluster): Cilium eBPF (L4) + Istio Gateway (L7)
+    #
+    # Traffic flow:
+    #   DNS → Hetzner Cloud LB → NixOS HAProxy fleet → K8s NodePort → Istio Gateway
+    #
+    # For bare metal: replace Hetzner Cloud LB with NixOS BIRD BGP + keepalived VRRP
+    module LoadBalancer
+      # Create an elastic load balancer tier for a Kubernetes cluster.
+      #
+      # @param name [Symbol] LB tier name
+      # @param attributes [Hash] Load balancer configuration (see Types::LoadBalancerConfig)
+      # @return [Hash] Created resource references
+      def elastic_load_balancer(name, attributes = {})
+        config = Types::LoadBalancerConfig.new(attributes)
+        result = {}
+
+        tags = {
+          LoadBalancer: name.to_s,
+          Mode: config.mode,
+          ManagedBy: 'Pangea'
+        }.merge(config.tags)
+
+        hcloud_labels = tags.transform_keys { |k| k.to_s.downcase.gsub(/[^a-z0-9_]/, '_') }
+
+        # Create HAProxy VMs
+        result[:haproxy_servers] = create_haproxy_fleet(name, config, hcloud_labels)
+
+        # Create Hetzner Cloud LB in front of HAProxy fleet (managed mode)
+        unless config.bare_metal?
+          result[:cloud_lb] = create_hetzner_cloud_lb(name, config, result[:haproxy_servers], hcloud_labels)
+        end
+
+        result
+      end
+
+      private
+
+      def create_haproxy_fleet(name, config, labels)
+        servers = []
+
+        config.instance_count.times do |idx|
+          user_data = generate_haproxy_cloud_init(name, config, idx)
+
+          server = hcloud_server(
+            :"#{name}_haproxy_#{idx}",
+            name: "#{name}-haproxy-#{idx}",
+            server_type: config.instance_type,
+            image: 'ubuntu-24.04',
+            location: config.region,
+            user_data: user_data,
+            labels: labels.merge(
+              'role' => 'haproxy',
+              'node_index' => idx.to_s
+            )
+          )
+
+          servers << server
+        end
+
+        servers
+      end
+
+      def create_hetzner_cloud_lb(name, config, haproxy_servers, labels)
+        lb = hcloud_load_balancer(
+          :"#{name}_cloud_lb",
+          name: "#{name}-cloud-lb",
+          load_balancer_type: 'lb11',
+          location: config.region,
+          labels: labels
+        )
+
+        # Add targets (HAProxy servers)
+        haproxy_servers.each_with_index do |server, idx|
+          hcloud_load_balancer_target(
+            :"#{name}_lb_target_#{idx}",
+            load_balancer_id: lb.id,
+            type: 'server',
+            server_id: server.id
+          )
+        end
+
+        # Add services for each frontend port
+        config.frontend_ports.each do |port|
+          protocol = port == 443 ? 'https' : 'http'
+          hcloud_load_balancer_service(
+            :"#{name}_lb_service_#{port}",
+            load_balancer_id: lb.id,
+            protocol: protocol,
+            listen_port: port,
+            destination_port: port,
+            health_check: {
+              protocol: 'tcp',
+              port: port,
+              interval: config.health_check_interval.to_i
+            }
+          )
+        end
+
+        lb
+      end
+
+      def generate_haproxy_cloud_init(name, config, index)
+        haproxy_config = {
+          'cluster_name' => name.to_s,
+          'role' => 'haproxy',
+          'node_index' => index,
+          'mode' => config.mode,
+          'max_connections' => config.max_connections,
+          'frontend_ports' => config.frontend_ports,
+          'backends' => config.backends
+        }
+
+        if config.bare_metal?
+          haproxy_config['bgp_asn'] = config.bgp_asn if config.bgp_asn
+          haproxy_config['bgp_neighbor'] = config.bgp_neighbor if config.bgp_neighbor
+          haproxy_config['vrrp_interface'] = config.vrrp_interface if config.vrrp_interface
+          haproxy_config['virtual_ips'] = config.virtual_ips if config.virtual_ips.any?
+        end
+
+        <<~YAML
+          #cloud-config
+          write_files:
+            - path: /etc/pangea/haproxy-config.json
+              content: '#{haproxy_config.to_json}'
+              permissions: '0644'
+          runcmd:
+            - ['systemctl', 'start', 'pangea-haproxy-bootstrap']
+        YAML
+      end
+    end
+  end
+end