cloudflare: add proxmox

author: clarkzjw <[email protected]> 2023-01-13 22:57:51 -0800
committer: clarkzjw <[email protected]> 2023-01-13 22:57:51 -0800
commit: 63673af754d77df0a4bd3fda6b38ebb91dca5bdb (patch)
tree: 233e9f050eb971340b4806169efa8a72c10800b7
parent: ad28eb8b886931995b7c294a80357a6c5dca1772 (diff)
download: homelab-63673af754d77df0a4bd3fda6b38ebb91dca5bdb.tar.gz
5 files changed, 51 insertions, 4 deletions
diff --git a/clarkzjw.cc/infra/cloudflare_access.tf b/clarkzjw.cc/infra/cloudflare_access.tf
index 0708a53..267b1f7 100644
--- a/clarkzjw.cc/infra/cloudflare_access.tf
+++ b/clarkzjw.cc/infra/cloudflare_access.tf
@@ -43,3 +43,25 @@ resource "cloudflare_access_policy" "edgerouterx" {
    email = [var.cloudflare_access_application_email]
  }
 }
+# proxmox
+resource "cloudflare_access_application" "proxmox" {
+  zone_id                   = data.cloudflare_zones.homelab_main_domain.zones[0].id
+  name                      = "proxmox.${var.homelab_main_domain}"
+  domain                    = "proxmox.${var.homelab_main_domain}"
+  type                      = "self_hosted"
+  session_duration          = "24h"
+  auto_redirect_to_identity = false
+}
+resource "cloudflare_access_policy" "proxmox" {
+  application_id = cloudflare_access_application.proxmox.id
+  zone_id        = data.cloudflare_zones.homelab_main_domain.zones[0].id
+  name           = "Allow"
+  precedence     = "1"
+  decision       = "allow"
+  include {
+    email = [var.cloudflare_access_application_email]
+  }
+}
diff --git a/clarkzjw.cc/infra/dns.tf b/clarkzjw.cc/infra/dns.tf
index 30d42fa..1240399 100644
--- a/clarkzjw.cc/infra/dns.tf
+++ b/clarkzjw.cc/infra/dns.tf
@@ -37,6 +37,15 @@ resource "cloudflare_record" "edgerouterx" {
  proxied = true
 }
+# Proxmox
+resource "cloudflare_record" "proxmox" {
+  name    = "proxmox.${var.homelab_main_domain}"
+  type    = "CNAME"
+  zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
+  value   = "${cloudflare_argo_tunnel.atlas_main_tunnel.id}.cfargotunnel.com"
+  proxied = true
+}
 # notify
 # DNS config for Mailgun
 resource "cloudflare_record" "notify_SPF" {
diff --git a/clarkzjw.cc/infra/terraform.tfvars.example b/clarkzjw.cc/infra/terraform.tfvars.example
index 6fd3085..e7c1085 100644
--- a/clarkzjw.cc/infra/terraform.tfvars.example
+++ b/clarkzjw.cc/infra/terraform.tfvars.example
@@ -1 +1,6 @@
-homelab_notify_DKIM = "k=rsa; p=xxx"
+homelab_notify_DKIM                 = "k=rsa; p=xxx"
+cloudflare_account_id               = ""
+cloudflare_api_token                = ""
+cloudflare_access_application_email = ""
+edgerouterx_ip                      = "192.168.1.85"
+proxmox_ip                          = "192.168.1.88"
diff --git a/clarkzjw.cc/infra/tunnel.tf b/clarkzjw.cc/infra/tunnel.tf
index 81c6ed4..e891f07 100644
--- a/clarkzjw.cc/infra/tunnel.tf
+++ b/clarkzjw.cc/infra/tunnel.tf
@@ -13,9 +13,9 @@ resource "cloudflare_tunnel_config" "atlas_tunnel_route" {
    // TODO: https://github.com/cloudflare/terraform-provider-cloudflare/issues/2072
    // It seems the `origin_request` here doesn't enable `no_tls_verify` in each ingress_rule
    // For now, you have to enable `no_tls_verify` in the dashboard
-    origin_request {
+    #    origin_request {
-      no_tls_verify = true
+    #      no_tls_verify = true
-    }
+    #    }
    ingress_rule {
      hostname = "bt.${var.homelab_main_domain}"
      path     = "/"
@@ -27,6 +27,11 @@ resource "cloudflare_tunnel_config" "atlas_tunnel_route" {
      service  = "https://${var.edgerouterx_ip}"
    }
    ingress_rule {
+      hostname = "proxmox.${var.homelab_main_domain}"
+      path     = "/"
+      service  = "https://${var.proxmox_ip}:8006"
+    }
+    ingress_rule {
      service = "http_status:404"
    }
  }
diff --git a/clarkzjw.cc/infra/variables.tf b/clarkzjw.cc/infra/variables.tf
index 58e8976..bb5b06d 100644
--- a/clarkzjw.cc/infra/variables.tf
+++ b/clarkzjw.cc/infra/variables.tf
@@ -31,3 +31,9 @@ variable "edgerouterx_ip" {
  type        = string
  sensitive   = false
 }
+variable "proxmox_ip" {
+  description = "IP address for Proxmox"
+  type        = string
+  sensitive   = false
+}
author	clarkzjw <[email protected]>	2023-01-13 22:57:51 -0800
committer	clarkzjw <[email protected]>	2023-01-13 22:57:51 -0800
commit	63673af754d77df0a4bd3fda6b38ebb91dca5bdb (patch)
tree	233e9f050eb971340b4806169efa8a72c10800b7
parent	ad28eb8b886931995b7c294a80357a6c5dca1772 (diff)
download	homelab-63673af754d77df0a4bd3fda6b38ebb91dca5bdb.tar.gz

diff --git a/clarkzjw.cc/infra/cloudflare_access.tf b/clarkzjw.cc/infra/cloudflare_access.tf index 0708a53..267b1f7 100644 --- a/clarkzjw.cc/infra/cloudflare_access.tf +++ b/clarkzjw.cc/infra/cloudflare_access.tf
@@ -43,3 +43,25 @@ resource "cloudflare_access_policy" "edgerouterx" {
43	email = [var.cloudflare_access_application_email]	43	email = [var.cloudflare_access_application_email]
44	}	44	}
45	}	45	}
		46
		47	# proxmox
		48	resource "cloudflare_access_application" "proxmox" {
		49	zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
		50	name = "proxmox.${var.homelab_main_domain}"
		51	domain = "proxmox.${var.homelab_main_domain}"
		52	type = "self_hosted"
		53	session_duration = "24h"
		54	auto_redirect_to_identity = false
		55	}
		56
		57	resource "cloudflare_access_policy" "proxmox" {
		58	application_id = cloudflare_access_application.proxmox.id
		59	zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
		60	name = "Allow"
		61	precedence = "1"
		62	decision = "allow"
		63
		64	include {
		65	email = [var.cloudflare_access_application_email]
		66	}
		67	}


diff --git a/clarkzjw.cc/infra/dns.tf b/clarkzjw.cc/infra/dns.tf index 30d42fa..1240399 100644 --- a/clarkzjw.cc/infra/dns.tf +++ b/clarkzjw.cc/infra/dns.tf
@@ -37,6 +37,15 @@ resource "cloudflare_record" "edgerouterx" {
37	proxied = true	37	proxied = true
38	}	38	}
39		39
		40	# Proxmox
		41	resource "cloudflare_record" "proxmox" {
		42	name = "proxmox.${var.homelab_main_domain}"
		43	type = "CNAME"
		44	zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
		45	value = "${cloudflare_argo_tunnel.atlas_main_tunnel.id}.cfargotunnel.com"
		46	proxied = true
		47	}
		48
40	# notify	49	# notify
41	# DNS config for Mailgun	50	# DNS config for Mailgun
42	resource "cloudflare_record" "notify_SPF" {	51	resource "cloudflare_record" "notify_SPF" {


diff --git a/clarkzjw.cc/infra/terraform.tfvars.example b/clarkzjw.cc/infra/terraform.tfvars.example index 6fd3085..e7c1085 100644 --- a/clarkzjw.cc/infra/terraform.tfvars.example +++ b/clarkzjw.cc/infra/terraform.tfvars.example
@@ -1 +1,6 @@
1	homelab_notify_DKIM = "k=rsa; p=xxx"	1	homelab_notify_DKIM = "k=rsa; p=xxx"
		2	cloudflare_account_id = ""
		3	cloudflare_api_token = ""
		4	cloudflare_access_application_email = ""
		5	edgerouterx_ip = "192.168.1.85"
		6	proxmox_ip = "192.168.1.88"


diff --git a/clarkzjw.cc/infra/tunnel.tf b/clarkzjw.cc/infra/tunnel.tf index 81c6ed4..e891f07 100644 --- a/clarkzjw.cc/infra/tunnel.tf +++ b/clarkzjw.cc/infra/tunnel.tf
@@ -13,9 +13,9 @@ resource "cloudflare_tunnel_config" "atlas_tunnel_route" {
13	// TODO: https://github.com/cloudflare/terraform-provider-cloudflare/issues/2072	13	// TODO: https://github.com/cloudflare/terraform-provider-cloudflare/issues/2072
14	// It seems the `origin_request` here doesn't enable `no_tls_verify` in each ingress_rule	14	// It seems the `origin_request` here doesn't enable `no_tls_verify` in each ingress_rule
15	// For now, you have to enable `no_tls_verify` in the dashboard	15	// For now, you have to enable `no_tls_verify` in the dashboard
16	origin_request {	16	# origin_request {
17	no_tls_verify = true	17	# no_tls_verify = true
18	}	18	# }
19	ingress_rule {	19	ingress_rule {
20	hostname = "bt.${var.homelab_main_domain}"	20	hostname = "bt.${var.homelab_main_domain}"
21	path = "/"	21	path = "/"
@@ -27,6 +27,11 @@ resource "cloudflare_tunnel_config" "atlas_tunnel_route" {
27	service = "https://${var.edgerouterx_ip}"	27	service = "https://${var.edgerouterx_ip}"
28	}	28	}
29	ingress_rule {	29	ingress_rule {
		30	hostname = "proxmox.${var.homelab_main_domain}"
		31	path = "/"
		32	service = "https://${var.proxmox_ip}:8006"
		33	}
		34	ingress_rule {
30	service = "http_status:404"	35	service = "http_status:404"
31	}	36	}
32	}	37	}


diff --git a/clarkzjw.cc/infra/variables.tf b/clarkzjw.cc/infra/variables.tf index 58e8976..bb5b06d 100644 --- a/clarkzjw.cc/infra/variables.tf +++ b/clarkzjw.cc/infra/variables.tf
@@ -31,3 +31,9 @@ variable "edgerouterx_ip" {
31	type = string	31	type = string
32	sensitive = false	32	sensitive = false
33	}	33	}
		34
		35	variable "proxmox_ip" {
		36	description = "IP address for Proxmox"
		37	type = string
		38	sensitive = false
		39	}