author | clarkzjw <[email protected]> | 2023-01-13 22:57:51 -0800 |
---|---|---|
committer | clarkzjw <[email protected]> | 2023-01-13 22:57:51 -0800 |
commit | 63673af754d77df0a4bd3fda6b38ebb91dca5bdb (patch) | |
tree | 233e9f050eb971340b4806169efa8a72c10800b7 | |
parent | ad28eb8b886931995b7c294a80357a6c5dca1772 (diff) | |
download | homelab-63673af754d77df0a4bd3fda6b38ebb91dca5bdb.tar.gz |
cloudflare: add proxmox
-rw-r--r-- | clarkzjw.cc/infra/cloudflare_access.tf | 22 | ||||
-rw-r--r-- | clarkzjw.cc/infra/dns.tf | 9 | ||||
-rw-r--r-- | clarkzjw.cc/infra/terraform.tfvars.example | 7 | ||||
-rw-r--r-- | clarkzjw.cc/infra/tunnel.tf | 11 | ||||
-rw-r--r-- | clarkzjw.cc/infra/variables.tf | 6 |
5 files changed, 51 insertions, 4 deletions
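--- a/clarkzjw.cc/infra/cloudflare_access.tf
+++ b/clarkzjw.cc/infra/cloudflare_access.tf
@@ -43,3 +43,25 @@ resource "cloudflare_access_policy" "edgerouterx" {
 email = [var.cloudflare_access_application_email]
 }
 }
+
+# proxmox
+resource "cloudflare_access_application" "proxmox" {
+zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
+name = "proxmox.${var.homelab_main_domain}"
+domain = "proxmox.${var.homelab_main_domain}"
+type = "self_hosted"
+session_duration = "24h"
+auto_redirect_to_identity = false
+}
+
+resource "cloudflare_access_policy" "proxmox" {
+application_id = cloudflare_access_application.proxmox.id
+zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
+name = "Allow"
+precedence = "1"
+decision = "allow"
+
+include {
+email = [var.cloudflare_access_application_email]
+}
+}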
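Review bot: `session_duration = "24h"` on the new `cloudflare_access_application.proxmox` is copied from the edgerouter app, but this hostname fronts a hypervisor admin console, so a shorter value such as `session_duration = "1h"` would bound how long an Access session cookie stays valid if a browser session is compromised; I would at least add a comment explaining why a day-long session is acceptable here. The new application/policy pair is identical to the edgerouterx pair except for the hostname prefix, so a `for_each` over a map of app names (or a small module) would remove the duplicated `zone_id`, `include { email = ... }` and policy settings and keep future apps consistent. The edgerouterx policy that the hunk's context lines belong to starts above the hunk.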
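--- a/clarkzjw.cc/infra/dns.tf
+++ b/clarkzjw.cc/infra/dns.tf
@@ -37,6 +37,15 @@ resource "cloudflare_record" "edgerouterx" {
 proxied = true
 }
 
+# Proxmox
+resource "cloudflare_record" "proxmox" {
+name = "proxmox.${var.homelab_main_domain}"
+type = "CNAME"
+zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
+value = "${cloudflare_argo_tunnel.atlas_main_tunnel.id}.cfargotunnel.com"
+proxied = true
+}
+
 # notify
 # DNS config for Mailgun
 resource "cloudflare_record" "notify_SPF" {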
diff --git a/clarkzjw.cc/infra/terraform.tfvars.example b/clarkzjw.cc/infra/terraform.tfvars.example index 6fd3085..e7c1085 100644 --- a/clarkzjw.cc/infra/terraform.tfvars.example +++ b/clarkzjw.cc/infra/terraform.tfvars.example | |||
@@ -1 +1,6 @@ | |||
1 | homelab_notify_DKIM = "k=rsa; p=xxx" | 1 | homelab_notify_DKIM = "k=rsa; p=xxx" |
2 | cloudflare_account_id = "" | ||
3 | cloudflare_api_token = "" | ||
4 | cloudflare_access_application_email = "" | ||
5 | edgerouterx_ip = "192.168.1.85" | ||
6 | proxmox_ip = "192.168.1.88" | ||
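--- a/clarkzjw.cc/infra/tunnel.tf
+++ b/clarkzjw.cc/infra/tunnel.tf
@@ -13,9 +13,9 @@ resource "cloudflare_tunnel_config" "atlas_tunnel_route" {
 // TODO: https://github.com/cloudflare/terraform-provider-cloudflare/issues/2072
 // It seems the `origin_request` here doesn't enable `no_tls_verify` in each ingress_rule
 // For now, you have to enable `no_tls_verify` in the dashboard
-origin_request {
-no_tls_verify = true
-}
+# origin_request {
+# no_tls_verify = true
+# }
 ingress_rule {
 hostname = "bt.${var.homelab_main_domain}"
 path = "/"
@@ -27,6 +27,11 @@ resource "cloudflare_tunnel_config" "atlas_tunnel_route" {
 service = "https://${var.edgerouterx_ip}"
 }
 ingress_rule {
+hostname = "proxmox.${var.homelab_main_domain}"
+path = "/"
+service = "https://${var.proxmox_ip}:8006"
+}
+ingress_rule {
 service = "http_status:404"
 }
 }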
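Review bot: The new proxmox ingress rule sends cloudflared to `https://${var.proxmox_ip}:8006` while the only origin TLS setting in this resource is the now commented-out `origin_request` block, and the TODO above it says the setting has to be toggled in the dashboard; that leaves certificate verification for this hop managed outside Terraform, where `terraform plan` cannot show drift between code and console. If the provider version in use supports `origin_request` nested inside `ingress_rule`, adding `origin_request { no_tls_verify = true }` to the proxmox rule would at least record the current behaviour in code; where the Proxmox certificate chain is available, `ca_pool` or `origin_server_name` in that nested block would keep verification enabled instead of disabling it. Either way the comment on the `ingress_rule` should say which of the two is in effect so the next reader does not assume verification is on. The enclosing `cloudflare_tunnel_config` resource starts above the first hunk.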
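--- a/clarkzjw.cc/infra/variables.tf
+++ b/clarkzjw.cc/infra/variables.tf
@@ -31,3 +31,9 @@ variable "edgerouterx_ip" {
 type = string
 sensitive = false
 }
+
+variable "proxmox_ip" {
+description = "IP address for Proxmox"
+type = string
+sensitive = false
+}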
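Review bot: `variable "proxmox_ip"` accepts any string, and that value is interpolated straight into the tunnel ingress `service` URL, so a typo or an accidentally pasted hostname is only discovered when cloudflared fails to reach the origin. If the Terraform version in use supports variable validation, a `validation` block that checks the value parses as a single IP address would reject it at plan time; the same check would apply to `edgerouterx_ip`, whose declaration starts above the hunk. The `description` could also say this is the origin address cloudflared connects to inside the LAN, which is why it is not marked sensitive.
```hcl
variable "proxmox_ip" {
  description = "IP address for Proxmox"
  type        = string
  sensitive   = false

  validation {
    condition     = can(cidrhost("${var.proxmox_ip}/32", 0))
    error_message = "proxmox_ip must be a single IP address."
  }
}
```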