author | clarkzjw <[email protected]> | 2023-01-13 22:12:56 -0800 |
---|---|---|
committer | clarkzjw <[email protected]> | 2023-01-13 22:12:56 -0800 |
commit | 61b547c9444ac0f2ae925b794f8c65f3b1a429ce (patch) | |
tree | e538320a550b9fa41b1524cce5b4dbd7284d4f5c /clarkzjw.cc/infra | |
parent | 4f274f77122479d16d74ade9a0867da71cdf3cee (diff) | |
download | homelab-61b547c9444ac0f2ae925b794f8c65f3b1a429ce.tar.gz |
cloudflare: add edgerouterx
Diffstat (limited to 'clarkzjw.cc/infra')
-rw-r--r-- | clarkzjw.cc/infra/cloudflare_access.tf | 23 | ||||
-rw-r--r-- | clarkzjw.cc/infra/dns.tf | 9 | ||||
-rw-r--r-- | clarkzjw.cc/infra/tunnel.tf | 12 | ||||
-rw-r--r-- | clarkzjw.cc/infra/variables.tf | 6 |
4 files changed, 50 insertions, 0 deletions
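--- a/clarkzjw.cc/infra/cloudflare_access.tf
+++ b/clarkzjw.cc/infra/cloudflare_access.tf
@@ -1,5 +1,6 @@
 # Cloudflare Access Policy
 
+# bt
 resource "cloudflare_access_application" "bt" {
 zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
 name = "bt.${var.homelab_main_domain}"
@@ -20,3 +21,25 @@ resource "cloudflare_access_policy" "bt" {
 email = [var.cloudflare_access_application_email]
 }
 }
+
+# router
+resource "cloudflare_access_application" "edgerouterx" {
+zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
+name = "edgerouterx.${var.homelab_main_domain}"
+domain = "edgerouterx.${var.homelab_main_domain}"
+type = "self_hosted"
+session_duration = "24h"
+auto_redirect_to_identity = false
+}
+
+resource "cloudflare_access_policy" "edgerouterx" {
+application_id = cloudflare_access_application.edgerouterx.id
+zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
+name = "Allow"
+precedence = "1"
+decision = "allow"
+
+include {
+email = [var.cloudflare_access_application_email]
+}
+}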
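Review bot: `session_duration = "24h"` on the new `edgerouterx` Access application keeps a login valid for a full day on a router administration interface; it mirrors the `bt` application, but the router is a higher-value origin than a torrent UI and a shorter value such as `session_duration = "1h"` limits how long a leaked or left-open browser session remains usable. `precedence = "1"` passes a number as a string; `precedence = 1` matches the attribute's type and avoids relying on implicit conversion. The bare `# router` comment would be more useful as `# EdgeRouterX web UI: published through the tunnel in tunnel.tf, gated by the Access policy below`, since the hostname's tunnel and DNS definitions live in other files.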
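--- a/clarkzjw.cc/infra/dns.tf
+++ b/clarkzjw.cc/infra/dns.tf
@@ -28,6 +28,15 @@ resource "cloudflare_record" "bt" {
 proxied = true
 }
 
+# EdgeRouterX
+resource "cloudflare_record" "edgerouterx" {
+name = "edgerouterx.${var.homelab_main_domain}"
+type = "CNAME"
+zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
+value = "${cloudflare_argo_tunnel.atlas_main_tunnel.id}.cfargotunnel.com"
+proxied = true
+}
+
 # notify
 # DNS config for Mailgun
 resource "cloudflare_record" "notify_SPF" {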
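Review bot: `proxied = true` on the new `edgerouterx` record is load-bearing rather than cosmetic: the Access policy added in cloudflare_access.tf is only enforced on requests that pass through Cloudflare's proxy, and a `cfargotunnel.com` CNAME is only served through the proxy, so this must not be flipped to false. A comment such as `# must stay proxied: Cloudflare Access only enforces on proxied traffic` would make that dependency explicit to the next editor. The `edgerouterx.${var.homelab_main_domain}` hostname is now spelled identically in three files; a single `local.edgerouterx_host` referenced from each would keep the DNS record, the tunnel ingress and the Access application from drifting apart.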
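--- a/clarkzjw.cc/infra/tunnel.tf
+++ b/clarkzjw.cc/infra/tunnel.tf
@@ -10,12 +10,24 @@ resource "cloudflare_tunnel_config" "atlas_tunnel_route" {
 tunnel_id = cloudflare_argo_tunnel.atlas_main_tunnel.id
 
 config {
+// TODO: https://github.com/cloudflare/terraform-provider-cloudflare/issues/2072
+// It seems the `origin_request` here doesn't enable `no_tls_verify` in each ingress_rule
+// For now, you have to enable `no_tls_verify` in the dashboard
+origin_request {
+no_tls_verify = true
+}
 ingress_rule {
 hostname = "bt.${var.homelab_main_domain}"
 path = "/"
 service = "http://127.0.0.1:8080"
 }
 ingress_rule {
+hostname = "edgerouterx.${var.homelab_main_domain}"
+path = "/"
+service = "https://${var.edgerouterx_ip}"
+
+}
+ingress_rule {
 service = "http_status:404"
 }
 }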
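Review bot: `no_tls_verify = true` is placed in the config-level `origin_request`, which applies to every ingress rule of the tunnel rather than only the `edgerouterx` rule that needs it for the router's certificate; the `bt` rule is plain HTTP today, but any HTTPS origin added to this tunnel later would silently skip certificate verification. Because the TODO says the provider does not honour this block and the setting has to be toggled in the dashboard, the Terraform state and the live tunnel configuration already disagree, which is worth recording on the resource so nobody "cleans up" the apparently ineffective block. Once the linked provider issue is resolved, prefer a per-rule `origin_request` inside the `edgerouterx` ingress_rule, or better, point `service` at the router's DNS name and verify its certificate with `origin_server_name` and `ca_pool` instead of disabling verification. The stray blank line before the closing brace of the `edgerouterx` ingress_rule can be dropped. The `cloudflare_tunnel_config` resource starts before this hunk.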
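--- a/clarkzjw.cc/infra/variables.tf
+++ b/clarkzjw.cc/infra/variables.tf
@@ -25,3 +25,9 @@ variable "cloudflare_access_application_email" {
 type = string
 sensitive = false
 }
+
+variable "edgerouterx_ip" {
+description = "IP address for EdgeRouterX"
+type = string
+sensitive = false
+}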
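Review bot: `edgerouterx_ip` is interpolated directly into the tunnel's `service = "https://${var.edgerouterx_ip}"` in tunnel.tf, but nothing checks that the value is actually a bare IP address; a value carrying a scheme, port or path would yield a malformed origin URL that only fails at apply time or at the first request. A `validation` block (Terraform 0.13 or later) rejects such values at plan time. `sensitive = false` is the default and could be omitted, though keeping it explicit matches the neighbouring variable.

```hcl
variable "edgerouterx_ip" {
  # … unchanged: description, type, sensitive …

  validation {
    condition     = can(cidrhost("${var.edgerouterx_ip}/32", 0))
    error_message = "edgerouterx_ip must be a single IP address with no scheme, port or prefix length."
  }
}
```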