-rw-r--r-- | clarkzjw.cc/infra/cloudflare.tf | 117 | ||||
-rw-r--r-- | clarkzjw.cc/infra/cloudflare_access.tf | 22 | ||||
-rw-r--r-- | clarkzjw.cc/infra/dns.tf | 72 | ||||
-rw-r--r-- | clarkzjw.cc/infra/random.tf | 3 | ||||
-rw-r--r-- | clarkzjw.cc/infra/tunnel.tf | 22 |
5 files changed, 119 insertions, 117 deletions
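--- a/clarkzjw.cc/infra/cloudflare.tf
+++ b/clarkzjw.cc/infra/cloudflare.tf
@@ -7,120 +7,3 @@ data "cloudflare_zones" "homelab_main_domain" {
 name = var.homelab_main_domain
 }
 }
-
-# www
-variable "homelab_www_domain" {
-default = "clarkzjw.cc"
-}
-
-variable "homelab_www_ip" {
-default = "8.8.8.8"
-}
-
-resource "cloudflare_record" "main" {
-zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
-name = var.homelab_www_domain
-value = var.homelab_www_ip
-type = "A"
-
-ttl = 1
-proxied = true
-}
-
-# Argo tunnel
-resource "random_id" "atlas_tunnel_secret" {
-byte_length = 35
-}
-
-resource "cloudflare_argo_tunnel" "atlas_main_tunnel" {
-account_id = var.cloudflare_account_id
-name = "${var.homelab_main_domain}-tunnel"
-secret = random_id.atlas_tunnel_secret.b64_std
-}
-
-resource "cloudflare_record" "bt" {
-zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
-name = "bt.${var.homelab_main_domain}"
-value = "${cloudflare_argo_tunnel.atlas_main_tunnel.id}.cfargotunnel.com"
-type = "CNAME"
-proxied = true
-}
-
-resource "cloudflare_tunnel_config" "atlas_tunnel_route" {
-account_id = var.cloudflare_account_id
-tunnel_id = cloudflare_argo_tunnel.atlas_main_tunnel.id
-
-config {
-ingress_rule {
-hostname = "bt.${var.homelab_main_domain}"
-path = "/"
-service = "http://127.0.0.1:8080"
-}
-ingress_rule {
-service = "http_status:404"
-}
-}
-}
-
-resource "cloudflare_access_application" "bt" {
-zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
-name = "bt.${var.homelab_main_domain}"
-domain = "bt.${var.homelab_main_domain}"
-type = "self_hosted"
-session_duration = "24h"
-auto_redirect_to_identity = false
-}
-
-resource "cloudflare_access_policy" "bt" {
-application_id = cloudflare_access_application.bt.id
-zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
-name = "Allow"
-precedence = "1"
-decision = "allow"
-
-include {
-email = [var.cloudflare_access_application_email]
-}
-}
-
-# notify
-resource "cloudflare_record" "notify_SPF" {
-zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
-# type = "SPF" causes DNS Validation Error (1004)
-# https://github.com/cloudflare/terraform-provider-cloudflare/issues/1473
-type = "TXT"
-name = "notify.${var.homelab_main_domain}"
-value = "v=spf1 include:mailgun.org ~all"
-
-ttl = 1
-}
-
-resource "cloudflare_record" "notify_DKIM" {
-name = "pic._domainkey.notify.${var.homelab_main_domain}"
-type = "TXT"
-zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
-value = var.homelab_notify_DKIM
-}
-
-resource "cloudflare_record" "notify_CNAME" {
-name = "email.notify.${var.homelab_main_domain}"
-type = "CNAME"
-zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
-value = "mailgun.org"
-}
-
-resource "cloudflare_record" "notify_MX_a" {
-name = "notify.${var.homelab_main_domain}"
-type = "MX"
-zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
-value = "mxa.mailgun.org"
-priority = 10
-}
-
-resource "cloudflare_record" "notify_MX_b" {
-name = "notify.${var.homelab_main_domain}"
-type = "MX"
-zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
-value = "mxb.mailgun.org"
-priority = 10
-}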
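--- /dev/null
+++ b/clarkzjw.cc/infra/cloudflare_access.tf
@@ -0,0 +1,22 @@
+# Cloudflare Access Policy
+
+resource "cloudflare_access_application" "bt" {
+zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
+name = "bt.${var.homelab_main_domain}"
+domain = "bt.${var.homelab_main_domain}"
+type = "self_hosted"
+session_duration = "24h"
+auto_redirect_to_identity = false
+}
+
+resource "cloudflare_access_policy" "bt" {
+application_id = cloudflare_access_application.bt.id
+zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
+name = "Allow"
+precedence = "1"
+decision = "allow"
+
+include {
+email = [var.cloudflare_access_application_email]
+}
+}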
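Review bot: `precedence = "1"` on line 16 of cloudflare_access.tf passes a quoted string for a numeric attribute; Terraform converts it, but the quoting hides the type and is inconsistent with the bare `ttl = 1` and `priority = 10` used in dns.tf, so `precedence = 1` reads better. The header comment `# Cloudflare Access Policy` could also state what the file actually enforces, since it appears to be the only identity check in front of the tunnel origin for `bt.<domain>`: `# Access application for bt.<domain>: only the e-mail addresses in var.cloudflare_access_application_email are allowed in; requests that match no policy are not admitted.` These lines are carried over unchanged from the removed cloudflare.tf block, so neither point is introduced by this commit.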
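--- /dev/null
+++ b/clarkzjw.cc/infra/dns.tf
@@ -0,0 +1,72 @@
+# Cloudflare DNS records
+
+# www
+variable "homelab_www_domain" {
+default = "clarkzjw.cc"
+}
+
+variable "homelab_www_ip" {
+default = "8.8.8.8"
+}
+
+resource "cloudflare_record" "main" {
+zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
+name = var.homelab_www_domain
+value = var.homelab_www_ip
+type = "A"
+
+ttl = 1
+proxied = true
+}
+
+# bt
+resource "cloudflare_record" "bt" {
+zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
+name = "bt.${var.homelab_main_domain}"
+value = "${cloudflare_argo_tunnel.atlas_main_tunnel.id}.cfargotunnel.com"
+type = "CNAME"
+proxied = true
+}
+
+# notify
+# DNS config for Mailgun
+resource "cloudflare_record" "notify_SPF" {
+zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
+# type = "SPF" causes DNS Validation Error (1004)
+# https://github.com/cloudflare/terraform-provider-cloudflare/issues/1473
+type = "TXT"
+name = "notify.${var.homelab_main_domain}"
+value = "v=spf1 include:mailgun.org ~all"
+
+ttl = 1
+}
+
+resource "cloudflare_record" "notify_DKIM" {
+name = "pic._domainkey.notify.${var.homelab_main_domain}"
+type = "TXT"
+zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
+value = var.homelab_notify_DKIM
+}
+
+resource "cloudflare_record" "notify_CNAME" {
+name = "email.notify.${var.homelab_main_domain}"
+type = "CNAME"
+zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
+value = "mailgun.org"
+}
+
+resource "cloudflare_record" "notify_MX_a" {
+name = "notify.${var.homelab_main_domain}"
+type = "MX"
+zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
+value = "mxa.mailgun.org"
+priority = 10
+}
+
+resource "cloudflare_record" "notify_MX_b" {
+name = "notify.${var.homelab_main_domain}"
+type = "MX"
+zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
+value = "mxb.mailgun.org"
+priority = 10
+}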
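Review bot: The `homelab_www_ip` variable on line 8 of dns.tf defaults to `"8.8.8.8"`, so an apply run without the real value in a tfvars file publishes the apex A record `cloudflare_record.main` pointing at an address the site does not own; presumably the default is a placeholder to keep the real origin address out of the public repo. Because the record is `proxied = true`, the edge would simply serve from the wrong origin instead of the plan failing, so the mistake would be silent. I would remove the default so Terraform refuses to plan without an explicit value, e.g. `variable "homelab_www_ip" {` / `description = "Origin IPv4 for the apex A record; supplied via tfvars, deliberately no default"` / `}`. The placeholder was already present in the removed cloudflare.tf block, so this is carried over by the split rather than introduced here.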
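--- /dev/null
+++ b/clarkzjw.cc/infra/random.tf
@@ -0,0 +1,3 @@
+resource "random_id" "atlas_tunnel_secret" {
+byte_length = 35
+}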
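--- /dev/null
+++ b/clarkzjw.cc/infra/tunnel.tf
@@ -0,0 +1,22 @@
+# Argo tunnel
+resource "cloudflare_argo_tunnel" "atlas_main_tunnel" {
+account_id = var.cloudflare_account_id
+name = "${var.homelab_main_domain}-tunnel"
+secret = random_id.atlas_tunnel_secret.b64_std
+}
+
+resource "cloudflare_tunnel_config" "atlas_tunnel_route" {
+account_id = var.cloudflare_account_id
+tunnel_id = cloudflare_argo_tunnel.atlas_main_tunnel.id
+
+config {
+ingress_rule {
+hostname = "bt.${var.homelab_main_domain}"
+path = "/"
+service = "http://127.0.0.1:8080"
+}
+ingress_rule {
+service = "http_status:404"
+}
+}
+}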
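Review bot: `secret = random_id.atlas_tunnel_secret.b64_std` on line 5 of tunnel.tf means the tunnel credential is generated by Terraform and therefore sits in plaintext in the state file, both as the `random_id` resource's `b64_std` attribute (random.tf) and as the `cloudflare_argo_tunnel` argument, and the split into random.tf/tunnel.tf does not document this. Whoever can read the state holds the credential for this tunnel, so the backend storing the state has to be protected like the secret itself and the state must never be committed next to these files. I would record that at the top of tunnel.tf: `# NOTE: the tunnel secret below comes from random_id.atlas_tunnel_secret (random.tf) and is stored in plaintext in Terraform state; keep the state backend encrypted and access-restricted and never commit it.` The ingress rules themselves look right: only `bt.<domain>` is forwarded to the loopback origin on port 8080 and everything else falls through to `http_status:404`.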