From 63673af754d77df0a4bd3fda6b38ebb91dca5bdb Mon Sep 17 00:00:00 2001 From: clarkzjw Date: Fri, 13 Jan 2023 22:57:51 -0800 Subject: cloudflare: add proxmox --- clarkzjw.cc/infra/cloudflare_access.tf | 22 ++++++++++++++++++++++ clarkzjw.cc/infra/dns.tf | 9 +++++++++ clarkzjw.cc/infra/terraform.tfvars.example | 7 ++++++- clarkzjw.cc/infra/tunnel.tf | 11 ++++++++--- clarkzjw.cc/infra/variables.tf | 6 ++++++ 5 files changed, 51 insertions(+), 4 deletions(-) diff --git a/clarkzjw.cc/infra/cloudflare_access.tf b/clarkzjw.cc/infra/cloudflare_access.tf index 0708a53..267b1f7 100644 --- a/clarkzjw.cc/infra/cloudflare_access.tf +++ b/clarkzjw.cc/infra/cloudflare_access.tf @@ -43,3 +43,25 @@ resource "cloudflare_access_policy" "edgerouterx" { email = [var.cloudflare_access_application_email] } } + +# proxmox +resource "cloudflare_access_application" "proxmox" { + zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id + name = "proxmox.${var.homelab_main_domain}" + domain = "proxmox.${var.homelab_main_domain}" + type = "self_hosted" + session_duration = "24h" + auto_redirect_to_identity = false +} + +resource "cloudflare_access_policy" "proxmox" { + application_id = cloudflare_access_application.proxmox.id + zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id + name = "Allow" + precedence = "1" + decision = "allow" + + include { + email = [var.cloudflare_access_application_email] + } +} diff --git a/clarkzjw.cc/infra/dns.tf b/clarkzjw.cc/infra/dns.tf index 30d42fa..1240399 100644 --- a/clarkzjw.cc/infra/dns.tf +++ b/clarkzjw.cc/infra/dns.tf @@ -37,6 +37,15 @@ resource "cloudflare_record" "edgerouterx" { proxied = true } +# Proxmox +resource "cloudflare_record" "proxmox" { + name = "proxmox.${var.homelab_main_domain}" + type = "CNAME" + zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id + value = "${cloudflare_argo_tunnel.atlas_main_tunnel.id}.cfargotunnel.com" + proxied = true +} + # notify # DNS config for Mailgun resource "cloudflare_record" "notify_SPF" { diff --git a/clarkzjw.cc/infra/terraform.tfvars.example b/clarkzjw.cc/infra/terraform.tfvars.example index 6fd3085..e7c1085 100644 --- a/clarkzjw.cc/infra/terraform.tfvars.example +++ b/clarkzjw.cc/infra/terraform.tfvars.example @@ -1 +1,6 @@ -homelab_notify_DKIM = "k=rsa; p=xxx" +homelab_notify_DKIM = "k=rsa; p=xxx" +cloudflare_account_id = "" +cloudflare_api_token = "" +cloudflare_access_application_email = "" +edgerouterx_ip = "192.168.1.85" +proxmox_ip = "192.168.1.88" diff --git a/clarkzjw.cc/infra/tunnel.tf b/clarkzjw.cc/infra/tunnel.tf index 81c6ed4..e891f07 100644 --- a/clarkzjw.cc/infra/tunnel.tf +++ b/clarkzjw.cc/infra/tunnel.tf @@ -13,9 +13,9 @@ resource "cloudflare_tunnel_config" "atlas_tunnel_route" { // TODO: https://github.com/cloudflare/terraform-provider-cloudflare/issues/2072 // It seems the `origin_request` here doesn't enable `no_tls_verify` in each ingress_rule // For now, you have to enable `no_tls_verify` in the dashboard - origin_request { - no_tls_verify = true - } + # origin_request { + # no_tls_verify = true + # } ingress_rule { hostname = "bt.${var.homelab_main_domain}" path = "/" @@ -26,6 +26,11 @@ resource "cloudflare_tunnel_config" "atlas_tunnel_route" { path = "/" service = "https://${var.edgerouterx_ip}" } + ingress_rule { + hostname = "proxmox.${var.homelab_main_domain}" + path = "/" + service = "https://${var.proxmox_ip}:8006" + } ingress_rule { service = "http_status:404" } diff --git a/clarkzjw.cc/infra/variables.tf b/clarkzjw.cc/infra/variables.tf index 58e8976..bb5b06d 100644 --- a/clarkzjw.cc/infra/variables.tf +++ b/clarkzjw.cc/infra/variables.tf @@ -31,3 +31,9 @@ variable "edgerouterx_ip" { type = string sensitive = false } + +variable "proxmox_ip" { + description = "IP address for Proxmox" + type = string + sensitive = false +} -- cgit v1.2.3