From 61b547c9444ac0f2ae925b794f8c65f3b1a429ce Mon Sep 17 00:00:00 2001 From: clarkzjw Date: Fri, 13 Jan 2023 22:12:56 -0800 Subject: cloudflare: add edgerouterx --- clarkzjw.cc/infra/cloudflare_access.tf | 23 +++++++++++++++++++++++ clarkzjw.cc/infra/dns.tf | 9 +++++++++ clarkzjw.cc/infra/tunnel.tf | 12 ++++++++++++ clarkzjw.cc/infra/variables.tf | 6 ++++++ 4 files changed, 50 insertions(+) (limited to 'clarkzjw.cc/infra') diff --git a/clarkzjw.cc/infra/cloudflare_access.tf b/clarkzjw.cc/infra/cloudflare_access.tf index 00dfcee..0708a53 100644 --- a/clarkzjw.cc/infra/cloudflare_access.tf +++ b/clarkzjw.cc/infra/cloudflare_access.tf @@ -1,5 +1,6 @@ # Cloudflare Access Policy +# bt resource "cloudflare_access_application" "bt" { zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id name = "bt.${var.homelab_main_domain}" @@ -20,3 +21,25 @@ resource "cloudflare_access_policy" "bt" { email = [var.cloudflare_access_application_email] } } + +# router +resource "cloudflare_access_application" "edgerouterx" { + zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id + name = "edgerouterx.${var.homelab_main_domain}" + domain = "edgerouterx.${var.homelab_main_domain}" + type = "self_hosted" + session_duration = "24h" + auto_redirect_to_identity = false +} + +resource "cloudflare_access_policy" "edgerouterx" { + application_id = cloudflare_access_application.edgerouterx.id + zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id + name = "Allow" + precedence = "1" + decision = "allow" + + include { + email = [var.cloudflare_access_application_email] + } +} diff --git a/clarkzjw.cc/infra/dns.tf b/clarkzjw.cc/infra/dns.tf index d066f67..30d42fa 100644 --- a/clarkzjw.cc/infra/dns.tf +++ b/clarkzjw.cc/infra/dns.tf @@ -28,6 +28,15 @@ resource "cloudflare_record" "bt" { proxied = true } +# EdgeRouterX +resource "cloudflare_record" "edgerouterx" { + name = "edgerouterx.${var.homelab_main_domain}" + type = "CNAME" + zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id + value = "${cloudflare_argo_tunnel.atlas_main_tunnel.id}.cfargotunnel.com" + proxied = true +} + # notify # DNS config for Mailgun resource "cloudflare_record" "notify_SPF" { diff --git a/clarkzjw.cc/infra/tunnel.tf b/clarkzjw.cc/infra/tunnel.tf index 4ec9a7f..ba929c2 100644 --- a/clarkzjw.cc/infra/tunnel.tf +++ b/clarkzjw.cc/infra/tunnel.tf @@ -10,11 +10,23 @@ resource "cloudflare_tunnel_config" "atlas_tunnel_route" { tunnel_id = cloudflare_argo_tunnel.atlas_main_tunnel.id config { + // TODO: https://github.com/cloudflare/terraform-provider-cloudflare/issues/2072 + // It seems the `origin_request` here doesn't enable `no_tls_verify` in each ingress_rule + // For now, you have to enable `no_tls_verify` in the dashboard + origin_request { + no_tls_verify = true + } ingress_rule { hostname = "bt.${var.homelab_main_domain}" path = "/" service = "http://127.0.0.1:8080" } + ingress_rule { + hostname = "edgerouterx.${var.homelab_main_domain}" + path = "/" + service = "https://${var.edgerouterx_ip}" + + } ingress_rule { service = "http_status:404" } diff --git a/clarkzjw.cc/infra/variables.tf b/clarkzjw.cc/infra/variables.tf index 5326464..dcee8e9 100644 --- a/clarkzjw.cc/infra/variables.tf +++ b/clarkzjw.cc/infra/variables.tf @@ -25,3 +25,9 @@ variable "cloudflare_access_application_email" { type = string sensitive = false } + +variable "edgerouterx_ip" { + description = "IP address for EdgeRouterX" + type = string + sensitive = false +} -- cgit v1.2.3