rebmit/nixos-config
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
nixos-config/infra/cloudflare.tf

234 lines
6.3 KiB
HCL
Raw Blame History

provider "cloudflare" {
api_token = local.secrets.cloudflare.api_token
}
locals {
cloudflare_main_account_id = local.secrets.cloudflare.account_id
cloudflare_workers_zone_id = local.secrets.cloudflare.zone_id
}
# ------------------------------------
# authenticated origin pulls - common
resource "tls_private_key" "cloudflare_aop_ca" {
algorithm = "ECDSA"
ecdsa_curve = "P384"
}
resource "tls_self_signed_cert" "cloudflare_aop_ca" {
is_ca_certificate = true
private_key_pem = tls_private_key.cloudflare_aop_ca.private_key_pem
subject {
common_name = "workers.moe"
organization = "rebmit"
}
validity_period_hours = 8760 # 1 year
early_renewal_hours = 4320 # 6 months
allowed_uses = [
"cert_signing",
"crl_signing"
]
}
output "cloudflare_aop_ca_certificate" {
value = tls_self_signed_cert.cloudflare_aop_ca.cert_pem
sensitive = false
}
resource "tls_private_key" "cloudflare_aop_leaf" {
algorithm = "ECDSA"
ecdsa_curve = "P384"
}
resource "tls_cert_request" "cloudflare_aop_leaf" {
private_key_pem = tls_private_key.cloudflare_aop_leaf.private_key_pem
dns_names = ["*.rebmit.workers.moe", "*.rebmit.moe"]
subject {
common_name = "workers.moe"
organization = "rebmit"
}
}
resource "tls_locally_signed_cert" "cloudflare_aop_leaf" {
cert_request_pem = tls_cert_request.cloudflare_aop_leaf.cert_request_pem
ca_private_key_pem = tls_private_key.cloudflare_aop_ca.private_key_pem
ca_cert_pem = tls_self_signed_cert.cloudflare_aop_ca.cert_pem
validity_period_hours = 4320 # 6 months
early_renewal_hours = 2160 # 3 months
allowed_uses = [
"client_auth"
]
}
resource "cloudflare_authenticated_origin_pulls" "default" {
zone_id = local.cloudflare_workers_zone_id
enabled = true
}
resource "cloudflare_authenticated_origin_pulls_certificate" "zone" {
zone_id = local.cloudflare_workers_zone_id
certificate = tls_locally_signed_cert.cloudflare_aop_leaf.cert_pem
private_key = tls_private_key.cloudflare_aop_leaf.private_key_pem
type = "per-zone"
}
resource "cloudflare_authenticated_origin_pulls" "zone" {
zone_id = local.cloudflare_workers_zone_id
authenticated_origin_pulls_certificate = cloudflare_authenticated_origin_pulls_certificate.zone.id
enabled = true
}
# ------------------------------------
# custom hostname ssl - common
resource "cloudflare_record" "fallback_a" {
for_each = toset(module.hosts["suwako-vie1"].endpoints_v4)
name = "fallback"
proxied = true
ttl = 1
type = "A"
content = each.value
zone_id = local.cloudflare_workers_zone_id
}
resource "cloudflare_record" "fallback_aaaa" {
for_each = toset(module.hosts["suwako-vie1"].endpoints_v6)
name = "fallback"
proxied = true
ttl = 1
type = "AAAA"
content = each.value
zone_id = local.cloudflare_workers_zone_id
}
resource "cloudflare_custom_hostname_fallback_origin" "fallback" {
zone_id = local.cloudflare_workers_zone_id
origin = "fallback.workers.moe"
}
# ------------------------------------
# zero trust - common
resource "cloudflare_zero_trust_access_policy" "default" {
account_id = local.cloudflare_main_account_id
name = "Default Policy"
decision = "allow"
include {
email = [
"rebmit@rebmit.moe",
"rebmit233@outlook.com",
]
}
}
resource "cloudflare_zero_trust_access_identity_provider" "pin_login" {
account_id = local.cloudflare_main_account_id
name = "PIN login"
type = "onetimepin"
}
resource "cloudflare_zero_trust_access_identity_provider" "oidc_keycloak" {
account_id = local.cloudflare_main_account_id
name = "Keycloak"
type = "oidc"
config {
client_id = "cloudflare"
client_secret = local.secrets.cloudflare.keycloak_oidc_secret
auth_url = "https://id.rebmit.moe/realms/rebmit/protocol/openid-connect/auth"
token_url = "https://id.rebmit.moe/realms/rebmit/protocol/openid-connect/token"
certs_url = "https://id.rebmit.moe/realms/rebmit/protocol/openid-connect/certs"
scopes = ["openid", "email", "profile"]
}
}
# ------------------------------------
# workers - mirror
resource "cloudflare_record" "mirror_cname" {
name = "mirror.rebmit"
proxied = true
ttl = 1
type = "CNAME"
content = "fallback.workers.moe"
zone_id = local.cloudflare_workers_zone_id
}
module "cloudflare_workers_mirror" {
source = "./modules/cloudflare-workers"
name = "mirror"
hostname = ["mirror.rebmit.workers.moe"]
script = file("${path.module}/resources/cloudflare-workers/mirror.js")
account_id = local.cloudflare_main_account_id
zone_id = local.cloudflare_workers_zone_id
}
# ------------------------------------
# zero trust - prom
resource "cloudflare_record" "prom_a" {
name = "prom.rebmit"
for_each = toset(module.hosts["suwako-vie1"].endpoints_v4)
proxied = true
ttl = 1
type = "A"
content = each.value
zone_id = local.cloudflare_workers_zone_id
}
resource "cloudflare_record" "prom_aaaa" {
name = "prom.rebmit"
for_each = toset(module.hosts["suwako-vie1"].endpoints_v6)
proxied = true
ttl = 1
type = "AAAA"
content = each.value
zone_id = local.cloudflare_workers_zone_id
}
module "cloudflare_zero_trust_prom" {
source = "./modules/cloudflare-zero-trust"
name = "prom"
hostname = ["prom.rebmit.workers.moe", "prom.rebmit.moe"]
policies = [cloudflare_zero_trust_access_policy.default.id]
zone_id = local.cloudflare_workers_zone_id
}
# ------------------------------------
# dns only - push
resource "cloudflare_record" "push_a" {
name = "push.rebmit"
for_each = toset(module.hosts["suwako-vie1"].endpoints_v4)
proxied = false
ttl = 1
type = "A"
content = each.value
zone_id = local.cloudflare_workers_zone_id
}
resource "cloudflare_record" "push_aaaa" {
name = "push.rebmit"
for_each = toset(module.hosts["suwako-vie1"].endpoints_v6)
proxied = false
ttl = 1
type = "AAAA"
content = each.value
zone_id = local.cloudflare_workers_zone_id
}
resource "cloudflare_record" "push_https" {
name = "push.rebmit"
proxied = false
ttl = 1
type = "HTTPS"
zone_id = local.cloudflare_workers_zone_id
data {
priority = 1
target = "."
value = "alpn=\"h3,h2\""
}
}
Reference in a new issue View git blame Copy permalink