diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index 5b9227ad..cc6e5088 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl 
@@ -2,64 +2,64 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/cloudflare/cloudflare" { - version = "4.47.0" - constraints = "~> 4.0" + version = "4.48.0" + constraints = ">= 4.48.0" hashes = [ - "h1:jRNDuRaXbNFMLQZ298HoXodPUqI+4VVl8xgsCKAg5Yg=", - "zh:1df6a36bad08e95518987a15584e535a1dad5fa0ee6e067c0c39d709a285f6b9", - "zh:20dce2a63f24f571f4d52d3217811d71e8d21f149f751d5972ec19200674638a", - "zh:6571aeeb61d4a27b4210a1979028119a1905e162b0c3845e7b549d6e0a08c36d", - "zh:87ec7ebe65c8884e174999c22970e2f28b0da4e0f65bdc92db051eb3dd649f78", + "h1:ePGvSurmlqOCkD761vkhRmz7bsK36/EnIvx2Xy8TdXo=", + "zh:04c0a49c2b23140b2f21cfd0d52f9798d70d3bdae3831613e156aabe519bbc6c", + "zh:185f21b4834ba63e8df1f84aa34639d8a7e126429a4007bb5f9ad82f2602a997", + "zh:234724f52cb4c0c3f7313d3b2697caef26d921d134f26ae14801e7afac522f7b", + "zh:38a56fcd1b3e40706af995611c977816543b53f1e55fe2720944aae2b6828fcb", + "zh:419938f5430fc78eff933470aefbf94a460a478f867cf7761a3dea177b4eb153", + "zh:4b46d92bfde1deab7de7ba1a6bbf4ba7c711e4fd925341ddf09d4cc28dae03d8", + "zh:537acd4a31c752f1bae305ba7190f60b71ad1a459f22d464f3f914336c9e919f", + "zh:5ff36b005aad07697dd0b30d4f0c35dbcdc30dc52b41722552060792fa87ce04", + "zh:635c5ee419daea098060f794d9d7d999275301181e49562c4e4c08f043076937", + "zh:859277c330d61f91abe9e799389467ca11b77131bf34bedbef52f8da68b2bb49", "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f", - "zh:a20d1c0865a9443ada90ab7c83bd8605024452cf1e9f3b2ed2efcf06221b7835", - "zh:a5a5a91f658029ae3bb0414643ca09bd6a98a1980e197a9eb2ea4ba96a190d88", - "zh:b12623a85840821c465b87b1d65542f8f4a77079afef0ad2cc102a9f6eb4045c", - "zh:b83ac4f0b81aee32b3670f5870245172741bb86b153623da687d3c45ec9c1af9", - "zh:bb1ad4fcb949b12e5b40a21e65963ff64e20e72ab4c87a3ec91306b440a2cf35", - "zh:cb5a8bc24444a9d8f536b5acb7f6346f12c03e23539b183cb370f4876992360f", - "zh:ce6cc02ac4fc8cdf48a64254fdb0ea859b5b48e7fc08c7f1fcb8e9364ed32434", - 
"zh:e44643c86d38799991f5eb2378c00ca4738ec0f21dd64536dadffd71a337d778", - "zh:e5024d6792fcaa974b5f294399eea9b9c7d3d5d228423e71941994858a20c58f", - "zh:f9b18d0443487e30e0f3b83e311f17c85d184dc9f55b3f9b31332e815c41745a", + "zh:927dfdb8d9aef37ead03fceaa29e87ba076a3dd24e19b6cefdbb0efe9987ff8c", + "zh:bbf2226f07f6b1e721877328e69ded4b64f9c196634d2e2429e3cfabbe41e532", + "zh:daeed873d6f38604232b46ee4a5830c85d195b967f8dbcafe2fcffa98daf9c5f", + "zh:f8f2fc4646c1ba44085612fa7f4dbb7cbcead43b4e661f2b98ddfb4f68afc758", ] } provider "registry.terraform.io/hashicorp/helm" { - version = "2.16.1" + version = "2.17.0" hashes = [ - "h1:TerRBdq69SxIWg3ET2VE0bcP0BYRIWZOp1QxXj/14Fk=", - "zh:0003f6719a32aee9afaeeb001687fc0cfc8c2d5f54861298cf1dc5711f3b4e65", - "zh:16cd5bfee09e7bb081b8b4470f31a9af508e52220fd97fd81c6dda725d9422fe", - "zh:51817de8fdc2c2e36785f23fbf4ec022111bd1cf7679498c16ad0ad7471c16db", - "zh:51b95829b2873be40a65809294bffe349e40cfccc3ff6fee0f471d01770e0ebd", - "zh:56b158dde897c47e1460181fc472c3e920aa23db40579fdc2aad333c1456d2dd", - "zh:916641d26c386959eb982e680028aa677b787687ef7c1283241e45620bc8df50", - "zh:aec15ca8605babba77b283f2ca35daca53e006d567e1c3a3daf50497035b820b", - "zh:c2cecf710b87c8f3a4d186da2ea12cf08041f97ae0c6db82649720d6ed929d65", - "zh:dbdd96f17aea25c7db2d516ab8172a5e683c6686c72a1a44173d2fe96319be39", - "zh:de11e180368434a796b1ab6f20fde7554dc74f7800e063b8e4c8ec3a86d0be63", + "h1:K5FEjxvDnxb1JF1kG1xr8J3pNGxoaR3Z0IBG9Csm/Is=", + "zh:06fb4e9932f0afc1904d2279e6e99353c2ddac0d765305ce90519af410706bd4", + "zh:104eccfc781fc868da3c7fec4385ad14ed183eb985c96331a1a937ac79c2d1a7", + "zh:129345c82359837bb3f0070ce4891ec232697052f7d5ccf61d43d818912cf5f3", + "zh:3956187ec239f4045975b35e8c30741f701aa494c386aaa04ebabffe7749f81c", + "zh:66a9686d92a6b3ec43de3ca3fde60ef3d89fb76259ed3313ca4eb9bb8c13b7dd", + "zh:88644260090aa621e7e8083585c468c8dd5e09a3c01a432fb05da5c4623af940", + "zh:a248f650d174a883b32c5b94f9e725f4057e623b00f171936dcdcc840fad0b3e", + 
"zh:aa498c1f1ab93be5c8fbf6d48af51dc6ef0f10b2ea88d67bcb9f02d1d80d3930", + "zh:bf01e0f2ec2468c53596e027d376532a2d30feb72b0b5b810334d043109ae32f", + "zh:c46fa84cc8388e5ca87eb575a534ebcf68819c5a5724142998b487cb11246654", + "zh:d0c0f15ffc115c0965cbfe5c81f18c2e114113e7a1e6829f6bfd879ce5744fbb", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:f827a9c1540d210c56053a2d5d5a6abda924896ffa8eeedc94054cf6d44c5f60", ] } provider "registry.terraform.io/hashicorp/kubernetes" { - version = "2.34.0" + version = "2.35.1" constraints = ">= 2.7.1" hashes = [ - "h1:QOiO85qZnkUm7kAtuPkfblchuKPWUqRdNVWE5agpr8k=", - "zh:076b451dc8629c49f4260de6d43595e98ac5f1bdbebb01d112659ef94d99451f", - "zh:0c29855dbd3c6ba82fce680fa5ac969d4e09e20fecb4ed40166b778bd19895a4", - "zh:583b4dfcea4d8392dd7904c00b2ff41bbae78d238e8b72e5ad580370a24a4ecb", - "zh:5e20844d8d1af052381d00de4febd4055ad0f3c3c02795c361265b9ef72a1075", - "zh:766b7ab7c4727c62b5887c3922e0467c4cc355ba0dc3aabe465ebb86bc1caabb", - "zh:776a5000b441d7c8262d17d4a4aa4aa9760ae64de4cb7172961d9e007e0be1e5", - "zh:7838f509235116e55adeeecbe6def3da1b66dd3c4ce0de02fc7dc66a60e1d630", - "zh:931e5581ec66c145c1d29198bd23fddc8d0c5cbf4cda22e02dba65644c7842f2", - "zh:95e728efa2a31a63b879fd093507466e509e3bfc9325eb35ea3dc28fed15c6f7", - "zh:972b9e3ca2b6a1057dcf5003fc78cabb0dd8847580bddeb52d885ebd64df38ea", - "zh:ef6114217965d55f5bddbd7a316b8f85f15b8a77c075fcbed95813039d522e0a", + "h1:Av0Wk8g2XjY2oap7nyWNHEgfCRfphdJvrkqJjEM2ZKM=", + "zh:12212ca5ae47823ce14bfafb909eeb6861faf1e2435fb2fc4a8b334b3544b5f5", + "zh:3f49b3d77182df06b225ab266667de69681c2e75d296867eb2cf06a8f8db768c", + "zh:40832494d19f8a2b3cd0c18b80294d0b23ef6b82f6f6897b5fe00248a9997460", + "zh:739a5ddea61a77925ee7006a29c8717377a2e9d0a79a0bbd98738d92eec12c0d", + "zh:a02b472021753627c5c39447a56d125a32214c29ff9108fc499f2dcdf4f1cc4f", + "zh:b78865b3867065aa266d6758c9601a2756741478f5735a838c20d633d65e085b", + "zh:d362e87464683f5632790e66920ea803adb54c2bc0cb24b6fd9a314d2b1efffd", + 
"zh:d98206fe88c2c9a52b8d2d0cb2c877c812a4a51d19f9d8428e63cbd5fd8a304d", + "zh:dfa320946b1ce3f3615c42b3447a28dc9f604c06d8b9a6fe289855ab2ade4d11", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fc1debd2e695b5222d2ccc8b24dab65baba4ee2418ecce944e64d42e79474cb5", + "zh:fdaf960443720a238c09e519aeb30faf74f027ac5d1e0a309c3b326888e031d7", ] } diff --git a/main.tf b/main.tf index b35983a9..3c307eb5 100644 --- a/main.tf +++ b/main.tf @@ -86,6 +86,15 @@ variable "ansible_prefix" { variable "linkwarden_postgresql_password" {} variable "linkwarden_authentik_client_id" {} variable "linkwarden_authentik_client_secret" {} +variable "cloudflare_api_key" {} +variable "cloudflare_email" {} +variable "cloudflare_account_id" {} +variable "cloudflare_zone_id" {} +variable "cloudflare_tunnel_id" {} +variable "public_ip" {} +variable "cloudflare_proxied_names" {} +variable "cloudflare_non_proxied_names" {} +variable "cloudflare_tunnel_token" {} # data "terraform_remote_state" "foo" { # backend = "kubernetes" @@ -379,6 +388,17 @@ module "kubernetes_cluster" { linkwarden_postgresql_password = var.linkwarden_postgresql_password linkwarden_authentik_client_id = var.linkwarden_authentik_client_id linkwarden_authentik_client_secret = var.linkwarden_authentik_client_secret + + # Cloudflare credentials + cloudflare_api_key = var.cloudflare_api_key + cloudflare_email = var.cloudflare_email + cloudflare_account_id = var.cloudflare_account_id + cloudflare_zone_id = var.cloudflare_zone_id + cloudflare_tunnel_id = var.cloudflare_tunnel_id + public_ip = var.public_ip + cloudflare_proxied_names = var.cloudflare_proxied_names + cloudflare_non_proxied_names = var.cloudflare_non_proxied_names + cloudflare_tunnel_token = var.cloudflare_tunnel_token } diff --git a/modules/kubernetes/cloudflared/cloudflare.tf b/modules/kubernetes/cloudflared/cloudflare.tf new file mode 100644 index 00000000..974faeca --- /dev/null +++ b/modules/kubernetes/cloudflared/cloudflare.tf 
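Review bot: In the first main.tf hunk, `variable "cloudflare_api_key" {}` and `variable "cloudflare_tunnel_token" {}` are declared with empty bodies, so neither is marked `sensitive = true` and neither has a type; both values end up in resource attributes elsewhere in this change (the token is interpolated into a container `env` value), so Terraform will print them in full in plan and apply output. Give each a body with `type = string` and `sensitive = true`, which makes Terraform redact them wherever they flow; the adjacent `linkwarden_*` variables follow the same bare-`{}` convention, but the new lines are the ones under review. `sensitive` only affects CLI output — the values are still stored in plaintext in the state file, so whichever backend this root uses (the commented-out block hints at `backend = "kubernetes"`) needs access controls appropriate for an account-wide Cloudflare credential. `cloudflare_proxied_names` and `cloudflare_non_proxied_names` would also benefit from `type = list(string)` here so a wrong shape fails at the root rather than inside the module.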
@@ -0,0 +1,82 @@ +# Contents for cloudflare account +variable "cloudflare_api_key" {} +variable "cloudflare_email" {} +variable "cloudflare_proxied_names" {} +variable "cloudflare_non_proxied_names" { + type = list(string) +} +variable "cloudflare_zone_id" { + description = "Zone ID for your domain" + type = string +} +variable "cloudflare_account_id" { + type = string + sensitive = true +} +variable "cloudflare_tunnel_id" { + type = string + sensitive = true +} +variable "public_ip" { + type = string +} + + +terraform { + required_providers { + cloudflare = { + source = "cloudflare/cloudflare" + version = ">= 4.48.0" + } + } +} +provider "cloudflare" { + api_key = var.cloudflare_api_key # I gave up on getting the permissions on the token... + email = var.cloudflare_email +} + +resource "cloudflare_zero_trust_tunnel_cloudflared_config" "sof" { + account_id = var.cloudflare_account_id + tunnel_id = var.cloudflare_tunnel_id + + config { + warp_routing { + enabled = true + } + dynamic "ingress_rule" { + for_each = toset(var.cloudflare_proxied_names) + content { + hostname = ingress_rule.value == "viktorbarzin.me" ? ingress_rule.value : "${ingress_rule.value}.viktorbarzin.me" + path = "/" + service = "https://10.0.20.202:443" + origin_request { + no_tls_verify = true + } + } + } + ingress_rule { + service = "http_status:404" + } + } +} + +resource "cloudflare_record" "dns_record" { + count = length(var.cloudflare_proxied_names) + content = "${var.cloudflare_tunnel_id}.cfargotunnel.com" + name = var.cloudflare_proxied_names[count.index] + proxied = true + ttl = 1 + type = "CNAME" + zone_id = var.cloudflare_zone_id +} + +resource "cloudflare_record" "non_proxied_dns_record" { + count = length(var.cloudflare_non_proxied_names) + # content = var.non_proxied_names[count.index].ip + content = var.public_ip + name = var.cloudflare_non_proxied_names[count.index] + proxied = false + ttl = 1 + type = "A" + zone_id = var.cloudflare_zone_id +} 
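Review bot: The `provider "cloudflare"` block authenticates with `api_key = var.cloudflare_api_key` plus `email`, i.e. the account's Global API Key, which carries full permissions on every zone and account feature; the inline comment says the scoped token was abandoned over permissions, but the resources in this file only need roughly DNS edit on `var.cloudflare_zone_id` and Cloudflare Tunnel edit on the account, so a token with just those scopes passed as `api_token = var.cloudflare_api_token` (dropping `email`) removes most of the blast radius if the value ever leaks from state or CI. Whatever credential is used, `variable "cloudflare_api_key" {}` should carry `type = string` and `sensitive = true` the way `cloudflare_account_id` and `cloudflare_tunnel_id` already do — it is the one value in this file that is actually secret. `version = ">= 4.48.0"` in `required_providers` has no upper bound, so a later `terraform init -upgrade` can pull a new major release with renamed or removed resource types; `version = "~> 4.48"` keeps it within 4.x while still allowing patch and minor updates. `no_tls_verify = true` on the `https://10.0.20.202:443` origin disables certificate verification on the cloudflared-to-origin hop; if that is intentional because the origin presumably presents an internal certificate, record it (`# origin cert is internal/self-signed; LAN-only hop, so verification is skipped`) or set `origin_server_name` to the certificate's name so verification can stay on. Defining a `provider` block inside a child module also ties the module's lifecycle to that configuration (Terraform cannot remove the module while it owns a provider config); declaring the provider in the root and passing it via `providers = { cloudflare = cloudflare }` is the supported pattern.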
diff --git a/modules/kubernetes/cloudflared/main.tf b/modules/kubernetes/cloudflared/main.tf index 68efc1d6..0b14f48d 100644 --- a/modules/kubernetes/cloudflared/main.tf +++ b/modules/kubernetes/cloudflared/main.tf @@ -1,4 +1,7 @@ +# Contents for cloudflare tunnel + variable "tls_secret_name" {} +variable "cloudflare_tunnel_token" {} resource "kubernetes_namespace" "cloudflared" { metadata { name = "cloudflared" @@ -40,8 +43,14 @@ resource "kubernetes_deployment" "cloudflared" { } spec { container { - image = "wisdomsky/cloudflared-web:latest" - name = "cloudflared" + # image = "wisdomsky/cloudflared-web:latest" + image = "cloudflare/cloudflared" + name = "cloudflared" + command = ["cloudflared", "tunnel", "run"] + env { + name = "TUNNEL_TOKEN" + value = var.cloudflare_tunnel_token + } port { container_port = 14333 @@ -108,4 +117,3 @@ resource "kubernetes_ingress_v1" "cloudflared" { } } } - diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf index 297b21c5..1ddac145 100644 --- a/modules/kubernetes/main.tf +++ b/modules/kubernetes/main.tf @@ -66,6 +66,15 @@ variable "authentik_postgres_password" {} variable "linkwarden_postgresql_password" {} variable "linkwarden_authentik_client_id" {} variable "linkwarden_authentik_client_secret" {} +variable "cloudflare_tunnel_token" {} +variable "cloudflare_api_key" {} +variable "cloudflare_email" {} +variable "cloudflare_account_id" {} +variable "cloudflare_zone_id" {} +variable "cloudflare_tunnel_id" {} +variable "public_ip" {} +variable "cloudflare_proxied_names" {} +variable "cloudflare_non_proxied_names" {} resource "null_resource" "core_services" { # List all the core modules that must be provisioned first 
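Review bot: In the `@@ -40,8 +43,14 @@` hunk, `env { name = "TUNNEL_TOKEN" value = var.cloudflare_tunnel_token }` writes the tunnel token directly into the Deployment spec, where anyone able to read Deployments or Pods in the `cloudflared` namespace can recover it; the usual pattern is a `kubernetes_secret` referenced through `value_from { secret_key_ref { … } }`, sketched below using the `kubernetes_namespace.cloudflared` resource visible in the first hunk. The new `image = "cloudflare/cloudflared"` has no tag or digest, so each rollout pulls whatever `latest` is at the time — pin a release tag, or better an `@sha256:` digest, so the binary that holds the tunnel credential is a known build. `variable "cloudflare_tunnel_token" {}` in the first hunk also needs `sensitive = true`, since the value is now interpolated into a resource attribute and will otherwise appear in plan output. The retained `port { container_port = 14333 }` and the `kubernetes_ingress_v1 "cloudflared"` resource look like leftovers of the removed web-UI image: the container now runs only `cloudflared tunnel run` and nothing visible here listens on 14333, so they are probably dead and worth confirming. The `kubernetes_deployment` resource starts and ends outside this hunk.

```hcl
resource "kubernetes_secret" "cloudflared_token" {
  metadata {
    name      = "cloudflared-token"
    namespace = kubernetes_namespace.cloudflared.metadata[0].name
  }
  data = {
    TUNNEL_TOKEN = var.cloudflare_tunnel_token
  }
}

# … unchanged: kubernetes_deployment metadata and spec up to the container block …
      container {
        # … unchanged: image, name, command …
        env {
          name = "TUNNEL_TOKEN"
          value_from {
            secret_key_ref {
              name = kubernetes_secret.cloudflared_token.metadata[0].name
              key  = "TUNNEL_TOKEN"
            }
          }
        }
        # … unchanged: port block and the rest of the container …
```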
@@ -425,6 +434,16 @@ module "frigate" { module "cloudflared" { source = "./cloudflared" tls_secret_name = var.tls_secret_name + + cloudflare_api_key = var.cloudflare_api_key + cloudflare_email = var.cloudflare_email + cloudflare_account_id = var.cloudflare_account_id + cloudflare_zone_id = var.cloudflare_zone_id + cloudflare_tunnel_id = var.cloudflare_tunnel_id + public_ip = var.public_ip + cloudflare_proxied_names = var.cloudflare_proxied_names + cloudflare_non_proxied_names = var.cloudflare_non_proxied_names + cloudflare_tunnel_token = var.cloudflare_tunnel_token } # module "istio" {