add acls to tailnet and limit who can access what[ci skip]

main.tf

@@ -57,6 +57,7 @@ variable "finance_app_graphql_api_secret" {}
 variable "finance_app_gocardless_secret_key" {}
 variable "finance_app_gocardless_secret_id" {}
 variable "headscale_config" {}
+variable "headscale_acl" {}
 variable "immich_postgresql_password" {}
 variable "ingress_honeypotapikey" {}
 variable "ingress_crowdsec_api_key" {}
@@ -328,6 +329,7 @@ module "kubernetes_cluster" {
   finance_app_gocardless_secret_id       = var.finance_app_gocardless_secret_id
 
   headscale_config = var.headscale_config
+  headscale_acl    = var.headscale_acl
 
   immich_postgresql_password = var.immich_postgresql_password
 

modules/kubernetes/cloudflared/main.tf

@@ -0,0 +1,111 @@
+variable "tls_secret_name" {}
+resource "kubernetes_namespace" "cloudflared" {
+  metadata {
+    name = "cloudflared"
+  }
+}
+
+module "tls_secret" {
+  source          = "../setup_tls_secret"
+  namespace       = "cloudflared"
+  tls_secret_name = var.tls_secret_name
+}
+
+resource "kubernetes_deployment" "cloudflared" {
+  metadata {
+    name      = "cloudflared"
+    namespace = "cloudflared"
+    labels = {
+      app = "cloudflared"
+    }
+    annotations = {
+      "reloader.stakater.com/search" = "true"
+    }
+  }
+  spec {
+    replicas = 1
+    strategy {
+      type = "RollingUpdate"
+    }
+    selector {
+      match_labels = {
+        app = "cloudflared"
+      }
+    }
+    template {
+      metadata {
+        labels = {
+          app = "cloudflared"
+        }
+      }
+      spec {
+        container {
+          image = "wisdomsky/cloudflared-web:latest"
+          name  = "cloudflared"
+
+          port {
+            container_port = 14333
+          }
+        }
+      }
+    }
+  }
+}
+
+resource "kubernetes_service" "cloudflared" {
+  metadata {
+    name      = "cloudflared"
+    namespace = "cloudflared"
+    labels = {
+      "app" = "cloudflared"
+    }
+  }
+
+  spec {
+    selector = {
+      app = "cloudflared"
+    }
+    port {
+      name        = "http"
+      target_port = 14333
+      port        = 80
+      protocol    = "TCP"
+    }
+  }
+}
+
+resource "kubernetes_ingress_v1" "cloudflared" {
+  metadata {
+    name      = "cloudflared"
+    namespace = "cloudflared"
+    annotations = {
+      "kubernetes.io/ingress.class" = "nginx"
+      "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
+      "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
+    }
+  }
+
+  spec {
+    tls {
+      hosts       = ["cloudflared.viktorbarzin.me"]
+      secret_name = var.tls_secret_name
+    }
+    rule {
+      host = "cloudflared.viktorbarzin.me"
+      http {
+        path {
+          path = "/"
+          backend {
+            service {
+              name = "cloudflared"
+              port {
+                number = 80
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
+

modules/kubernetes/main.tf

@@ -44,6 +44,7 @@ variable "finance_app_graphql_api_secret" {}
 variable "finance_app_gocardless_secret_key" {}
 variable "finance_app_gocardless_secret_id" {}
 variable "headscale_config" {}
+variable "headscale_acl" {}
 variable "immich_postgresql_password" {}
 variable "ingress_honeypotapikey" {}
 variable "ingress_crowdsec_api_key" {}
@@ -303,6 +304,7 @@ module "headscale" {
   source           = "./headscale"
   tls_secret_name  = var.tls_secret_name
   headscale_config = var.headscale_config
+  headscale_acl = var.headscale_acl
 }
 
 # module "metrics_api" {
@@ -407,3 +409,8 @@ module "frigate" {
 #   source          = "./vikunja"
 #   tls_secret_name = var.tls_secret_name
 # }
+
+module "cloudflared" {
+  source          = "./cloudflared"
+  tls_secret_name = var.tls_secret_name
+}