diff --git a/main.tf b/main.tf
index 0c064703..ed029eb6 100644
--- a/main.tf
+++ b/main.tf
@@ -57,6 +57,7 @@ variable "finance_app_graphql_api_secret" {}
 variable "finance_app_gocardless_secret_key" {}
 variable "finance_app_gocardless_secret_id" {}
 variable "headscale_config" {}
+variable "headscale_acl" {}
 variable "immich_postgresql_password" {}
 variable "ingress_honeypotapikey" {}
 variable "ingress_crowdsec_api_key" {}
@@ -328,6 +329,7 @@ module "kubernetes_cluster" {
 finance_app_gocardless_secret_id = var.finance_app_gocardless_secret_id
 headscale_config = var.headscale_config
+ headscale_acl = var.headscale_acl
 immich_postgresql_password = var.immich_postgresql_password
diff --git a/modules/kubernetes/cloudflared/main.tf b/modules/kubernetes/cloudflared/main.tf
new file mode 100644
index 00000000..68efc1d6
--- /dev/null
+++ b/modules/kubernetes/cloudflared/main.tf
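Review bot: `variable "headscale_acl" {}` declares the new input with no `type`, `description` or `validation`, so nothing tells a reader what the value is expected to be (presumably the headscale ACL policy document) or guards against passing an empty or wrong-typed value into the policy that decides which tailnet nodes may reach each other. It matches the surrounding untyped declarations, but for a policy input it would be worth `variable "headscale_acl" { type = string  description = "<what this holds and its format>" }` with the placeholder filled in. The identical declaration is added again in modules/kubernetes/main.tf (hunk @@ -44) and the same applies there.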
@@ -0,0 +1,111 @@
+variable "tls_secret_name" {}
+resource "kubernetes_namespace" "cloudflared" {
+ metadata {
+ name = "cloudflared"
+ }
+}
+
+module "tls_secret" {
+ source = "../setup_tls_secret"
+ namespace = "cloudflared"
+ tls_secret_name = var.tls_secret_name
+}
+
+resource "kubernetes_deployment" "cloudflared" {
+ metadata {
+ name = "cloudflared"
+ namespace = "cloudflared"
+ labels = {
+ app = "cloudflared"
+ }
+ annotations = {
+ "reloader.stakater.com/search" = "true"
+ }
+ }
+ spec {
+ replicas = 1
+ strategy {
+ type = "RollingUpdate"
+ }
+ selector {
+ match_labels = {
+ app = "cloudflared"
+ }
+ }
+ template {
+ metadata {
+ labels = {
+ app = "cloudflared"
+ }
+ }
+ spec {
+ container {
+ image = "wisdomsky/cloudflared-web:latest"
+ name = "cloudflared"
+
+ port {
+ container_port = 14333
+ }
+ }
+ }
+ }
+ }
+}
+
+resource "kubernetes_service" "cloudflared" {
+ metadata {
+ name = "cloudflared"
+ namespace = "cloudflared"
+ labels = {
+ "app" = "cloudflared"
+ }
+ }
+
+ spec {
+ selector = {
+ app = "cloudflared"
+ }
+ port {
+ name = "http"
+ target_port = 14333
+ port = 80
+ protocol = "TCP"
+ }
+ }
+}
+
+resource "kubernetes_ingress_v1" "cloudflared" {
+ metadata {
+ name = "cloudflared"
+ namespace = "cloudflared"
+ annotations = {
+ "kubernetes.io/ingress.class" = "nginx"
+ "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
+ "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
+ }
+ }
+
+ spec {
+ tls {
+ hosts = ["cloudflared.viktorbarzin.me"]
+ secret_name = var.tls_secret_name
+ }
+ rule {
+ host = "cloudflared.viktorbarzin.me"
+ http {
+ path {
+ path = "/"
+ backend {
+ service {
+ name = "cloudflared"
+ port {
+ number = 80
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
index 39c1b594..4071e1ce 100644
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
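Review bot: The deployment pulls `wisdomsky/cloudflared-web:latest`, an unpinned third-party image for a component that will presumably hold the Cloudflare tunnel credential, so every pod restart may silently run different code; pin it to a specific tag and digest, e.g. `image = "wisdomsky/cloudflared-web:<PINNED_TAG>@sha256:<IMAGE_DIGEST>"` (placeholders). The deployment, service, ingress and `module "tls_secret"` also hard-code `namespace = "cloudflared"` instead of `namespace = kubernetes_namespace.cloudflared.metadata[0].name`, so Terraform sees no dependency on the namespace resource and a fresh apply can attempt to create them before it exists. The ingress selects its controller through the `kubernetes.io/ingress.class` annotation, which is deprecated in favour of `ingress_class_name = "nginx"` inside `spec`, and the two annotation entries written with `:` should use `=` like the rest of the file. The container carries no `security_context` or `resources` block, and if the web UI keeps its tunnel token on the container filesystem there is no volume to preserve it across restarts — worth confirming against the image's documentation.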
@@ -44,6 +44,7 @@ variable "finance_app_graphql_api_secret" {}
 variable "finance_app_gocardless_secret_key" {}
 variable "finance_app_gocardless_secret_id" {}
 variable "headscale_config" {}
+variable "headscale_acl" {}
 variable "immich_postgresql_password" {}
 variable "ingress_honeypotapikey" {}
 variable "ingress_crowdsec_api_key" {}
@@ -303,6 +304,7 @@ module "headscale" {
 source = "./headscale"
 tls_secret_name = var.tls_secret_name
 headscale_config = var.headscale_config
+ headscale_acl = var.headscale_acl
 }
 # module "metrics_api" {
@@ -407,3 +409,8 @@ module "frigate" {
 # source = "./vikunja"
 # tls_secret_name = var.tls_secret_name
 # }
+
+module "cloudflared" {
+ source = "./cloudflared"
+ tls_secret_name = var.tls_secret_name
+}