c49e4561a3
Migrate all 11 LoadBalancer services to share 10.0.20.200: - Update annotations: metallb.universe.tf → metallb.io - Pin all services to 10.0.20.200 with allow-shared-ip: shared - Standardize externalTrafficPolicy to Cluster (required for IP sharing) - Remove redundant port 80 (roundcube) from mailserver LB - Update CoreDNS forward: 10.0.20.204 → 10.0.20.200 - Update cloudflared tunnel target: 10.0.20.202 → 10.0.20.200 Services consolidated: coturn, headscale, kms, qbittorrent, shadowsocks, torrserver, wireguard, mailserver, traefik, xray, technitium
173 lines
4.5 KiB
HCL
173 lines
4.5 KiB
HCL
# Contents for cloudflare account
|
|
variable "cloudflare_api_key" {}
|
|
variable "cloudflare_email" {}
|
|
variable "cloudflare_proxied_names" { type = list(string) }
|
|
variable "cloudflare_non_proxied_names" { type = list(string) }
|
|
variable "cloudflare_zone_id" {
|
|
description = "Zone ID for your domain"
|
|
type = string
|
|
}
|
|
variable "cloudflare_account_id" {
|
|
type = string
|
|
sensitive = true
|
|
}
|
|
variable "cloudflare_tunnel_id" {
|
|
type = string
|
|
sensitive = true
|
|
}
|
|
variable "public_ip" {
|
|
type = string
|
|
}
|
|
variable "public_ipv6" {
|
|
type = string
|
|
description = "Public IPv6 address for AAAA records (from HE tunnel broker)"
|
|
}
|
|
|
|
|
|
terraform {
|
|
required_providers {
|
|
cloudflare = {
|
|
source = "cloudflare/cloudflare"
|
|
version = "~> 4"
|
|
|
|
}
|
|
}
|
|
}
|
|
provider "cloudflare" {
|
|
api_key = var.cloudflare_api_key # I gave up on getting the permissions on the token...
|
|
email = var.cloudflare_email
|
|
}
|
|
|
|
|
|
locals {
|
|
cloudflare_proxied_names_map = {
|
|
for h in var.cloudflare_proxied_names :
|
|
h => h
|
|
}
|
|
cloudflare_non_proxied_names_map = {
|
|
for h in var.cloudflare_non_proxied_names :
|
|
h => h
|
|
}
|
|
}
|
|
|
|
resource "cloudflare_zero_trust_tunnel_cloudflared_config" "sof" {
|
|
account_id = var.cloudflare_account_id
|
|
tunnel_id = var.cloudflare_tunnel_id
|
|
|
|
config {
|
|
warp_routing {
|
|
enabled = true
|
|
}
|
|
dynamic "ingress_rule" {
|
|
for_each = toset(var.cloudflare_proxied_names)
|
|
content {
|
|
hostname = ingress_rule.value == "viktorbarzin.me" ? ingress_rule.value : "${ingress_rule.value}.viktorbarzin.me"
|
|
path = "/"
|
|
service = "https://10.0.20.200:443"
|
|
origin_request {
|
|
no_tls_verify = true
|
|
}
|
|
}
|
|
}
|
|
ingress_rule {
|
|
service = "http_status:404"
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "cloudflare_record" "dns_record" {
|
|
# count = length(var.cloudflare_proxied_names)
|
|
# name = var.cloudflare_proxied_names[count.index]
|
|
for_each = local.cloudflare_proxied_names_map
|
|
name = each.key
|
|
|
|
content = "${var.cloudflare_tunnel_id}.cfargotunnel.com"
|
|
proxied = true
|
|
ttl = 1
|
|
type = "CNAME"
|
|
zone_id = var.cloudflare_zone_id
|
|
}
|
|
|
|
resource "cloudflare_record" "non_proxied_dns_record" {
|
|
# count = length(var.cloudflare_non_proxied_names)
|
|
# name = var.cloudflare_non_proxied_names[count.index]
|
|
for_each = local.cloudflare_non_proxied_names_map
|
|
name = each.key
|
|
|
|
# content = var.non_proxied_names[count.index].ip
|
|
content = var.public_ip
|
|
proxied = false
|
|
ttl = 1
|
|
type = "A"
|
|
zone_id = var.cloudflare_zone_id
|
|
}
|
|
|
|
|
|
resource "cloudflare_record" "non_proxied_dns_record_ipv6" {
|
|
for_each = local.cloudflare_non_proxied_names_map
|
|
name = each.key
|
|
content = var.public_ipv6
|
|
proxied = false
|
|
ttl = 1
|
|
type = "AAAA"
|
|
zone_id = var.cloudflare_zone_id
|
|
}
|
|
|
|
resource "cloudflare_record" "mail" {
|
|
content = "mail.viktorbarzin.me"
|
|
name = "viktorbarzin.me"
|
|
proxied = false
|
|
ttl = 1
|
|
type = "MX"
|
|
priority = 1
|
|
zone_id = var.cloudflare_zone_id
|
|
}
|
|
|
|
resource "cloudflare_record" "mail_domainkey" {
|
|
content = "\"k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIDLB8mhAHNqs1s6GeZMQHOxWweoNKIrqo5tqRM3yFilgfPUX34aTIXNZg9xAmlK+2S/xXO1ymt127ZGMjnoFKOEP8/uZ54iHTCnioHaPZWMfJ7o6TYIXjr+9ShKfoJxZLv7lHJ2wKQK3yOw4lg4cvja5nxQ6fNoGRwo+mQ/mgJQIDAQAB\""
|
|
name = "s1._domainkey.viktorbarzin.me"
|
|
proxied = false
|
|
ttl = 1
|
|
type = "TXT"
|
|
priority = 1
|
|
zone_id = var.cloudflare_zone_id
|
|
}
|
|
|
|
resource "cloudflare_record" "mail_spf" {
|
|
content = "\"v=spf1 include:mailgun.org ~all\""
|
|
name = "viktorbarzin.me"
|
|
proxied = false
|
|
ttl = 1
|
|
type = "TXT"
|
|
priority = 1
|
|
zone_id = var.cloudflare_zone_id
|
|
}
|
|
|
|
resource "cloudflare_record" "mail_dmarc" {
|
|
content = "\"v=DMARC1; p=quarantine; pct=100; fo=1; ri=3600; sp=quarantine; adkim=r; aspf=r; rua=mailto:e21c0ff8@dmarc.mailgun.org,mailto:adb84997@inbox.ondmarc.com; ruf=mailto:e21c0ff8@dmarc.mailgun.org,mailto:adb84997@inbox.ondmarc.com,mailto:postmaster@viktorbarzin.me;\""
|
|
name = "_dmarc.viktorbarzin.me"
|
|
proxied = false
|
|
ttl = 1
|
|
type = "TXT"
|
|
priority = 1
|
|
zone_id = var.cloudflare_zone_id
|
|
}
|
|
|
|
resource "cloudflare_record" "keyserver" {
|
|
content = "130.162.165.220" # Oracle VPS
|
|
name = "keyserver.viktorbarzin.me"
|
|
proxied = false
|
|
ttl = 3600
|
|
type = "A"
|
|
priority = 1
|
|
zone_id = var.cloudflare_zone_id
|
|
}
|
|
|
|
# Enable HTTP/3 (QUIC) for Cloudflare-proxied domains
|
|
resource "cloudflare_zone_settings_override" "http3" {
|
|
zone_id = var.cloudflare_zone_id
|
|
|
|
settings {
|
|
http3 = "on"
|
|
}
|
|
}
|