infra/cloudflare: import zero_trust_tunnel_cloudflared

Guanran Wang 2024-11-07 14:58:07 +08:00
parent a4e471a35f
commit 1d2253405f
Signed by: nyancat
GPG key ID: 91F97D9ED12639CF
5 changed files with 36 additions and 30 deletions


@ -44,9 +44,9 @@
restartUnits = [ "mastodon-web.service" ]; restartUnits = [ "mastodon-web.service" ];
}; };
"cloudflared/secret" = { "cloudflared/secret" = {
restartUnits = [ "cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41.service" ]; restartUnits = [ "cloudflared-tunnel-b73805e7-a8a9-49db-8c9f-aae52c406635.service" ];
owner = owner =
config.systemd.services."cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41".serviceConfig.User; config.systemd.services."cloudflared-tunnel-b73805e7-a8a9-49db-8c9f-aae52c406635".serviceConfig.User;
}; };
}; };
@ -57,8 +57,7 @@
services.cloudflared = { services.cloudflared = {
enable = true; enable = true;
tunnels = { tunnels."b73805e7-a8a9-49db-8c9f-aae52c406635" = {
"6222a3e0-98da-4325-be19-0f86a7318a41" = {
credentialsFile = config.sops.secrets."cloudflared/secret".path; credentialsFile = config.sops.secrets."cloudflared/secret".path;
default = "http_status:404"; default = "http_status:404";
ingress = lib.genAttrs [ ingress = lib.genAttrs [
@ -68,7 +67,6 @@
] (_: "http://localhost"); ] (_: "http://localhost");
}; };
}; };
};
services.caddy.enable = true; services.caddy.enable = true;
services.caddy.settings.apps.http.servers.srv0 = { services.caddy.settings.apps.http.servers.srv0 = {
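Review bot: The tunnel UUID is spelled out three times on the new side, in `restartUnits`, in the `owner` lookup and as the `tunnels` attribute name, and nothing ties the three together. If a later tunnel swap misses the `restartUnits` string, a changed `cloudflared/secret` would, as far as I can tell, no longer restart the daemon and the old credential would stay loaded without any evaluation error. I would bind it once in a `let`, e.g. `tunnelId = "b73805e7-a8a9-49db-8c9f-aae52c406635";`, and derive `"cloudflared-tunnel-${tunnelId}.service"` and `tunnels.${tunnelId}` from it. The enclosing attribute sets open and close outside the visible hunks.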


@ -5,7 +5,7 @@ synapse:
mastodon: mastodon:
environment: ENC[AES256_GCM,data:9RjpYXbGo8lBsXKg71Vbp2iTJlvXEGhn8hTl37o8G1E28JWF5Io7+evfqUv+N7QfSk1zbA==,iv:ejfe7f941QB7iiREXx1T9Vej43cW/S9nr03P5lkw9Yg=,tag:odI7xsxoPGBrxd0GnCsnOg==,type:str] environment: ENC[AES256_GCM,data:9RjpYXbGo8lBsXKg71Vbp2iTJlvXEGhn8hTl37o8G1E28JWF5Io7+evfqUv+N7QfSk1zbA==,iv:ejfe7f941QB7iiREXx1T9Vej43cW/S9nr03P5lkw9Yg=,tag:odI7xsxoPGBrxd0GnCsnOg==,type:str]
cloudflared: cloudflared:
secret: ENC[AES256_GCM,data:QXIl0MqreqPH4LP7IQdA5qQCQdizjFixbOHjqQi/3RjYDt9zt0OejW9rIYnkIRyVj4hnkJBqd1ov/VgdSoNmy/iafIgwqwgsMH0e4R9J6n255p3JG3XBmiYry89xXvQ1SXyzWdUF6p3qgevwzjZnKYyYHT9TbLWc/BkTyyA8g1EGg0O1WfDXhq7u9kOPV4CaU1UX1MMpvZQnsV389PJEWYuK,iv:ASGw5dGOuukRREZ8vMLw5hgZmJhDZSJxDqvfWaxXKJk=,tag:75jf48BEDd4uHkb+2LV5Tg==,type:str] secret: ENC[AES256_GCM,data:3lMKq0blhC/+WqN/jfi5A/JguzGsM9KmD7yPuhzuubTY0GmTtdhgCoBG6+4SGf7Y9DMGx8HMfYPCJv/IkFFIztuQznzbTLX0wuyVjpkL8td5CBl+rlXRqq8Z4Bs5SrAdawOSMvQ/69eqRaptMP4FJOdxsQdDvpzMOvgKLFatwKXbzdZMEkWxbzcrLyQItBZds+nP07sh+j5H8+ErOYRtvStMEtPuEI7nkJ3G7Ejl5P0MISVWt4HUp0O7EtP2Vn1rHmuDEkXp4K4/E5axCg4=,iv:hF8V0E/3GkWjFOAre64Ti7Mq1wGSskwBuv5ijHoMSh4=,tag:2hcwRlinNtS6/lIMxt57jA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -30,8 +30,8 @@ sops:
bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ
hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA== hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-30T16:13:16Z" lastmodified: "2024-11-07T06:54:21Z"
mac: ENC[AES256_GCM,data:T0xsHlw5ibxgsjuIyk7ibrEIxGnez6fwFea6L/GiIpzhBOQIAx7dX+cVO+d3Nkwblr8Sx44ytEZGzCngR2eHPG8uIjxtcWYk0Hb7/3DneLRd2+mAJej5W7UUqbNWtDMpLPHjIHMy03z6T8NOTnLfH8MLiQfxQk5QgIrisMmAmrE=,iv:SOZugaEclPpvmIADcCQJSEouuLCcI0kBAGIa7yvtxtA=,tag:PcKhw9ZT06nr7jylLMGh8Q==,type:str] mac: ENC[AES256_GCM,data:3agEy+YCG+MCO2yftrCnSU0x9+M4SXYWkHeMM/+HvbLX3oqrAM1r1somDWcjuc0gS6yaEw/7YzQOyfZe+gXtB86xxyYKHSOuXS8LDvW/Swn9BdCtK9KzE7kOEwEZBb6lijNXjfymfGo63i7rVE0UKzX9G46nQzEw/xJQW5gU4B4=,iv:xsB1GKFIYY9ZBu69EZeNiSfIuUpkTPAamr6/ArxcQXE=,tag:eRqQpL3CSMDOelqw57jR3Q==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.0 version: 3.9.1
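Review bot: The `cloudflared.secret` ciphertext is replaced in place, so the credential for the previous tunnel (the `6222a3e0-…` ID on the old side of the Nix section) stays recoverable from git history by anyone who holds one of this file's age identities. Nothing visible on this page shows that tunnel being deleted in Cloudflare, and if it still exists its credential presumably remains valid. It is worth confirming the old tunnel was removed rather than left idle; no change to this file is needed.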


@ -1,9 +1,10 @@
locals { locals {
cloudflare_zone_id = cloudflare_zone.terraform_managed_resource_4b7a25e8fb5035c84820c26e454ed03d.id cloudflare_zone_id = cloudflare_zone.terraform_managed_resource_4b7a25e8fb5035c84820c26e454ed03d.id
cloudflare_account_id = "af3504d3b07107975feaa691beae1553"
} }
resource "cloudflare_zone" "terraform_managed_resource_4b7a25e8fb5035c84820c26e454ed03d" { resource "cloudflare_zone" "terraform_managed_resource_4b7a25e8fb5035c84820c26e454ed03d" {
account_id = "af3504d3b07107975feaa691beae1553" account_id = local.cloudflare_account_id
paused = false paused = false
plan = "free" plan = "free"
type = "full" type = "full"
@ -18,6 +19,21 @@ resource "cloudflare_zone_settings_override" "terraform_managed_resource_4b7a25e
} }
} }
resource "cloudflare_zero_trust_tunnel_cloudflared" "blacksteel" {
name = "blacksteel"
account_id = local.cloudflare_account_id
secret = local.secrets.cloudflare.tunnel_secret
}
resource "cloudflare_record" "terraform_managed_resource_e8a39752064c17b2c91d10edf667e322" {
content = cloudflare_zero_trust_tunnel_cloudflared.blacksteel.cname
name = "pek0"
proxied = true
ttl = 1
type = "CNAME"
zone_id = local.cloudflare_zone_id
}
resource "cloudflare_record" "terraform_managed_resource_3bb7c82777ada1dcafb0cd16ae22bcac" { resource "cloudflare_record" "terraform_managed_resource_3bb7c82777ada1dcafb0cd16ae22bcac" {
content = module.vultr["sin0"].ipv4 content = module.vultr["sin0"].ipv4
name = "sin0" name = "sin0"
@ -153,15 +169,6 @@ resource "cloudflare_record" "terraform_managed_resource_f3507181cd0965a1040216e
zone_id = local.cloudflare_zone_id zone_id = local.cloudflare_zone_id
} }
resource "cloudflare_record" "terraform_managed_resource_e8a39752064c17b2c91d10edf667e322" {
content = "6222a3e0-98da-4325-be19-0f86a7318a41.cfargotunnel.com"
name = "pek0"
proxied = true
ttl = 1
type = "CNAME"
zone_id = local.cloudflare_zone_id
}
resource "cloudflare_record" "terraform_managed_resource_aab250e5d93fd4ceac718dbaaee7bdb3" { resource "cloudflare_record" "terraform_managed_resource_aab250e5d93fd4ceac718dbaaee7bdb3" {
content = "tyo0.ny4.dev" content = "tyo0.ny4.dev"
name = "prom" name = "prom"
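Review bot: The new `cloudflare_zero_trust_tunnel_cloudflared.blacksteel` resource takes `secret` from `local.secrets.cloudflare.tunnel_secret`, but nothing in the block documents that this value must match the credentials the host loads from `cloudflared/secret`, or what a rotation entails. The value is also written to state; the `tofu.encryption` entry in the secrets file suggests state encryption is configured, which is worth confirming. If the provider treats `secret` as a replace-on-change attribute (I believe the v4 provider does), changing it creates a tunnel with a new ID, the `pek0` CNAME follows it through `.cname`, and the host, which pins the UUID in its Nix config, keeps running the old one. I would add a comment above the resource such as `# secret is duplicated in the host's cloudflared/secret; changing it may replace the tunnel and its ID` and consider `lifecycle { prevent_destroy = true }`.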


@ -7,6 +7,7 @@ tofu:
encryption: ENC[AES256_GCM,data:7+K0SYGOURiEbZ4IrOMJYYVWcSlLqxLv+9lZRUH/cH34qZ7CUt8vsSYP7VyRgCVqFr7sETGj1LPliPjJT2yge9HNbbuUnJ0U3RpLytl7z63nOLeSvUU=,iv:WGrozRmPerQ7iPJAqWmBy9XQ6SnOLrcLLwxdoa1ZIWQ=,tag:rcfNqW57WyVc4U0Iy2MHKA==,type:str] encryption: ENC[AES256_GCM,data:7+K0SYGOURiEbZ4IrOMJYYVWcSlLqxLv+9lZRUH/cH34qZ7CUt8vsSYP7VyRgCVqFr7sETGj1LPliPjJT2yge9HNbbuUnJ0U3RpLytl7z63nOLeSvUU=,iv:WGrozRmPerQ7iPJAqWmBy9XQ6SnOLrcLLwxdoa1ZIWQ=,tag:rcfNqW57WyVc4U0Iy2MHKA==,type:str]
cloudflare: cloudflare:
api_token: ENC[AES256_GCM,data:3zMyjbg0zfPCOoeVAABQWdKMCIXyJ7B2SVXSVv+UyMAHdluG1+ZUqg==,iv:UfnSkkcV6WbdN1uzn1rI/x4tdupAqxKQ1Ak+untcjJs=,tag:FbFpSarg/ihFGoWTdsG5VA==,type:str] api_token: ENC[AES256_GCM,data:3zMyjbg0zfPCOoeVAABQWdKMCIXyJ7B2SVXSVv+UyMAHdluG1+ZUqg==,iv:UfnSkkcV6WbdN1uzn1rI/x4tdupAqxKQ1Ak+untcjJs=,tag:FbFpSarg/ihFGoWTdsG5VA==,type:str]
tunnel_secret: ENC[AES256_GCM,data:OSkV49b/gV8jIVVL9J6Nez4vKtKaEb0d2vjJ+X5uxLIQmzTkn5vAwRXcVfVdowu3tyKPA17lWUU7J3GoqR/N0s++6v3M4fdcATV2XIZ5ZdqiA67DprXzAA==,iv:u3Neif9JqMjHex25E0zqx+WoL/l5InD+rqUVb3czJdE=,tag:A4Bf0XYzbqljFdqS/reiAw==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -22,8 +23,8 @@ sops:
WmJlc0piL0s1c3dQd25ibFFZUVRjTzAKNh71/iOviUisewtjmAXmJJdq8KfI4S8X WmJlc0piL0s1c3dQd25ibFFZUVRjTzAKNh71/iOviUisewtjmAXmJJdq8KfI4S8X
pzEyAoajZIjUfqAnCNxVjxett2bKb2liM/mpO1McOpSRnFe8cOXWMg== pzEyAoajZIjUfqAnCNxVjxett2bKb2liM/mpO1McOpSRnFe8cOXWMg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-07T04:03:30Z" lastmodified: "2024-11-07T06:44:48Z"
mac: ENC[AES256_GCM,data:0EyArHp94S3Min2AKpJgbwBNo40OaNzVt2TM1awcj83DUqNMg79AYh0HMIMH3aFYqYDDE2CfYBWgnUHP+Nj1mOx4XjvveT31wAi3kdy0aUHz68x/AdYmymN8mxU6Neu1dT4n1ODbjXqkW0wLwd/BAs1t5qckQDwzQlfDyW6/koc=,iv:R6hI7mnkloYwdYrQx9iDqCwSZUtlFKdy717bUfyqq/U=,tag:/KqSHwyjXqnYVQB2iY9WkQ==,type:str] mac: ENC[AES256_GCM,data:ICgVp6o6esQTuPinQJ4l46UIDQiPwOU1Rjd0A2BSEexH7nLHg3QSXbgbsqpf6YX3v6NY5Ex9tO8RBj7NpgTXJuWMwIa0Eh119ohHAOq6ODF6iTTIyNbeAIdj+tCXpVosStGGdRmW/iLp0mxO36YQY6pxrzhl/qTaDT0ZaN9vl0I=,iv:71dWnXlKRQtTn8kIV/bvS2ygGyXSLiqNoTJzVf/uKXg=,tag:P2Goxr1bjolM2XawvJrPIQ==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.1 version: 3.9.1

File diff suppressed because one or more lines are too long