path: root/terranix/cloudflare/dns.nix
authorseth <[email protected]>2023-12-27 04:49:26 -0500
committerseth <[email protected]>2023-12-27 05:09:07 -0500
commit773d59f2606c924de218d8d5bdfadcc875084047 (patch)
tree10bd52f58715adb47dcf87993885d2b3989d85c5 /terranix/cloudflare/dns.nix
parent6f2a3fc6e3e20e719a4d570d883d64023db00653 (diff)
terranix: better handle deployments
Diffstat (limited to 'terranix/cloudflare/dns.nix')
-rw-r--r--terranix/cloudflare/dns.nix64
1 files changed, 64 insertions, 0 deletions
diff --git a/terranix/cloudflare/dns.nix b/terranix/cloudflare/dns.nix
new file mode 100644
index 0000000..9618019
--- /dev/null
+++ b/terranix/cloudflare/dns.nix
@@ -0,0 +1,64 @@
+{lib, ...}: let
+ mkRecord = name: {
+ value,
+ type,
+ ...
+ } @ args:
+ {
+ name = args.name or name;
+ zone_id = lib.tfRef "var.zone_id";
+ ttl = 1;
+ inherit value type;
+ }
+ // lib.optionalAttrs (type != "TXT") {proxied = true;};
+
+ atlas_tunnel = lib.tfRef "data.cloudflare_tunnel.atlas-nginx.id" + ".cfargotunnel.com";
+in {
+ resource.cloudflare_record = builtins.mapAttrs mkRecord {
+ website = {
+ name = "@";
+ value = "website-86j.pages.dev";
+ type = "CNAME";
+ };
+
+ www = {
+ value = "mydadleft.me";
+ type = "CNAME";
+ };
+
+ api = {
+ value = "teawieapi.pages.dev";
+ type = "CNAME";
+ };
+
+ miniflux = {
+ value = atlas_tunnel;
+ type = "CNAME";
+ };
+
+ msix = {
+ value = atlas_tunnel;
+ type = "CNAME";
+ };
+
+ # prevent email spoofing
+
+ dmarc = {
+ name = "_dmarc";
+ value = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;";
+ type = "TXT";
+ };
+
+ domainkey = {
+ name = "*._domainkey";
+ value = "v=DKIM1; p=";
+ type = "TXT";
+ };
+
+ email = {
+ name = "mydadleft.me";
+ value = "v=spf1 -all";
+ type = "TXT";
+ };
+ };
+}
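Review bot: `mkRecord` forces `proxied = true` on every record whose type is not "TXT", and the `...` in its argument pattern silently drops any other attribute a caller passes, so a per-record `proxied = false` is ignored without an error. Cloudflare only proxies A, AAAA and CNAME records, so a later MX record (for example a null MX alongside the `v=spf1 -all` policy) would be emitted with `proxied = true` and is likely to be rejected at apply time. An allow-list with an explicit override would make this safe: `// lib.optionalAttrs (builtins.elem type ["A" "AAAA" "CNAME"]) {proxied = args.proxied or true;};`. The bare `ttl = 1;` would also benefit from a comment such as `# 1 = Cloudflare "automatic" TTL, expected for proxied records`. The `email` record hard-codes `name = "mydadleft.me"` while `website` uses `"@"` and the zone comes from `var.zone_id`; using `"@"` there as well would keep the SPF record attached to whichever zone is deployed.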