authorseth <[email protected]>2023-12-11 19:08:10 -0500
committerseth <[email protected]>2023-12-12 22:43:30 -0500
commit03cea3ba8fea453fa5ca1611c7d8af152e2fcaaa (patch)
treec3f8895328329485714a5e51d928af1bf9892d46 /tofu/cloudflare
parent988e00c510b1cc6b50e2211c4d0e8852463b1741 (diff)
start using opentofu
Diffstat (limited to 'tofu/cloudflare')
-rw-r--r--tofu/cloudflare/default.nix26
-rw-r--r--tofu/cloudflare/dns.nix64
-rw-r--r--tofu/cloudflare/ruleset.nix64
-rw-r--r--tofu/cloudflare/tunnels.nix11
4 files changed, 165 insertions, 0 deletions
diff --git a/tofu/cloudflare/default.nix b/tofu/cloudflare/default.nix
new file mode 100644
index 0000000..c145cb0
--- /dev/null
+++ b/tofu/cloudflare/default.nix
@@ -0,0 +1,26 @@
+{lib, ...}: {
+ imports = [
+ ./dns.nix
+ ./ruleset.nix
+ ./tunnels.nix
+ ];
+
+ terraform.required_providers.cloudflare = {
+ source = "cloudflare/cloudflare";
+ version = "~> 4";
+ };
+
+ resource = {
+ cloudflare_url_normalization_settings.incoming = {
+ scope = "incoming";
+ type = "cloudflare";
+ zone_id = lib.tfRef "var.zone_id";
+ };
+
+ cloudflare_bot_management.bots = {
+ enable_js = false;
+ fight_mode = false;
+ zone_id = lib.tfRef "var.zone_id";
+ };
+ };
+}
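Review bot: The `cloudflare_bot_management.bots` resource turns both `enable_js` and `fight_mode` off for the whole zone, and nothing in the file records why, so the next maintainer has no way to tell a deliberate opt-out from a forgotten default; a comment on the resource such as `# Bot Fight Mode and JS detection are off on purpose — presumably they break the API/tunnel clients below; TODO confirm and revisit if abuse shows up` would pin that down. The provider constraint `version = "~> 4"` floats across every 4.x minor, so reproducible plans depend on a committed `.terraform.lock.hcl` (or its tofu equivalent), which this commit does not show — worth checking it is tracked. Minor: `lib.tfRef "var.zone_id"` is used here while `dns.nix` spells the same reference as `"\${var.zone_id}"`; picking one form keeps the module consistent.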
diff --git a/tofu/cloudflare/dns.nix b/tofu/cloudflare/dns.nix
new file mode 100644
index 0000000..3371566
--- /dev/null
+++ b/tofu/cloudflare/dns.nix
@@ -0,0 +1,64 @@
+{lib, ...}: let
+ mkRecord = name: {
+ value,
+ type,
+ ...
+ } @ args:
+ {
+ name = args.name or name;
+ zone_id = "\${var.zone_id}";
+ inherit value type;
+ proxied = true;
+ }
+ // lib.optionalAttrs (type != "TXT") {proxied = true;};
+
+ atlas_tunnel = lib.tfRef "data.cloudflare_tunnel.atlas-nginx.id" + ".cfargotunnel.com";
+in {
+ resource.cloudflare_record = builtins.mapAttrs mkRecord {
+ website = {
+ name = "@";
+ value = "website-86j.pages.dev";
+ type = "CNAME";
+ };
+
+ www = {
+ value = "mydadleft.me";
+ type = "CNAME";
+ };
+
+ api = {
+ value = atlas_tunnel;
+ type = "CNAME";
+ };
+
+ miniflux = {
+ value = atlas_tunnel;
+ type = "CNAME";
+ };
+
+ msix = {
+ value = atlas_tunnel;
+ type = "CNAME";
+ };
+
+ # prevent email spoofing
+
+ dmarc = {
+ name = "_dmarc";
+ value = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;";
+ type = "TXT";
+ };
+
+ domainkey = {
+ name = "*._domainkey";
+ value = "v=DKIM1; p=";
+ type = "TXT";
+ };
+
+ email = {
+ name = "mydadleft.me";
+ value = "v=spf1 -all";
+ type = "TXT";
+ };
+ };
+}
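Review bot: `mkRecord` already sets `proxied = true;` in the base attribute set, so the trailing `// lib.optionalAttrs (type != "TXT") {proxied = true;}` never changes anything and every TXT record (`_dmarc`, `*._domainkey`, the SPF record) is still emitted with `proxied = true`, which Cloudflare is not expected to accept for TXT records and which defeats the evident intent of the `optionalAttrs` clause. The fix is to drop the `proxied = true;` line from the base set and let the conditional merge supply it for non-TXT types. Since the SPF/DKIM/DMARC trio is clearly meant to declare a non-sending domain, a null MX record (`MX` with priority `0` and value `.`, per RFC 7505) would complete that statement and stop receivers from falling back to A/AAAA delivery; note that the commit's `mkRecord` has no `priority` field, so adding it would need a small extension. The `email` record uses the literal zone name while `website` uses `"@"`; both resolve to the apex, but one spelling would be easier to read.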
diff --git a/tofu/cloudflare/ruleset.nix b/tofu/cloudflare/ruleset.nix
new file mode 100644
index 0000000..1be98aa
--- /dev/null
+++ b/tofu/cloudflare/ruleset.nix
@@ -0,0 +1,64 @@
+{lib, ...}: {
+ resource.cloudflare_ruleset = {
+ default = {
+ kind = "zone";
+ name = "default";
+ phase = "http_config_settings";
+ zone_id = lib.tfRef "var.zone_id";
+
+ rules = [
+ {
+ action = "set_config";
+ action_parameters = {
+ automatic_https_rewrites = true;
+ email_obfuscation = true;
+ opportunistic_encryption = false;
+ };
+ description = "base redirects";
+ enabled = true;
+ expression = "true";
+ }
+ ];
+ };
+
+ redirect = {
+ kind = "zone";
+ name = "default";
+ phase = "http_request_dynamic_redirect";
+ zone_id = lib.tfRef "var.zone_id";
+
+ rules = [
+ {
+ action = "redirect";
+ action_parameters = {
+ from_value = {
+ preserve_query_string = false;
+ status_code = 301;
+ target_url = {
+ value = "https://www.youtube.com/watch?v=RvVdFXOFcjw";
+ };
+ };
+ };
+ description = "funny";
+ enabled = true;
+ expression = "(http.request.uri.path eq \"/hacks\" and http.host eq \"mydadleft.me\")";
+ }
+ {
+ action = "redirect";
+ action_parameters = {
+ from_value = {
+ preserve_query_string = false;
+ status_code = 301;
+ target_url = {
+ value = "https://www.youtube.com/watch?v=RvVdFXOFcjw";
+ };
+ };
+ };
+ description = "onlyfriends";
+ enabled = true;
+ expression = "(http.request.uri.path eq \"/onlyfriends\" and http.host eq \"mydadleft.me\")";
+ }
+ ];
+ };
+ };
+}
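Review bot: The `set_config` rule's `description = "base redirects"` is misleading — that rule sets HTTPS rewrites, email obfuscation and opportunistic encryption and performs no redirect, so something like `description = "zone config: https rewrites, email obfuscation"` would describe it accurately. Both rulesets also carry `name = "default"`, which makes them indistinguishable in the dashboard; giving the second one `name = "redirects"` costs nothing. The two redirect rules differ only in the path matched and point at the same target, so they could collapse into one rule with `expression = "(http.request.uri.path in {\"/hacks\" \"/onlyfriends\"} and http.host eq \"mydadleft.me\")"`, halving the rule count against the zone quota and keeping the target URL in one place.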
diff --git a/tofu/cloudflare/tunnels.nix b/tofu/cloudflare/tunnels.nix
new file mode 100644
index 0000000..bea9811
--- /dev/null
+++ b/tofu/cloudflare/tunnels.nix
@@ -0,0 +1,11 @@
+{lib, ...}: {
+ data.cloudflare_tunnel =
+ lib.genAttrs
+ [
+ "atlas-nginx"
+ ]
+ (name: {
+ inherit name;
+ account_id = lib.tfRef "var.account_id";
+ });
+}
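Review bot: The tunnel is resolved by name through a `data.cloudflare_tunnel` lookup rather than managed as a resource, so its creation and lifecycle happen outside this configuration and a plan will fail if the tunnel is renamed or removed out-of-band; the three CNAMEs in `dns.nix` that point at `atlas_tunnel` depend on it. A short comment on the data source, e.g. `# tunnels are created out-of-band (cloudflared tunnel create); looked up by name so the id can feed the *.cfargotunnel.com CNAMEs`, would make that dependency explicit to whoever next touches the list.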