| -rw-r--r-- | .env.template | 4 | ||||
| -rw-r--r-- | ext/terranix/cloudflare/default.nix | 17 | ||||
| -rw-r--r-- | ext/terranix/cloudflare/dns.nix | 129 | ||||
| -rw-r--r-- | ext/terranix/cloudflare/ruleset.nix | 25 | ||||
| -rw-r--r-- | ext/terranix/cloudflare/tls.nix | 18 | ||||
| -rw-r--r-- | ext/terranix/cloudflare/tunnels.nix | 12 | ||||
| -rw-r--r-- | ext/terranix/vars.nix | 4 |
7 files changed, 127 insertions, 82 deletions
diff --git a/.env.template b/.env.template index e66273f..fd01124 100644 --- a/.env.template +++ b/.env.template @@ -5,8 +5,8 @@ # # cloudflare -CLOUDFLARE_API_TOKEN= -CLOUDFLARE_ZONE_ID= +CLOUDFLARE_API_KEY= +CLOUDFLARE_EMAIL= CLOUDFLARE_ACCOUNT_ID= # tailscale diff --git a/ext/terranix/cloudflare/default.nix b/ext/terranix/cloudflare/default.nix index 80e8e39..d3914df 100644 --- a/ext/terranix/cloudflare/default.nix +++ b/ext/terranix/cloudflare/default.nix @@ -1,21 +1,8 @@ -{lib, ...}: { +{ imports = [ ./dns.nix ./ruleset.nix + ./tls.nix ./tunnels.nix ]; - - resource = { - cloudflare_url_normalization_settings.incoming = { - scope = "incoming"; - type = "cloudflare"; - zone_id = lib.tfRef "var.zone_id"; - }; - - cloudflare_bot_management.bots = { - enable_js = false; - fight_mode = false; - zone_id = lib.tfRef "var.zone_id"; - }; - }; } diff --git a/ext/terranix/cloudflare/dns.nix b/ext/terranix/cloudflare/dns.nix index 562fdf7..5664be2 100644 --- a/ext/terranix/cloudflare/dns.nix +++ b/ext/terranix/cloudflare/dns.nix 
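Review bot: Replacing `CLOUDFLARE_API_TOKEN` with `CLOUDFLARE_API_KEY`/`CLOUDFLARE_EMAIL` moves the provider from a scoped API token to the Global API Key, which grants full control of every zone and account the user owns, cannot be restricted to the two zones touched here, and has no expiry. As far as the resources in this change show (DNS records, DNSSEC, zone settings, a ruleset, tunnel data and origin pulls), a token limited to Zone:DNS:Edit, Zone:Zone Settings:Edit and Account:Cloudflare Tunnel:Read on those zones would suffice, so the downgrade looks unnecessary. If a specific resource forced the switch, a comment above these variables naming it would stop the next reader from silently re-introducing the token, e.g. `# global key required by <resource>; scoped tokens rejected`; otherwise I would keep `CLOUDFLARE_API_TOKEN=` and drop the two new variables.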
@@ -1,65 +1,114 @@ {lib, ...}: let - mkRecord = name: { + mkRecord = { + name, value, type, - ... - } @ args: + zone_id, + }: { - name = args.name or name; - zone_id = lib.tfRef "var.zone_id"; + inherit name value type zone_id; ttl = 1; - inherit value type; } // lib.optionalAttrs (type != "TXT") {proxied = true;}; - atlas_tunnel = lib.tfRef "data.cloudflare_tunnel.atlas-nginx.id" + ".cfargotunnel.com"; -in { - resource.cloudflare_record = builtins.mapAttrs mkRecord { - website = { - name = "@"; - value = "website-86j.pages.dev"; - type = "CNAME"; - }; - - keyoxide = { - name = "@"; - value = "$argon2id$v=19$m=512,t=256,p=1$AlA6W5fP7J14zMsw0W5KFQ$EQz/NCE0/TQpE64r2Eo/yOpjtMZ9WXevHsv3YYP7CXg"; - type = "TXT"; - }; - - www = { - value = "mydadleft.me"; - type = "CNAME"; - }; - - api = { - value = "teawieapi.pages.dev"; - type = "CNAME"; - }; - - miniflux = { - value = atlas_tunnel; - type = "CNAME"; - }; + zones = { + mydadleft_me = lib.tfRef "var.mydadleft_me_zone_id"; + getchoo_com = lib.tfRef "var.getchoo_com_zone_id"; + }; + inherit + (zones) + mydadleft_me + getchoo_com + ; - # prevent email spoofing + atlas_tunnel = lib.tfRef "data.cloudflare_tunnel.atlas-nginx.id" + ".cfargotunnel.com"; - dmarc = { + blockEmailSpoofingFor = domain: let + zone_id = zones.${domain}; + in { + "${domain}_dmarc" = { name = "_dmarc"; value = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;"; type = "TXT"; + inherit zone_id; }; - domainkey = { + "${domain}_domainkey" = { name = "*._domainkey"; value = "v=DKIM1; p="; type = "TXT"; + inherit zone_id; }; - email = { - name = "mydadleft.me"; + "${domain}_email" = { + name = "@"; value = "v=spf1 -all"; type = "TXT"; + inherit zone_id; + }; + }; +in { + resource.cloudflare_zone_dnssec = { + mydadleft_me_dnssec = { + zone_id = mydadleft_me; + }; + + getchoo_com_dnssec = { + zone_id = getchoo_com; }; }; + + resource.cloudflare_record = + lib.mapAttrs (_: mkRecord) { + getchoo_com_website = { + name = "@"; + value = "website-86j.pages.dev"; + 
type = "CNAME"; + zone_id = getchoo_com; + }; + + getchoo_com_www = { + name = "www"; + value = "getchoo.com"; + type = "CNAME"; + zone_id = getchoo_com; + }; + + mydadleft_me_website = { + name = "@"; + value = "website-86j.pages.dev"; + type = "CNAME"; + zone_id = mydadleft_me; + }; + + mydadleft_me_keyoxide = { + name = "@"; + value = "$argon2id$v=19$m=512,t=256,p=1$AlA6W5fP7J14zMsw0W5KFQ$EQz/NCE0/TQpE64r2Eo/yOpjtMZ9WXevHsv3YYP7CXg"; + type = "TXT"; + zone_id = mydadleft_me; + }; + + mydadleft_me_www = { + name = "www"; + value = "mydadleft.me"; + type = "CNAME"; + zone_id = mydadleft_me; + }; + + mydadleft_me_api = { + name = "api"; + value = "teawieapi.pages.dev"; + type = "CNAME"; + zone_id = mydadleft_me; + }; + + mydadleft_me_miniflux = { + name = "miniflux"; + value = atlas_tunnel; + type = "CNAME"; + zone_id = mydadleft_me; + }; + } + // blockEmailSpoofingFor "mydadleft_me" + // blockEmailSpoofingFor "getchoo_com"; } diff --git a/ext/terranix/cloudflare/ruleset.nix b/ext/terranix/cloudflare/ruleset.nix index 1be98aa..c5be56f 100644 --- a/ext/terranix/cloudflare/ruleset.nix +++ b/ext/terranix/cloudflare/ruleset.nix @@ -1,31 +1,10 @@ {lib, ...}: { resource.cloudflare_ruleset = { - default = { - kind = "zone"; - name = "default"; - phase = "http_config_settings"; - zone_id = lib.tfRef "var.zone_id"; - - rules = [ - { - action = "set_config"; - action_parameters = { - automatic_https_rewrites = true; - email_obfuscation = true; - opportunistic_encryption = false; - }; - description = "base redirects"; - enabled = true; - expression = "true"; - } - ]; - }; - - redirect = { + mydadleft_me_redirects = { kind = "zone"; name = "default"; phase = "http_request_dynamic_redirect"; - zone_id = lib.tfRef "var.zone_id"; + zone_id = lib.tfRef "var.mydadleft_me_zone_id"; rules = [ { diff --git a/ext/terranix/cloudflare/tls.nix b/ext/terranix/cloudflare/tls.nix new file mode 100644 index 0000000..8147bec --- /dev/null +++ b/ext/terranix/cloudflare/tls.nix 
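Review bot: The DMARC record produced by `blockEmailSpoofingFor` sets `p=reject` but carries no `rua=` tag, so neither zone will ever receive aggregate reports and spoofing attempts against them stay invisible to the owner. Adding a reporting mailbox you control, `value = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:<mailbox>";`, changes nothing about the policy itself. A one-line comment above the helper would also help a later maintainer who adds mail to one of these zones, since the wildcard `*._domainkey` record with `v=DKIM1; p=` revokes every DKIM selector and `v=spf1 -all` denies every sender: `# these zones send no mail: null SPF, revoked DKIM, reject-all DMARC`.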
@@ -0,0 +1,18 @@ +{lib, ...}: let + baseSettings = { + always_use_https = "on"; + ssl = "strict"; + }; +in { + resource.cloudflare_zone_settings_override = { + mydadleft_me_settings = { + zone_id = lib.tfRef "var.mydadleft_me_zone_id"; + settings = baseSettings; + }; + + getchoo_com_settings = { + zone_id = lib.tfRef "var.getchoo_com_zone_id"; + settings = baseSettings; + }; + }; +} diff --git a/ext/terranix/cloudflare/tunnels.nix b/ext/terranix/cloudflare/tunnels.nix index bea9811..e2b0c7b 100644 --- a/ext/terranix/cloudflare/tunnels.nix +++ b/ext/terranix/cloudflare/tunnels.nix @@ -8,4 +8,16 @@ inherit name; account_id = lib.tfRef "var.account_id"; }); + + resource.cloudflare_authenticated_origin_pulls = { + mydadleft_me_origin = { + zone_id = lib.tfRef "var.mydadleft_me_zone_id"; + enabled = true; + }; + + getchoo_com_origin = { + zone_id = lib.tfRef "var.getchoo_com_zone_id"; + enabled = true; + }; + }; } diff --git a/ext/terranix/vars.nix b/ext/terranix/vars.nix index 2f640c2..31ee464 100644 --- a/ext/terranix/vars.nix +++ b/ext/terranix/vars.nix @@ -1,9 +1,9 @@ { variable = { # cloudflare - zone_id.default = "53286ae07c44ed39e4b1249a2adb6d4d"; + mydadleft_me_zone_id.default = "53286ae07c44ed39e4b1249a2adb6d4d"; + getchoo_com_zone_id.default = "5ab8019935bfb8838a820aa68250eb77"; account_id.default = "44c47ae2d55db34c1bf2f378ea8202f1"; - cf_domain.default = "mydadleft.me"; # tailscale tailnet.default = "getchoo.github"; |
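Review bot: `baseSettings` enforces HTTPS redirection and strict origin validation but leaves the protocol floor at the zone default, so TLS 1.0 and 1.1 remain negotiable at the edge; add `min_tls_version = "1.2";` and `tls_1_3 = "on";` next to `ssl = "strict"`. The `http_config_settings` ruleset removed in ruleset.nix carried `automatic_https_rewrites = true`, which this new file does not replace — `always_use_https` redirects requests but does not rewrite `http://` references in served pages — so if that behaviour is still wanted, `automatic_https_rewrites = "on";` belongs in `baseSettings` as well.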
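Review bot: Enabling `cloudflare_authenticated_origin_pulls` at zone level only makes Cloudflare present its client certificate on origin connections; the protection exists only when an origin server is configured to require and verify that certificate. Every record this change defines points at a `*.pages.dev` hostname or a `cfargotunnel.com` tunnel endpoint, i.e. origins reached inside Cloudflare rather than over the public internet with an mTLS listener, so as far as this diff shows the two new resources have no effect. If an origin elsewhere does validate the Cloudflare origin-pull CA, a comment naming it would justify keeping them, e.g. `# enforced on the origin: nginx ssl_verify_client against Cloudflare's origin-pull CA`; otherwise they are dead configuration. The `data.cloudflare_tunnel` definition at the top of tunnels.nix lies outside the hunk.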
