Diffstat (limited to 'terranix/cloudflare')
-rw-r--r--terranix/cloudflare/default.nix10
-rw-r--r--terranix/cloudflare/dns.nix110
-rw-r--r--terranix/cloudflare/pages_domains.nix32
-rw-r--r--terranix/cloudflare/pages_projects.nix60
-rw-r--r--terranix/cloudflare/ruleset.nix29
-rw-r--r--terranix/cloudflare/tls.nix15
-rw-r--r--terranix/cloudflare/tunnels.nix14
7 files changed, 270 insertions, 0 deletions
diff --git a/terranix/cloudflare/default.nix b/terranix/cloudflare/default.nix
new file mode 100644
index 0000000..a8f6d43
--- /dev/null
+++ b/terranix/cloudflare/default.nix
@@ -0,0 +1,10 @@
+{
+ imports = [
+ ./dns.nix
+ ./pages_domains.nix
+ ./pages_projects.nix
+ ./ruleset.nix
+ ./tls.nix
+ ./tunnels.nix
+ ];
+}
diff --git a/terranix/cloudflare/dns.nix b/terranix/cloudflare/dns.nix
new file mode 100644
index 0000000..335562d
--- /dev/null
+++ b/terranix/cloudflare/dns.nix
@@ -0,0 +1,110 @@
+{ lib, ... }:
+let
+ mkRecord =
+ {
+ name,
+ content,
+ type,
+ zone_id,
+ }:
+ {
+ inherit
+ name
+ content
+ type
+ zone_id
+ ;
+ ttl = 1;
+ }
+ // lib.optionalAttrs (type != "TXT") { proxied = true; };
+
+ zones = {
+ getchoo_com = lib.tfRef "var.getchoo_com_zone_id";
+ };
+ inherit (zones) getchoo_com;
+
+ atlas_tunnel =
+ lib.tfRef "data.cloudflare_zero_trust_tunnel_cloudflared.atlas-nginx.id" + ".cfargotunnel.com";
+
+ pagesSubdomainFor = project: lib.tfRef "resource.cloudflare_pages_project.${project}.subdomain";
+ blockEmailSpoofingFor =
+ domain:
+ let
+ zone_id = zones.${domain};
+ in
+ {
+ "${domain}_dmarc" = {
+ name = "_dmarc";
+ content = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;";
+ type = "TXT";
+ inherit zone_id;
+ };
+
+ "${domain}_domainkey" = {
+ name = "*._domainkey";
+ content = "v=DKIM1; p=";
+ type = "TXT";
+ inherit zone_id;
+ };
+
+ "${domain}_email" = {
+ name = "@";
+ content = "v=spf1 -all";
+ type = "TXT";
+ inherit zone_id;
+ };
+ };
+in
+{
+ resource.cloudflare_zone_dnssec = {
+ getchoo_com_dnssec = {
+ zone_id = getchoo_com;
+ };
+ };
+
+ resource.cloudflare_record =
+ lib.mapAttrs (_: mkRecord) {
+ getchoo_com_website = {
+ name = "@";
+ content = pagesSubdomainFor "personal_website";
+ type = "CNAME";
+ zone_id = getchoo_com;
+ };
+
+ getchoo_com_www = {
+ name = "www";
+ content = "getchoo.com";
+ type = "CNAME";
+ zone_id = getchoo_com;
+ };
+
+ getchoo_com_api = {
+ name = "api";
+ content = pagesSubdomainFor "teawie_api";
+ type = "CNAME";
+ zone_id = getchoo_com;
+ };
+
+ getchoo_com_miniflux = {
+ name = "miniflux";
+ content = atlas_tunnel;
+ type = "CNAME";
+ zone_id = getchoo_com;
+ };
+
+ getchoo_com_git = {
+ name = "git";
+ content = atlas_tunnel;
+ type = "CNAME";
+ zone_id = getchoo_com;
+ };
+
+ getchoo_com_keyoxide = {
+ name = "@";
+ content = "$argon2id$v=19$m=512,t=256,p=1$AlA6W5fP7J14zMsw0W5KFQ$EQz/NCE0/TQpE64r2Eo/yOpjtMZ9WXevHsv3YYP7CXg";
+ type = "TXT";
+ zone_id = getchoo_com;
+ };
+ }
+ // blockEmailSpoofingFor "getchoo_com";
+}
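Review bot: The DMARC record built at the `"${domain}_dmarc"` entry carries no `rua=` tag, so rejected spoofing attempts are never reported anywhere and the `p=reject` policy cannot be monitored; consider `content = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:<REPORTING_ADDRESS>;";` with a real mailbox substituted for the placeholder. Note also that the set returned by `blockEmailSpoofingFor` is merged with `//` after `lib.mapAttrs (_: mkRecord)` has already been applied, so unlike every other record those three bypass `mkRecord` and get no explicit `ttl`; that looks intentional (TXT records are never proxied anyway) but deserves a one-line comment at the merge. Finally, `cloudflare_zone_dnssec` only turns on signing inside Cloudflare — the zone is not validated by resolvers until its DS record is published at the registrar, which nothing in this hunk does — so a comment saying where that step lives would help the next reader.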
diff --git a/terranix/cloudflare/pages_domains.nix b/terranix/cloudflare/pages_domains.nix
new file mode 100644
index 0000000..531b2de
--- /dev/null
+++ b/terranix/cloudflare/pages_domains.nix
@@ -0,0 +1,32 @@
+{ lib, ... }:
+let
+ setDomainsFor =
+ {
+ account_id,
+ project,
+ domains,
+ }:
+ lib.listToAttrs (
+ map (domain: {
+ name = "${project}_${builtins.replaceStrings [ "." ] [ "_" ] domain}";
+ value = {
+ inherit account_id;
+ project_name = lib.tfRef "resource.cloudflare_pages_project.${project}.name";
+ inherit domain;
+ };
+ }) domains
+ );
+in
+{
+ resource.cloudflare_pages_domain =
+ setDomainsFor {
+ account_id = lib.tfRef "var.account_id";
+ project = "personal_website";
+ domains = [ "getchoo.com" ];
+ }
+ // setDomainsFor {
+ account_id = lib.tfRef "var.account_id";
+ project = "teawie_api";
+ domains = [ "api.getchoo.com" ];
+ };
+}
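Review bot: Both `setDomainsFor` calls pass the identical `account_id = lib.tfRef "var.account_id"`, so the value is repeated rather than shared; binding it once in the `let` and using `inherit account_id;` at each call site, or giving the parameter a default with `account_id ? lib.tfRef "var.account_id",`, keeps the two from drifting. `setDomainsFor` also has no comment explaining why it rewrites the domain, and the `builtins.replaceStrings [ "." ] [ "_" ]` is easy to misread as a DNS transformation; a one-liner such as `# dots are not valid in Terraform resource names, so "api.getchoo.com" keys as "api_getchoo_com"` would make the intent clear.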
diff --git a/terranix/cloudflare/pages_projects.nix b/terranix/cloudflare/pages_projects.nix
new file mode 100644
index 0000000..4c0b076
--- /dev/null
+++ b/terranix/cloudflare/pages_projects.nix
@@ -0,0 +1,60 @@
+{ lib, ... }:
+let
+ getGitHubRepo =
+ { owner, repo_name }:
+ {
+ type = "github";
+ config = {
+ inherit owner repo_name;
+ production_branch = "main";
+ };
+ };
+in
+{
+ resource.cloudflare_pages_project = {
+ personal_website = {
+ account_id = lib.tfRef "var.account_id";
+ name = "getchoo-website";
+ production_branch = "main";
+
+ source = getGitHubRepo {
+ owner = "getchoo";
+ repo_name = "website";
+ };
+
+ build_config = {
+ build_caching = true;
+ build_command = "./build-site.sh";
+ destination_dir = "/dist";
+ };
+
+ deployment_configs =
+ let
+ environment_variables = {
+ ZOLA_VERSION = "0.19.2";
+ };
+ in
+ {
+ production = [ { inherit environment_variables; } ];
+ preview = [ { inherit environment_variables; } ];
+ };
+ };
+
+ teawie_api = {
+ account_id = lib.tfRef "var.account_id";
+ name = "teawie-api";
+ production_branch = "main";
+
+ source = getGitHubRepo {
+ owner = "getchoo";
+ repo_name = "teawieAPI";
+ };
+
+ build_config = {
+ build_caching = true;
+ build_command = "pnpm run lint && pnpm run build";
+ destination_dir = "/dist";
+ };
+ };
+ };
+}
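Review bot: `getGitHubRepo` hardcodes `production_branch = "main"` inside the source config while each project repeats the same value at the project level (the `production_branch` lines under `personal_website` and `teawie_api`), so changing the branch for one project would require editing the shared helper; accept it as a parameter, `{ owner, repo_name, production_branch ? "main" }:`, and pass each project's value through. The source config also sets none of the provider's preview-deployment controls (`preview_deployment_setting`, `preview_branch_includes` / `preview_branch_excludes`), so the provider default applies — which, if I recall correctly, builds a preview for every pushed branch; since `build_command` runs repository-controlled scripts (`./build-site.sh`, `pnpm run lint && pnpm run build`), stating the intended preview policy explicitly would make that trust boundary visible instead of implied.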
diff --git a/terranix/cloudflare/ruleset.nix b/terranix/cloudflare/ruleset.nix
new file mode 100644
index 0000000..98364d9
--- /dev/null
+++ b/terranix/cloudflare/ruleset.nix
@@ -0,0 +1,29 @@
+{ lib, ... }:
+{
+ resource.cloudflare_ruleset = {
+ getchoo_com_redirects = {
+ kind = "zone";
+ name = "default";
+ phase = "http_request_dynamic_redirect";
+ zone_id = lib.tfRef "var.getchoo_com_zone_id";
+
+ rules = [
+ {
+ action = "redirect";
+ action_parameters = {
+ from_value = {
+ preserve_query_string = false;
+ status_code = 301;
+ target_url = {
+ value = "https://www.youtube.com/watch?v=RvVdFXOFcjw";
+ };
+ };
+ };
+ description = "funny";
+ enabled = true;
+ expression = "(http.request.uri.path eq \"/hacks\" and http.host eq \"getchoo.com\")";
+ }
+ ];
+ };
+ };
+}
diff --git a/terranix/cloudflare/tls.nix b/terranix/cloudflare/tls.nix
new file mode 100644
index 0000000..77450ad
--- /dev/null
+++ b/terranix/cloudflare/tls.nix
@@ -0,0 +1,15 @@
+{ lib, ... }:
+let
+ baseSettings = {
+ always_use_https = "on";
+ ssl = "strict";
+ };
+in
+{
+ resource.cloudflare_zone_settings_override = {
+ getchoo_com_settings = {
+ zone_id = lib.tfRef "var.getchoo_com_zone_id";
+ settings = baseSettings;
+ };
+ };
+}
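Review bot: `baseSettings` enforces strict origin TLS and HTTPS redirects but leaves `min_tls_version` untouched, which, if unchanged from Cloudflare's default, still permits TLS 1.0/1.1 handshakes from clients; add `min_tls_version = "1.2";` and `tls_1_3 = "on";` to the set. HSTS is likewise absent — a `security_header` block is the natural companion to `always_use_https`, otherwise the redirect alone leaves the first request of each visit over plain HTTP. The name `baseSettings` suggests the attribute set is shared across several zones, yet it is used once; either a comment noting it is meant to be reused or simply inlining it would clarify intent.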
diff --git a/terranix/cloudflare/tunnels.nix b/terranix/cloudflare/tunnels.nix
new file mode 100644
index 0000000..717a887
--- /dev/null
+++ b/terranix/cloudflare/tunnels.nix
@@ -0,0 +1,14 @@
+{ lib, ... }:
+{
+ data.cloudflare_zero_trust_tunnel_cloudflared = lib.genAttrs [ "atlas-nginx" ] (name: {
+ inherit name;
+ account_id = lib.tfRef "var.account_id";
+ });
+
+ resource.cloudflare_authenticated_origin_pulls = {
+ getchoo_com_origin = {
+ zone_id = lib.tfRef "var.getchoo_com_zone_id";
+ enabled = true;
+ };
+ };
+}
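Review bot: Enabling `cloudflare_authenticated_origin_pulls` at `getchoo_com_origin` only instructs Cloudflare's edge to present its client certificate; unless the origin is configured to require and verify that certificate the setting provides no protection against direct-to-origin traffic, and nothing in this hunk (or the other files in this diff) shows that origin-side configuration. It is also unclear how this interacts with hosts that are reached only through the `atlas-nginx` tunnel looked up by the `data.cloudflare_zero_trust_tunnel_cloudflared` block above, since those have no publicly routable origin for a pull to authenticate; a comment such as `# Requires the origin to verify Cloudflare's client certificate; see <ORIGIN_CONFIG_PATH>` with the real location substituted would record where the other half lives. Finally, `lib.genAttrs [ "atlas-nginx" ]` over a single-element list reads as if more tunnels were expected; a short comment saying the list is intended to grow would justify the indirection.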