Diffstat (limited to 'tofu/cloudflare')
| -rw-r--r-- | tofu/cloudflare/default.nix | 26 | ||||
| -rw-r--r-- | tofu/cloudflare/dns.nix | 64 | ||||
| -rw-r--r-- | tofu/cloudflare/ruleset.nix | 64 | ||||
| -rw-r--r-- | tofu/cloudflare/tunnels.nix | 11 |
4 files changed, 165 insertions, 0 deletions
diff --git a/tofu/cloudflare/default.nix b/tofu/cloudflare/default.nix
new file mode 100644
index 0000000..c145cb0
--- /dev/null
+++ b/tofu/cloudflare/default.nix
@@ -0,0 +1,26 @@
+{lib, ...}: {
+ imports = [
+ ./dns.nix
+ ./ruleset.nix
+ ./tunnels.nix
+ ];
+
+ terraform.required_providers.cloudflare = {
+ source = "cloudflare/cloudflare";
+ version = "~> 4";
+ };
+
+ resource = {
+ cloudflare_url_normalization_settings.incoming = {
+ scope = "incoming";
+ type = "cloudflare";
+ zone_id = lib.tfRef "var.zone_id";
+ };
+
+ cloudflare_bot_management.bots = {
+ enable_js = false;
+ fight_mode = false;
+ zone_id = lib.tfRef "var.zone_id";
+ };
+ };
+}
diff --git a/tofu/cloudflare/dns.nix b/tofu/cloudflare/dns.nix
new file mode 100644
index 0000000..3371566
--- /dev/null
+++ b/tofu/cloudflare/dns.nix
@@ -0,0 +1,64 @@
+{lib, ...}: let
+ mkRecord = name: {
+ value,
+ type,
+ ...
+ } @ args:
+ {
+ name = args.name or name;
+ zone_id = "\${var.zone_id}";
+ inherit value type;
+ proxied = true;
+ }
+ // lib.optionalAttrs (type != "TXT") {proxied = true;};
+
+ atlas_tunnel = lib.tfRef "data.cloudflare_tunnel.atlas-nginx.id" + ".cfargotunnel.com";
+in {
+ resource.cloudflare_record = builtins.mapAttrs mkRecord {
+ website = {
+ name = "@";
+ value = "website-86j.pages.dev";
+ type = "CNAME";
+ };
+
+ www = {
+ value = "mydadleft.me";
+ type = "CNAME";
+ };
+
+ api = {
+ value = atlas_tunnel;
+ type = "CNAME";
+ };
+
+ miniflux = {
+ value = atlas_tunnel;
+ type = "CNAME";
+ };
+
+ msix = {
+ value = atlas_tunnel;
+ type = "CNAME";
+ };
+
+ # prevent email spoofing
+
+ dmarc = {
+ name = "_dmarc";
+ value = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;";
+ type = "TXT";
+ };
+
+ domainkey = {
+ name = "*._domainkey";
+ value = "v=DKIM1; p=";
+ type = "TXT";
+ };
+
+ email = {
+ name = "mydadleft.me";
+ value = "v=spf1 -all";
+ type = "TXT";
+ };
+ };
+}
diff --git a/tofu/cloudflare/ruleset.nix b/tofu/cloudflare/ruleset.nix
new file mode 100644
index 0000000..1be98aa
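Review bot: The `cloudflare_bot_management.bots` resource switches off both `enable_js` and `fight_mode` with no comment, which reads as a deliberate weakening of the zone's bot protection rather than a default. If the reason is that Bot Fight Mode challenges the non-browser clients that reach `api`/`miniflux`/`msix` through the tunnel, a line such as `# fight mode challenges the API clients of the tunneled services; keep off` should record it so a later reviewer does not re-enable it blindly. The `version = "~> 4";` constraint only bounds the major version; the provider build actually used is whatever the lock file pins, so check that `.terraform.lock.hcl` is committed with this change. Both points are documentation and process rather than defects in the visible code.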
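Review bot: The unconditional `proxied = true;` inside the base attrset of `mkRecord` makes the trailing `// lib.optionalAttrs (type != "TXT") {proxied = true;}` a no-op, so the three TXT records (`_dmarc`, `*._domainkey`, the SPF record) are also submitted with `proxied = true`; Cloudflare only proxies A/AAAA/CNAME records, so I would expect the apply to be rejected for those three. Deleting the `proxied = true;` line from the base set and keeping only the `optionalAttrs` branch gives the behaviour the conditional was clearly written for. Two smaller consistency points: `zone_id = "\${var.zone_id}";` could use `lib.tfRef "var.zone_id"` as the other files do, and the SPF record named `mydadleft.me` could be `name = "@";` like the `website` record so the two apex records read the same way. The null SPF, empty-key DKIM wildcard and `p=reject` DMARC are a sound no-mail posture; a comment such as `# this zone sends no mail: null SPF, revoked DKIM wildcard, reject DMARC` would state that intent more precisely than "prevent email spoofing".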
--- /dev/null
+++ b/tofu/cloudflare/ruleset.nix
@@ -0,0 +1,64 @@
+{lib, ...}: {
+ resource.cloudflare_ruleset = {
+ default = {
+ kind = "zone";
+ name = "default";
+ phase = "http_config_settings";
+ zone_id = lib.tfRef "var.zone_id";
+
+ rules = [
+ {
+ action = "set_config";
+ action_parameters = {
+ automatic_https_rewrites = true;
+ email_obfuscation = true;
+ opportunistic_encryption = false;
+ };
+ description = "base redirects";
+ enabled = true;
+ expression = "true";
+ }
+ ];
+ };
+
+ redirect = {
+ kind = "zone";
+ name = "default";
+ phase = "http_request_dynamic_redirect";
+ zone_id = lib.tfRef "var.zone_id";
+
+ rules = [
+ {
+ action = "redirect";
+ action_parameters = {
+ from_value = {
+ preserve_query_string = false;
+ status_code = 301;
+ target_url = {
+ value = "https://www.youtube.com/watch?v=RvVdFXOFcjw";
+ };
+ };
+ };
+ description = "funny";
+ enabled = true;
+ expression = "(http.request.uri.path eq \"/hacks\" and http.host eq \"mydadleft.me\")";
+ }
+ {
+ action = "redirect";
+ action_parameters = {
+ from_value = {
+ preserve_query_string = false;
+ status_code = 301;
+ target_url = {
+ value = "https://www.youtube.com/watch?v=RvVdFXOFcjw";
+ };
+ };
+ };
+ description = "onlyfriends";
+ enabled = true;
+ expression = "(http.request.uri.path eq \"/onlyfriends\" and http.host eq \"mydadleft.me\")";
+ }
+ ];
+ };
+ };
+}
diff --git a/tofu/cloudflare/tunnels.nix b/tofu/cloudflare/tunnels.nix
new file mode 100644
index 0000000..bea9811
--- /dev/null
+++ b/tofu/cloudflare/tunnels.nix
@@ -0,0 +1,11 @@
+{lib, ...}: {
+ data.cloudflare_tunnel =
+ lib.genAttrs
+ [
+ "atlas-nginx"
+ ]
+ (name: {
+ inherit name;
+ account_id = lib.tfRef "var.account_id";
+ });
+}
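Review bot: The two rules in the `redirect` ruleset are identical apart from the path and description, and the `set_config` rule in the `default` ruleset is labelled `description = "base redirects";` although it configures HTTPS rewrites and email obfuscation and performs no redirect. I would generate the redirect rules from a small helper so the target URL and host match live in one place, and relabel the config rule `description = "base config settings";`. Both rulesets also carry `name = "default"`; `name = "redirect";` on the second one keeps them distinguishable in the dashboard. `opportunistic_encryption = false` is a deliberate choice that deserves a one-line why-comment, since it is the only hardening option in that rule that is turned off.
```nix
{lib, ...}: let
  rickroll = "https://www.youtube.com/watch?v=RvVdFXOFcjw";
  # 301 one exact path on the apex host to the shared target URL
  mkRedirect = path: description: {
    action = "redirect";
    action_parameters.from_value = {
      preserve_query_string = false;
      status_code = 301;
      target_url.value = rickroll;
    };
    inherit description;
    enabled = true;
    expression = "(http.request.uri.path eq \"${path}\" and http.host eq \"mydadleft.me\")";
  };
in {
  resource.cloudflare_ruleset = {
    # … unchanged: default http_config_settings ruleset …
    redirect = {
      kind = "zone";
      name = "redirect";
      phase = "http_request_dynamic_redirect";
      zone_id = lib.tfRef "var.zone_id";
      rules = [
        (mkRedirect "/hacks" "funny")
        (mkRedirect "/onlyfriends" "onlyfriends")
      ];
    };
  };
}
```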
