summaryrefslogtreecommitdiff
path: root/terraform/dns.tf
blob: 31bd9d665c01e8af50b48324f89075069abf06fc (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107

locals {
  zone_ids = [var.cloudflare_getchoo_com_zone_id]

  dmarc_hardening_records = [
    {
      name    = "_dmarc"
      type    = "TXT"
      content = "'v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;'"
    },
    {
      name    = "*._domainkey"
      type    = "TXT"
      content = "'v=DKIM1; p='"
    },
    {
      name    = "@"
      type    = "TXT"
      content = "'v=spf1 -all'"
    }
  ]

  dmarc_records = flatten([for zone_id in local.zone_ids : [
    for record in local.dmarc_hardening_records : {
      zone_id = zone_id
      name    = record.name
      type    = record.type
      content = record.content
    }
  ]])

  getchoo_records = [
    {
      name    = "@"
      type    = "CNAME"
      content = resource.cloudflare_pages_project.getchoo_website.subdomain
    },
    {
      name    = "www"
      type    = "CNAME"
      content = "getchoo.com"
    },
    {
      name    = "api"
      type    = "CNAME"
      content = resource.cloudflare_pages_project.teawie_api.subdomain
    },
    {
      name    = "miniflux"
      type    = "A"
      content = resource.oci_core_instance.atlas.public_ip
    },
    {
      name    = "git"
      type    = "A"
      content = resource.oci_core_instance.atlas.public_ip
    },
    {
      name    = "@"
      content = "'$argon2id$v=19$m=512,t=256,p=1$AlA6W5fP7J14zMsw0W5KFQ$EQz/NCE0/TQpE64r2Eo/yOpjtMZ9WXevHsv3YYP7CXg'"
      type    = "TXT"
    }
  ]
}

resource "cloudflare_record" "getchoo_com" {
  for_each = { for record in local.getchoo_records : "${record.name}-${record.type}" => record }

  zone_id = var.cloudflare_getchoo_com_zone_id
  name    = each.value.name
  type    = each.value.type
  content = each.value.content

  proxied = lookup(each.value, "proxied", each.value.type != "TXT")
}

resource "cloudflare_record" "dmarc_hardening" {
  for_each = { for record in local.dmarc_records : "${record.zone_id}-${record.name}" => record }

  zone_id = each.value.zone_id
  name    = each.value.name
  type    = each.value.type
  content = each.value.content
}

resource "cloudflare_authenticated_origin_pulls" "origins" {
  for_each = toset([var.cloudflare_getchoo_com_zone_id])

  zone_id = each.key
  enabled = true
}

resource "cloudflare_zone_dnssec" "zones" {
  for_each = toset([var.cloudflare_getchoo_com_zone_id])

  zone_id = each.key
}

resource "cloudflare_zone_settings_override" "strict_ssl" {
  for_each = toset([var.cloudflare_getchoo_com_zone_id])

  zone_id = each.key

  settings {
    always_use_https = "on"
    ssl              = "strict"
  }
}
generated by cgit v1.2.3 (git 2.25.1) at 2025-12-06 13:35:12 +0000