get cloudflared client real ip and fix crowdsec mw

ansible/arcodange/factory/playbooks/01_system.yml

@@ -291,6 +291,9 @@
                 traefik:
                   expose:
                     default: true
+                web:
+                  forwardedHeaders:
+                    trustedIPs: ["10.42.0.0/16"] #default k3s cidr
               ingressRoute:
                 dashboard:
                   enabled: true
@@ -343,7 +346,7 @@
               additionalArguments:
                 - '--providers.file.filename=/config/dynamic.yaml'
                 - '--providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik'
-                - "--providers.kubernetescrd"
+                - "--providers.kubernetescrd.allowcrossnamespace=true"
               certificatesResolvers:
                 letsencrypt:
                   acme:

iac/README.md

@@ -3,3 +3,6 @@
 Provisionne un utilisateur gitea "tofu_module_reader",
 autorisé à lire certains projets il est utilisé par la CI pour récupérer des blueprints terraform
 via sa clé ssh répertoriée dans vault.
+
+#
+configure les tokens ovh et cloudflare pour permettre aux autre projet de gérer des resources du cloud

iac/cloudflare.tf

@@ -68,7 +68,9 @@ module "cf_arcodange_cms_token" {
       "account:Account DNS Settings Write",
       "account:Account Settings Read",
       "zone:Zone Write",
+      "zone:Zone Settings Write",
       "zone:DNS Write",
+      "account:Cloudflare Tunnel Write",
     ]
   }
 }

iac/modules/cloudflare_token/main.tf

@@ -75,7 +75,7 @@ resource "cloudflare_account_token" "token" {
 
 resource "null_resource" "cloudflare_account_token_replace" { # replace token when permission names change
   triggers = {
-    "account_permissions" = sha256(join("",sort([for p_id in local.selected_account_permissions: lookup(local.permission_map_from_id, p_id)])))
+    "account_permissions" = sha256(join("", sort([for p_id in local.selected_account_permissions : lookup(local.permission_map_from_id, p_id)])))
-    "bucket_permissions"  = sha256(join("",sort([for p_id in local.selected_bucket_permissions: lookup(local.permission_map_from_id, p_id)])))
+    "bucket_permissions"  = sha256(join("", sort([for p_id in local.selected_bucket_permissions : lookup(local.permission_map_from_id, p_id)])))
   }
 }

iac/ovh.tf

@@ -3,7 +3,7 @@ data "ovh_iam_reference_actions" "domain" {
   type = "domain"
 }
 locals {
-  domain_read_permissions = [ for a in data.ovh_iam_reference_actions.domain.actions: a if contains(a.categories, "READ") ]
+  domain_read_permissions = [for a in data.ovh_iam_reference_actions.domain.actions : a if contains(a.categories, "READ")]
 }
 
 resource "ovh_me_api_oauth2_client" "cms" {

iac/providers.tf

@@ -30,11 +30,10 @@ provider "gitea" { # https://registry.terraform.io/providers/go-gitea/gitea/late
 
 provider "vault" {
   address = "https://vault.arcodange.duckdns.org"
-  token = "hvs.CAESIH6uB0AKBdNoX5HdY4FQ8NlF1Dvrxoxo6fbMEnkhQ2zJGh4KHGh2cy40cFU1UHAzejl0bXB4VElJWGpobTNaQ3U"
+  auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
-  # auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
+    mount = "gitea_jwt"
-  #   mount = "gitea_jwt"
+    role  = "gitea_cicd"
-  #   role  = "gitea_cicd"
+  }
-  # }
 }
 
 provider "google" {