get cloudflared client real ip and fix crowdsec mw

ansible/arcodange/factory/playbooks/01_system.yml

@@ -291,6 +291,9 @@
                 traefik:
                   expose:
                     default: true
+                web:
+                  forwardedHeaders:
+                    trustedIPs: ["10.42.0.0/16"] #default k3s cidr
               ingressRoute:
                 dashboard:
                   enabled: true
@@ -343,7 +346,7 @@
               additionalArguments:
                 - '--providers.file.filename=/config/dynamic.yaml'
                 - '--providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik'
-                - "--providers.kubernetescrd"
+                - "--providers.kubernetescrd.allowcrossnamespace=true"
               certificatesResolvers:
                 letsencrypt:
                   acme:

iac/README.md

@@ -3,3 +3,6 @@
 Provisionne un utilisateur gitea "tofu_module_reader",
 autorisé à lire certains projets il est utilisé par la CI pour récupérer des blueprints terraform
 via sa clé ssh répertoriée dans vault.
+
+#
+configure les tokens ovh et cloudflare pour permettre aux autre projet de gérer des resources du cloud

iac/cloudflare.tf

@@ -68,7 +68,9 @@ module "cf_arcodange_cms_token" {
       "account:Account DNS Settings Write",
       "account:Account Settings Read",
       "zone:Zone Write",
+      "zone:Zone Settings Write",
       "zone:DNS Write",
+      "account:Cloudflare Tunnel Write",
     ]
   }
 }
@@ -86,7 +88,7 @@ resource "gitea_repository_actions_secret" "cf_account_id_cms" {
 }
 
 output "token" {
-  value = module.cf_arcodange_cms_token.token
+  value     = module.cf_arcodange_cms_token.token
   sensitive = true
 }
 

iac/modules/cloudflare_token/main.tf

@@ -64,7 +64,7 @@ resource "cloudflare_account_token" "token" {
   expires_on = null
 
   lifecycle {
-    ignore_changes       = [expires_on, policies] # ignore permission id change as unstable
+    ignore_changes       = [expires_on, policies]                           # ignore permission id change as unstable
     replace_triggered_by = [null_resource.cloudflare_account_token_replace] # replace permission name change d
     precondition {
       condition     = length(local.missing_permissions) == 0
@@ -75,7 +75,7 @@ resource "cloudflare_account_token" "token" {
 
 resource "null_resource" "cloudflare_account_token_replace" { # replace token when permission names change
   triggers = {
-    "account_permissions" = sha256(join("",sort([for p_id in local.selected_account_permissions: lookup(local.permission_map_from_id, p_id)])))
+    "account_permissions" = sha256(join("", sort([for p_id in local.selected_account_permissions : lookup(local.permission_map_from_id, p_id)])))
-    "bucket_permissions"  = sha256(join("",sort([for p_id in local.selected_bucket_permissions: lookup(local.permission_map_from_id, p_id)])))
+    "bucket_permissions"  = sha256(join("", sort([for p_id in local.selected_bucket_permissions : lookup(local.permission_map_from_id, p_id)])))
   }
 }

iac/ovh.tf

@@ -1,21 +1,21 @@
 data "ovh_me" "account" {}
 data "ovh_iam_reference_actions" "domain" {
-    type = "domain"
+  type = "domain"
 }
 locals {
-  domain_read_permissions = [ for a in data.ovh_iam_reference_actions.domain.actions: a if contains(a.categories, "READ") ]
+  domain_read_permissions = [for a in data.ovh_iam_reference_actions.domain.actions : a if contains(a.categories, "READ")]
 }
 
 resource "ovh_me_api_oauth2_client" "cms" {
-  name = "cms repo"
+  name        = "cms repo"
   description = "arcodange.fr management"
-  flow = "CLIENT_CREDENTIALS"
+  flow        = "CLIENT_CREDENTIALS"
 }
 resource "ovh_iam_policy" "cms" {
   name        = "cms_manager"
   description = "Permissions related to www.arcodange.fr domain"
   identities  = [ovh_me_api_oauth2_client.cms.identity]
-  resources   = [
+  resources = [
     data.ovh_me.account.urn,
     # ovh_me_api_oauth2_client.cms.identity,
     "urn:v1:eu:resource:domain:arcodange.fr",
@@ -27,10 +27,10 @@ resource "ovh_iam_policy" "cms" {
     "account:apiovh:me/certificates/get",
     "account:apiovh:me/tag/get",
     "account:apiovh:services/get",
-  ],
+    ],
-  local.domain_read_permissions[*].action,
+    local.domain_read_permissions[*].action,
-  [
+    [
-    "domain:apiovh:nameServer/edit",
+      "domain:apiovh:nameServer/edit",
   ])
 }
 
@@ -50,8 +50,8 @@ resource "gitea_repository_actions_secret" "ovh_cms_client_secret" {
 resource "vault_kv_secret" "ovh_cms_token" {
   path = "kvv1/ovh/cms/app"
   data_json = jsonencode({
-    client_id = ovh_me_api_oauth2_client.cms.client_id
+    client_id     = ovh_me_api_oauth2_client.cms.client_id
     client_secret = ovh_me_api_oauth2_client.cms.client_secret
-    urn = ovh_me_api_oauth2_client.cms.identity
+    urn           = ovh_me_api_oauth2_client.cms.identity
   })
 }

iac/providers.tf

@@ -17,7 +17,7 @@ terraform {
       version = "~> 5"
     }
     ovh = {
-      source = "ovh/ovh"
+      source  = "ovh/ovh"
       version = "2.8.0"
     }
   }
@@ -30,11 +30,10 @@ provider "gitea" { # https://registry.terraform.io/providers/go-gitea/gitea/late
 
 provider "vault" {
   address = "https://vault.arcodange.duckdns.org"
-  token = "hvs.CAESIH6uB0AKBdNoX5HdY4FQ8NlF1Dvrxoxo6fbMEnkhQ2zJGh4KHGh2cy40cFU1UHAzejl0bXB4VElJWGpobTNaQ3U"
+  auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
-  # auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
+    mount = "gitea_jwt"
-  #   mount = "gitea_jwt"
+    role  = "gitea_cicd"
-  #   role  = "gitea_cicd"
+  }
-  # }
 }
 
 provider "google" {
@@ -45,5 +44,5 @@ provider "google" {
 provider "cloudflare" {} # CLOUDFLARE_API_TOKEN environment variable required
 
 provider "ovh" { # OVH_APPLICATION_KEY OVH_APPLICATION_SECRET OVH_CONSUMER_KEY
-  endpoint      = "ovh-eu"
+  endpoint = "ovh-eu"
 }