get cloudflared client real ip and fix crowdsec mw

2025-11-29 17:24:51 +01:00
parent 72628f0f0e
commit f7bfe2f71d
6 changed files with 33 additions and 26 deletions


@@ -291,6 +291,9 @@
traefik: traefik:
expose: expose:
default: true default: true
web:
forwardedHeaders:
trustedIPs: ["10.42.0.0/16"] #default k3s cidr
ingressRoute: ingressRoute:
dashboard: dashboard:
enabled: true enabled: true
@@ -343,7 +346,7 @@
additionalArguments: additionalArguments:
- '--providers.file.filename=/config/dynamic.yaml' - '--providers.file.filename=/config/dynamic.yaml'
- '--providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik' - '--providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik'
- "--providers.kubernetescrd" - "--providers.kubernetescrd.allowcrossnamespace=true"
certificatesResolvers: certificatesResolvers:
letsencrypt: letsencrypt:
acme: acme:
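Review bot: `trustedIPs: ["10.42.0.0/16"]` under `web.forwardedHeaders` tells Traefik to honour X-Forwarded-* headers from every address in the pod CIDR, not only from the cloudflared pod, so any workload in the cluster that can reach the `web` entrypoint can present an arbitrary client IP to the crowdsec middleware the commit title refers to and skew its IP-based decisions. If cloudflared is the only intended source, narrow the trust boundary: pin cloudflared to a dedicated address range or node and list that, or back the CIDR with a NetworkPolicy so only cloudflared can reach the entrypoint; either way record the intent next to the value, e.g. `# only cloudflared should reach this entrypoint; see NetworkPolicy <placeholder-name>`. In the second hunk, `--providers.kubernetescrd.allowcrossnamespace=true` also lets an IngressRoute reference Middlewares and Services in other namespaces, which widens who can attach or detach the crowdsec middleware; confirm that is the desired scope rather than a same-namespace reference.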


@@ -2,4 +2,7 @@
Provisionne un utilisateur gitea "tofu_module_reader", Provisionne un utilisateur gitea "tofu_module_reader",
autorisé à lire certains projets il est utilisé par la CI pour récupérer des blueprints terraform autorisé à lire certains projets il est utilisé par la CI pour récupérer des blueprints terraform
via sa clé ssh répertoriée dans vault. via sa clé ssh répertoriée dans vault.
#
configure les tokens ovh et cloudflare pour permettre aux autre projet de gérer des resources du cloud


@@ -24,7 +24,7 @@ module "cf_r2_arcodange_tf_token" {
"account:Workers R2 Storage Read", "account:Workers R2 Storage Read",
"bucket:Workers R2 Storage Bucket Item Write", "bucket:Workers R2 Storage Bucket Item Write",
] ]
account = [ account = [
"account:Account Settings Read", "account:Account Settings Read",
] ]
} }
@@ -68,7 +68,9 @@ module "cf_arcodange_cms_token" {
"account:Account DNS Settings Write", "account:Account DNS Settings Write",
"account:Account Settings Read", "account:Account Settings Read",
"zone:Zone Write", "zone:Zone Write",
"zone:Zone Settings Write",
"zone:DNS Write", "zone:DNS Write",
"account:Cloudflare Tunnel Write",
] ]
} }
} }
@@ -86,7 +88,7 @@ resource "gitea_repository_actions_secret" "cf_account_id_cms" {
} }
output "token" { output "token" {
value = module.cf_arcodange_cms_token.token value = module.cf_arcodange_cms_token.token
sensitive = true sensitive = true
} }
@@ -95,4 +97,4 @@ resource "vault_kv_secret" "cf_arcodange_cms_token" {
data_json = jsonencode({ data_json = jsonencode({
token = module.cf_arcodange_cms_token.token token = module.cf_arcodange_cms_token.token
}) })
} }
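Review bot: The added `"zone:Zone Settings Write"` and `"account:Cloudflare Tunnel Write"` entries in `module "cf_arcodange_cms_token"` may not reach the existing token: the token module's `lifecycle` sets `ignore_changes = [expires_on, policies]` and its `null_resource` replace trigger hashes only `account_permissions` and `bucket_permissions` (see the next file section), so a new zone-scoped permission appears to have no trigger unless one exists outside the hunk; verify after apply or add a matching `zone_permissions` trigger. `"account:Cloudflare Tunnel Write"` is account-wide and covers every tunnel in the account, not just the one the CMS uses, so note why the CMS token needs it, e.g. `# needed for cloudflared tunnel config of the CMS site; account-wide by Cloudflare design`. The enclosing module block starts before the hunk.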


@@ -64,7 +64,7 @@ resource "cloudflare_account_token" "token" {
expires_on = null expires_on = null
lifecycle { lifecycle {
ignore_changes = [expires_on, policies] # ignore permission id change as unstable ignore_changes = [expires_on, policies] # ignore permission id change as unstable
replace_triggered_by = [null_resource.cloudflare_account_token_replace] # replace permission name change d replace_triggered_by = [null_resource.cloudflare_account_token_replace] # replace permission name change d
precondition { precondition {
condition = length(local.missing_permissions) == 0 condition = length(local.missing_permissions) == 0
@@ -75,7 +75,7 @@ resource "cloudflare_account_token" "token" {
resource "null_resource" "cloudflare_account_token_replace" { # replace token when permission names change resource "null_resource" "cloudflare_account_token_replace" { # replace token when permission names change
triggers = { triggers = {
"account_permissions" = sha256(join("",sort([for p_id in local.selected_account_permissions: lookup(local.permission_map_from_id, p_id)]))) "account_permissions" = sha256(join("", sort([for p_id in local.selected_account_permissions : lookup(local.permission_map_from_id, p_id)])))
"bucket_permissions" = sha256(join("",sort([for p_id in local.selected_bucket_permissions: lookup(local.permission_map_from_id, p_id)]))) "bucket_permissions" = sha256(join("", sort([for p_id in local.selected_bucket_permissions : lookup(local.permission_map_from_id, p_id)])))
} }
} }


@@ -1,21 +1,21 @@
data "ovh_me" "account" {} data "ovh_me" "account" {}
data "ovh_iam_reference_actions" "domain" { data "ovh_iam_reference_actions" "domain" {
type = "domain" type = "domain"
} }
locals { locals {
domain_read_permissions = [ for a in data.ovh_iam_reference_actions.domain.actions: a if contains(a.categories, "READ") ] domain_read_permissions = [for a in data.ovh_iam_reference_actions.domain.actions : a if contains(a.categories, "READ")]
} }
resource "ovh_me_api_oauth2_client" "cms" { resource "ovh_me_api_oauth2_client" "cms" {
name = "cms repo" name = "cms repo"
description = "arcodange.fr management" description = "arcodange.fr management"
flow = "CLIENT_CREDENTIALS" flow = "CLIENT_CREDENTIALS"
} }
resource "ovh_iam_policy" "cms" { resource "ovh_iam_policy" "cms" {
name = "cms_manager" name = "cms_manager"
description = "Permissions related to www.arcodange.fr domain" description = "Permissions related to www.arcodange.fr domain"
identities = [ovh_me_api_oauth2_client.cms.identity] identities = [ovh_me_api_oauth2_client.cms.identity]
resources = [ resources = [
data.ovh_me.account.urn, data.ovh_me.account.urn,
# ovh_me_api_oauth2_client.cms.identity, # ovh_me_api_oauth2_client.cms.identity,
"urn:v1:eu:resource:domain:arcodange.fr", "urn:v1:eu:resource:domain:arcodange.fr",
@@ -27,10 +27,10 @@ resource "ovh_iam_policy" "cms" {
"account:apiovh:me/certificates/get", "account:apiovh:me/certificates/get",
"account:apiovh:me/tag/get", "account:apiovh:me/tag/get",
"account:apiovh:services/get", "account:apiovh:services/get",
], ],
local.domain_read_permissions[*].action, local.domain_read_permissions[*].action,
[ [
"domain:apiovh:nameServer/edit", "domain:apiovh:nameServer/edit",
]) ])
} }
@@ -50,8 +50,8 @@ resource "gitea_repository_actions_secret" "ovh_cms_client_secret" {
resource "vault_kv_secret" "ovh_cms_token" { resource "vault_kv_secret" "ovh_cms_token" {
path = "kvv1/ovh/cms/app" path = "kvv1/ovh/cms/app"
data_json = jsonencode({ data_json = jsonencode({
client_id = ovh_me_api_oauth2_client.cms.client_id client_id = ovh_me_api_oauth2_client.cms.client_id
client_secret = ovh_me_api_oauth2_client.cms.client_secret client_secret = ovh_me_api_oauth2_client.cms.client_secret
urn = ovh_me_api_oauth2_client.cms.identity urn = ovh_me_api_oauth2_client.cms.identity
}) })
} }


@@ -17,7 +17,7 @@ terraform {
version = "~> 5" version = "~> 5"
} }
ovh = { ovh = {
source = "ovh/ovh" source = "ovh/ovh"
version = "2.8.0" version = "2.8.0"
} }
} }
@@ -30,11 +30,10 @@ provider "gitea" { # https://registry.terraform.io/providers/go-gitea/gitea/late
provider "vault" { provider "vault" {
address = "https://vault.arcodange.duckdns.org" address = "https://vault.arcodange.duckdns.org"
token = "hvs.CAESIH6uB0AKBdNoX5HdY4FQ8NlF1Dvrxoxo6fbMEnkhQ2zJGh4KHGh2cy40cFU1UHAzejl0bXB4VElJWGpobTNaQ3U" auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
# auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable mount = "gitea_jwt"
# mount = "gitea_jwt" role = "gitea_cicd"
# role = "gitea_cicd" }
# }
} }
provider "google" { provider "google" {
@@ -45,5 +44,5 @@ provider "google" {
provider "cloudflare" {} # CLOUDFLARE_API_TOKEN environment variable required provider "cloudflare" {} # CLOUDFLARE_API_TOKEN environment variable required
provider "ovh" { # OVH_APPLICATION_KEY OVH_APPLICATION_SECRET OVH_CONSUMER_KEY provider "ovh" { # OVH_APPLICATION_KEY OVH_APPLICATION_SECRET OVH_CONSUMER_KEY
endpoint = "ovh-eu" endpoint = "ovh-eu"
} }
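Review bot: The `hvs.…` Vault token removed from `provider "vault"` remains readable in the repository history (parent 72628f0f0e), so deleting it from the working tree does not contain it; it should be revoked in Vault, and the history rewritten if the repository is shared. The replacement `auth_login_jwt` block is the right direction, but the only hint about where the JWT comes from is the trailing comment; consider making it explicit, e.g. `# JWT supplied by the CI runner via TERRAFORM_VAULT_AUTH_JWT; never a literal here`. A pre-commit secret scanner would have caught the original literal and is cheap to add to this repo.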