get cloudflared client real ip and fix crowdsec mw

2025-11-29 17:24:51 +01:00
parent 72628f0f0e
commit f7bfe2f71d
6 changed files with 33 additions and 26 deletions
--- a/ansible/arcodange/factory/playbooks/01_system.yml
+++ b/ansible/arcodange/factory/playbooks/01_system.yml
@@ -291,6 +291,9 @@
                traefik:
                  expose:
                    default: true
+                web:
+                  forwardedHeaders:
+                    trustedIPs: ["10.42.0.0/16"] #default k3s cidr
              ingressRoute:
                dashboard:
                  enabled: true
@@ -343,7 +346,7 @@
              additionalArguments:
                - '--providers.file.filename=/config/dynamic.yaml'
                - '--providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik'
-                - "--providers.kubernetescrd"
+                - "--providers.kubernetescrd.allowcrossnamespace=true"
              certificatesResolvers:
                letsencrypt:
                  acme:
--- a/iac/README.md
+++ b/iac/README.md
@@ -3,3 +3,6 @@
 Provisionne un utilisateur gitea "tofu_module_reader",
 autorisé à lire certains projets il est utilisé par la CI pour récupérer des blueprints terraform
 via sa clé ssh répertoriée dans vault.
+
+#
+configure les tokens ovh et cloudflare pour permettre aux autre projet de gérer des resources du cloud
--- a/iac/cloudflare.tf
+++ b/iac/cloudflare.tf
@@ -68,7 +68,9 @@ module "cf_arcodange_cms_token" {
      "account:Account DNS Settings Write",
      "account:Account Settings Read",
      "zone:Zone Write",
+      "zone:Zone Settings Write",
      "zone:DNS Write",
+      "account:Cloudflare Tunnel Write",
    ]
  }
 }
--- a/iac/providers.tf
+++ b/iac/providers.tf
@@ -30,11 +30,10 @@ provider "gitea" { # https://registry.terraform.io/providers/go-gitea/gitea/late

 provider "vault" {
  address = "https://vault.arcodange.duckdns.org"
-  token = "hvs.CAESIH6uB0AKBdNoX5HdY4FQ8NlF1Dvrxoxo6fbMEnkhQ2zJGh4KHGh2cy40cFU1UHAzejl0bXB4VElJWGpobTNaQ3U"
-  # auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
-  #   mount = "gitea_jwt"
-  #   role  = "gitea_cicd"
-  # }
+  auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
+    mount = "gitea_jwt"
+    role  = "gitea_cicd"
+  }
 }

 provider "google" {