get cloudflared client real ip and fix crowdsec mw

2025-11-29 17:24:51 +01:00
parent 72628f0f0e
commit f7bfe2f71d
6 changed files with 33 additions and 26 deletions
--- a/ansible/arcodange/factory/playbooks/01_system.yml
+++ b/ansible/arcodange/factory/playbooks/01_system.yml
@@ -291,6 +291,9 @@
                traefik:
                  expose:
                    default: true
+                web:
+                  forwardedHeaders:
+                    trustedIPs: ["10.42.0.0/16"] #default k3s cidr
              ingressRoute:
                dashboard:
                  enabled: true
@@ -343,7 +346,7 @@
              additionalArguments:
                - '--providers.file.filename=/config/dynamic.yaml'
                - '--providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik'
-                - "--providers.kubernetescrd"
+                - "--providers.kubernetescrd.allowcrossnamespace=true"
              certificatesResolvers:
                letsencrypt:
                  acme:
--- a/iac/README.md
+++ b/iac/README.md
@@ -3,3 +3,6 @@
 Provisionne un utilisateur gitea "tofu_module_reader",
 autorisé à lire certains projets il est utilisé par la CI pour récupérer des blueprints terraform
 via sa clé ssh répertoriée dans vault.
+
+#
+configure les tokens ovh et cloudflare pour permettre aux autre projet de gérer des resources du cloud
--- a/iac/cloudflare.tf
+++ b/iac/cloudflare.tf
@@ -68,7 +68,9 @@ module "cf_arcodange_cms_token" {
      "account:Account DNS Settings Write",
      "account:Account Settings Read",
      "zone:Zone Write",
+      "zone:Zone Settings Write",
      "zone:DNS Write",
+      "account:Cloudflare Tunnel Write",
    ]
  }
 }
--- a/iac/modules/cloudflare_token/main.tf
+++ b/iac/modules/cloudflare_token/main.tf
@@ -75,7 +75,7 @@ resource "cloudflare_account_token" "token" {

 resource "null_resource" "cloudflare_account_token_replace" { # replace token when permission names change
  triggers = {
-    "account_permissions" = sha256(join("",sort([for p_id in local.selected_account_permissions: lookup(local.permission_map_from_id, p_id)])))
-    "bucket_permissions"  = sha256(join("",sort([for p_id in local.selected_bucket_permissions: lookup(local.permission_map_from_id, p_id)])))
+    "account_permissions" = sha256(join("", sort([for p_id in local.selected_account_permissions : lookup(local.permission_map_from_id, p_id)])))
+    "bucket_permissions"  = sha256(join("", sort([for p_id in local.selected_bucket_permissions : lookup(local.permission_map_from_id, p_id)])))
  }
 }
--- a/iac/ovh.tf
+++ b/iac/ovh.tf
@@ -3,7 +3,7 @@ data "ovh_iam_reference_actions" "domain" {
  type = "domain"
 }
 locals {
-  domain_read_permissions = [ for a in data.ovh_iam_reference_actions.domain.actions: a if contains(a.categories, "READ") ]
+  domain_read_permissions = [for a in data.ovh_iam_reference_actions.domain.actions : a if contains(a.categories, "READ")]
 }

 resource "ovh_me_api_oauth2_client" "cms" {
--- a/iac/providers.tf
+++ b/iac/providers.tf
@@ -30,11 +30,10 @@ provider "gitea" { # https://registry.terraform.io/providers/go-gitea/gitea/late

 provider "vault" {
  address = "https://vault.arcodange.duckdns.org"
-  token = "hvs.CAESIH6uB0AKBdNoX5HdY4FQ8NlF1Dvrxoxo6fbMEnkhQ2zJGh4KHGh2cy40cFU1UHAzejl0bXB4VElJWGpobTNaQ3U"
-  # auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
-  #   mount = "gitea_jwt"
-  #   role  = "gitea_cicd"
-  # }
+  auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
+    mount = "gitea_jwt"
+    role  = "gitea_cicd"
+  }
 }

 provider "google" {