diff --git a/servers/legion/gitea-access.tf b/servers/legion/gitea-access.tf new file mode 100644 index 0000000..2dc5d66 --- /dev/null +++ b/servers/legion/gitea-access.tf @@ -0,0 +1,42 @@ +# Cloudflare Zero Trust Access — git.neuralplatform.ai (Gitea) +# +# The Gitea Access application itself is currently managed in the Cloudflare +# dashboard, NOT in Terraform. This file only manages the *service token* the +# Gitea Actions runners use to authenticate through CF Access while still +# keeping the human Google-OAuth gate for browser users. +# +# Why not import the application here? +# - Importing the existing dashboard app risks drifting the human-auth +# policy (Google IdP, allowed emails) which is settled and working. +# - Service tokens can be added to a dashboard-managed app without +# importing the app itself; the token resource lives at the account +# level and is referenced from a policy. +# - We pay only the cost we need to. If we later want all Access apps +# in TF we can do a focused import pass. +# +# After `terraform apply` produces the token id/secret, Will must: +# 1. Run `vault kv put secret/gitea-runner-cf-access ...` (see outputs). +# 2. In the Cloudflare dashboard, edit the existing "Gitea" Access +# application's policies and add a new policy: +# Action: Service Auth (decision = non_identity) +# Include: Service Token = "gitea-runner" +# This grants the service token bypass through CF Access on +# git.neuralplatform.ai without changing the human-auth flow. + +resource "cloudflare_zero_trust_access_service_token" "gitea_runner" { + account_id = var.cloudflare_account_id + name = "gitea-runner" + # Default duration is "8760h" (1 year). Rotate via re-apply when needed. + duration = "forever" +} + +output "gitea_runner_cf_access_client_id" { + description = "CF Access service token client ID for the Gitea Actions runner. Store in Vault at secret/gitea-runner-cf-access." + value = cloudflare_zero_trust_access_service_token.gitea_runner.client_id +} + +output "gitea_runner_cf_access_client_secret" { + description = "CF Access service token client secret. Store in Vault at secret/gitea-runner-cf-access. Only emitted at creation time." + value = cloudflare_zero_trust_access_service_token.gitea_runner.client_secret + sensitive = true +}