From 532500d7e83900d508d0cdbee503bc4501dc2440 Mon Sep 17 00:00:00 2001
From: Marc Cataford
Date: Tue, 4 Jul 2023 23:07:47 -0400
Subject: [PATCH] infra: cloudflare-based tunnel service (#22)

---
 .gitignore | 1 +
 README.md | 1 +
 services/bastion/README.md | 13 +++++++++++++
 services/bastion/docker-compose.yml | 16 ++++++++++++++++
 4 files changed, 31 insertions(+)
 create mode 100644 services/bastion/README.md
 create mode 100644 services/bastion/docker-compose.yml

diff --git a/.gitignore b/.gitignore
index 0af62c6..266f8cf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 spadinaistan.venv
+**/*.env
 **/.env
 pyinfra-debug.log
 deluge/config
diff --git a/README.md b/README.md
index 74bdaed..b8abb63 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,7 @@ anyone else.
 |[Traefik](./services/traefik)|Traefik API Gateway|
 |[Bitwarden](./services/bitwarden)|Bitwarden secrets management|
 |[Auth](./services/auth-service)|Microservice handling authentication, gates access to certain resources.|
+|[Bastion](./services/bastion)|Tunnel service exposing the services to the internet through Cloudflare.|
 
 ## Getting started
 
diff --git a/services/bastion/README.md b/services/bastion/README.md
new file mode 100644
index 0000000..215b603
--- /dev/null
+++ b/services/bastion/README.md
@@ -0,0 +1,13 @@
+# Bastion
+
+This service is the tunnel through which all traffic flows. It communicates with Cloudflare so that no ports on the
+machine need to be exposed.
+
+## Installation
+
+A `secrets.env` file containing the token provided by Cloudflare (`TUNNEL_TOKEN`) must be provided.
+
+### Making services visible
+
+Services should be on the same network (`internal`) as the bastion for Cloudflare to route traffic to them
+properly.
diff --git a/services/bastion/docker-compose.yml b/services/bastion/docker-compose.yml
new file mode 100644
index 0000000..91165aa
--- /dev/null
+++ b/services/bastion/docker-compose.yml
@@ -0,0 +1,16 @@ +version: '3.7' + +services: + tunnel: + # Last updated: 4/7/2023 + image: cloudflare/cloudflared:1414-cb4bd8d06572 + command: tunnel run + restart: always + env_file: + # The secrets.env file is expected to contain + # the TUNNEL_TOKEN value from Cloudflare. + - secrets.env + +networks: + default: + name: internal
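Review bot: The `image:` line pins cloudflared by tag only, and registry tags are mutable, so the binary that terminates every inbound connection to this host can change with no corresponding change in the repository; pin the digest alongside the tag, `image: cloudflare/cloudflared:1414-cb4bd8d06572@sha256:<digest-for-this-tag>`, and refresh it together with the `# Last updated` comment. That comment's date is ambiguous (the commit date indicates it means 4 July 2023, not 7 April), so write it as `# Last updated: 2023-07-04`. The `tunnel` service also carries no hardening directives; since the container reads `TUNNEL_TOKEN` and is the single ingress point, adding `read_only: true` and `cap_drop: [ALL]` would limit what a compromised cloudflared process could do on the host, after confirming the image runs correctly with them. It may also be worth noting in the file that `networks: default: name: internal` makes every service attached to `internal` reachable from the tunnel container, which is the exposure decision the README describes.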