infra: cloudflare-based tunnel service (#22)

.gitignore

@@ -1,5 +1,6 @@
 spadinaistan.venv
 
+**/*.env
 **/.env
 pyinfra-debug.log
 deluge/config

README.md

@@ -14,6 +14,7 @@ anyone else.
 |[Traefik](./services/traefik)|Traefik API Gateway|
 |[Bitwarden](./services/bitwarden)|Bitwarden secrets management|
 |[Auth](./services/auth-service)|Microservice handling authentication, gates access to certain resources.|
+|[Bastion](./services/bastion)|Tunnel service exposing the services to the internet through Cloudflare.|
 
 ## Getting started
 

services/bastion/README.md

@@ -0,0 +1,13 @@
+# Bastion
+
+This service is the tunnel through which all traffic flows. It communicates with Cloudflare so that no ports on the
+machine need to be exposed.
+
+## Installation
+
+A `secrets.env` file containing the token provided by Cloudflare (`TUNNEL_TOKEN`) must be provided.
+
+### Making services visible
+
+Services should be on the same network (`internal`) as the bastion for Cloudflare to route traffic to them
+properly.

services/bastion/docker-compose.yml

@@ -0,0 +1,16 @@
+version: '3.7'
+
+services:
+  tunnel:
+    # Last updated: 4/7/2023
+    image: cloudflare/cloudflared:1414-cb4bd8d06572
+    command: tunnel run
+    restart: always
+    env_file:
+      # The secrets.env file is expected to contain
+      # the TUNNEL_TOKEN value from Cloudflare.
+      - secrets.env
+
+networks:
+  default:
+    name: internal