.gitignore

@@ -7,3 +7,6 @@ terraform/.secrets
 /terraform/exercise.tfplan
 /terraform/terraform.tfstate
 /terraform/terraform.tfstate.backup
+/host_vars/server2.yml
+/roles/cloudflared_tunnel/files/config.yml
+/roles/cloudflared_tunnel/templates/*.json

host_vars/.keep

@@ -0,0 +1 @@
+Holds generated host var files

hosts.yml

@@ -0,0 +1,7 @@
+---
+all:
+  hosts:
+    server2:
+      ansible_become_pass: "{{ become_pass }}"
+  vars:
+    ansible_user: zoe

roles/cloudflared_tunnel/files/.keep

@@ -0,0 +1 @@
+holds generated cloudflare tunnel configuration

roles/cloudflared_tunnel/tasks/main.yml

@@ -0,0 +1,57 @@
+---
+- name: Create Cloudlfared group
+  become: yes
+  group:
+    name: cloudflared
+    state: present
+- name: Create Cloudflared user
+  become: yes
+  user:
+    name: cloudflared
+    system: yes
+    password: '!'
+    shell: /bin/false
+    create_home: yes
+    home: /etc/cloudflared
+- name: Upload config file
+  become: yes
+  copy:
+    src: config.yml
+    dest: /etc/cloudflared/config.yml
+    owner: cloudflared
+    group: cloudflared
+    mode: 0640
+- name: Upload the credentials file
+  become: yes
+  template:
+    src: "{{ tunnel_id }}.json"
+    dest: /etc/cloudflared/{{ tunnel_id }}.json
+    owner: cloudflared
+    group: cloudflared
+    mode: 0640
+- name: Download Cloudflared binary
+  become: yes
+  get_url:
+    url: https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64
+    dest: /etc/cloudflared/bin/cloudflared
+    owner: cloudflared
+    group: cloudflared
+    mode: '0760'
+- name: Check if the Cloudflared service is already installed
+  become: yes
+  stat:
+    path: /etc/systemd/system/cloudflared.service
+  register: cloudflared_exists
+- name: Install the Cloudflared service
+  become: yes
+  when: not cloudflared_exists.stat.exists
+  environment:
+    PATH: /etc/cloudflared/bin:{{ ansible_env.PATH }}
+  command:
+    cmd: cloudflared service install
+- name: Start cloudflared
+  become: yes
+  systemd:
+    name: cloudflared
+    state: restarted
+

site.yml

@@ -0,0 +1 @@
+---

terraform/.keep

@@ -1 +0,0 @@
-Dir to hold Terraform config

terraform/main.tf

@@ -24,3 +24,38 @@ resource "cloudflare_record" "notfound" {
   value   = cloudflare_tunnel.tunnel.cname
   proxied = true
 }
+
+resource "local_sensitive_file" "tunnel_config" {
+  filename = "../roles/cloudflared_tunnel/files/config.yml"
+  content  = <<-EOT
+tunnel: ${cloudflare_tunnel.tunnel.id}
+credentials-file: /etc/cloudflared/${cloudflare_tunnel.tunnel.id}.json
+
+ingress:
+- service: http_status:404
+EOT
+}
+
+resource "local_sensitive_file" "tunnel_creds" {
+  filename = "../roles/cloudflared_tunnel/templates/${cloudflare_tunnel.tunnel.id}.json"
+  content  = <<-EOT
+{
+  "AccountTag": "${var.account_id}",
+  "TunnelID": "{{ tunnel_id }}",
+  "TunnelName": "mastodon",
+  "TunnelSecret": "{{ tunnel_secret }}"
+}
+EOT
+}
+
+resource "local_sensitive_file" "credentials_variables" {
+  filename = "../host_vars/server2.yml"
+  content  = <<-EOT
+---
+tunnel_id: ${cloudflare_tunnel.tunnel.id}
+tunnel_secret: ${var.tunnel_secret}
+
+EOT
+}
+
+