admin/ab.dem.tf.changemaker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ab.dem.tf.changemaker/add-cname-records.sh
admin 57684a8a83 inital commit
2025-05-30 12:43:55 -06:00

291 lines
9.6 KiB
Bash
Executable File
Raw Permalink Blame History

#!/bin/bash
echo "#############################################################"
echo "# "
echo "# DNS Setup for Changemaker.lite Services "
echo "# "
echo "# This script will ADD DNS records for your services. "
echo "# Existing DNS records will NOT be deleted. "
echo "# "
echo "#############################################################"
echo ""
echo "-------------------------------------------------------------"
echo "Cloudflare Credentials Required"
echo "Please ensure your .env file contains the following variables:"
echo " CF_API_TOKEN=your_cloudflare_api_token"
echo " CF_ZONE_ID=your_cloudflare_zone_id"
echo " CF_TUNNEL_ID=your_cloudflared_tunnel_id"
echo " CF_DOMAIN=yourdomain.com"
echo ""
echo "You can find these values in your Cloudflare dashboard:"
echo " - API Token: https://dash.cloudflare.com/profile/api-tokens (Create a token with Zone:DNS:Edit and Access:Apps:Edit permissions for your domain)"
echo " - Zone ID: On your domain's overview page"
echo " - Tunnel ID: In the Zero Trust dashboard under Access > Tunnels"
echo " - Domain: The domain you want to use for your services"
echo ""
echo "-------------------------------------------------------------"
echo ""
read -p "Type 'y' to continue or any other key to abort: " consent
if [[ "$consent" != "y" && "$consent" != "Y" ]]; then
echo "Aborted by user."
exit 1
fi
# Source environment variables from the .env file in the same directory
ENV_FILE="$(dirname "$0")/.env"
if [ -f "$ENV_FILE" ]; then
export $(grep -v '^#' "$ENV_FILE" | xargs)
else
echo "Error: .env file not found at $ENV_FILE"
exit 1
fi
# Check if required Cloudflare variables are set
if [ -z "$CF_API_TOKEN" ] || [ -z "$CF_ZONE_ID" ] || [ -z "$CF_TUNNEL_ID" ] || [ -z "$CF_DOMAIN" ]; then
echo "Error: One or more required Cloudflare environment variables (CF_API_TOKEN, CF_ZONE_ID, CF_TUNNEL_ID, CF_DOMAIN) are not set in $ENV_FILE."
exit 1
fi
# Check if jq is installed
if ! command -v jq &> /dev/null; then
echo "Error: jq is required but not installed. Please install jq to continue."
echo "On Debian/Ubuntu: sudo apt-get install jq"
echo "On RHEL/CentOS: sudo yum install jq"
exit 1
fi
# Array of subdomains that need DNS records - updated to match our active services
SUBDOMAINS=(
"dashboard"
"code"
"listmonk"
"docs"
"n8n"
"db"
"git"
)
# Function to check if DNS record already exists
record_exists() {
local subdomain=$1
local records=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/dns_records?name=$subdomain.$CF_DOMAIN" \
-H "Authorization: Bearer $CF_API_TOKEN" \
-H "Content-Type: application/json")
local count=$(echo $records | jq -r '.result | length')
[ "$count" -gt 0 ]
}
# Add CNAME records for each subdomain (only if they don't exist)
echo "Adding DNS records for services..."
for subdomain in "${SUBDOMAINS[@]}"; do
if record_exists "$subdomain"; then
echo "DNS record for $subdomain.$CF_DOMAIN already exists, skipping..."
else
echo "Adding CNAME record for $subdomain.$CF_DOMAIN..."
response=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/dns_records" \
-H "Authorization: Bearer $CF_API_TOKEN" \
-H "Content-Type: application/json" \
--data "{
\"type\": \"CNAME\",
\"name\": \"$subdomain\",
\"content\": \"$CF_TUNNEL_ID.cfargotunnel.com\",
\"ttl\": 1,
\"proxied\": true
}")
success=$(echo $response | jq -r '.success')
if [ "$success" == "true" ]; then
echo "✓ Successfully added CNAME record for $subdomain.$CF_DOMAIN"
else
echo "✗ Failed to add CNAME record for $subdomain.$CF_DOMAIN"
echo "Error: $(echo $response | jq -r '.errors[0].message')"
fi
fi
done
# Add root domain record if it doesn't exist
if record_exists "@"; then
echo "Root domain DNS record already exists, skipping..."
else
echo "Adding root domain CNAME record..."
response=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/dns_records" \
-H "Authorization: Bearer $CF_API_TOKEN" \
-H "Content-Type: application/json" \
--data "{
\"type\": \"CNAME\",
\"name\": \"@\",
\"content\": \"$CF_TUNNEL_ID.cfargotunnel.com\",
\"ttl\": 1,
\"proxied\": true
}")
success=$(echo $response | jq -r '.success')
if [ "$success" == "true" ]; then
echo "✓ Successfully added root domain CNAME record"
else
echo "✗ Failed to add root domain CNAME record"
echo "Error: $(echo $response | jq -r '.errors[0].message')"
fi
fi
echo ""
echo "DNS records setup complete!"
echo ""
# Prompt for admin email for secured services
echo "-------------------------------------------------------------"
echo "Setting up Cloudflare Access Protection"
echo "-------------------------------------------------------------"
echo ""
echo "The following services will be protected with authentication:"
echo " - dashboard.$CF_DOMAIN"
echo " - code.$CF_DOMAIN"
echo ""
echo "Please enter the admin email address that should have access:"
read ADMIN_EMAIL
# Validate email format
if [[ ! "$ADMIN_EMAIL" =~ ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$ ]]; then
echo "Error: Invalid email format. Please provide a valid email address."
exit 1
fi
# Services that require authentication - updated for our use case
PROTECTED_SERVICES=("dashboard" "code")
# Services that should have bypass policies (public access) - updated for our use case
BYPASS_SERVICES=("listmonk" "docs" "n8n" "db" "git")
# Function to create access application with email authentication
create_protected_app() {
local service=$1
echo "Setting up authentication for $service.$CF_DOMAIN..."
app_response=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/access/apps" \
-H "Authorization: Bearer $CF_API_TOKEN" \
-H "Content-Type: application/json" \
--data "{
\"name\": \"$service $CF_DOMAIN\",
\"domain\": \"$service.$CF_DOMAIN\",
\"type\": \"self_hosted\",
\"session_duration\": \"24h\",
\"app_launcher_visible\": true,
\"skip_interstitial\": true
}")
app_id=$(echo $app_response | jq -r '.result.id')
if [ -z "$app_id" ] || [ "$app_id" == "null" ]; then
echo "✗ Error creating access application for $service"
return 1
fi
echo "✓ Created access application for $service (ID: $app_id)"
# Create authentication policy
policy_response=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/access/apps/$app_id/policies" \
-H "Authorization: Bearer $CF_API_TOKEN" \
-H "Content-Type: application/json" \
--data "{
\"name\": \"Admin Access\",
\"decision\": \"allow\",
\"include\": [{
\"email\": {
\"email\": \"$ADMIN_EMAIL\"
}
}],
\"require\": [],
\"exclude\": []
}")
policy_success=$(echo $policy_response | jq -r '.success')
if [ "$policy_success" == "true" ]; then
echo "✓ Created authentication policy for $service"
else
echo "✗ Failed to create authentication policy for $service"
fi
}
# Function to create bypass application (public access)
create_bypass_app() {
local service=$1
echo "Setting up public access for $service.$CF_DOMAIN..."
app_response=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/access/apps" \
-H "Authorization: Bearer $CF_API_TOKEN" \
-H "Content-Type: application/json" \
--data "{
\"name\": \"$service $CF_DOMAIN\",
\"domain\": \"$service.$CF_DOMAIN\",
\"type\": \"self_hosted\",
\"session_duration\": \"24h\",
\"app_launcher_visible\": false,
\"skip_interstitial\": true
}")
app_id=$(echo $app_response | jq -r '.result.id')
if [ -z "$app_id" ] || [ "$app_id" == "null" ]; then
echo "✗ Error creating access application for $service"
return 1
fi
echo "✓ Created access application for $service (ID: $app_id)"
# Create bypass policy
policy_response=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/access/apps/$app_id/policies" \
-H "Authorization: Bearer $CF_API_TOKEN" \
-H "Content-Type: application/json" \
--data "{
\"name\": \"Public Access\",
\"decision\": \"bypass\",
\"include\": [{
\"everyone\": {}
}],
\"require\": [],
\"exclude\": []
}")
policy_success=$(echo $policy_response | jq -r '.success')
if [ "$policy_success" == "true" ]; then
echo "✓ Created public access policy for $service"
else
echo "✗ Failed to create public access policy for $service"
fi
}
echo "Creating Cloudflare Access applications..."
echo ""
# Create protected applications
for service in "${PROTECTED_SERVICES[@]}"; do
create_protected_app "$service"
echo ""
done
# Create bypass applications for public services
for service in "${BYPASS_SERVICES[@]}"; do
create_bypass_app "$service"
echo ""
done
echo "-------------------------------------------------------------"
echo "Setup Complete!"
echo "-------------------------------------------------------------"
echo ""
echo "Protected services (require authentication with $ADMIN_EMAIL):"
for service in "${PROTECTED_SERVICES[@]}"; do
echo " - https://$service.$CF_DOMAIN"
done
echo ""
echo "Public services (no authentication required):"
for service in "${BYPASS_SERVICES[@]}"; do
echo " - https://$service.$CF_DOMAIN"
done
echo ""
echo "All services should be accessible through your Cloudflare tunnel."
Reference in New Issue View Git Blame Copy Permalink