Few more updates to prep for new deployment. Testing now

This commit is contained in:
admin 2025-06-01 12:58:12 -06:00
parent 014cd6a16f
commit 2ff0072689
6 changed files with 108 additions and 174 deletions


@ -1,11 +1,8 @@
#!/bin/bash #!/bin/bash
echo "#############################################################" echo "#############################################################"
echo "# " echo "# "
echo "# WARNING: This script will REPLACE ALL DNS records at " echo "# This script will ADD CNAME records for your services "
echo "# the target domain ($CF_DOMAIN)! " echo "# to point to your Cloudflare tunnel. "
echo "# "
echo "# All existing DNS records for the listed subdomains will "
echo "# be deleted and replaced with new CNAME records. "
echo "# " echo "# "
echo "#############################################################" echo "#############################################################"
echo "" echo ""
@ -62,7 +59,7 @@ SUBDOMAINS=(
"flatnotes" "flatnotes"
"code-server" "code-server"
"ollama" "ollama"
"open-webui" "chat"
"gitea" "gitea"
"mini-qr" "mini-qr"
"ferdium" "ferdium"
@ -73,35 +70,12 @@ SUBDOMAINS=(
"rocket" "rocket"
"live" "live"
"vw" "vw"
"docs"
) )
# First, remove existing DNS records for these subdomains
echo "Removing existing DNS records..."
for subdomain in "${SUBDOMAINS[@]}"; do
echo "Checking for existing records for $subdomain.$CF_DOMAIN..."
# Get all DNS records for this subdomain
RECORDS=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/dns_records?name=$subdomain.$CF_DOMAIN" \
-H "Authorization: Bearer $CF_API_TOKEN" \
-H "Content-Type: application/json")
# Extract record IDs
RECORD_IDS=$(echo $RECORDS | jq -r '.result[].id')
# Delete each record
for record_id in $RECORD_IDS; do
echo "Deleting record $record_id for $subdomain.$CF_DOMAIN..."
curl -s -X DELETE "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/dns_records/$record_id" \
-H "Authorization: Bearer $CF_API_TOKEN" \
-H "Content-Type: application/json"
done
done
echo "All existing records have been removed."
# Add CNAME records for each subdomain # Add CNAME records for each subdomain
echo "Adding CNAME records for services..."
for subdomain in "${SUBDOMAINS[@]}"; do for subdomain in "${SUBDOMAINS[@]}"; do
echo "Adding CNAME record for $subdomain.$CF_DOMAIN..." echo "Adding CNAME record for $subdomain.$CF_DOMAIN..."
@ -146,157 +120,112 @@ if [[ ! "$ADMIN_EMAIL" =~ ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$ ]]; t
exit 1 exit 1
fi fi
# Now create the Cloudflare Access applications # Get account ID (required for reusable policies)
echo "Creating Cloudflare Access applications..." echo "Getting Cloudflare account ID..."
ACCOUNT_RESPONSE=$(curl -s -X GET "https://api.cloudflare.com/client/v4/accounts" \
-H "Authorization: Bearer $CF_API_TOKEN" \
-H "Content-Type: application/json")
# Create access applications only for specific services ACCOUNT_ID=$(echo $ACCOUNT_RESPONSE | jq -r '.result[0].id')
PROTECTED_SERVICES=("homepage" "live" "ferdium" "convertx" "mini-qr" "ollama")
# Services that should have bypass policies (no authentication) if [ -z "$ACCOUNT_ID" ] || [ "$ACCOUNT_ID" == "null" ]; then
BYPASS_SERVICES=("excalidraw" "rocket" "listmonk" "vw" "docs") echo "Error: Could not retrieve account ID. Response: $ACCOUNT_RESPONSE"
exit 1
fi
# Function to create bypass policy for a service echo "Using account ID: $ACCOUNT_ID"
create_bypass_policy() {
local service=$1
echo "Creating access application for $service.$CF_DOMAIN with bypass policy..."
SERVICE_APP_RESPONSE=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/access/apps" \ # Create reusable Access policy
echo "Creating reusable Access policy for admin access..."
REUSABLE_POLICY_RESPONSE=$(curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
-H "Authorization: Bearer $CF_API_TOKEN" \ -H "Authorization: Bearer $CF_API_TOKEN" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
--data "{ --data "{
\"name\": \"$service $CF_DOMAIN\", \"name\": \"Admin Access Policy for $CF_DOMAIN\",
\"domain\": \"$service.$CF_DOMAIN\",
\"type\": \"self_hosted\",
\"session_duration\": \"24h\",
\"app_launcher_visible\": true,
\"skip_interstitial\": true
}")
# Extract the application ID from the response
SERVICE_APP_ID=$(echo $SERVICE_APP_RESPONSE | jq -r '.result.id')
if [ -z "$SERVICE_APP_ID" ] || [ "$SERVICE_APP_ID" == "null" ]; then
echo "Error creating $service access application. Response: $SERVICE_APP_RESPONSE"
else
echo "Successfully created $service access application with ID: $SERVICE_APP_ID"
# Create bypass policy for everyone
echo "Creating bypass policy for $service application..."
POLICY_RESPONSE=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/access/apps/$SERVICE_APP_ID/policies" \
-H "Authorization: Bearer $CF_API_TOKEN" \
-H "Content-Type: application/json" \
--data "{
\"name\": \"Bypass for Everyone\",
\"decision\": \"bypass\",
\"include\": [{
\"everyone\": {}
}],
\"require\": [],
\"exclude\": []
}")
# Check if policy creation was successful
POLICY_SUCCESS=$(echo $POLICY_RESPONSE | jq -r '.success')
if [ "$POLICY_SUCCESS" == "true" ]; then
POLICY_ID=$(echo $POLICY_RESPONSE | jq -r '.result.id')
echo "Bypass policy for $service created successfully with ID: $POLICY_ID"
else
ERROR_MSG=$(echo $POLICY_RESPONSE | jq -r '.errors[0].message')
echo "Error creating bypass policy for $service: $ERROR_MSG"
echo "Full response: $POLICY_RESPONSE"
fi
fi
}
for service in "${PROTECTED_SERVICES[@]}"; do
echo "Creating access application for $service.$CF_DOMAIN..."
SERVICE_APP_RESPONSE=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/access/apps" \
-H "Authorization: Bearer $CF_API_TOKEN" \
-H "Content-Type: application/json" \
--data "{
\"name\": \"$service $CF_DOMAIN\",
\"domain\": \"$service.$CF_DOMAIN\",
\"type\": \"self_hosted\",
\"session_duration\": \"24h\",
\"app_launcher_visible\": true,
\"skip_interstitial\": true
}")
# Extract the application ID from the response
SERVICE_APP_ID=$(echo $SERVICE_APP_RESPONSE | jq -r '.result.id')
if [ -z "$SERVICE_APP_ID" ] || [ "$SERVICE_APP_ID" == "null" ]; then
echo "Error creating $service access application. Response: $SERVICE_APP_RESPONSE"
else
echo "Successfully created $service access application with ID: $SERVICE_APP_ID"
# Create policy for admin email
echo "Creating admin email policy for $service application..."
POLICY_RESPONSE=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/access/apps/$SERVICE_APP_ID/policies" \
-H "Authorization: Bearer $CF_API_TOKEN" \
-H "Content-Type: application/json" \
--data "{
\"name\": \"Allow Admin Email\",
\"decision\": \"allow\", \"decision\": \"allow\",
\"include\": [{ \"include\": [
{
\"email\": { \"email\": {
\"email\": \"$ADMIN_EMAIL\" \"email\": \"$ADMIN_EMAIL\"
} }
}], },
{
\"email_domain\": {
\"domain\": \"$CF_DOMAIN\"
}
}
],
\"require\": [], \"require\": [],
\"exclude\": [], \"exclude\": [],
\"precedence\": 1,
\"purpose\": \"Admin Authentication\",
\"session_duration\": \"24h\" \"session_duration\": \"24h\"
}") }")
# Check if policy creation was successful # Extract the reusable policy ID
POLICY_SUCCESS=$(echo $POLICY_RESPONSE | jq -r '.success') REUSABLE_POLICY_ID=$(echo $REUSABLE_POLICY_RESPONSE | jq -r '.result.id')
if [ "$POLICY_SUCCESS" == "true" ]; then if [ -z "$REUSABLE_POLICY_ID" ] || [ "$REUSABLE_POLICY_ID" == "null" ]; then
POLICY_ID=$(echo $POLICY_RESPONSE | jq -r '.result.id') echo "Error creating reusable Access policy. Response: $REUSABLE_POLICY_RESPONSE"
echo "Admin email policy for $service created successfully with ID: $POLICY_ID" exit 1
else else
ERROR_MSG=$(echo $POLICY_RESPONSE | jq -r '.errors[0].message') echo "Successfully created reusable Access policy with ID: $REUSABLE_POLICY_ID"
echo "Error creating admin email policy for $service: $ERROR_MSG" fi
fi
fi
done
# Create bypass policies for specified services # Create single Access application for the entire domain
for service in "${BYPASS_SERVICES[@]}"; do echo "Creating Access application for *.$CF_DOMAIN..."
create_bypass_policy "$service"
done
# 2. Create specific access application for Gitea DOMAIN_APP_RESPONSE=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/access/apps" \
echo "Creating access application for gitea.$CF_DOMAIN..."
GITEA_APP_RESPONSE=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/access/apps" \
-H "Authorization: Bearer $CF_API_TOKEN" \ -H "Authorization: Bearer $CF_API_TOKEN" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
--data "{ --data "{
\"name\": \"Gitea $CF_DOMAIN\", \"name\": \"Changemaker Services - $CF_DOMAIN\",
\"domain\": \"gitea.$CF_DOMAIN\", \"domain\": \"*.$CF_DOMAIN\",
\"type\": \"self_hosted\", \"type\": \"self_hosted\",
\"session_duration\": \"24h\",
\"app_launcher_visible\": true, \"app_launcher_visible\": true,
\"skip_interstitial\": true,
\"policies\": [\"$REUSABLE_POLICY_ID\"]
}")
# Extract the application ID
DOMAIN_APP_ID=$(echo $DOMAIN_APP_RESPONSE | jq -r '.result.id')
if [ -z "$DOMAIN_APP_ID" ] || [ "$DOMAIN_APP_ID" == "null" ]; then
echo "Error creating domain Access application. Response: $DOMAIN_APP_RESPONSE"
exit 1
else
echo "Successfully created domain Access application with ID: $DOMAIN_APP_ID"
fi
# Create bypass applications for public services
echo "Creating bypass applications for public services..."
PUBLIC_SERVICES=("excalidraw" "rocket" "listmonk" "vw" "docs")
for service in "${PUBLIC_SERVICES[@]}"; do
echo "Creating bypass access application for $service.$CF_DOMAIN..."
SERVICE_APP_RESPONSE=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/access/apps" \
-H "Authorization: Bearer $CF_API_TOKEN" \
-H "Content-Type: application/json" \
--data "{
\"name\": \"$service $CF_DOMAIN (Public)\",
\"domain\": \"$service.$CF_DOMAIN\",
\"type\": \"self_hosted\",
\"session_duration\": \"24h\",
\"app_launcher_visible\": false,
\"skip_interstitial\": true \"skip_interstitial\": true
}") }")
# Extract the application ID from the response SERVICE_APP_ID=$(echo $SERVICE_APP_RESPONSE | jq -r '.result.id')
GITEA_APP_ID=$(echo $GITEA_APP_RESPONSE | jq -r '.result.id')
if [ -z "$GITEA_APP_ID" ] || [ "$GITEA_APP_ID" == "null" ]; then if [ -z "$SERVICE_APP_ID" ] || [ "$SERVICE_APP_ID" == "null" ]; then
echo "Error creating Gitea access application. Response: $GITEA_APP_RESPONSE" echo "Error creating $service access application. Response: $SERVICE_APP_RESPONSE"
else else
echo "Successfully created Gitea access application with ID: $GITEA_APP_ID" echo "Successfully created $service access application with ID: $SERVICE_APP_ID"
# Create bypass policy for everyone - Updated format # Create bypass policy
echo "Creating bypass policy for Gitea application..." POLICY_RESPONSE=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/access/apps/$SERVICE_APP_ID/policies" \
POLICY_RESPONSE=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/access/apps/$GITEA_APP_ID/policies" \
-H "Authorization: Bearer $CF_API_TOKEN" \ -H "Authorization: Bearer $CF_API_TOKEN" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
--data "{ --data "{
@ -309,17 +238,17 @@ else
\"exclude\": [] \"exclude\": []
}") }")
# Check if policy creation was successful
POLICY_SUCCESS=$(echo $POLICY_RESPONSE | jq -r '.success') POLICY_SUCCESS=$(echo $POLICY_RESPONSE | jq -r '.success')
if [ "$POLICY_SUCCESS" == "true" ]; then if [ "$POLICY_SUCCESS" == "true" ]; then
POLICY_ID=$(echo $POLICY_RESPONSE | jq -r '.result.id') echo "Bypass policy for $service created successfully"
echo "Bypass policy for Gitea created successfully with ID: $POLICY_ID"
else else
ERROR_MSG=$(echo $POLICY_RESPONSE | jq -r '.errors[0].message') echo "Error creating bypass policy for $service: $(echo $POLICY_RESPONSE | jq -r '.errors[0].message')"
echo "Error creating bypass policy for Gitea: $ERROR_MSG"
echo "Full response: $POLICY_RESPONSE"
fi fi
fi fi
done
echo "Cloudflare Access applications setup complete." echo "Cloudflare Access setup complete."
echo "Admin access configured for: $ADMIN_EMAIL and users with @$CF_DOMAIN email addresses"
echo "Public services (excalidraw, rocket, listmonk, vw) are accessible without authentication"
echo "All other services require authentication through the unified Access policy"
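Review bot: `ACCOUNT_ID=$(echo $ACCOUNT_RESPONSE | jq -r '.result[0].id')` silently takes the first account the token can see, so a token with visibility into more than one account may create the reusable policy under the wrong account and the later `"policies": ["$REUSABLE_POLICY_ID"]` attach on the zone-scoped app may then fail or bind to the wrong tenant; derive it from the zone instead, e.g. `ACCOUNT_ID=$(curl -s -H "Authorization: Bearer $CF_API_TOKEN" "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID" | jq -r '.result.account.id')`. The new `*.$CF_DOMAIN` application with an include of `email_domain: $CF_DOMAIN` covers every hostname under the zone, not only the SUBDOMAINS list, and admits anyone who can authenticate with a mailbox on that domain — the closing echo says so, but the header banner (now only about CNAME records) should carry the same warning, and whether the per-host bypass apps for the public services take precedence over the wildcard app should be confirmed against Cloudflare's application-matching rules before treating those services as public. Each run also POSTs a new reusable policy and a new wildcard app without looking up existing ones, so re-running after a partial failure is likely to leave duplicate policies or hit a duplicate-domain error. The DNS block now only adds records, so a previously created `open-webui` CNAME (renamed to `chat` here) stays in place unless removed by hand.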


@ -1,6 +1,2 @@
# Configuring Changemaker # Configuring Changemaker
The following is a configuration guide for Changemaker. The following is a configuration guide for Changemaker.
# testing
# testing again


@ -476,7 +476,10 @@ update_env_var "EXCALIDRAW_PUBLIC_SOCKET_URL" "https://excalidraw.$domain_name"
# Update OpenWebUI settings # Update OpenWebUI settings
echo -e "\nConfiguring OpenWebUI..." echo -e "\nConfiguring OpenWebUI..."
update_env_var "OPEN_WEBUI_PORT" "3005" update_env_var "OPEN_WEBUI_PORT" "3005"
update_env_var "OPEN_WEBUI_URL" "https://open-web-ui.$domain_name" update_env_var "OPEN_WEBUI_URL" "https://chat.$domain_name"
# Update N8N settings
update_env_var "N8N_EDITOR_BASE_URL" "n8n.$domain_name"
# Update service URLs in the services.yaml file # Update service URLs in the services.yaml file
echo -e "\nUpdating service URLs in services.yaml file..." echo -e "\nUpdating service URLs in services.yaml file..."
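Review bot: The added `update_env_var "N8N_EDITOR_BASE_URL" "n8n.$domain_name"` writes a bare hostname while the neighbouring URL variables (`OPEN_WEBUI_URL`, `EXCALIDRAW_PUBLIC_SOCKET_URL`) carry an `https://` scheme; if n8n expects a full URL for its editor base, as the variable name suggests, this should read `update_env_var "N8N_EDITOR_BASE_URL" "https://n8n.$domain_name"`. The `n8n` hostname also does not appear in the visible parts of the SUBDOMAINS list in the Cloudflare script (the list is only partly shown), so confirm a CNAME and an Access application cover it. For consistency with the other sections, precede the new line with a progress message such as `echo -e "\nConfiguring n8n..."`.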


@ -32,7 +32,7 @@
description: Self-hosted Git service description: Self-hosted Git service
icon: gitea icon: gitea
- OpenWebUI: - OpenWebUI:
href: https://open-webui.test.com href: https://chat.test.com
description: UI for Ollama models description: UI for Ollama models
icon: mdi-robot-happy icon: mdi-robot-happy



@ -43,6 +43,12 @@ markdown_extensions:
copyright: Copyright © 2024 The Bunker Operations - Built with Change Maker copyright: Copyright © 2024 The Bunker Operations - Built with Change Maker
extra_javascript:
- javascripts/extra.js
extra:
generator: false
plugins: plugins:
- social - social
- search - search
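Review bot: The new `extra_javascript` entry loads `javascripts/extra.js` on every documentation page, but the file's contents are not visible in this commit view (one of the empty file sections above may be it), so it should be reviewed together with this change — any script shipped to all readers is part of the site's attack surface. `generator: false` is uncommented; if this is Material for MkDocs (the `social` plugin suggests so) it hides the "Made with Material for MkDocs" footer notice, and a one-line comment such as `# hide the theme's generator notice in the footer` would make the intent clear.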