diff --git a/add-cname-records.sh b/add-cname-records.sh
index dc5f105..4109cac 100755
--- a/add-cname-records.sh
+++ b/add-cname-records.sh
@@ -135,55 +135,78 @@ curl -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/dns_records
 echo -e "\n"
 echo "Root domain CNAME record has been added."
+# Prompt for admin email
+echo "Please enter the admin email address that should have access to protected services:"
+read ADMIN_EMAIL
+
+# Validate email format
+if [[ ! "$ADMIN_EMAIL" =~ ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$ ]]; then
+ echo "Error: Invalid email format. Please provide a valid email address."
+ exit 1
+fi
+
 # Now create the Cloudflare Access applications
 echo "Creating Cloudflare Access applications..."
-# 1. Create wildcard access application for all subdomains
-echo "Creating wildcard access application for *.$CF_DOMAIN..."
-WILDCARD_APP_RESPONSE=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/access/apps" \
- -H "Authorization: Bearer $CF_API_TOKEN" \
- -H "Content-Type: application/json" \
- --data "{
- \"name\": \"All Applications - $CF_DOMAIN\",
- \"domain\": \"*.$CF_DOMAIN\",
- \"type\": \"self_hosted\",
- \"session_duration\": \"24h\",
- \"app_launcher_visible\": true,
- \"skip_interstitial\": true
- }")
+# Create access applications only for specific services
+PROTECTED_SERVICES=("homepage" "live" "ferdium" "convertx" "mini-qr" "ollama")
-# Extract the application ID from the response
-WILDCARD_APP_ID=$(echo $WILDCARD_APP_RESPONSE | jq -r '.result.id')
-
-if [ -z "$WILDCARD_APP_ID" ] || [ "$WILDCARD_APP_ID" == "null" ]; then
- echo "Error creating wildcard access application. Response: $WILDCARD_APP_RESPONSE"
-else
- echo "Successfully created wildcard access application with ID: $WILDCARD_APP_ID"
+for service in "${PROTECTED_SERVICES[@]}"; do
+ echo "Creating access application for $service.$CF_DOMAIN..."
- # Create policy for emails ending with the domain
- echo "Creating email domain policy for wildcard application..."
- EMAIL_DOMAIN=$(echo $CF_DOMAIN | cut -d'.' -f1,2)
-
- curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/access/apps/$WILDCARD_APP_ID/policies" \
+ SERVICE_APP_RESPONSE=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/access/apps" \
 -H "Authorization: Bearer $CF_API_TOKEN" \
 -H "Content-Type: application/json" \
 --data "{
- \"name\": \"Allow Domain Emails\",
- \"decision\": \"allow\",
- \"include\": [{
- \"email_domain\": {
- \"domain\": \"$EMAIL_DOMAIN\"
- }
- }],
- \"require\": [],
- \"exclude\": [],
- \"precedence\": 1,
- \"purpose\": \"Authentication for domain users\",
- \"session_duration\": \"24h\"
- }"
-
- echo "Email domain policy created."
-fi
+ \"name\": \"$service $CF_DOMAIN\",
+ \"domain\": \"$service.$CF_DOMAIN\",
+ \"type\": \"self_hosted\",
+ \"session_duration\": \"24h\",
+ \"app_launcher_visible\": true,
+ \"skip_interstitial\": true
+ }")
+
+ # Extract the application ID from the response
+ SERVICE_APP_ID=$(echo $SERVICE_APP_RESPONSE | jq -r '.result.id')
+
+ if [ -z "$SERVICE_APP_ID" ] || [ "$SERVICE_APP_ID" == "null" ]; then
+ echo "Error creating $service access application. Response: $SERVICE_APP_RESPONSE"
+ else
+ echo "Successfully created $service access application with ID: $SERVICE_APP_ID"
+
+ # Create policy for admin email
+ echo "Creating admin email policy for $service application..."
+
+ POLICY_RESPONSE=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/access/apps/$SERVICE_APP_ID/policies" \
+ -H "Authorization: Bearer $CF_API_TOKEN" \
+ -H "Content-Type: application/json" \
+ --data "{
+ \"name\": \"Allow Admin Email\",
+ \"decision\": \"allow\",
+ \"include\": [{
+ \"email\": {
+ \"email\": \"$ADMIN_EMAIL\"
+ }
+ }],
+ \"require\": [],
+ \"exclude\": [],
+ \"precedence\": 1,
+ \"purpose\": \"Admin Authentication\",
+ \"session_duration\": \"24h\"
+ }")
+
+ # Check if policy creation was successful
+ POLICY_SUCCESS=$(echo $POLICY_RESPONSE | jq -r '.success')
+
+ if [ "$POLICY_SUCCESS" == "true" ]; then
+ POLICY_ID=$(echo $POLICY_RESPONSE | jq -r '.result.id')
+ echo "Admin email policy for $service created successfully with ID: $POLICY_ID"
+ else
+ ERROR_MSG=$(echo $POLICY_RESPONSE | jq -r '.errors[0].message')
+ echo "Error creating admin email policy for $service: $ERROR_MSG"
+ fi
+ fi
+done
 # 2. Create specific access application for Gitea
 echo "Creating access application for gitea.$CF_DOMAIN..."
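Review bot: `$ADMIN_EMAIL` is spliced straight into the policy JSON by shell interpolation (the `\"email\": \"$ADMIN_EMAIL\"` line), which is only safe today because the regex added earlier in the hunk happens to reject `"` and `\`, and that coupling is not stated anywhere. Build the payload with jq so validation and encoding are independent, e.g. `--data "$(jq -n --arg email "$ADMIN_EMAIL" '{name:"Allow Admin Email",decision:"allow",include:[{email:{email:$email}}],require:[],exclude:[],precedence:1,purpose:"Admin Authentication",session_duration:"24h"}')"`, and take the input with `read -r ADMIN_EMAIL` so backslashes reach the regex unaltered. The app-creation payload interpolates `$service` and `$CF_DOMAIN` the same way, and the response parsing (`echo $POLICY_RESPONSE | jq ...`) should become `jq -r '.success' <<<"$POLICY_RESPONSE"` so API output is not word-split or glob-expanded before jq sees it. Separately, dropping the `*.$CF_DOMAIN` application means every subdomain outside PROTECTED_SERVICES (and the Gitea app created below) now has no Access policy at all; the comment above the PROTECTED_SERVICES line should say so, e.g. `# Only these hosts get an Access application; any other subdomain is left without Access protection`.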