{"id":35788152,"url":"https://github.com/patkub/infra","last_synced_at":"2026-03-11T16:05:37.402Z","repository":{"id":321119847,"uuid":"1084565238","full_name":"patkub/infra","owner":"patkub","description":"Cloudflare Access secured with Auth0 and passkey only login","archived":false,"fork":false,"pushed_at":"2026-03-06T17:49:22.000Z","size":262,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-06T21:14:10.200Z","etag":null,"topics":["auth0","cloudflare","cloudflare-access","cloudflare-tunnel","cloudflare-warp","passkeys","passwordless","terraform","zero-trust"],"latest_commit_sha":null,"homepage":"https://meerkat.patkub.vip/","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/patkub.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-10-27T21:14:58.000Z","updated_at":"2026-03-06T17:44:13.000Z","dependencies_parsed_at":"2025-10-27T23:14:29.211Z","dependency_job_id":"523c7e8b-62f7-479d-8a46-eaef627b61e0","html_url":"https://github.com/patkub/infra","commit_stats":null,"previous_names":["patkub/infra"],"tags_count":30,"template":false,"template_full_name":null,"purl":"pkg:github/patkub/infra","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patkub%2Finfra","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patkub%2Finfra/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patkub%2Finfra/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patkub%2Finfra/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/patkub","download_url":"https://codeload.github.com/patkub/infra/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patkub%2Finfra/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30387049,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-11T14:10:17.325Z","status":"ssl_error","status_checked_at":"2026-03-11T14:09:37.934Z","response_time":84,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auth0","cloudflare","cloudflare-access","cloudflare-tunnel","cloudflare-warp","passkeys","passwordless","terraform","zero-trust"],"created_at":"2026-01-07T07:22:16.343Z","updated_at":"2026-03-11T16:05:37.381Z","avatar_url":"https://github.com/patkub.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Infrastructure\n\nCloudflare Access secured with Auth0 and passkey only login\n\n## Overview\n\nTerraform configuration for my infrastructure\n- Cloudflare Access is secured with Auth0\n- Auth0 Action and Forms enforce login with passkey only\n- A DNS based Adblock policy\n- A Cloudflare Tunnel accessible via SSH at [meerkat.patkub.vip](https://meerkat.patkub.vip/)\n\n### Description\n\nImplemented Cloudflare Zero Trust Access integrated with Auth0 OpenID Connect (OIDC), including a custom Post-Login Action that enforces passkey only authentication. Secured remote access via short-lived SSH certificates and Cloudflare Tunnels, enabling passwordless SSH/VNC access without exposing ports or managing static SSH keys. Provisioned and managed all Cloudflare and Auth0 resources using Terraform to ensure repeatable, infrastructure-as-code deployments.\n\n## Cloud Configuration\n\nReference `terraform.tfvars.example`.\n\nCreate `terraform.tfvars` with:\n\n```bash\n# Cloudflare Account Email\ncf_email                            = \"...\"\n# Cloudflare Global API Key ( https://dash.cloudflare.com/profile/api-tokens )\ncf_api_key                          = \"...\"\n# Cloudflare Domain Overview Account ID\ncf_account_id                       = \"...\"\n# Cloudflare Domain Overview API Zone ID\ncf_zone_id                          = \"...\"\n\n# Auth0 M2M Application Details\nAUTH0_DOMAIN                        = \"...\"\nAUTH0_CLIENT_ID                     = \"...\"\nAUTH0_CLIENT_SECRET                 = \"...\"\n\n# Passkey Policy Settings\n# Number of logins without a passkey (min: \"1\")\nMAX_LOGINS_WITHOUT_PASSKEY          = \"3\"\n```\n\nRun:\n\n```bash\nterraform init\nterraform apply\n```\n\n## Server Configuration\n\nFollow: [SSH with Access for Infrastructure: Configure SSH Server](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#7-configure-ssh-server)\n\nFollow: [Short-lived certificates (legacy)](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy/)\n\nConfigure server with:\n\n```bash\nchmod +x ./scripts/server/install.sh\n./scripts/server/install.sh\n```\n\n### Individual Scripts\n- `./scripts/server/sshd/sshd.sh` - Setup sshd for Meerkat\n\n\n## Client Configuration\n\nReference: [Short-lived certificates (legacy): Connect as a user](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy/#7-connect-as-a-user)\n\nConfigure client devices with:\n\n```bash\nchmod +x ./scripts/client/install.sh\n./scripts/client/install.sh\n```\n\n- Adds client-side cloudflared SSH host for meerkat\n- Adds Cloudflare Zero Trust certificate to npmrc\n- Patches SDKMAN! to automatically import Cloudflare Zero Trust certificate when installing a Java JDK\n\n### Individual Scripts\n- `./scripts/client/ssh/ssh.sh` - Adds SSH host for meerkat\n- `./scripts/client/npm/npm.sh` - Configures npmrc\n- `./scripts/client/sdkman/patch.sh` - Patches SDKMAN!\n\n## Dev Setup\n\n[Node.js v22 LTS](https://nodejs.org/en/download), [pnpm](https://pnpm.io/installation)\n\nInstall dependencies\n\n```bash\npnpm install\n```\n\nLint\n- `pnpm lint` - Lint with biome and apply changes\n- `pnpm lint:check` - Check linting with biome\n- `pnpm format` - Format with biome and apply changes\n- `pnpm format:check` - Check formatting with biome\n\nRun tests\n- `pnpm test` - Run unit tests\n- `pnpm test:watch` - Automatically re-run tests when files change\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpatkub%2Finfra","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpatkub%2Finfra","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpatkub%2Finfra/lists"}