Initial commit: Cloudflare infrastructure with WAF Intelligence
- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access) - WAF Intelligence MCP server with threat analysis and ML classification - GitOps automation with PR workflows and drift detection - Observatory monitoring stack with Prometheus/Grafana - IDE operator rules for governed development - Security playbooks and compliance frameworks - Autonomous remediation and state reconciliation
This commit is contained in:
Vault Sovereign
35
systemd/tunnel-rotation.service
Normal file
35
systemd/tunnel-rotation.service
Normal file
@@ -0,0 +1,35 @@
|
||||
[Unit]
|
||||
Description=Cloudflare Tunnel Rotation - Credential renewal cycle
|
||||
Documentation=https://vaultmesh.org/docs/cloudflare-binding
|
||||
After=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
User=cloudflare-mesh
|
||||
Group=cloudflare-mesh
|
||||
|
||||
# Environment
|
||||
EnvironmentFile=/etc/cloudflare-mesh/environment
|
||||
Environment=PYTHONUNBUFFERED=1
|
||||
|
||||
# Execution
|
||||
ExecStart=/usr/bin/python3 /opt/cloudflare-mesh/scripts/tunnel-rotation-scheduler.py \
|
||||
--account-id ${CLOUDFLARE_ACCOUNT_ID} \
|
||||
--zone-id ${CLOUDFLARE_ZONE_ID} \
|
||||
--max-age 90
|
||||
|
||||
# Security hardening
|
||||
NoNewPrivileges=yes
|
||||
PrivateTmp=yes
|
||||
ProtectSystem=strict
|
||||
ProtectHome=yes
|
||||
ReadOnlyPaths=/
|
||||
ReadWritePaths=/var/lib/cloudflare-mesh
|
||||
ReadWritePaths=/var/log/cloudflare-mesh
|
||||
CapabilityBoundingSet=
|
||||
AmbientCapabilities=
|
||||
|
||||
# Logging
|
||||
StandardOutput=journal
|
||||
StandardError=journal
|
||||
SyslogIdentifier=tunnel-rotation
|
||||
Reference in New Issue
Block a user