feat: add DOKS, managed postgres/redis, WAF rules, external-dns

terraform/waf.tf

@@ -0,0 +1,25 @@
+# ─── Cloudflare WAF — restrict admin subdomains to admin IP ───────────────────
+
+resource "cloudflare_ruleset" "admin_ip_allowlist" {
+  zone_id     = data.cloudflare_zone.main.id
+  name        = "Admin IP allowlist"
+  description = "Block access to admin subdomains from non-admin IPs"
+  kind        = "zone"
+  phase       = "http_request_firewall_custom"
+
+  rules {
+    action      = "block"
+    description = "Block non-admin IPs from admin subdomains"
+    enabled     = true
+    expression  = <<-EOT
+      (
+        http.host in {
+          "git.${var.domain}"
+          "vault.${var.domain}"
+          "argocd.${var.domain}"
+        }
+        and not ip.src eq ${var.admin_ip}
+      )
+    EOT
+  }
+}