Cloudflare Access

All public heezy sites are protected by Cloudflare Zero Trust Access. This provides a centralized authentication layer using Google OAuth.

Protected Sites

Site | URL | Purpose
--- | --- | ---
Finance Dashboard | https://finance.heezy.info | Spending analytics + transaction tracking
Receipts | https://receipts.heezy.info | Receipt OCR + upload
CS1.6 Leaderboard | https://cs16.heezy.info | Game statistics
Blog | https://heezy.blog | Personal blog
Documentation | https://docs.heezy.info | Homelab reference
Home | https://heezy.info | Landing page

Authentication

Provider: Google OAuth
Allowed users:
  • trentnielsen84@gmail.com (primary)
  • brdrgrl18@gmail.com (secondary)

Session duration: 24 hours
Auto-redirect: Enabled - unauthenticated requests redirect to Google login

Public Exceptions

These endpoints are intentionally not behind Access:

  • oauth.heezy.info - OAuth callback endpoint (must be public for Google redirect)
  • /tos - Terms of Service (public)
  • /privacy - Privacy policy (public)

Configuration

All CF Access policies are managed via Terraform:

terraform-heezy/environments/production/cloudflare/access.tf

Resource Names

Deprecation

Terraform currently uses cloudflare_access_application to define Access apps. This resource is deprecated in newer Terraform providers. Future updates will rename to cloudflare_zero_trust_access_application.

Example Policy

resource "cloudflare_access_application" "finance" {
  account_id = var.cloudflare_account_id
  name       = "finance.heezy.info"
  domain     = "finance.heezy.info"

  # Session expiry
  session_duration = "24h"
  auto_redirect_to_identity = true
}

resource "cloudflare_access_policy" "finance_allow" {
  account_id     = var.cloudflare_account_id
  application_id = cloudflare_access_application.finance.id
  name           = "Allow heezy users"
  precedence     = 1
  decision       = "allow"

  include {
    email = ["trentnielsen84@gmail.com", "brdrgrl18@gmail.com"]
  }
}

Deployment

Access policies are deployed via the cloudflare-terraform pipeline:

Push to gitea:heezy-admin/cloudflare-terraform
  -> .gitea/workflows/deploy.yaml triggers
  -> terraform plan (review)
  -> terraform apply
  -> CF Access updated

Careful with Access policies

Be cautious when modifying policies - incorrect configuration can lock you out. Always review terraform plan output before applying.
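A post-deploy smoke check for the setup above, added here as an example; it is not part of the heezy docs or the cloudflare-terraform repo. It assumes that an unauthenticated GET to an Access-protected host is answered with a redirect to the team's *.cloudflareaccess.com login page (how Access behaves with auto-redirect enabled) while oauth.heezy.info must answer without one; the sample data is constructed and the team domain heezy.cloudflareaccess.com in it is a placeholder.

```python
import urllib.error, urllib.parse, urllib.request
from dataclasses import dataclass

# Hosts from the Protected Sites table plus the public OAuth callback host.
PROTECTED = ["finance.heezy.info", "receipts.heezy.info", "cs16.heezy.info",
             "heezy.blog", "docs.heezy.info", "heezy.info"]
PUBLIC = ["oauth.heezy.info"]

@dataclass
class Observed:            # status and Location of one unauthenticated GET (no cookies)
    host: str
    status: int
    location: str = ""

def is_access_login_redirect(obs: Observed) -> bool:
    """True when the edge redirects the visitor into Cloudflare Access login."""
    if obs.status not in (301, 302, 303, 307, 308) or not obs.location:
        return False
    return (urllib.parse.urlparse(obs.location).hostname or "").endswith(".cloudflareaccess.com")

def audit(observations: list) -> dict:
    """exposed: protected host served with no Access redirect (dropped policy);
    blocked_public: exception Access now intercepts (breaks the OAuth callback);
    unchecked: host from the tables that was not probed at all."""
    report = {"exposed": [], "blocked_public": [], "ok": [], "unchecked": []}
    for obs in observations:
        redirected = is_access_login_redirect(obs)
        if obs.host in PROTECTED:
            report["ok" if redirected else "exposed"].append(obs.host)
        elif obs.host in PUBLIC:
            report["blocked_public" if redirected else "ok"].append(obs.host)
    seen = {o.host for o in observations}
    report["unchecked"] = [h for h in PROTECTED + PUBLIC if h not in seen]
    return report

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # stop at the first hop so its Location header stays visible

def probe(host: str, timeout: float = 5.0) -> Observed:
    """Live check: GET https://<host>/ with no cookies and without following redirects."""
    try:
        resp = urllib.request.build_opener(_NoRedirect).open(f"https://{host}/", timeout=timeout)
        return Observed(host, resp.status, resp.headers.get("Location", ""))
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx/5xx both land here
        return Observed(host, err.code, err.headers.get("Location", ""))

# Constructed sample; the team domain heezy.cloudflareaccess.com is an assumption.
SAMPLE = [Observed("finance.heezy.info", 302, "https://heezy.cloudflareaccess.com/cdn-cgi/access/login/finance.heezy.info"),
          Observed("receipts.heezy.info", 200), Observed("oauth.heezy.info", 200)]
```

Run `audit([probe(h) for h in PROTECTED + PUBLIC])` after each terraform apply: anything under `exposed` is a site serving without Access in front of it, anything under `blocked_public` means the OAuth callback is about to break.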

Troubleshooting

I'm locked out

If you're locked out after a failed deployment:

  1. Check the Terraform state in the Cloudflare dashboard
  2. If the policy was deleted, restoring it via Terraform is easiest
  3. Alternative: SSH to a node on-net and modify via Cloudflare API

Session expired

Sessions expire after 24 hours. Simply re-authenticate with Google.

New user access

To add a new user:

  1. Edit access.tf - add email to the include block
  2. Commit and push to gitea:heezy-admin/cloudflare-terraform
  3. Pipeline deploys automatically
  4. New user can access within minutes