discourse · Supermathie · Mar 6, 2026 · Mar 6, 2026
diff --git a/templates/cloudflare.template.yml b/templates/cloudflare.template.yml
@@ -1,22 +1,12 @@
 run:
   - file:
-      path: /tmp/add-cloudflare-ips
-      chmod: +x
+      path: /etc/nginx/conf.d/outlets/server/real-ip-header.conf
+      chmod: 644
       contents: |
-        #!/bin/bash -e
-        # Download list of CloudFlare ips
-        wget -q https://www.cloudflare.com/ips-v4/ -O - > /tmp/cloudflare-ips
-        echo >> /tmp/cloudflare-ips
-        wget -q https://www.cloudflare.com/ips-v6/ -O - >> /tmp/cloudflare-ips
-        # Make into nginx commands and escape for inclusion into sed append command
-        CONTENTS=$(</tmp/cloudflare-ips sed '/^$/d; s/^.*/set_real_ip_from &;/' | tr '\n' '\\' | sed 's/\\/\\n/g')
-
-        echo CloudFlare IPs:
-        echo $(echo | sed "/^/a $CONTENTS")
-        # Insert into discourse.conf
-        sed -i "/sendfile on;/a $CONTENTS\nreal_ip_header CF-Connecting-IP;" /etc/nginx/conf.d/discourse.conf
-        # Clean up
-        rm /tmp/cloudflare-ips
-
-  - exec: "/tmp/add-cloudflare-ips"
-  - exec: "rm /tmp/add-cloudflare-ips"
+        real_ip_header cf-connecting-ip;
+  - exec:
+      cmd:
+        # avoid the trap of specifying both URLs on one curl line; the data might not have a final newline
+        # print sprintf looks dubious at first, but avoids the problem of "how many times do you backslash a \\\\n"
+        - curl -s https://www.cloudflare.com/ips-v4/ | awk '{print sprintf("set_real_ip_from %s;", $0)}' > /etc/nginx/conf.d/outlets/server/real-ip-cloudflare.conf
+        - curl -s https://www.cloudflare.com/ips-v6/ | awk '{print sprintf("set_real_ip_from %s;", $0)}' >> /etc/nginx/conf.d/outlets/server/real-ip-cloudflare.conf