@snowfag
Created July 24, 2020 13:38
tee /usr/local/bin/cloudflare-update >/dev/null << EOF
#!/usr/bin/env bash
# Fetch Cloudflare's IPv4 and IPv6 ranges (curl expands {4,6} into two URLs itself)
# and write both nginx snippets: the real-IP settings and the allow-list ending in deny all.
curl -s "https://www.cloudflare.com/ips-v{4,6}" | tee >(awk '{print "set_real_ip_from " \$0 ";"} END {print "real_ip_header CF-Connecting-IP;\nproxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;\nproxy_set_header X-Real-IP \$http_cf_connecting_ip;"}' >/etc/nginx/snippets/cf-realip.conf) >(awk '{print "allow " \$0 ";"} END {print "deny all;"}' >/etc/nginx/snippets/cf-restrict.conf) >/dev/null 2>&1
EOF
chown root:root /usr/local/bin/cloudflare-update
# The timer runs this script as root, so it must not be group-writable.
chmod 755 /usr/local/bin/cloudflare-update
tee /etc/systemd/system/cf-updater.service >/dev/null << EOF
[Unit]
Description=updates nginx's snippets using cloudflare ips
[Service]
Type=oneshot
User=root
WorkingDirectory=/etc/nginx/snippets
ExecStart=/usr/local/bin/cloudflare-update
EOF
tee /etc/systemd/system/cf-updater.timer >/dev/null << EOF
[Unit]
Description=Run cf-updater every week.
[Timer]
OnCalendar=weekly
Persistent=true
[Install]
WantedBy=timers.target
EOF
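# Load the new unit files, then enable and start the timer now
# (enable on its own only takes effect at the next boot).
systemctl daemon-reload
systemctl enable --now cf-updater.timer
# Generate the snippets once immediately.
systemctl start cf-updater.service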
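
Added example, not part of the original gist: the one-liner in cloudflare-update rewrites both snippets even when the download fails or returns something other than ranges, which would leave cf-restrict.conf holding only `deny all;` or a line nginx cannot parse. The functions below validate the list first and replace the file atomically; the function names and `MIN_RANGES` are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the gist author's code. Function names and MIN_RANGES are assumptions.
MIN_RANGES=${MIN_RANGES:-5}   # assumed sanity floor for a believable download

# Shape checks only: IPv4 a.b.c.d/0-32, or hex-and-colons/0-128.
V4='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
V6='^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'

# validate_ranges: pass stdin through only if every non-blank line looks like
# a CIDR and there are at least MIN_RANGES of them; otherwise print nothing.
validate_ranges() {
  local list n
  list=$(tr -d '\r' | grep -v '^[[:space:]]*$') || { echo "empty download" >&2; return 1; }
  if printf '%s\n' "$list" | grep -Eqv -e "$V4" -e "$V6"; then
    echo "download contains a non-CIDR line" >&2; return 1
  fi
  n=$(printf '%s\n' "$list" | grep -c .)
  [ "$n" -ge "$MIN_RANGES" ] || { echo "only $n ranges" >&2; return 1; }
  printf '%s\n' "$list"
}

# build_restrict: same allow-list the gist's second awk program emits.
build_restrict() { awk '{print "allow " $0 ";"} END {print "deny all;"}'; }

# install_snippet DEST: write stdin to a temp file beside DEST, then rename it
# into place, so nginx never sees a partial file.
install_snippet() {
  local tmp
  tmp=$(mktemp "$1.XXXXXX") || return 1
  if cat >"$tmp" && [ -s "$tmp" ] && chmod 644 "$tmp" && mv -f "$tmp" "$1"; then
    return 0
  fi
  rm -f "$tmp"; return 1
}

# update_restrict DEST: validate the list on stdin, then replace DEST.
# On any failure DEST keeps its previous contents.
update_restrict() {
  local ranges
  ranges=$(validate_ranges) || return 1
  printf '%s\n' "$ranges" | build_restrict | install_snippet "$1"
}

# Intended use (needs network and root, so not run here):
#   curl -fsS --max-time 30 "https://www.cloudflare.com/ips-v{4,6}" \
#     | update_restrict /etc/nginx/snippets/cf-restrict.conf \
#     && nginx -t && systemctl reload nginx
```

The same validate-then-rename steps apply to cf-realip.conf; only the awk program differs.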