dotfiles/modules/nixos/services/cloudflare.nix

# This module is necessary for hosts that are serving through Cloudflare.

{ config, pkgs, lib, ... }:

let

  cloudflareIpRanges = [

    # Cloudflare IPv4: https://www.cloudflare.com/ips-v4
    "173.245.48.0/20"
    "103.21.244.0/22"
    "103.22.200.0/22"
    "103.31.4.0/22"
    "141.101.64.0/18"
    "108.162.192.0/18"
    "190.93.240.0/20"
    "188.114.96.0/20"
    "197.234.240.0/22"
    "198.41.128.0/17"
    "162.158.0.0/15"
    "104.16.0.0/13"
    "104.24.0.0/14"
    "172.64.0.0/13"
    "131.0.72.0/22"

    # Cloudflare IPv6: https://www.cloudflare.com/ips-v6
    "2400:cb00::/32"
    "2606:4700::/32"
    "2803:f800::/32"
    "2405:b500::/32"
    "2405:8100::/32"
    "2a06:98c0::/29"
    "2c0f:f248::/32"

  ];

in {

  options.cloudflare.enable = lib.mkEnableOption "Use Cloudflare.";

  config = lib.mkIf config.cloudflare.enable {

    # Forces Caddy to error if coming from a non-Cloudflare IP
    caddy.cidrAllowlist = cloudflareIpRanges;

    # Tell Caddy to use Cloudflare DNS for ACME challenge validation
    services.caddy.package = pkgs.caddy-cloudflare; # Patched overlay
    caddy.tlsPolicies = [{
      issuers = [{
        module = "acme";
        challenges = {
          dns = {
            provider = {
              name = "cloudflare";
              api_token = "{env.CF_API_TOKEN}";
            };
            resolvers = [ "1.1.1.1" ];
          };
        };
      }];
    }];
    systemd.services.caddy.serviceConfig.EnvironmentFile =
      config.secrets.cloudflareApi.dest;
    systemd.services.caddy.serviceConfig.AmbientCapabilities =
      "CAP_NET_BIND_SERVICE";

    # API key must have access to modify Cloudflare DNS records
    secrets.cloudflareApi = {
      source = ../../../private/cloudflare-api.age;
      dest = "${config.secretsDirectory}/cloudflare-api";
      owner = "caddy";
      group = "caddy";
    };

    # Allows Nextcloud to trust Cloudflare IPs
    services.nextcloud.config.trustedProxies = cloudflareIpRanges;

  };
}
move cloudflare to separate file 2022-10-15 19:00:37 +00:00			`# This module is necessary for hosts that are serving through Cloudflare.`

cloudflare caddy module for dns validation 2023-06-01 01:03:08 +00:00			`{ config, pkgs, lib, ... }:`
move cloudflare to separate file 2022-10-15 19:00:37 +00:00
			`let`

			`cloudflareIpRanges = [`

			`# Cloudflare IPv4: https://www.cloudflare.com/ips-v4`
			`"173.245.48.0/20"`
			`"103.21.244.0/22"`
			`"103.22.200.0/22"`
			`"103.31.4.0/22"`
			`"141.101.64.0/18"`
			`"108.162.192.0/18"`
			`"190.93.240.0/20"`
			`"188.114.96.0/20"`
			`"197.234.240.0/22"`
			`"198.41.128.0/17"`
			`"162.158.0.0/15"`
			`"104.16.0.0/13"`
			`"104.24.0.0/14"`
			`"172.64.0.0/13"`
			`"131.0.72.0/22"`

			`# Cloudflare IPv6: https://www.cloudflare.com/ips-v6`
			`"2400:cb00::/32"`
			`"2606:4700::/32"`
			`"2803:f800::/32"`
			`"2405:b500::/32"`
			`"2405:8100::/32"`
			`"2a06:98c0::/29"`
			`"2c0f:f248::/32"`

			`];`

			`in {`

convert to proper module layout 2022-12-21 21:18:03 +00:00			`options.cloudflare.enable = lib.mkEnableOption "Use Cloudflare.";`
move cloudflare to separate file 2022-10-15 19:00:37 +00:00
convert to proper module layout 2022-12-21 21:18:03 +00:00			`config = lib.mkIf config.cloudflare.enable {`
move cloudflare to separate file 2022-10-15 19:00:37 +00:00
			`# Forces Caddy to error if coming from a non-Cloudflare IP`
use bind for local dns 2023-07-18 03:52:37 +00:00			`caddy.cidrAllowlist = cloudflareIpRanges;`
move cloudflare to separate file 2022-10-15 19:00:37 +00:00
cloudflare caddy module for dns validation 2023-06-01 01:03:08 +00:00			`# Tell Caddy to use Cloudflare DNS for ACME challenge validation`
try refactoring overlays into flake inputs 2023-08-02 15:51:11 +00:00			`services.caddy.package = pkgs.caddy-cloudflare; # Patched overlay`
cloudflare caddy module for dns validation 2023-06-01 01:03:08 +00:00			`caddy.tlsPolicies = [{`
			`issuers = [{`
			`module = "acme";`
			`challenges = {`
fix: compiling cloudflare caddy module actually compile locally since xcaddy is impure 2023-06-01 03:44:43 +00:00			`dns = {`
			`provider = {`
			`name = "cloudflare";`
			`api_token = "{env.CF_API_TOKEN}";`
			`};`
			`resolvers = [ "1.1.1.1" ];`
cloudflare caddy module for dns validation 2023-06-01 01:03:08 +00:00			`};`
			`};`
			`}];`
			`}];`
			`systemd.services.caddy.serviceConfig.EnvironmentFile =`
			`config.secrets.cloudflareApi.dest;`
fix: compiling cloudflare caddy module actually compile locally since xcaddy is impure 2023-06-01 03:44:43 +00:00			`systemd.services.caddy.serviceConfig.AmbientCapabilities =`
			`"CAP_NET_BIND_SERVICE";`
cloudflare caddy module for dns validation 2023-06-01 01:03:08 +00:00
			`# API key must have access to modify Cloudflare DNS records`
			`secrets.cloudflareApi = {`
			`source = ../../../private/cloudflare-api.age;`
			`dest = "${config.secretsDirectory}/cloudflare-api";`
			`owner = "caddy";`
			`group = "caddy";`
			`};`

move cloudflare to separate file 2022-10-15 19:00:37 +00:00			`# Allows Nextcloud to trust Cloudflare IPs`
			`services.nextcloud.config.trustedProxies = cloudflareIpRanges;`

			`};`
			`}`