diff --git a/hosts/swan/default.nix b/hosts/swan/default.nix index 72fa0dd..58e2997 100644 --- a/hosts/swan/default.nix +++ b/hosts/swan/default.nix @@ -40,6 +40,7 @@ nixpkgs.lib.nixosSystem { neovim.enable = true; caddy.enable = true; cloudflare.enable = true; + cloudflareTunnel.enable = true; streamServer = "stream.masu.rs"; nextcloudServer = "cloud.masu.rs"; bookServer = "books.masu.rs"; diff --git a/modules/nixos/services/cloudflare-tunnel.nix b/modules/nixos/services/cloudflare-tunnel.nix new file mode 100644 index 0000000..35aed87 --- /dev/null +++ b/modules/nixos/services/cloudflare-tunnel.nix @@ -0,0 +1,67 @@ +{ config, lib, ... }: + +# First time setup: + +# nix-shell -p cloudflared +# cloudflared tunnel login +# cloudflared tunnel create +# nix run github:nmasur/dotfiles#encrypt-secret > private/cloudflared.age +# Paste ~/.cloudflared/.json +# Set tunnelId = "" +# Remove ~/.cloudflared/ + +let tunnelId = "646754ac-2149-4a58-b51a-e1d0a1f3ade2"; + +in { + + options.cloudflareTunnel.enable = lib.mkEnableOption "Use Cloudflare Tunnel"; + + config = lib.mkIf config.cloudflare.enable { + + services.cloudflared = { + enable = true; + tunnels = { + "${tunnelId}" = { + credentialsFile = config.secrets.cloudflared.dest; + default = "http_status:404"; + ingress = { "*.masu.rs" = "ssh://localhost:22"; }; + }; + }; + }; + + environment.etc = { + "ssh/ca.pub".text = '' + ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHF/UMtJqPFrf6f6GRY0ZFnkCW7b6sYgUTjTtNfRj1RdmNic1NoJZql7y6BrqQinZvy7nsr1UFDNWoHn6ah3tg= open-ssh-ca@cloudflareaccess.org + ''; + + # Must match the username of the email address in Cloudflare Access + "ssh/authorized_principals".text = '' + ${config.user} + ''; + }; + + services.openssh.extraConfig = '' + PubkeyAuthentication yes + TrustedUserCAKeys /etc/ssh/ca.pub + Match User '${config.user}' + AuthorizedPrincipalsFile /etc/ssh/authorized_principals + # if there is no existing AuthenticationMethods + AuthenticationMethods publickey + ''; + + # Create credentials file for Cloudflare + secrets.cloudflared = { + source = ../../../private/cloudflared.age; + dest = "${config.secretsDirectory}/cloudflared"; + owner = "cloudflared"; + group = "cloudflared"; + permissions = "0440"; + }; + systemd.services.cloudflared-secret = { + requiredBy = [ "cloudflared-tunnel-${tunnelId}.service" ]; + before = [ "cloudflared-tunnel-${tunnelId}.service" ]; + }; + + }; + +} diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix index 9fb0c07..834f260 100644 --- a/modules/nixos/services/default.nix +++ b/modules/nixos/services/default.nix @@ -5,6 +5,7 @@ ./backups.nix ./caddy.nix ./calibre.nix + ./cloudflare-tunnel.nix ./cloudflare.nix ./gitea.nix ./gnupg.nix diff --git a/private/cloudflared.age b/private/cloudflared.age new file mode 100644 index 0000000..2d1a00a --- /dev/null +++ b/private/cloudflared.age @@ -0,0 +1,15 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBDL0tZ +TG9JTEdCMkJ2SnRvaFVLalZIM05JWEc1U0JSK0Q5aEg3TTRscVhRCjhJRGJYL3M5 +T24yRGVQZG1heTJveU1qWCthZ1RJVkRtTksxVGhhR3dIMWcKLT4gc3NoLWVkMjU1 +MTkgWXlTVU1RIGk2RDZjMEtDblNDcCtvRnFkNnQ1elEzUkdyWWg3M1hNcXBTaEdN +VGtLM2sKK09Sa3NZNnc3SWlHRXBjcVE0Z3ZHSnY0Zk5pS2UyQ3NSMWh2VzNJeTNm +NAotPiBzc2gtZWQyNTUxOSBuanZYNUEgWDhkN1B6ajNYcTBGeCtlbHhacnB4Ly9a +ejJCSVhPcndST0dkN1VZZE1nRQpKeUhCWEk1RkdjajlFMFgzajdmclB3a3FORkp5 +ZTRQK3JXcWE0YUIvL2UwCi0tLSBBYkFQcmwvM0hZbEtBWG1oVUZ5NVhoT2p3U2pF +VzhGL25La2lJRElDL0o4CtVNQVuouGOOXtVTwdeBd4+CJyglCjFoDoOpXdH35fni +Azr6JyfKbBlcavrghACWVDem24WIKq7uh9BSL2yHd+sj4umDybuCk9RZWmLgSaHV +g7Y3jiHa/NTvqd+Wr0PBas4TcOLcICQ0rg9gWnYH+QQDdnv+At4Eqp2/X1ztTI8O +PRJr7O6HJJasPZSsQldjs3O3fMiLiYPSywCTmgU/gstnv2YhbA3m4vhqOeRskuNg +X0qAd8jso4Bo7jHohmLLzl1c +-----END AGE ENCRYPTED FILE-----