enable cloudflare tunnel for ssh

2025-07-05 13:50:13 +00:00 · 2023-04-29 16:00:31 +00:00
parent a6551ce043
commit 6518db291f
4 changed files with 84 additions and 0 deletions
--- a/modules/nixos/services/cloudflare-tunnel.nix
+++ b/modules/nixos/services/cloudflare-tunnel.nix
@ -0,0 +1,67 @@
+{ config, lib, ... }:
+
+# First time setup:
+
+# nix-shell -p cloudflared
+# cloudflared tunnel login
+# cloudflared tunnel create <mytunnel>
+# nix run github:nmasur/dotfiles#encrypt-secret > private/cloudflared.age
+# Paste ~/.cloudflared/<id>.json
+# Set tunnelId = "<id>"
+# Remove ~/.cloudflared/
+
+let tunnelId = "646754ac-2149-4a58-b51a-e1d0a1f3ade2";
+
+in {
+
+  options.cloudflareTunnel.enable = lib.mkEnableOption "Use Cloudflare Tunnel";
+
+  config = lib.mkIf config.cloudflare.enable {
+
+    services.cloudflared = {
+      enable = true;
+      tunnels = {
+        "${tunnelId}" = {
+          credentialsFile = config.secrets.cloudflared.dest;
+          default = "http_status:404";
+          ingress = { "*.masu.rs" = "ssh://localhost:22"; };
+        };
+      };
+    };
+
+    environment.etc = {
+      "ssh/ca.pub".text = ''
+        ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHF/UMtJqPFrf6f6GRY0ZFnkCW7b6sYgUTjTtNfRj1RdmNic1NoJZql7y6BrqQinZvy7nsr1UFDNWoHn6ah3tg= open-ssh-ca@cloudflareaccess.org
+      '';
+
+      # Must match the username of the email address in Cloudflare Access
+      "ssh/authorized_principals".text = ''
+        ${config.user}
+      '';
+    };
+
+    services.openssh.extraConfig = ''
+      PubkeyAuthentication yes
+      TrustedUserCAKeys /etc/ssh/ca.pub
+      Match User '${config.user}'
+        AuthorizedPrincipalsFile /etc/ssh/authorized_principals
+        # if there is no existing AuthenticationMethods
+        AuthenticationMethods publickey
+    '';
+
+    # Create credentials file for Cloudflare
+    secrets.cloudflared = {
+      source = ../../../private/cloudflared.age;
+      dest = "${config.secretsDirectory}/cloudflared";
+      owner = "cloudflared";
+      group = "cloudflared";
+      permissions = "0440";
+    };
+    systemd.services.cloudflared-secret = {
+      requiredBy = [ "cloudflared-tunnel-${tunnelId}.service" ];
+      before = [ "cloudflared-tunnel-${tunnelId}.service" ];
+    };
+
+  };
+
+}
--- a/modules/nixos/services/default.nix
+++ b/modules/nixos/services/default.nix
@ -5,6 +5,7 @@
    ./backups.nix
    ./caddy.nix
    ./calibre.nix
+    ./cloudflare-tunnel.nix
    ./cloudflare.nix
    ./gitea.nix
    ./gnupg.nix