enable cloudflare tunnel for ssh

This commit is contained in:
Noah Masur 2023-04-29 16:00:31 +00:00
parent a6551ce043
commit 6518db291f
4 changed files with 84 additions and 0 deletions

View File

@ -40,6 +40,7 @@ nixpkgs.lib.nixosSystem {
neovim.enable = true; neovim.enable = true;
caddy.enable = true; caddy.enable = true;
cloudflare.enable = true; cloudflare.enable = true;
cloudflareTunnel.enable = true;
streamServer = "stream.masu.rs"; streamServer = "stream.masu.rs";
nextcloudServer = "cloud.masu.rs"; nextcloudServer = "cloud.masu.rs";
bookServer = "books.masu.rs"; bookServer = "books.masu.rs";

View File

@ -0,0 +1,67 @@
{ config, lib, ... }:
# First time setup:
# nix-shell -p cloudflared
# cloudflared tunnel login
# cloudflared tunnel create <mytunnel>
# nix run github:nmasur/dotfiles#encrypt-secret > private/cloudflared.age
# Paste ~/.cloudflared/<id>.json
# Set tunnelId = "<id>"
# Remove ~/.cloudflared/
let tunnelId = "646754ac-2149-4a58-b51a-e1d0a1f3ade2";
in {
options.cloudflareTunnel.enable = lib.mkEnableOption "Use Cloudflare Tunnel";
config = lib.mkIf config.cloudflare.enable {
services.cloudflared = {
enable = true;
tunnels = {
"${tunnelId}" = {
credentialsFile = config.secrets.cloudflared.dest;
default = "http_status:404";
ingress = { "*.masu.rs" = "ssh://localhost:22"; };
};
};
};
environment.etc = {
"ssh/ca.pub".text = ''
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHF/UMtJqPFrf6f6GRY0ZFnkCW7b6sYgUTjTtNfRj1RdmNic1NoJZql7y6BrqQinZvy7nsr1UFDNWoHn6ah3tg= open-ssh-ca@cloudflareaccess.org
'';
# Must match the username of the email address in Cloudflare Access
"ssh/authorized_principals".text = ''
${config.user}
'';
};
services.openssh.extraConfig = ''
PubkeyAuthentication yes
TrustedUserCAKeys /etc/ssh/ca.pub
Match User '${config.user}'
AuthorizedPrincipalsFile /etc/ssh/authorized_principals
# if there is no existing AuthenticationMethods
AuthenticationMethods publickey
'';
# Create credentials file for Cloudflare
secrets.cloudflared = {
source = ../../../private/cloudflared.age;
dest = "${config.secretsDirectory}/cloudflared";
owner = "cloudflared";
group = "cloudflared";
permissions = "0440";
};
systemd.services.cloudflared-secret = {
requiredBy = [ "cloudflared-tunnel-${tunnelId}.service" ];
before = [ "cloudflared-tunnel-${tunnelId}.service" ];
};
};
}

View File

@ -5,6 +5,7 @@
./backups.nix ./backups.nix
./caddy.nix ./caddy.nix
./calibre.nix ./calibre.nix
./cloudflare-tunnel.nix
./cloudflare.nix ./cloudflare.nix
./gitea.nix ./gitea.nix
./gnupg.nix ./gnupg.nix

15
private/cloudflared.age Normal file
View File

@ -0,0 +1,15 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBDL0tZ
TG9JTEdCMkJ2SnRvaFVLalZIM05JWEc1U0JSK0Q5aEg3TTRscVhRCjhJRGJYL3M5
T24yRGVQZG1heTJveU1qWCthZ1RJVkRtTksxVGhhR3dIMWcKLT4gc3NoLWVkMjU1
MTkgWXlTVU1RIGk2RDZjMEtDblNDcCtvRnFkNnQ1elEzUkdyWWg3M1hNcXBTaEdN
VGtLM2sKK09Sa3NZNnc3SWlHRXBjcVE0Z3ZHSnY0Zk5pS2UyQ3NSMWh2VzNJeTNm
NAotPiBzc2gtZWQyNTUxOSBuanZYNUEgWDhkN1B6ajNYcTBGeCtlbHhacnB4Ly9a
ejJCSVhPcndST0dkN1VZZE1nRQpKeUhCWEk1RkdjajlFMFgzajdmclB3a3FORkp5
ZTRQK3JXcWE0YUIvL2UwCi0tLSBBYkFQcmwvM0hZbEtBWG1oVUZ5NVhoT2p3U2pF
VzhGL25La2lJRElDL0o4CtVNQVuouGOOXtVTwdeBd4+CJyglCjFoDoOpXdH35fni
Azr6JyfKbBlcavrghACWVDem24WIKq7uh9BSL2yHd+sj4umDybuCk9RZWmLgSaHV
g7Y3jiHa/NTvqd+Wr0PBas4TcOLcICQ0rg9gWnYH+QQDdnv+At4Eqp2/X1ztTI8O
PRJr7O6HJJasPZSsQldjs3O3fMiLiYPSywCTmgU/gstnv2YhbA3m4vhqOeRskuNg
X0qAd8jso4Bo7jHohmLLzl1c
-----END AGE ENCRYPTED FILE-----