mirror of
https://github.com/nmasur/dotfiles
synced 2024-11-22 13:25:38 +00:00
enable cloudflare tunnel for ssh
This commit is contained in:
parent
a6551ce043
commit
6518db291f
@ -40,6 +40,7 @@ nixpkgs.lib.nixosSystem {
|
|||||||
neovim.enable = true;
|
neovim.enable = true;
|
||||||
caddy.enable = true;
|
caddy.enable = true;
|
||||||
cloudflare.enable = true;
|
cloudflare.enable = true;
|
||||||
|
cloudflareTunnel.enable = true;
|
||||||
streamServer = "stream.masu.rs";
|
streamServer = "stream.masu.rs";
|
||||||
nextcloudServer = "cloud.masu.rs";
|
nextcloudServer = "cloud.masu.rs";
|
||||||
bookServer = "books.masu.rs";
|
bookServer = "books.masu.rs";
|
||||||
|
67
modules/nixos/services/cloudflare-tunnel.nix
Normal file
67
modules/nixos/services/cloudflare-tunnel.nix
Normal file
@ -0,0 +1,67 @@
|
|||||||
|
{ config, lib, ... }:
|
||||||
|
|
||||||
|
# First time setup:
|
||||||
|
|
||||||
|
# nix-shell -p cloudflared
|
||||||
|
# cloudflared tunnel login
|
||||||
|
# cloudflared tunnel create <mytunnel>
|
||||||
|
# nix run github:nmasur/dotfiles#encrypt-secret > private/cloudflared.age
|
||||||
|
# Paste ~/.cloudflared/<id>.json
|
||||||
|
# Set tunnelId = "<id>"
|
||||||
|
# Remove ~/.cloudflared/
|
||||||
|
|
||||||
|
let tunnelId = "646754ac-2149-4a58-b51a-e1d0a1f3ade2";
|
||||||
|
|
||||||
|
in {
|
||||||
|
|
||||||
|
options.cloudflareTunnel.enable = lib.mkEnableOption "Use Cloudflare Tunnel";
|
||||||
|
|
||||||
|
config = lib.mkIf config.cloudflare.enable {
|
||||||
|
|
||||||
|
services.cloudflared = {
|
||||||
|
enable = true;
|
||||||
|
tunnels = {
|
||||||
|
"${tunnelId}" = {
|
||||||
|
credentialsFile = config.secrets.cloudflared.dest;
|
||||||
|
default = "http_status:404";
|
||||||
|
ingress = { "*.masu.rs" = "ssh://localhost:22"; };
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
environment.etc = {
|
||||||
|
"ssh/ca.pub".text = ''
|
||||||
|
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHF/UMtJqPFrf6f6GRY0ZFnkCW7b6sYgUTjTtNfRj1RdmNic1NoJZql7y6BrqQinZvy7nsr1UFDNWoHn6ah3tg= open-ssh-ca@cloudflareaccess.org
|
||||||
|
'';
|
||||||
|
|
||||||
|
# Must match the username of the email address in Cloudflare Access
|
||||||
|
"ssh/authorized_principals".text = ''
|
||||||
|
${config.user}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
services.openssh.extraConfig = ''
|
||||||
|
PubkeyAuthentication yes
|
||||||
|
TrustedUserCAKeys /etc/ssh/ca.pub
|
||||||
|
Match User '${config.user}'
|
||||||
|
AuthorizedPrincipalsFile /etc/ssh/authorized_principals
|
||||||
|
# if there is no existing AuthenticationMethods
|
||||||
|
AuthenticationMethods publickey
|
||||||
|
'';
|
||||||
|
|
||||||
|
# Create credentials file for Cloudflare
|
||||||
|
secrets.cloudflared = {
|
||||||
|
source = ../../../private/cloudflared.age;
|
||||||
|
dest = "${config.secretsDirectory}/cloudflared";
|
||||||
|
owner = "cloudflared";
|
||||||
|
group = "cloudflared";
|
||||||
|
permissions = "0440";
|
||||||
|
};
|
||||||
|
systemd.services.cloudflared-secret = {
|
||||||
|
requiredBy = [ "cloudflared-tunnel-${tunnelId}.service" ];
|
||||||
|
before = [ "cloudflared-tunnel-${tunnelId}.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
}
|
@ -5,6 +5,7 @@
|
|||||||
./backups.nix
|
./backups.nix
|
||||||
./caddy.nix
|
./caddy.nix
|
||||||
./calibre.nix
|
./calibre.nix
|
||||||
|
./cloudflare-tunnel.nix
|
||||||
./cloudflare.nix
|
./cloudflare.nix
|
||||||
./gitea.nix
|
./gitea.nix
|
||||||
./gnupg.nix
|
./gnupg.nix
|
||||||
|
15
private/cloudflared.age
Normal file
15
private/cloudflared.age
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBDL0tZ
|
||||||
|
TG9JTEdCMkJ2SnRvaFVLalZIM05JWEc1U0JSK0Q5aEg3TTRscVhRCjhJRGJYL3M5
|
||||||
|
T24yRGVQZG1heTJveU1qWCthZ1RJVkRtTksxVGhhR3dIMWcKLT4gc3NoLWVkMjU1
|
||||||
|
MTkgWXlTVU1RIGk2RDZjMEtDblNDcCtvRnFkNnQ1elEzUkdyWWg3M1hNcXBTaEdN
|
||||||
|
VGtLM2sKK09Sa3NZNnc3SWlHRXBjcVE0Z3ZHSnY0Zk5pS2UyQ3NSMWh2VzNJeTNm
|
||||||
|
NAotPiBzc2gtZWQyNTUxOSBuanZYNUEgWDhkN1B6ajNYcTBGeCtlbHhacnB4Ly9a
|
||||||
|
ejJCSVhPcndST0dkN1VZZE1nRQpKeUhCWEk1RkdjajlFMFgzajdmclB3a3FORkp5
|
||||||
|
ZTRQK3JXcWE0YUIvL2UwCi0tLSBBYkFQcmwvM0hZbEtBWG1oVUZ5NVhoT2p3U2pF
|
||||||
|
VzhGL25La2lJRElDL0o4CtVNQVuouGOOXtVTwdeBd4+CJyglCjFoDoOpXdH35fni
|
||||||
|
Azr6JyfKbBlcavrghACWVDem24WIKq7uh9BSL2yHd+sj4umDybuCk9RZWmLgSaHV
|
||||||
|
g7Y3jiHa/NTvqd+Wr0PBas4TcOLcICQ0rg9gWnYH+QQDdnv+At4Eqp2/X1ztTI8O
|
||||||
|
PRJr7O6HJJasPZSsQldjs3O3fMiLiYPSywCTmgU/gstnv2YhbA3m4vhqOeRskuNg
|
||||||
|
X0qAd8jso4Bo7jHohmLLzl1c
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
Loading…
Reference in New Issue
Block a user