From cd0c93c6d9a7dfa5ed061a850140f7f4f8bc9323 Mon Sep 17 00:00:00 2001
From: Noah Masur <7386960+nmasur@users.noreply.github.com>
Date: Mon, 3 Jul 2023 09:49:21 -0600
Subject: [PATCH] cloudflare tunnel for flame
---
 hosts/flame/default.nix | 8 ++++++++
 modules/nixos/services/cloudflare-tunnel.nix | 5 +++++
 private/cloudflared-flame.age | 15 +++++++++++++++
 3 files changed, 28 insertions(+)
 create mode 100644 private/cloudflared-flame.age
diff --git a/hosts/flame/default.nix b/hosts/flame/default.nix
index 3d249eb..4eaee89 100644
--- a/hosts/flame/default.nix
+++ b/hosts/flame/default.nix
@@ -52,6 +52,14 @@ inputs.nixpkgs.lib.nixosSystem {
 neovim.enable = true;
 vaultwardenServer = "vault.masu.rs";
+ cloudflareTunnel = {
+ enable = true;
+ id = "bd250ee1-ed2e-42d2-b627-039f1eb5a4d2";
+ credentialsFile = ../../private/cloudflared-flame.age;
+ ca =
+ "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK/6oyVqjFGX3Uvrc3VS8J9sphxzAnRzKC85xgkHfYgR3TK6qBGXzHrknEj21xeZrr3G2y1UsGzphWJd9ZfIcdA= open-ssh-ca@cloudflareaccess.org";
+ };
+
 # Nextcloud backup config
 backup.s3 = {
 endpoint = "s3.us-west-002.backblazeb2.com";
diff --git a/modules/nixos/services/cloudflare-tunnel.nix b/modules/nixos/services/cloudflare-tunnel.nix
index 192e761..f98d5e2 100644
--- a/modules/nixos/services/cloudflare-tunnel.nix
+++ b/modules/nixos/services/cloudflare-tunnel.nix
@@ -10,6 +10,11 @@
 # Set tunnel.id = ""
 # Remove ~/.cloudflared/
+# For SSH access:
+# Cloudflare Zero Trust -> Access -> Applications -> Create Application
+# Service Auth -> SSH -> Select Application -> Generate Certificate
+# Set ca = ""
+
 {
 options.cloudflareTunnel = {
diff --git a/private/cloudflared-flame.age b/private/cloudflared-flame.age
new file mode 100644
index 0000000..5d49577
--- /dev/null
+++ b/private/cloudflared-flame.age
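Review bot: The `ca` string added under `cloudflareTunnel` in hosts/flame/default.nix becomes a trust anchor for SSH logins to this host, yet nothing in the hunk records which Access application issued it or who that application admits. Presumably the module hands it to sshd as a trusted user CA (the module body is not part of this patch); if so, any certificate the Access policy issues is accepted for a matching local account, so the policy and the principal mapping are what actually gate login and deserve a check. I would add a comment above the attribute, for example `# SSH user CA from the Cloudflare Access application for flame; replace if that application's certificate is regenerated`, and confirm that the module restricts accepted principals rather than relying on sshd's default username match. The surrounding attribute set opens and closes outside the hunk.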
@@ -0,0 +1,15 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBQVzVy +ZmRldHhVenI3RVdOQXkyQ3pQUWM3N2l0bFBqT3ozakp3Nk5nS1dVCmoxb1lzVWd1 +YWZ0UWd4TExELzJ1cElsQ0o2L1g4TVBpZW16TmxvT05GaFEKLT4gc3NoLWVkMjU1 +MTkgWXlTVU1RIDR2TjdhbG1MelVVTXF3WUhFRWZKRGVoYUNwdy9hc05uajg2enlY +S0x5eWcKSlM2YjFCRi9yN3ozVkhScXM5S0dNRnhpeisvNlE1Q09CNVFvN0YwL2JR +NAotPiBzc2gtZWQyNTUxOSBuanZYNUEgMEJtR2JpVk5PZnRpOUVuZHZJTDI3Z0Fa +UUdwWXFLT1gxZ0c3WFBlU2dDawpreE0yYUxoUktveGF5NXE4VHRva1hNdjdpYmZn +R08wQ0l6cXpvYmhRMXRvCi0tLSB0UmFTdVBlR3NTSkVzdGtzOTdmSFVERC85dU1z +cHdMVFdYSTFWUGRDTm1nCrengYn1phCUDmVH29uRjKMLNDIucrpi1s4t8ciQ3ILG +sz605ztO3UUlm4SQTJnXmktRDBlLu/xICzEo5okkNl9HwK7s2Ok2DAoz8K/KeFbS +65K3a3RcZEdWryZyu/N12HAqu5FDw0wIbvLJP4X+EcpUJXYHr8FluLUSEQg+sORW +FnL5tr1vK32ZQY4GIHZXh4hQbNoZo1v2ezkcK21siDkeA3e3PT6Bi0I90nuXS9Pc +0rZFZeYlNtI1Y4aeg6NEWytt +-----END AGE ENCRYPTED FILE-----