diff --git a/hosts/swan/default.nix b/hosts/swan/default.nix
index bf65e2a..575dc7c 100644
--- a/hosts/swan/default.nix
+++ b/hosts/swan/default.nix
@@ -53,7 +53,6 @@ nixpkgs.lib.nixosSystem {
 neovim.enable = true;
 caddy.enable = true;
 cloudflare.enable = true;
- cloudflareTunnel.enable = true;
 streamServer = "stream.masu.rs";
 nextcloudServer = "cloud.masu.rs";
 bookServer = "books.masu.rs";
@@ -61,6 +60,14 @@ nixpkgs.lib.nixosSystem {
 transmissionServer = "download.masu.rs";
 samba.enable = true;
 
+ cloudflareTunnel = {
+ enable = true;
+ id = "646754ac-2149-4a58-b51a-e1d0a1f3ade2";
+ credentialsFile = ../../private/cloudflared-swan.age;
+ ca =
+ "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHF/UMtJqPFrf6f6GRY0ZFnkCW7b6sYgUTjTtNfRj1RdmNic1NoJZql7y6BrqQinZvy7nsr1UFDNWoHn6ah3tg= open-ssh-ca@cloudflareaccess.org";
+ };
+
 backup.s3 = {
 endpoint = "s3.us-west-002.backblazeb2.com";
 bucket = "noahmasur-backup";
diff --git a/modules/nixos/services/cloudflare-tunnel.nix b/modules/nixos/services/cloudflare-tunnel.nix
index 8ee75a7..192e761 100644
--- a/modules/nixos/services/cloudflare-tunnel.nix
+++ b/modules/nixos/services/cloudflare-tunnel.nix
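Review bot: The long `ca` literal in the second hunk carries no comment saying what it is or where it ends up, so a reader of this host file cannot tell that it is an SSH CA public key which the cloudflare-tunnel module writes verbatim to `/etc/ssh/ca.pub`, presumably as a trusted CA for SSH logins. A one-line comment such as `# Cloudflare Access SSH CA public key; written to /etc/ssh/ca.pub by modules/nixos/services/cloudflare-tunnel.nix` would make the trust decision visible where the value is set. The same goes for `credentialsFile`: the module declares it as `lib.types.path`, and if the secrets module interpolates that path into a derivation the file is copied into the Nix store, which is acceptable for the age ciphertext but worth stating next to the value so nobody points it at a plaintext file later. The `nixpkgs.lib.nixosSystem` attribute set this sits in starts outside the hunk.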
@@ -4,24 +4,36 @@ # nix-shell -p cloudflared # cloudflared tunnel login -# cloudflared tunnel create -# nix run github:nmasur/dotfiles#encrypt-secret > private/cloudflared.age +# cloudflared tunnel create +# nix run github:nmasur/dotfiles#encrypt-secret > private/cloudflared-.age # Paste ~/.cloudflared/.json -# Set tunnelId = "" +# Set tunnel.id = "" # Remove ~/.cloudflared/ -let tunnelId = "646754ac-2149-4a58-b51a-e1d0a1f3ade2"; +{ -in { - - options.cloudflareTunnel.enable = lib.mkEnableOption "Use Cloudflare Tunnel"; + options.cloudflareTunnel = { + enable = lib.mkEnableOption "Use Cloudflare Tunnel"; + id = lib.mkOption { + type = lib.types.str; + description = "Cloudflare tunnel ID"; + }; + credentialsFile = lib.mkOption { + type = lib.types.path; + description = "Cloudflare tunnel credentials file (age-encrypted)"; + }; + ca = lib.mkOption { + type = lib.types.str; + description = "Cloudflare tunnel CA public key"; + }; + }; config = lib.mkIf config.cloudflareTunnel.enable { services.cloudflared = { enable = true; tunnels = { - "${tunnelId}" = { + "${config.cloudflareTunnel.id}" = { credentialsFile = config.secrets.cloudflared.dest; default = "http_status:404"; ingress = { "*.masu.rs" = "ssh://localhost:22"; }; @@ -31,7 +43,7 @@ in { environment.etc = { "ssh/ca.pub".text = '' - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHF/UMtJqPFrf6f6GRY0ZFnkCW7b6sYgUTjTtNfRj1RdmNic1NoJZql7y6BrqQinZvy7nsr1UFDNWoHn6ah3tg= open-ssh-ca@cloudflareaccess.org + ${config.cloudflareTunnel.ca} ''; # Must match the username of the email address in Cloudflare Access 
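Review bot: The `ingress` line left in context, `ingress = { "*.masu.rs" = "ssh://localhost:22"; };`, is still hard-coded even though `id`, `credentialsFile` and `ca` were all turned into options in this hunk, so a second host enabling the module would route the same `*.masu.rs` wildcard to its own sshd. The mapping belongs alongside the new options, for example `ingress = lib.mkOption { type = lib.types.attrsOf lib.types.str; default = { "*.masu.rs" = "ssh://localhost:22"; }; description = "Tunnel hostname to local service mapping"; };`, with the default keeping the existing host unchanged. The three new options have no `default`, so enabling the module without setting them fails at evaluation; that is the right behaviour for a credentials file and a trust anchor, and the `enable` description could say "requires id, credentialsFile and ca" so the failure is not a surprise. The `config = lib.mkIf` block continues past the end of the hunk.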
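Review bot: `${config.cloudflareTunnel.ca}` is interpolated verbatim into `"ssh/ca.pub".text`, and the option is a plain `lib.types.str`, so an empty string, a key pasted with an extra trailing newline, or a value that is not a public key at all passes evaluation and produces a CA file whose effect depends entirely on how sshd consumes it (that configuration is outside this hunk). A lightweight guard at the option, e.g. `type = lib.types.strMatching "^[a-z0-9@.-]+ [A-Za-z0-9+/=]+( .*)?$";`, rejects obviously malformed input at eval time, and the description should state the contract: `"Cloudflare Access SSH CA public key in authorized_keys format, one line; written verbatim to /etc/ssh/ca.pub"`. The `environment.etc` attribute set this line belongs to starts and ends outside the hunk.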
@@ -53,15 +65,16 @@ in { # Create credentials file for Cloudflare secrets.cloudflared = { - source = ../../../private/cloudflared.age; + source = config.cloudflareTunnel.credentialsFile; dest = "${config.secretsDirectory}/cloudflared"; owner = "cloudflared"; group = "cloudflared"; permissions = "0440"; }; systemd.services.cloudflared-secret = { - requiredBy = [ "cloudflared-tunnel-${tunnelId}.service" ]; - before = [ "cloudflared-tunnel-${tunnelId}.service" ]; + requiredBy = + [ "cloudflared-tunnel-${config.cloudflareTunnel.id}.service" ]; + before = [ "cloudflared-tunnel-${config.cloudflareTunnel.id}.service" ]; }; }; diff --git a/private/cloudflared.age b/private/cloudflared-swan.age similarity index 100% rename from private/cloudflared.age rename to private/cloudflared-swan.age
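Review bot: The unit name `cloudflared-tunnel-${config.cloudflareTunnel.id}.service` is now spelled out twice, in `requiredBy` and in `before`, and the two will silently drift if one is edited; binding it once keeps the ordering constraint in step, e.g. `let tunnelService = "cloudflared-tunnel-${config.cloudflareTunnel.id}.service"; in { requiredBy = [ tunnelService ]; before = [ tunnelService ]; }`. The ordering itself is sound: the secret is materialised before the tunnel unit starts, and `permissions = "0440"` with owner and group `cloudflared` keeps the decrypted credentials readable only by that user and group (plus root). Note that `secrets.cloudflared` and `dest = "${config.secretsDirectory}/cloudflared"` remain fixed names, so despite the new parameters the module still supports exactly one tunnel per host; a short comment on the `secrets.cloudflared` block saying so would spare the next reader from assuming otherwise. The enclosing `config = lib.mkIf` block starts outside the hunk.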