pass cloudflare tunnel info to module
This commit is contained in:
parent
23f72c3c2e
commit
ddf48998db
@ -53,7 +53,6 @@ nixpkgs.lib.nixosSystem {
|
|||||||
neovim.enable = true;
|
neovim.enable = true;
|
||||||
caddy.enable = true;
|
caddy.enable = true;
|
||||||
cloudflare.enable = true;
|
cloudflare.enable = true;
|
||||||
cloudflareTunnel.enable = true;
|
|
||||||
streamServer = "stream.masu.rs";
|
streamServer = "stream.masu.rs";
|
||||||
nextcloudServer = "cloud.masu.rs";
|
nextcloudServer = "cloud.masu.rs";
|
||||||
bookServer = "books.masu.rs";
|
bookServer = "books.masu.rs";
|
||||||
@ -61,6 +60,14 @@ nixpkgs.lib.nixosSystem {
|
|||||||
transmissionServer = "download.masu.rs";
|
transmissionServer = "download.masu.rs";
|
||||||
samba.enable = true;
|
samba.enable = true;
|
||||||
|
|
||||||
|
cloudflareTunnel = {
|
||||||
|
enable = true;
|
||||||
|
id = "646754ac-2149-4a58-b51a-e1d0a1f3ade2";
|
||||||
|
credentialsFile = ../../private/cloudflared-swan.age;
|
||||||
|
ca =
|
||||||
|
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHF/UMtJqPFrf6f6GRY0ZFnkCW7b6sYgUTjTtNfRj1RdmNic1NoJZql7y6BrqQinZvy7nsr1UFDNWoHn6ah3tg= open-ssh-ca@cloudflareaccess.org";
|
||||||
|
};
|
||||||
|
|
||||||
backup.s3 = {
|
backup.s3 = {
|
||||||
endpoint = "s3.us-west-002.backblazeb2.com";
|
endpoint = "s3.us-west-002.backblazeb2.com";
|
||||||
bucket = "noahmasur-backup";
|
bucket = "noahmasur-backup";
|
||||||
|
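Review bot: The `ca` value added at the end of the second hunk (`@ -61,6 +60,14 @@`) is a long opaque literal with nothing recording where it came from, yet the module writes it verbatim to `/etc/ssh/ca.pub`, so a paste error here silently changes which CA this host trusts rather than failing evaluation. A comment above it such as `# Cloudflare Access SSH CA public key (source: <where it was obtained>); installed host-wide as /etc/ssh/ca.pub by the cloudflareTunnel module` would mark it as trust material rather than per-tunnel configuration and make rotation traceable. The same applies to `id`, which is interpolated into the systemd unit names, so a short note on its origin (`# from cloudflared tunnel create`) helps too. The enclosing `nixpkgs.lib.nixosSystem { ... }` attribute set starts and ends outside these hunks.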
@ -4,24 +4,36 @@
|
|||||||
|
|
||||||
# nix-shell -p cloudflared
|
# nix-shell -p cloudflared
|
||||||
# cloudflared tunnel login
|
# cloudflared tunnel login
|
||||||
# cloudflared tunnel create <mytunnel>
|
# cloudflared tunnel create <host>
|
||||||
# nix run github:nmasur/dotfiles#encrypt-secret > private/cloudflared.age
|
# nix run github:nmasur/dotfiles#encrypt-secret > private/cloudflared-<host>.age
|
||||||
# Paste ~/.cloudflared/<id>.json
|
# Paste ~/.cloudflared/<id>.json
|
||||||
# Set tunnelId = "<id>"
|
# Set tunnel.id = "<id>"
|
||||||
# Remove ~/.cloudflared/
|
# Remove ~/.cloudflared/
|
||||||
|
|
||||||
let tunnelId = "646754ac-2149-4a58-b51a-e1d0a1f3ade2";
|
{
|
||||||
|
|
||||||
in {
|
options.cloudflareTunnel = {
|
||||||
|
enable = lib.mkEnableOption "Use Cloudflare Tunnel";
|
||||||
options.cloudflareTunnel.enable = lib.mkEnableOption "Use Cloudflare Tunnel";
|
id = lib.mkOption {
|
||||||
|
type = lib.types.str;
|
||||||
|
description = "Cloudflare tunnel ID";
|
||||||
|
};
|
||||||
|
credentialsFile = lib.mkOption {
|
||||||
|
type = lib.types.path;
|
||||||
|
description = "Cloudflare tunnel credentials file (age-encrypted)";
|
||||||
|
};
|
||||||
|
ca = lib.mkOption {
|
||||||
|
type = lib.types.str;
|
||||||
|
description = "Cloudflare tunnel CA public key";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
config = lib.mkIf config.cloudflareTunnel.enable {
|
config = lib.mkIf config.cloudflareTunnel.enable {
|
||||||
|
|
||||||
services.cloudflared = {
|
services.cloudflared = {
|
||||||
enable = true;
|
enable = true;
|
||||||
tunnels = {
|
tunnels = {
|
||||||
"${tunnelId}" = {
|
"${config.cloudflareTunnel.id}" = {
|
||||||
credentialsFile = config.secrets.cloudflared.dest;
|
credentialsFile = config.secrets.cloudflared.dest;
|
||||||
default = "http_status:404";
|
default = "http_status:404";
|
||||||
ingress = { "*.masu.rs" = "ssh://localhost:22"; };
|
ingress = { "*.masu.rs" = "ssh://localhost:22"; };
|
||||||
@ -31,7 +43,7 @@ in {
|
|||||||
|
|
||||||
environment.etc = {
|
environment.etc = {
|
||||||
"ssh/ca.pub".text = ''
|
"ssh/ca.pub".text = ''
|
||||||
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHF/UMtJqPFrf6f6GRY0ZFnkCW7b6sYgUTjTtNfRj1RdmNic1NoJZql7y6BrqQinZvy7nsr1UFDNWoHn6ah3tg= open-ssh-ca@cloudflareaccess.org
|
${config.cloudflareTunnel.ca}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# Must match the username of the email address in Cloudflare Access
|
# Must match the username of the email address in Cloudflare Access
|
||||||
@ -53,15 +65,16 @@ in {
|
|||||||
|
|
||||||
# Create credentials file for Cloudflare
|
# Create credentials file for Cloudflare
|
||||||
secrets.cloudflared = {
|
secrets.cloudflared = {
|
||||||
source = ../../../private/cloudflared.age;
|
source = config.cloudflareTunnel.credentialsFile;
|
||||||
dest = "${config.secretsDirectory}/cloudflared";
|
dest = "${config.secretsDirectory}/cloudflared";
|
||||||
owner = "cloudflared";
|
owner = "cloudflared";
|
||||||
group = "cloudflared";
|
group = "cloudflared";
|
||||||
permissions = "0440";
|
permissions = "0440";
|
||||||
};
|
};
|
||||||
systemd.services.cloudflared-secret = {
|
systemd.services.cloudflared-secret = {
|
||||||
requiredBy = [ "cloudflared-tunnel-${tunnelId}.service" ];
|
requiredBy =
|
||||||
before = [ "cloudflared-tunnel-${tunnelId}.service" ];
|
[ "cloudflared-tunnel-${config.cloudflareTunnel.id}.service" ];
|
||||||
|
before = [ "cloudflared-tunnel-${config.cloudflareTunnel.id}.service" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
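Review bot: The `id` option declared in the first hunk (`@ -4,24 +4,36 @@`) is typed `lib.types.str`, but its value is interpolated into the `services.cloudflared.tunnels` attribute name and, in the last hunk, into `cloudflared-tunnel-<id>.service` for `requiredBy`/`before`, so a typo or stray whitespace evaluates cleanly and only shows up as a unit-ordering or activation failure at runtime. Declaring it as `type = lib.types.strMatching "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}";` turns that into an evaluation error. The `ca` option deserves the same treatment: its description should state that the value is written verbatim to `/etc/ssh/ca.pub` by the `@ -31,7 +43,7 @@` hunk and is presumably consumed by sshd as a trusted CA (that wiring is outside the hunks), e.g. `description = "Cloudflare Access SSH CA public key; written to /etc/ssh/ca.pub and trusted by this host";`, and if the key type is fixed it could be constrained with `lib.types.strMatching "ecdsa-sha2-nistp256 .*"`. In the last hunk the unit name is now spelled out twice and `requiredBy` is split across two lines while `before` is not; a single `let`-bound name would remove the duplication. The `config = lib.mkIf ...` block these hunks belong to continues past the last hunk.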