pass cloudflare tunnel info to module

2024-09-19 15:54:47 +00:00 · 2023-06-19 08:30:30 -04:00 · 2023-06-19 08:30:30 -04:00 · ddf48998db
commit ddf48998db
parent 23f72c3c2e
3 changed files with 33 additions and 13 deletions
--- a/hosts/swan/default.nix
+++ b/hosts/swan/default.nix
@ -53,7 +53,6 @@ nixpkgs.lib.nixosSystem {
      neovim.enable = true;
      caddy.enable = true;
      cloudflare.enable = true;
      cloudflareTunnel.enable = true;
      streamServer = "stream.masu.rs";
      nextcloudServer = "cloud.masu.rs";
      bookServer = "books.masu.rs";
@ -61,6 +60,14 @@ nixpkgs.lib.nixosSystem {
      transmissionServer = "download.masu.rs";
      samba.enable = true;
      cloudflareTunnel = {
        enable = true;
        id = "646754ac-2149-4a58-b51a-e1d0a1f3ade2";
        credentialsFile = ../../private/cloudflared-swan.age;
        ca =
          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHF/UMtJqPFrf6f6GRY0ZFnkCW7b6sYgUTjTtNfRj1RdmNic1NoJZql7y6BrqQinZvy7nsr1UFDNWoHn6ah3tg= open-ssh-ca@cloudflareaccess.org";
      };
      backup.s3 = {
        endpoint = "s3.us-west-002.backblazeb2.com";
        bucket = "noahmasur-backup";
--- a/modules/nixos/services/cloudflare-tunnel.nix
+++ b/modules/nixos/services/cloudflare-tunnel.nix
@ -4,24 +4,36 @@
 # nix-shell -p cloudflared
 # cloudflared tunnel login
-# cloudflared tunnel create <mytunnel>
+# cloudflared tunnel create <host>
-# nix run github:nmasur/dotfiles#encrypt-secret > private/cloudflared.age
+# nix run github:nmasur/dotfiles#encrypt-secret > private/cloudflared-<host>.age
 # Paste ~/.cloudflared/<id>.json
-# Set tunnelId = "<id>"
+# Set tunnel.id = "<id>"
 # Remove ~/.cloudflared/
-let tunnelId = "646754ac-2149-4a58-b51a-e1d0a1f3ade2";
+{
-in {
+  options.cloudflareTunnel = {
-
+    enable = lib.mkEnableOption "Use Cloudflare Tunnel";
-  options.cloudflareTunnel.enable = lib.mkEnableOption "Use Cloudflare Tunnel";
+    id = lib.mkOption {
      type = lib.types.str;
      description = "Cloudflare tunnel ID";
    };
    credentialsFile = lib.mkOption {
      type = lib.types.path;
      description = "Cloudflare tunnel credentials file (age-encrypted)";
    };
    ca = lib.mkOption {
      type = lib.types.str;
      description = "Cloudflare tunnel CA public key";
    };
  };
  config = lib.mkIf config.cloudflareTunnel.enable {
    services.cloudflared = {
      enable = true;
      tunnels = {
-        "${tunnelId}" = {
+        "${config.cloudflareTunnel.id}" = {
          credentialsFile = config.secrets.cloudflared.dest;
          default = "http_status:404";
          ingress = { "*.masu.rs" = "ssh://localhost:22"; };
@ -31,7 +43,7 @@ in {
    environment.etc = {
      "ssh/ca.pub".text = ''
-        ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHF/UMtJqPFrf6f6GRY0ZFnkCW7b6sYgUTjTtNfRj1RdmNic1NoJZql7y6BrqQinZvy7nsr1UFDNWoHn6ah3tg= open-ssh-ca@cloudflareaccess.org
+        ${config.cloudflareTunnel.ca}
      '';
      # Must match the username of the email address in Cloudflare Access
@ -53,15 +65,16 @@ in {
    # Create credentials file for Cloudflare
    secrets.cloudflared = {
-      source = ../../../private/cloudflared.age;
+      source = config.cloudflareTunnel.credentialsFile;
      dest = "${config.secretsDirectory}/cloudflared";
      owner = "cloudflared";
      group = "cloudflared";
      permissions = "0440";
    };
    systemd.services.cloudflared-secret = {
-      requiredBy = [ "cloudflared-tunnel-${tunnelId}.service" ];
+      requiredBy =
-      before = [ "cloudflared-tunnel-${tunnelId}.service" ];
+        [ "cloudflared-tunnel-${config.cloudflareTunnel.id}.service" ];
      before = [ "cloudflared-tunnel-${config.cloudflareTunnel.id}.service" ];
    };
  };
--- a/private/cloudflared-swan.age
+++ b/private/cloudflared-swan.age