From d76706c2e07e75ad61e0cf29446fde43c9130517 Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Tue, 27 May 2025 01:52:15 -0500
Subject: [PATCH] added cloudflared
---
 nixosModules/caddy.nix | 7 ++++++-
 nixosModules/cloudflared.nix | 38 ++++++++++++++++++++++++++++++++++
 nixosModules/default.nix | 3 ++-
 secrets/encrypted_secrets.yaml | 5 +++--
 4 files changed, 49 insertions(+), 4 deletions(-)
 create mode 100644 nixosModules/cloudflared.nix
diff --git a/nixosModules/caddy.nix b/nixosModules/caddy.nix
index a4f728d..bbdc956 100644
--- a/nixosModules/caddy.nix
+++ b/nixosModules/caddy.nix
@@ -6,7 +6,7 @@
 services.caddy = {
 enable = true;
 environmentFile = config.sops.secrets.cloudflare-api-key.path;
- virtualHosts."paperless.john-stream.com".extraConfig = ''
+ virtualHosts."panoptes.john-stream.com".extraConfig = ''
 reverse_proxy 192.168.1.110:8000
 tls {
 dns cloudflare {env.CF_API_TOKEN}
@@ -19,4 +19,9 @@
 };
 networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ # systemd.services.caddy.serviceConfig = {
+ # # EnvironmentFile = "/etc/caddy/cloudflare.env";
+ # AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+ # };
 }
\ No newline at end of file
diff --git a/nixosModules/cloudflared.nix b/nixosModules/cloudflared.nix
new file mode 100644
index 0000000..6c248e6
--- /dev/null
+++ b/nixosModules/cloudflared.nix
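Review bot: The vhost rename to panoptes.john-stream.com and the commented-out `systemd.services.caddy.serviceConfig` block land in a module that nixosModules/default.nix stops importing in this same commit, so neither edit takes effect on the built system. If Caddy is meant to stay the tunnel's origin on localhost:443, keep the `./caddy.nix` import; if it is being retired, drop the commented-out block rather than committing dead configuration. The `services.caddy` attribute set in the `@@ -6,7 +6,7 @@` hunk starts before the hunk and its `extraConfig` string continues past it.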
@@ -0,0 +1,38 @@
+{ config, pkgs, lib, ... }:
+# https://wiki.nixos.org/wiki/Cloudflared
+{
+ boot.kernel.sysctl."net.ipv4.ping_group_range" = "0 65535";
+ users.groups.cloudflared = {};
+ users.users.cloudflared = {
+ isSystemUser = true;
+ group = "cloudflared"; # Match allowed range
+ };
+
+ sops.secrets.cloudflared-creds = {};
+ environment.systemPackages = with pkgs; [ cloudflared ];
+ services.cloudflared = {
+ enable = true;
+ tunnels = {
+ "panoptes-nix" = {
+ credentialsFile = config.sops.secrets.cloudflared-creds.path;
+ # credentialsFile = /root/.cloudflared/c5d343b4-c12c-4490-9d92-9a2345738dc2.json;
+ default = "http_status:404";
+ ingress = {
+ "panoptes.john-stream.com" = {
+ service = "https://localhost:443";
+ # path = ".*";
+ originRequest = {
+ originServerName = "panoptes.john-stream.com";
+ noTLSVerify = true;
+ };
+ };
+ };
+ };
+ };
+ };
+ systemd.services.cloudflared-tunnel-panoptes-nix.serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = "cloudflared";
+ Group = "cloudflared";
+ };
+}
diff --git a/nixosModules/default.nix b/nixosModules/default.nix
index 8198705..04ca036 100644
--- a/nixosModules/default.nix
+++ b/nixosModules/default.nix
@@ -1,7 +1,8 @@
 { ... }:
 {
 imports = [
- ./caddy.nix
+ # ./caddy.nix
+ ./cloudflared.nix
 ./services/loki.nix
 ./users.nix
 ];
diff --git a/secrets/encrypted_secrets.yaml b/secrets/encrypted_secrets.yaml
index 90775e1..4c35d63 100644
--- a/secrets/encrypted_secrets.yaml
+++ b/secrets/encrypted_secrets.yaml
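Review bot: The only ingress rule points at `service = "https://localhost:443"`, yet the default.nix hunk in this same commit comments out `./caddy.nix`, so unless Caddy is enabled from another module nothing listens on that origin and panoptes.john-stream.com will be served an origin error by the tunnel. Once Caddy is back, `noTLSVerify = true` should not be needed either: the caddy.nix hunk shows that vhost served with a Cloudflare-DNS-issued certificate and `originServerName` already pins the expected name, so origin certificate verification can stay on. `sops.secrets.cloudflared-creds = {}` leaves the decrypted file with sops-nix's root-only default ownership while the unit is forced to run as `cloudflared`; if the module hands `credentialsFile` straight to the process rather than through a root-side credential mechanism, set `sops.secrets.cloudflared-creds = { owner = "cloudflared"; restartUnits = [ "cloudflared-tunnel-panoptes-nix.service" ]; };`. `net.ipv4.ping_group_range = "0 65535"` grants ICMP socket creation to every group on the host; pinning `users.groups.cloudflared.gid` to a fixed value and narrowing the range to that single gid would match the intent of the `# Match allowed range` comment.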
@@ -1,4 +1,5 @@
 cloudflare-api-key: ENC[AES256_GCM,data:ktlEznpdv7H6+w7vPe+0ylHdNR9ODZe2TMRiKs5RMEmblqMsvZTiCG5J/54cjaGwgwPHdw02pwc=,iv:H4YoS7sqxl9MBmwYb6N7pA/hGm21AyYgBQv64dSQU/o=,tag:93Ah+xReidRHuhvnuMWqdQ==,type:str]
+cloudflared-creds: ENC[AES256_GCM,data:O0gfegXK/qCZRwgf6I3PTu6wV8dcvLE8Bz4vdoNAqofY3SKVuP0O1xgP+tOZ4kI9Eow/q9EOmDR5sVUTls89515EY9PE/3PG7OmGMK1hRFH63kvXAa9ElUP0W2NU2mtz48qex8DQ12cMBX49C2gvJ9ezhPp930nB+deGb4XOzBuzvixexiEXixyTdOVzjxDULEQL+C2v+HFJP8XncoqjReNSwUg0Xv13TobQdnzHRlM=,iv:bHBu+vGvOKtIb1asfxOlRPk27/3b5vqyqPjV02Z7xk8=,tag:04ey2e4txAoQzhuqWjjmWw==,type:str]
 sops:
 age:
 - recipient: age102mctuw7xvs3fakft0mlfh740kc6rdaqqgmmwf400c4g3spefyjqrfmwct
@@ -10,7 +11,7 @@ sops:
 ZnExa3NseGRrdXcrNTN4YkVSa2d6SDAKlzXHOUKAjNxY/okZJQurTpeaZUjjnyp/
 OrvFMTxuMfK+EIIgj6WTm23ZKV4vmk0q0yboS4eXgDZTEB79tKxgyA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-05-27T05:32:23Z"
- mac: ENC[AES256_GCM,data:ogFHQuKe2RkkaZRdbkUWaF61+bmyCAoesJuCDCPgKLEoCaLSfnQ/gSI5eNbrKvBGc7UsMjl86iTkLksPVHKOZQi4dCETVxbxh5ASSxTTREgBHKRGx4Vx+3aWjhyU/ympHKiAQ58Q1FnkwaF38ub42BszfqMTnjmODNTL75mz/9k=,iv:Q4514nGzCWJaDn+Lk4w6OOasnIafHHK0WxSAn6B8WLc=,tag:E8vEGwXPk1CfFSUS3xeHBA==,type:str]
+ lastmodified: "2025-05-27T06:37:54Z"
+ mac: ENC[AES256_GCM,data:RWtEhFz2rVae8RZImbcMCwRjv1Zmn0CAKa3O+RU4dEujLxLbu8NGyqJUi5iCloubetTzdAIvYd43Z0bxLQSPyZzCrRAwe6M7t0MMAwpbJnM8oPWzdciotCz4JRiegKTfpYMWx6s+Ixa+b7Dohj76zpToU3c39+llbN1/suGPIUw=,iv:+6cAZt6Nf514YK5yFTVmjL+XE85+bSb7phjFcKe+4j8=,tag:KAYnzouBVLSUI9ScX9tnog==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2