added cloudflared

2025-05-27 01:52:15 -05:00
parent 373fc522e3
commit d76706c2e0
4 changed files with 49 additions and 4 deletions
--- a/nixosModules/caddy.nix
+++ b/nixosModules/caddy.nix
@@ -6,7 +6,7 @@
  services.caddy = {
    enable = true;
    environmentFile = config.sops.secrets.cloudflare-api-key.path;
-    virtualHosts."paperless.john-stream.com".extraConfig = ''
+    virtualHosts."panoptes.john-stream.com".extraConfig = ''
      reverse_proxy 192.168.1.110:8000
      tls {
        dns cloudflare {env.CF_API_TOKEN}
@@ -19,4 +19,9 @@
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  # systemd.services.caddy.serviceConfig = {
+  #   # EnvironmentFile = "/etc/caddy/cloudflare.env";
+  #   AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+  # };
 }
--- a/nixosModules/cloudflared.nix
+++ b/nixosModules/cloudflared.nix
@@ -0,0 +1,38 @@
+{ config, pkgs, lib, ... }:
+# https://wiki.nixos.org/wiki/Cloudflared
+{
+  boot.kernel.sysctl."net.ipv4.ping_group_range" = "0 65535";
+  users.groups.cloudflared = {};
+  users.users.cloudflared = {
+    isSystemUser = true;
+    group = "cloudflared"; # Match allowed range
+  };
+
+  sops.secrets.cloudflared-creds = {};
+  environment.systemPackages = with pkgs; [ cloudflared ];
+  services.cloudflared = {
+    enable = true;
+    tunnels = {
+      "panoptes-nix" = {
+        credentialsFile = config.sops.secrets.cloudflared-creds.path;
+        # credentialsFile = /root/.cloudflared/c5d343b4-c12c-4490-9d92-9a2345738dc2.json;
+        default = "http_status:404";
+        ingress = {
+          "panoptes.john-stream.com" = {
+            service = "https://localhost:443";
+            # path = ".*";
+            originRequest = {
+              originServerName = "panoptes.john-stream.com";
+              noTLSVerify = true;
+            };
+          };
+        };
+      };
+    };
+  };
+  systemd.services.cloudflared-tunnel-panoptes-nix.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    User = "cloudflared";
+    Group = "cloudflared";
+  };
+}
--- a/nixosModules/default.nix
+++ b/nixosModules/default.nix
@@ -1,7 +1,8 @@
 { ... }: {
  imports =
    [
-      ./caddy.nix
+      # ./caddy.nix
+      ./cloudflared.nix
      ./services/loki.nix
      ./users.nix
    ];