cloudflared tunnel

2026-02-09 04:19:19 -08:00 · 2023-03-14 17:32:19 -07:00 · 2023-03-14 17:32:19 -07:00 · 2dda82d1dd
commit 2dda82d1dd
parent 62e97d324a
8 changed files with 51 additions and 52 deletions
--- a/nixos/systems/tewi/cloudflared.nix
+++ b/nixos/systems/tewi/cloudflared.nix
@ -0,0 +1,22 @@
+{ config, lib, ... }: with lib; {
+  sops.secrets.cloudflared-tunnel-apartment.owner = config.services.cloudflared.user;
+  services.cloudflared = {
+    enable = true;
+    tunnels = {
+      "a3ae32ce-fe82-4f2c-ad54-3adf4a45fcbc" = {
+        credentialsFile = config.sops.secrets.cloudflared-tunnel-apartment.path;
+        default = "http_status:404";
+        ingress = {
+          "gensokyo.zone" = "http://localhost:80";
+          "home.gensokyo.zone" = "http://localhost:8123";
+          "z2m.gensokyo.zone" = "http://localhost:80";
+          "login.gensokyo.zone" = "http://localhost:${toString config.services.vouch-proxy.settings.vouch.port}";
+          "id.gensokyo.zone" = {
+            service = "https://127.0.0.1:8081";
+            originRequest.noTLSVerify = true;
+          };
+        };
+      };
+    };
+  };
+}
--- a/nixos/systems/tewi/home-assistant.nix
+++ b/nixos/systems/tewi/home-assistant.nix
@ -78,6 +78,7 @@ in {
          "200::/7"
          "100.64.0.0/10"
          "fd7a:115c:a1e0:ab12::/64"
+          "::1"
        ];
      };
      recorder = {
--- a/nixos/systems/tewi/kanidm.nix
+++ b/nixos/systems/tewi/kanidm.nix
@ -15,7 +15,7 @@
  '';
 in {
  networks.gensokyo = {
-    tcp = [ 8080 636 ];
+    tcp = [ 8081 636 ];
  };

  services.kanidm =  {
@ -33,8 +33,8 @@ in {
      role = "WriteReplica";
      log_level = "default";
      db_fs_type = "zfs";
-      bindaddress = "${config.networks.tailscale.ipv4}:8080";
-      ldapbindaddress = "${config.networks.tailscale.ipv4}:636";
+      bindaddress = "0.0.0.0:8081";
+      ldapbindaddress = "0.0.0.0:636";
      tls_chain = "${unencryptedCert}/${unencryptedCert.domain}.pem";
      tls_key = "${unencryptedCert}/${unencryptedCert.domain}/key.pem";
    };
--- a/nixos/systems/tewi/nginx.nix
+++ b/nixos/systems/tewi/nginx.nix
@ -15,12 +15,12 @@ with lib;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
+    recommendedTlsSettings = false;
    commonHttpConfig = ''
      map $scheme $hsts_header {
          https   "max-age=31536000; includeSubdomains; preload";
      }
-      add_header Strict-Transport-Security $hsts_header;
+      #add_header Strict-Transport-Security $hsts_header;
      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
      add_header 'Referrer-Policy' 'origin-when-cross-origin';
      #add_header X-Frame-Options DENY;
--- a/nixos/systems/tewi/nixos.nix
+++ b/nixos/systems/tewi/nixos.nix
@ -26,6 +26,7 @@ in {
  imports = with meta; [
    (modulesPath + "/installer/scan/not-detected.nix")
    hardware.local
+    services.access
    nixos.arc
    nixos.sops
    ./kanidm.nix
@ -35,6 +36,7 @@ in {
    ./mosquitto.nix
    ./postgres.nix
    ./nginx.nix
+    ./cloudflared.nix
    ../../gui/nfs.nix
  ] ++ lib.optional (meta.trusted ? nixos.systems.tewi.default) meta.trusted.nixos.systems.tewi.default;

--- a/nixos/systems/tewi/secrets.yaml
+++ b/nixos/systems/tewi/secrets.yaml
@ -8,6 +8,7 @@ vouch-jwt: ENC[AES256_GCM,data:XDalZtedsBNnDYApmWpdYR9yHBvNXA2DlMmKyCPmcMlqTlbAI
 openscsi-config: ENC[AES256_GCM,data:pLfiDNSx3ghibiWgfV8vXqgXHJaA7dYwl7Tlqs11+XOGQ7gZPFavmhQfak6/LrD0boyM/vj6oXgp,iv:wuG4BIZeyxT3RXmXpvItByf3NDiKpCpMWWhsmmsG4l0=,tag:brFZh8mLv2WHQHPtK70bxQ==,type:str]
 z2m-secret: ENC[AES256_GCM,data:SCxz8nbB/QhfPcAzSEDHMpiQnjv+j0xLtg/20qf5ZEe3P5YRaiKXMSqdw6MX7uQtGh8T44raEgS8PFuGKXY423GV/MNPSzMl16DLBwU5P7TL6lYT97uVYRIqWMKqtPy/1f155743wH8HsJvslmg=,iv:Yw9dvH1dBq+vxHvKm0eeHlqVHRdUuzL71mDTbIF7DDg=,tag:bCiDNSwq7P21TwblvVGq6A==,type:str]
 ha-secrets: ENC[AES256_GCM,data:/VW9zlFgFbwoFohnmg3f1fYG4qSg32LvA5eapWXXhH5ppFHnIt+2MO1HCzzETuy4EHN/nv1I6hZRwvM52wuF15UrkWjWOu4Xhaz3q7sQbjUVecJAXuG51cKeFryFTq0Tb0zh,iv:SWrMUlLbQAm9qVGK79O6I3tB+pcPBsLitOpn89NBZpQ=,tag:WGYAqID1NvtQJx/w0RqrZQ==,type:str]
+cloudflared-tunnel-apartment: ENC[AES256_GCM,data:r3NbCbdA9sGqjhij/lUFqszpLvtzP9xasQ+LfCc4UPkt767/rjMrls496k59fLuh5iovHq4U6IXhdFica/gg0KdVR++osbXDZe0NlD3H54zQsqLNTlceU3SOok7HfwUcsmtYAsTN7u+SIv5bXJsdfqS7SYbCi9624Gz8xk0BU9rDkI4pXt9FA+4kVhgArSH7NbcgZ6oo4sOn6G1SsK5OzAb1BLOC4g==,iv:3KOU5jTUqD434GckPXV8teiThfagIinEGGZrVSR17xk=,tag:GKoO1904PxwUAkyY3X9S7Q==,type:str]
 ha-integration: ENC[AES256_GCM,data:iW/hnCuXWKeZ43CNf2KKISPY1N2uqHHGQcCpfBojN4kTCi6VvsAZveUS8v28SrrPsh/2+vXoj1STj+N4COkFn7NANP6q946H7VaEgOTBvf9wykJ+WGYDMUgd8Ce8yLjnJpf+q6Rm5BHWMBrE53bB6YCbU9CIOCFF1mm4b6SXdJSuK0DOXZjsoYAc2TjHFb3K3/+74YRiRLgGSnE7MT8sPQ3Bojg9VRNFDZbxRejRjwDGZlRIHM/imeoTSwsWB/sLryR1HKEvyXSWy7MG0v2YqyAloxa/4uFpOdQ37NG4tegzCYwdybnEdW2wv+bZXfDq/csAIpRIyegpkjZeAhfAA5LptYaXxdzFhtFS6NJ6ROW+scbOhS0snoOrg7CqiiB8Y7ad6VFco6dJKCdr+A/92pH3y/+gq6LxOOpIxzbnqkIDV41VVRK61tHafZsXEMXkyRCPbYuVIcVlK4xuw3OryzfUUTW0UFUm0qgIP04L6bI0Zay2NYxL42T7DgLbeddOBEYvBJefQVS1Yk/Q7ql9gnj4EsFMbvKGANhT182kkwKGN+kbVW3Gh63kploRB6AOjGJe+2+2zZnJrKBot+AHJ0Fj8e3n00kvXQtYccVsvD1NREABg0O6xtTjgUoPw+C0lbRgoh/mouyny6f+1jSUF9xDIU8M8YUHOku/VtmSxrMGc5HDPeGjSs/0IMzJJXbt3x9if2Db4zW50XbGFkZDEceJwqulqR7ca0BKeUPUurYnCqh7YGTPe1zc+xkH6Ew/KWlH6bY/YC1hL1fqlqWVWktW3StwAOIzZoytvjtdxifc7Gy4YPKzOi4njLbyvyB+lRMkzvBfyVguGyHvpGbSSog6lxUTmbOqDbl3qCRY2ZJXcuBza6e90Qf1GF1oGjrOIVfNAmJCz7BaNfjtKIc8asql36pRzjFXwPlbfgNHXjQEAUAqiAEyabhaCnqZVbhk0i8PrT/jrHCj/COXgHUT8As3t1Tmipcel7OwqiE23lpTp//bQ4dRuVs59RzyElaLsj9cehiEzIys0bzlPDmQzbgxw48yKRhtrwkY5J0zPWe7OkrFwkbLHfNFisU4qPvoTwOIMvCjTHdMZZ3TrXeuEPH3gEkIYeItd0o7NyJ0FekK1N9YLN6r0lWKHhWvz/dOaR2RRb22bsO24gn12xXHb0idEQ6D+AQxSLywW6DKjb6ZBAihZd9dJ3fIYcaB81C8W7dJ5o0J060MVX/ngRpB0Us916BBUoXRT3/7HbXen+Bn3i87fSXdFStXUXPwnNLATVOOKcq++h9we1yScPdVg2IWPGmryc6RoS1PjKGzlUE5XAXQKuyGbZQtgqV9Da5wktWkJFeZpuP9oQzC+37AP9fZM3BZHGK1siZ5USPbxwwszWWn0lHDdmQyor/IhKSBVh+4CkqOY0SV/P73OzhfyS+JtcBIrTJgMWHPOc5jsSf+5l904XhApg7KYxYwZHaDrbooG+YXu5eZ8QSqz04BmG6ErgQZ3f29mg6e7OT1Ikt2Q1M7MePSnSMZuvQKJ4dVYwFmo1nO0HnkObA6rMPd7XVUYDmWOyzUcRUBukU2w0XfHELLzid0odLHZsXCH+RTaRoXvwXVz1eRWu5guzeafsxDpTW5Z/AqR785jYGgL116sGSJ5806p01IqDBg0aS+oEtSpfaXw1AZXT4GkxoQM3vAUeRAc+B/twtjJ38UFMisWXBbss4Q6wxRcXFzNtSkZMchUfGS4XMJ43FajrHlFKG9uZQ4G7IXYbliFkjZ5F2zwXr3sDsVFxeYIuws1yYCEYFtisduad6kOnZCTQjAMw1YYKtTM7TYeMt4TNutR+AAOqGMx0p11lZmAFYRlsoqGs+by+vC8BO1gCkAcr7s8MAoh5CuG56zs16gnSRlMbQAciIjaRptKkYh+zLEXYI9kmMlr3hWQYlHNtBtU6w2+n+1y7EYlh+PiFB+xrGJisgPePfx7+VqEH3UiPVVv8bAN9Mh0RwjaOGXAYMEgsN1smhsKm1h0K3Z8tcZUx/OJFHgHDo3bi0eE3REz/Mxh56PVx/1vhpGj9TGZuanynEP5q7iYh3ETYBHdK89we4uw4tEkDnt9JRXNuofYmXyw44AbO8UNMy6jt/2Joc55egSU5oiexrLVUSQaM3vVdvfz4u7Whv1O31hRPt8hDccHM6KSFkXRLmI3m02vKQs7gEqjjZH+6sOI1ciY8LcmePzFefVG/xGRlH9yPpV1bDUdxBgpSFT8N9Xm+yqBKhuwT0MUhUoEpaiZht7iDPMshXXX3j80TO1csgD8gWY4L9YPTgHngRtLS+LZfdlDb9gvgJ7WwD6i3r/X4lLvLy2fKplSbCHJprlGY4YJWnmVJyFGOShPm0yOkZgBgfKT6CeoeTL+h+tGWuML1+Tbt0p6QRNP9djhoznMPMVxLWOZXa7Sbnb6PurddDG7eKPyadasc174BqdWNPzlu+nAQV8s6UlB8y9hmjqevpx+HAwbMWhIFtsuXAxS7jMe7FsQyjf0I7YUySS4sCH+1vsFpZDTxjPmatGT5g1vJAMKBfXEpMuR3KQpIftVrON/Wp+rS2kpSCpcPt6+8g8FMP1/OVM6B2Kmj4LeZvS1LHp8FktQrPXav3i8aIpjEstsCPWFJTgBEjuUxGmodks+Zo64R1XxhtAQzXmwUltGRpx3aCiDoDP94uKicEY/+k60ucECLx3sQEcpu6nE53JEELveAHVgwIyXLmik/MclvaZMZu5kjh8QaiPEzL1/r1trYVQiJ63IHpriDThRQqnFSYiQ74BJnheXsU/5mlUUwNT+TinsiwP8JCarTm0XyXrHYW7KxJW7ZXud9Sc7/bYrkQ4hvtz+XtFpZs7UHmHjBDF0DHqHPxUdudKV548tyh2Uc8LwzNgRCXrFswUme/dVTcGGRHZPIgO8P9SBvPbakyN8Xjpm7CC+bGEl3jV4DfMfXH79Y25mlw4s8nbi06mpYp1T938jfrVIgE7Tvp3C+miLblKbwA14IYI3ZiLwiea+Nb36/jkG198yZfsmkqqPZPMMq9+kkA3NEWk+BlPA3m75mCltCXJY6BMrFVQWVMiwroQ8aq4medx1Nsc6w==,iv:tRzbBW/YFMp2vw26M9ediGY49GuxvyV2ijZ1W7mjURQ=,tag:L4ACYnVzdarztrjlsX3cAQ==,type:str]
 sops:
    shamir_threshold: 1
@ -34,8 +35,8 @@ sops:
            VndVTG0zQWhsUHcwTkFjK2ZPdzRPUUEKJ3flgZ6/s+TjlFgzsANYaOFiEPQuE4zR
            7npNUDFLe26Q32G3j/lLSBzZZfKoOC5SOSp9TB8eWMYSxfNnXEIu0g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-03-10T17:59:59Z"
-    mac: ENC[AES256_GCM,data:cEQnqvtfPWDR9lcI37k52mPuFhqW+4TTs2LghRn9NiJkcLUSJNCrNUJE2Q/YMrQD6Ks5m7jRik/x3ryMdvVSiG4KC/Uk5pviZOCwDhRpDG4I8EqJHRhXLyxxptHV+D4y4+txPyXelOaY9FLU+0X+yHNLGRdURb7PqXfBZhmU56E=,iv:IvFaSROIH6OtpOOL53nn0CGTjLRpuCndBHDr1mIETNU=,tag:r2WzjoIC3jZvedgLcYaLfg==,type:str]
+    lastmodified: "2023-03-14T23:12:48Z"
+    mac: ENC[AES256_GCM,data:07zr/KHyLHvS7v+BMrY3uC9YZ0y6U7H6SMpYSWt3pR07Z36P9ZijOn2kgLmWnR1BzwwBW+L2t83kyegpZzLiqNniA9YDiHxtg3ovJCjkXjyhGEzDnLjZrGordf0qxC8mh+wuaSLueeR2Yj2xzdTDAoRCZTmuugipunYc2jazaOI=,iv:pJXn5g7CgYEZC8Z7LIQ+nmMzq5XA5imRa9U9nDLr2cM=,tag:L+gMyJo5Sj67ApOMnR7zog==,type:str]
    pgp:
        - created_at: "2023-03-10T17:06:53Z"
          enc: |
--- a/nixos/systems/tewi/vouch.nix
+++ b/nixos/systems/tewi/vouch.nix
@ -10,6 +10,10 @@
              type = types.nullOr types.str;
              default = "gensokyo.zone";
            };
+            secure = mkOption {
+              type = types.bool;
+              default = true;
+            };
          };
          port = mkOption {
            type = lib.types.port;
@ -17,7 +21,7 @@
          };
          listen = mkOption {
            type = types.nullOr types.str;
-            default = config.networks.tailscale.ipv4;
+            default = "127.0.0.1";
          };
          allowAllUsers = mkOption {
            type = types.bool;
@ -62,6 +66,10 @@
    };
  };
  config = {
+    services.vouch-proxy.settings = {
+      vouch.cookie.secure = false;
+    };
+
    sops.secrets = {
      vouch-jwt.owner = "vouch-proxy";
      vouch-client-secret.owner = "vouch-proxy";
--- a/services/access.nix
+++ b/services/access.nix
@ -49,24 +49,12 @@
  };

  services.nginx.virtualHosts = mkMerge [
-  (mkIf tf.state.enable {
+  (mkIf (tf.state.enable && config.networking.hostName == "tewi") {
    "gensokyo.zone" = {
      locations."/" = {
        root = pkgs.gensokyoZone;
      };
    };
-    "home.gensokyo.zone" = {
-      locations = {
-        "/" = {
-          proxyPass = meta.tailnet.tewi.pp 4 8123;
-          extraConfig = ''
-            proxy_set_header Upgrade $http_upgrade;
-          proxy_set_header Connection "upgrade";
-          proxy_http_version 1.1;
-          '';
-        };
-      };
-    };
    "z2m.gensokyo.zone" = {
      extraConfig = ''
        auth_request /validate;
@ -74,7 +62,7 @@
      '';
      locations = {
        "/" = {
-          proxyPass = meta.tailnet.tewi.pp 4 8072;
+          proxyPass = "http://127.0.0.1:8072";
          extraConfig = ''
            add_header Access-Control-Allow-Origin https://login.gensokyo.zone;
            add_header Access-Control-Allow-Origin https://id.gensokyo.zone;
@ -91,7 +79,7 @@
        };
        "/validate" = {
          recommendedProxySettings = false;
-          proxyPass = meta.tailnet.tewi.ppp 4 30746 "validate";
+          proxyPass = "http://127.0.0.1:30746/validate";
          extraConfig = ''
            proxy_set_header Host $http_host;
            proxy_pass_request_body off;
@ -104,31 +92,8 @@
        };
      };
    };
-    "id.gensokyo.zone" = {
-      locations = {
-        "/" = {
-          proxyPass = meta.tailnet.tewi.pp 4 8080;
-          extraConfig = ''
-            proxy_set_header Host $host;
-            add_header Access-Control-Allow-Origin https://id.gensokyo.zone;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection "upgrade";
-            proxy_http_version 1.1;
-          '';
-        };
-      };
-    };
-    "login.gensokyo.zone" = {
-      locations = {
-        "/" = {
-          proxyPass = meta.tailnet.tewi.pp 4 30746;
-          recommendedProxySettings = false;
-          extraConfig = ''
-            proxy_set_header Host $http_host;
-          '';
-        };
-      };
-    };
+  })
+  (mkIf (config.networking.hostName != "tewi") {
    "home.${config.networking.domain}" = {
      locations = {
        "/" = {