refactor: cloudflared

2026-02-09 04:19:19 -08:00 · 2024-01-13 13:49:42 -08:00 · 2024-01-13 13:49:42 -08:00 · 859d60cd81
commit 859d60cd81
parent d87b210c46
3 changed files with 61 additions and 21 deletions
--- a/modules/nixos/cloudflared.nix
+++ b/modules/nixos/cloudflared.nix
@ -4,6 +4,7 @@
  inherit (lib.modules) mkIf mkMerge mkForce;
  inherit (lib.options) mkOption mkEnableOption;
  cfg = config.services.cloudflared;
+  settingsFormat = pkgs.formats.json { };
 in {
  options.services.cloudflared = with lib.types; {
    tunnels = let
@ -14,7 +15,7 @@ in {
              default = config.extraTunnel.ingress != { };
            };
            ingress = mkOption {
-              type = attrs;
+              inherit (settingsFormat) type;
              default = { };
            };
          };
--- a/nixos/reisen-ct/network.nix
+++ b/nixos/reisen-ct/network.nix
@ -1,9 +1,10 @@
 {
  lib,
  config,
+  options,
  ...
 }: let
-  inherit (lib) mkDefault;
+  inherit (lib.modules) mkIf mkDefault;
 in {
  services.resolved.enable = true;
  services.avahi = {
@ -17,4 +18,14 @@ in {
    };
    wideArea = mkDefault false;
  };
+  systemd.services.avahi-daemon = mkIf (options ? proxmoxLXC && config.services.avahi.enable) {
+    serviceConfig.ExecStartPre = mkIf config.services.resolved.enable [
+      "+-${config.systemd.package}/bin/resolvectl mdns eth0 yes"
+    ];
+  };
+  systemd.network.networks.eth0 = mkIf (! options ? proxmoxLXC) {
+    matchConfig.Name = "eth0";
+    linkConfig.Multicast = true;
+    networkConfig.MulticastDNS = true;
+  };
 }
--- a/systems/tewi/cloudflared.nix
+++ b/systems/tewi/cloudflared.nix
@ -1,34 +1,62 @@
 {
+  meta,
  config,
  lib,
  ...
 }: let
-  inherit (config) services;
+  inherit (lib.modules) mkMerge;
+  inherit (lib.attrsets) listToAttrs nameValuePair;
+  inherit (config.networking) hostName;
+  cfg = config.services.cloudflared;
  apartment = "131222b0-9db0-4168-96f5-7d45ec51c3be";
+  systemFor = hostName: if hostName == config.networking.hostName
+    then config
+    else meta.network.nodes.${hostName};
+  accessHostFor = { hostName, access ? "local", ... }: let
+    host = {
+      local = "${hostName}.local";
+      tail = "${hostName}.tail.cutie.moe";
+    }.${access} or (throw "unsupported access ${access}");
+  in if hostName == config.networking.hostName then "localhost" else host;
+  ingressForNginx = { host ? system.networking.fqdn, port ? 80, hostName, system ? systemFor hostName }@args: nameValuePair host {
+    service = "http://${accessHostFor args}:${toString port}";
+  };
+  ingressForHass = { host ? system.services.home-assistant.domain, port ? system.services.home-assistant.config.http.server_port, hostName, system ? systemFor hostName, ... }@args: nameValuePair host {
+    service = "http://${accessHostFor args}:${toString port}";
+  };
+  ingressForVouch = { host ? system.services.vouch-proxy.domain, port ? system.services.vouch-proxy.settings.vouch.port, hostName, system ? systemFor hostName, ... }@args: nameValuePair host {
+    service = "http://${accessHostFor args}:${toString port}";
+  };
+  ingressForKanidm = { host ? system.services.kanidm.server.frontend.domain, port ? system.services.kanidm.server.frontend.port, hostName, system ? systemFor hostName, ... }@args: nameValuePair host {
+    service = "https://${accessHostFor args}:${toString port}";
+    originRequest.noTLSVerify = true;
+  };
+  ingressForDeluge = { host, port ? system.services.deluge.web.port, hostName, system ? systemFor hostName, ... }@args: nameValuePair host {
+    service = "http://${accessHostFor args}:${toString port}";
+  };
 in {
-  sops.secrets.cloudflared-tunnel-apartment.owner = services.cloudflared.user;
-  sops.secrets.cloudflared-tunnel-apartment-deluge.owner = services.cloudflared.user;
+  sops.secrets.cloudflared-tunnel-apartment.owner = cfg.user;
+  sops.secrets.cloudflared-tunnel-apartment-deluge.owner = cfg.user;
  services.cloudflared = {
    tunnels = {
      ${apartment} = {
        credentialsFile = config.sops.secrets.cloudflared-tunnel-apartment.path;
        default = "http_status:404";
-        ingress = {
-          ${config.networking.domain}.service = "http://localhost:80";
-          ${services.home-assistant.domain}.service = "http://localhost:${toString services.home-assistant.config.http.server_port}";
-          ${services.zigbee2mqtt.domain}.service = "http://localhost:80";
-          ${services.vouch-proxy.domain}.service = "http://localhost:${toString services.vouch-proxy.settings.vouch.port}";
-          ${services.kanidm.server.frontend.domain} = {
-            service = "https://127.0.0.1:${toString services.kanidm.server.frontend.port}";
-            originRequest.noTLSVerify = true;
-          };
-        };
-        extraTunnel.ingress = {
-          deluge = {
-            hostname._secret = config.sops.secrets.cloudflared-tunnel-apartment-deluge.path;
-            service = "http://localhost:${toString services.deluge.web.port}";
-          };
-        };
+        ingress = listToAttrs [
+          (ingressForNginx { host = config.networking.domain; inherit hostName; })
+          (ingressForNginx { host = config.services.zigbee2mqtt.domain; inherit hostName; })
+          (ingressForHass { inherit hostName; })
+          (ingressForVouch { inherit hostName; })
+          (ingressForKanidm { inherit hostName; })
+        ];
+        extraTunnel.ingress = mkMerge [
+          (listToAttrs [
+            (ingressForDeluge { host = "deluge"; inherit hostName; })
+          ])
+          {
+            deluge.hostname._secret = config.sops.secrets.cloudflared-tunnel-apartment-deluge.path;
+          }
+        ];
      };
    };
  };