From 85a1c2c3b145d833bd83fa441fd54c5c7f2ffbd4 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Sun, 6 Jul 2025 12:48:10 -0700
Subject: add secrets and configurations for cloudflared
---
 nix/machines/vm-synology/default.nix | 7 +++++++
 nix/machines/vm-synology/ingress.nix | 16 ++++++++++++++++
 nix/users/fcuny/ssh.nix | 5 ++++-
 secrets/cloudflared_cert.age | Bin 0 -> 868 bytes
 secrets/cloudflared_cragmont.age | Bin 0 -> 502 bytes
 secrets/secrets.nix | 9 +++++++++
 6 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 nix/machines/vm-synology/ingress.nix
 create mode 100644 secrets/cloudflared_cert.age
 create mode 100644 secrets/cloudflared_cragmont.age
diff --git a/nix/machines/vm-synology/default.nix b/nix/machines/vm-synology/default.nix
index dd004f6..8f3b725 100644
--- a/nix/machines/vm-synology/default.nix
+++ b/nix/machines/vm-synology/default.nix
@@ -8,6 +8,12 @@
 restic_password = {
 file = ../../../secrets/restic_password.age;
 };
+ cloudflared-tunnel = {
+ file = ../../../secrets/cloudflared_cragmont.age;
+ };
+ cloudflared-cert = {
+ file = ../../../secrets/cloudflared_cert.age;
+ };
 };
 };
@@ -15,6 +21,7 @@
 ./backups.nix
 ./git.nix
 ./hardware.nix
+ ./ingress.nix
 ];
 # Use the systemd-boot EFI boot loader.
diff --git a/nix/machines/vm-synology/ingress.nix b/nix/machines/vm-synology/ingress.nix
new file mode 100644
index 0000000..b6ae596
--- /dev/null
+++ b/nix/machines/vm-synology/ingress.nix
@@ -0,0 +1,16 @@
+{ config, ... }:
+{
+ services.cloudflared = {
+ enable = true;
+ certificateFile = config.age.secrets.cloudflared-cert.path;
+ tunnels = {
+ "cragmont" = {
+ credentialsFile = config.age.secrets.cloudflared-tunnel.path;
+ default = "http_status:404";
+ ingress = {
+ "git.fcuny.net".service = "ssh://127.0.0.1:22";
+ };
+ };
+ };
+ };
+}
diff --git a/nix/users/fcuny/ssh.nix b/nix/users/fcuny/ssh.nix
index ec407ce..322a8bc 100644
--- a/nix/users/fcuny/ssh.nix
+++ b/nix/users/fcuny/ssh.nix
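Review bot: The two new `age.secrets` entries set only `file`, so unless agenix defaults are overridden elsewhere the decrypted files will be root-owned with mode 0400, which the cloudflared unit cannot read if it runs as the module's dedicated `cloudflared` user (the NixOS default, as far as I know) — the tunnel service would then fail at start-up. Adding `owner = "cloudflared";` next to each `file` line (or `owner = config.services.cloudflared.user;` if `config` is in scope in this file, which the hunk does not show) keeps the secrets unreadable to other users while letting the service open them. The enclosing `age.secrets` attribute set starts outside the hunk.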
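Review bot: `certificateFile` ships the origin certificate (cert.pem) to the VM, although, as far as I know, `cloudflared tunnel run` with a `credentialsFile` does not need it — cert.pem is only required for management operations such as creating tunnels and DNS routes, so a compromise of this host would expose more than the one tunnel credential. Consider dropping the `certificateFile` line (and the matching `cloudflared-cert` secret) from the host and keeping cert.pem only where tunnels are administered. Independently of that, this ingress publishes the local sshd under `git.fcuny.net`; the client side of the diff uses `cloudflared access ssh`, but no Access policy is visible here, so a comment such as `# git.fcuny.net is gated by a Cloudflare Access application; sshd's own authentication still applies behind it` would record that assumption for the next reader. The `default = "http_status:404"` catch-all is the right choice.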
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ pkgs, config, ... }:
 {
 # https://github.com/nix-community/home-manager/blob/master/modules/programs/ssh.nix
 programs.ssh = {
@@ -10,6 +10,9 @@
 controlPath = "${config.home.homeDirectory}/.ssh/sockets/S.%r@%h:%p";
 matchBlocks = {
+ "git.fcuny.net" = {
+ proxyCommand = "${pkgs.cloudflared}/bin/cloudflared access ssh --hostname %h";
+ };
 "github.com" = {
 hostname = "github.com";
 user = "git";
diff --git a/secrets/cloudflared_cert.age b/secrets/cloudflared_cert.age
new file mode 100644
index 0000000..3eee66a
Binary files /dev/null and b/secrets/cloudflared_cert.age differ
diff --git a/secrets/cloudflared_cragmont.age b/secrets/cloudflared_cragmont.age
new file mode 100644
index 0000000..986d699
Binary files /dev/null and b/secrets/cloudflared_cragmont.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index ce03f7f..3de69b7 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -21,4 +21,13 @@ in
 users.fcuny
 hosts.vm-synology
 ];
+ # run cloudflared tunnel token --cred-file foo.json cragmont
+ "cloudflared_cragmont.age".publicKeys = [
+ users.fcuny
+ hosts.vm-synology
+ ];
+ "cloudflared_cert.age".publicKeys = [
+ users.fcuny
+ hosts.vm-synology
+ ];
 }
-- 
cgit v1.2.3
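Review bot: The new `"git.fcuny.net"` match block is the only one in this file with a `proxyCommand` and carries no comment saying why the direct TCP connect is bypassed; a one-liner above it, `# relayed through a Cloudflare tunnel via Access; ssh host-key verification still happens end to end over the relay`, would tell the reader both the reason and that the relay cannot substitute the server's key. For consistency with the `"github.com"` block just below, which sets `hostname` explicitly, consider adding `hostname = "git.fcuny.net";` so the value `%h` expands to in the proxy command is spelled out rather than inherited from the alias. The `pkgs` argument added in the first hunk of this file exists only to reference `pkgs.cloudflared` here.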
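Review bot: The comment documents how `cloudflared_cragmont.age` is produced but says nothing about `cloudflared_cert.age`, which is the more sensitive of the two if it holds the cert.pem from `cloudflared tunnel login` (the hunk does not say): that certificate can create and delete tunnels and DNS routes for the account rather than run a single tunnel. A comment above its entry, such as `# cloudflared_cert.age: presumably cert.pem from 'cloudflared tunnel login' — account-scoped, can manage all tunnels and DNS routes; keep the recipient list minimal`, would make the difference in blast radius visible when recipients are added later. Both new entries mirror the recipient list of the entry above them, which is consistent with the rest of the file.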