From 85a1c2c3b145d833bd83fa441fd54c5c7f2ffbd4 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Sun, 6 Jul 2025 12:48:10 -0700
Subject: add secrets and configurations for cloudflared
---
 nix/machines/vm-synology/default.nix | 7 +++++++
 nix/machines/vm-synology/ingress.nix | 16 ++++++++++++++++
 nix/users/fcuny/ssh.nix | 5 ++++-
 3 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 nix/machines/vm-synology/ingress.nix
(limited to 'nix')
diff --git a/nix/machines/vm-synology/default.nix b/nix/machines/vm-synology/default.nix
index dd004f6..8f3b725 100644
--- a/nix/machines/vm-synology/default.nix
+++ b/nix/machines/vm-synology/default.nix
@@ -8,6 +8,12 @@
 restic_password = {
 file = ../../../secrets/restic_password.age;
 };
+ cloudflared-tunnel = {
+ file = ../../../secrets/cloudflared_cragmont.age;
+ };
+ cloudflared-cert = {
+ file = ../../../secrets/cloudflared_cert.age;
+ };
 };
 };
@@ -15,6 +21,7 @@
 ./backups.nix
 ./git.nix
 ./hardware.nix
+ ./ingress.nix
 ];
 # Use the systemd-boot EFI boot loader.
diff --git a/nix/machines/vm-synology/ingress.nix b/nix/machines/vm-synology/ingress.nix
new file mode 100644
index 0000000..b6ae596
--- /dev/null
+++ b/nix/machines/vm-synology/ingress.nix
@@ -0,0 +1,16 @@
+{ config, ... }:
+{
+ services.cloudflared = {
+ enable = true;
+ certificateFile = config.age.secrets.cloudflared-cert.path;
+ tunnels = {
+ "cragmont" = {
+ credentialsFile = config.age.secrets.cloudflared-tunnel.path;
+ default = "http_status:404";
+ ingress = {
+ "git.fcuny.net".service = "ssh://127.0.0.1:22";
+ };
+ };
+ };
+ };
+}
diff --git a/nix/users/fcuny/ssh.nix b/nix/users/fcuny/ssh.nix
index ec407ce..322a8bc 100644
--- a/nix/users/fcuny/ssh.nix
+++ b/nix/users/fcuny/ssh.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ pkgs, config, ... }:
 {
 # https://github.com/nix-community/home-manager/blob/master/modules/programs/ssh.nix
 programs.ssh = {
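Review bot: The two new agenix secrets in nix/machines/vm-synology/default.nix are declared with only `file`, so they get agenix's default ownership (root, mode 0400), while the NixOS cloudflared module — as far as I recall — runs the tunnel under its own `cloudflared` service user, which would then be unable to read the files handed to it as `credentialsFile` and `certificateFile` in the new ingress.nix. Setting the owner on both entries, e.g. `owner = "cloudflared";` beside each `file = …;` line, keeps the restrictive mode while letting only the service user read them; if the module is configured to run as root this can be ignored, but that is worth confirming before deploying. The enclosing `age.secrets` attribute set begins before this hunk.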
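Review bot: The `ingress` rule in the new nix/machines/vm-synology/ingress.nix publishes the VM's local sshd (`ssh://127.0.0.1:22`) under `git.fcuny.net`, and nothing in this file expresses who may reach it: the client side in nix/users/fcuny/ssh.nix uses `cloudflared access ssh`, which presumes a Cloudflare Access application policy for that hostname, but such a policy lives in the Cloudflare dashboard rather than in this repo. A comment recording that dependency would stop a future reader from assuming the tunnel alone gates access, e.g. above the rule: `# sshd is meant to be reachable only through a Cloudflare Access policy on git.fcuny.net, managed outside this repo; confirm it is in place before changing this rule.` The `default = "http_status:404"` catch-all for unmatched hostnames is the right choice and worth keeping.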
@@ -10,6 +10,9 @@
 controlPath = "${config.home.homeDirectory}/.ssh/sockets/S.%r@%h:%p";
 matchBlocks = {
+ "git.fcuny.net" = {
+ proxyCommand = "${pkgs.cloudflared}/bin/cloudflared access ssh --hostname %h";
+ };
 "github.com" = {
 hostname = "github.com";
 user = "git";
--
cgit v1.2.3
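Review bot: The new `"git.fcuny.net"` match block gives no hint why this one host needs a `proxyCommand`, and unlike the neighbouring `"github.com"` block it sets nothing else, so a reader has to locate the server side of the tunnel to understand it. A one-line comment above the block would do, e.g. `# Reached through the "cragmont" cloudflared tunnel (nix/machines/vm-synology/ingress.nix); %h must stay identical to the tunnel's ingress hostname.` The `matchBlocks` set continues past the end of this hunk.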