Add nix-serve-ng behind Cloudflare Tunnel (#98)

2025-12-26 15:04:59 +08:00 · 2025-10-01 12:37:10 -04:00 · 2025-10-01 12:37:10 -04:00 · 381a661586
commit 381a661586
parent 04c6b3c1e1
7 changed files with 73 additions and 0 deletions
--- a/configurations/nixos/pureintent/default.nix
+++ b/configurations/nixos/pureintent/default.nix
@ -12,6 +12,7 @@ in
    ./configuration.nix
    (self + /modules/nixos/linux/eternal-terminal.nix)
    (self + /modules/nixos/shared/github-runner.nix)
+    inputs.nix-serve-cloudflared.nixosModules.default
  ];

  home-manager.sharedModules = [
@ -27,6 +28,28 @@ in
    }
  ];

+  # Cache key: cache.srid.ca:EGydqsWFaTZeW6vsXnOHclTXrmJ58gq/bkVYhRpuzQ8=
+  age.secrets."nix-serve-cloudflared/cache-key.pem" = {
+    file = self + /secrets/nix-serve-cloudflared/cache-key.pem.age;
+    mode = "0400";
+  };
+
+  age.secrets."nix-serve-cloudflared/cloudflared-credentials.json" = {
+    file = self + /secrets/nix-serve-cloudflared/cloudflared-credentials.json.age;
+    mode = "0400";
+  };
+
+  services.nix-serve-cloudflared = {
+    enable = true;
+    secretKeyFile = config.age.secrets."nix-serve-cloudflared/cache-key.pem".path;
+    cloudflare = {
+      tunnelId = "55569b77-5482-47c7-bf25-53d93b64d0c8";
+      credentialsFile = config.age.secrets."nix-serve-cloudflared/cloudflared-credentials.json".path;
+      domain = "cache.srid.ca";
+    };
+  };
+
+
  nix.settings.sandbox = "relaxed";

  services.openssh.enable = true;
--- a/flake.lock
+++ b/flake.lock
@ -525,6 +525,22 @@
        "type": "github"
      }
    },
+    "nix-serve-cloudflared": {
+      "locked": {
+        "lastModified": 1759335502,
+        "narHash": "sha256-Dp15B4ou67oV+UiadNdJ5FIC4DBussh18uj0CWoMnd4=",
+        "owner": "srid",
+        "repo": "nix-serve-cloudflared",
+        "rev": "835228fbfeea670691bb738c911bdf24a7d304ea",
+        "type": "github"
+      },
+      "original": {
+        "owner": "srid",
+        "ref": "init",
+        "repo": "nix-serve-cloudflared",
+        "type": "github"
+      }
+    },
    "nixos-hardware": {
      "locked": {
        "lastModified": 1743167577,
@ -831,6 +847,7 @@
        "nix-darwin": "nix-darwin",
        "nix-doom-emacs-unstraightened": "nix-doom-emacs-unstraightened",
        "nix-index-database": "nix-index-database",
+        "nix-serve-cloudflared": "nix-serve-cloudflared",
        "nixos-hardware": "nixos-hardware",
        "nixos-unified": "nixos-unified",
        "nixos-vscode-server": "nixos-vscode-server",
--- a/flake.nix
+++ b/flake.nix
@ -1,6 +1,13 @@
 {
  description = "Srid's NixOS / nix-darwin configuration";

+  nixConfig = {
+    substituters = [ "https://cache.srid.ca" ];
+    trusted-public-keys = [
+      "cache.srid.ca:EGydqsWFaTZeW6vsXnOHclTXrmJ58gq/bkVYhRpuzQ8="
+    ];
+  };
+
  inputs = {
    flake-parts.url = "github:hercules-ci/flake-parts";

@ -33,6 +40,7 @@
    };
    try.url = "github:tobi/try";
    vira.url = "github:juspay/vira/shared-clone";
+    nix-serve-cloudflared.url = "github:srid/nix-serve-cloudflared/init";

    # Neovim
    nixvim.url = "github:nix-community/nixvim";
--- a/modules/home/all/vira.nix
+++ b/modules/home/all/vira.nix
@ -29,6 +29,7 @@ in
        imako = "https://github.com/srid/imako.git";
        emanote = "https://github.com/srid/emanote.git";
        ny = "https://github.com/nammayatri/nammayatri.git";
+        nix-serve-cloudflared = "https://github.com/srid/nix-serve-cloudflared.git";
      };
    };
  };
--- a/secrets/nix-serve-cloudflared/cache-key.pem.age
+++ b/secrets/nix-serve-cloudflared/cache-key.pem.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 96IXNQ eOTGv7ZtSQllk+esZuxPRMcPb/ih/OPSUu1iWS+Stlc
+2taEhnjDLY5LMoTfKpHvpd8Oi9DPEsrsRxR1wiGAxOQ
+-> ssh-ed25519 Ysxvmg uk3DygJEdt0f0BT3IaZWMV1Y7+HfIAnwRJrGzzHu7Rw
+jOgpde4upZmucuWAFYfwcuwn2KZe7wR5egYSzxcKgqo
+-> ssh-ed25519 HQ+y9w u1SCNgeYWb4bzfP2YaQ4zAVjbLn4DjBmGtS1xMfEJiY
+OuVkqVdmtV2QOjiSGaBQpH0q2GdvopvnCXeAX8T9dU8
+-> ssh-ed25519 p0qplg OSQQqK71R7hqWjuX7CU0gCx4luSsThLRq9hYwBszdWw
+aZMcw0KVsSJw+K8U6h24O7ayjZbGmY+HlvlEZuwrIbs
+--- /pZ7brPYwugM8s4muiCLI0u/mPLNiXWRhiC2gXzhMQc
+rºÑ(†QŠyÇcš‹	Ä;—ûìZÕêõÜ**…¾ÃÕ<C383>òÇîÐü$„!Õ<>ô-KŽ&¸Šé|<×Œ³/Ä¼Ìñé¸wçc‰R{Ú P€oYÞGà~þõ×'ê³ÇÑiŸŸNbCoeÅáœ˜R´7(™aˆì_BçBGFC-5çØ_&Ø‰Ãt
--- a/secrets/nix-serve-cloudflared/cloudflared-credentials.json.age
+++ b/secrets/nix-serve-cloudflared/cloudflared-credentials.json.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 96IXNQ 7mc1bNt7+SlS80zWIcESS3BDDbGX/Nzcv/HmpiJXPzk
+6BQtl69t0UcoaMZvYMydi5Ssn66DaRTbEYOE0zmnOS8
+-> ssh-ed25519 Ysxvmg nv9ndyVO9helRdywQnW+INIFfkR1eT17kfLIy9+PHlM
+7TGdyOl8Kac83H4L+6PgIOuYLJEwuoyDzN4aWjUhEqk
+-> ssh-ed25519 HQ+y9w g+FGOsvLMob1RaFOMdf8sWXwLwJenY9mUhGw0W6yYQg
+Y2Iix4zOUGRnpRca3HAiex22tNAc2EGEFqODMrEVj2U
+-> ssh-ed25519 p0qplg +5abAIfm6WBmQh+uGJSKX/wjn+kJZ4/zC++kRodwOGw
+HNLIOKPkelMnkkObjvALmYUxFiYBfmHmYm2eNNghPik
+--- RU/y77v3sDBXEmPlc4AOzAtUaNClgqq/Bqo1gXsrS+U
+‘s§+F|ž<>UoTý <C3BD>†ý¢œÛg¤7ó72<37>‘<EFBFBD>ÝˆTxÒ›y€Ý¯²Fôšðûu8éRûp=¡Øþ$Äü×®Xýé³@.	ð<>W–Æ×w¬‰K-ÈOy: ¹<>›p»ÖHz]¹ž€ÛhU$Võ»ýŸjÍöV×¤1ŠËÒ`Í¬JeVzÅV~í1¸(LK[ÇF[VœÌj‹Özd_lFJ3&äîu„›´™!2$Òå×Î®Ðºž y@ï‡‡¡}Uª0JN©e|{WPnóð‡[òÏO“Ó
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -14,4 +14,6 @@ in
  "pureintent-basic-auth.age".publicKeys = users ++ systems;
  "gmail-app-password.age".publicKeys = users ++ systems;
  "hackage-password.age".publicKeys = users ++ systems;
+  "nix-serve-cloudflared/cache-key.pem.age".publicKeys = users ++ systems;
+  "nix-serve-cloudflared/cloudflared-credentials.json.age".publicKeys = users ++ systems;
 }