| author | seth <[email protected]> | 2023-08-04 13:31:42 -0400 |
|---|---|---|
| committer | seth <[email protected]> | 2023-08-04 13:32:48 -0400 |
| commit | b4600bce3f9314e8d7c459be0f170b91031e4dcc (patch) | |
| tree | e520de0664ab3012e34ca07d862565ea07cae4af | |
| parent | c71dd50f7c1b99a2a1a6d8ab91597bd2e7113840 (diff) | |
hosts/atlas+p-body: use cloudflared
| -rw-r--r-- | hosts/atlas/nginx.nix | 35 | ||||
| -rw-r--r-- | hosts/p-body/nginx.nix | 26 | ||||
| -rw-r--r-- | secrets/hosts/atlas/cloudflaredCreds.age | 14 | ||||
| -rw-r--r-- | secrets/hosts/p-body/cloudflaredCreds.age | 16 | ||||
| -rw-r--r-- | secrets/secrets.nix | 2 |
5 files changed, 65 insertions, 28 deletions
diff --git a/hosts/atlas/nginx.nix b/hosts/atlas/nginx.nix
index 2356e1d..05cf3db 100644
--- a/hosts/atlas/nginx.nix
+++ b/hosts/atlas/nginx.nix
@@ -1,14 +1,13 @@
-{config, ...}: {
- getchoo.server.acme.enable = true;
- networking.firewall.allowedTCPPorts = [443];
-
- security.acme = {
- acceptTerms = true;
- defaults = {
- email = "[email protected]";
- dnsProvider = "cloudflare";
- credentialsFile = config.age.secrets.cloudflareApiKey.path;
- };
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (config.networking) domain;
+in {
+ getchoo.server = {
+ acme.enable = true;
+ services.cloudflared.enable = true;
+ };
 services.nginx = {
@@ -20,8 +19,6 @@
 recommendedTlsSettings = true;
 virtualHosts = let
- inherit (config.networking) domain;
-
 mkProxy = endpoint: port: {
 "${endpoint}" = {
 proxyPass = "http://localhost:${port}";
@@ -29,14 +26,16 @@
 };
 };
- mkVHosts = builtins.mapAttrs (_: v:
- v
- // {
+ mkVHosts = let
+ commonSettings = {
 enableACME = true;
 # workaround for https://github.com/NixOS/nixpkgs/issues/210807
 acmeRoot = null;
- forceSSL = true;
- });
+
+ addSSL = true;
+ };
+ in
+ builtins.mapAttrs (_: lib.recursiveUpdate commonSettings);
 in
 mkVHosts {
 "miniflux.${domain}" = {
diff --git a/hosts/p-body/nginx.nix b/hosts/p-body/nginx.nix
index 1d491d2..3278870 100644
--- a/hosts/p-body/nginx.nix
+++ b/hosts/p-body/nginx.nix
@@ -1,8 +1,14 @@
-{config, ...}: let
+{
+ config,
+ lib,
+ ...
+}: let
 inherit (config.networking) domain;
in {
- getchoo.server.acme.enable = true;
- networking.firewall.allowedTCPPorts = [443];
+ getchoo.server = {
+ acme.enable = true;
+ services.cloudflared.enable = true;
+ };
 services.nginx = {
 enable = true;
@@ -12,8 +18,6 @@ in {
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
- statusPage = true;
-
 virtualHosts = let
 mkProxy = endpoint: port: {
 "${endpoint}" = {
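Review bot: The merge direction in the new `mkVHosts` of hosts/atlas/nginx.nix (third hunk) is inverted relative to the old code: `lib.recursiveUpdate commonSettings v` lets a per-vhost attribute override `enableACME`, `acmeRoot` and `addSSL`, whereas `v // {…}` made the shared settings win, so a vhost that sets its own `forceSSL` or `enableACME` would presumably now take effect silently; if that is intended, a comment such as `# per-vhost attrs take precedence over commonSettings` would make it explicit. The same hunk also swaps `forceSSL` for `addSSL`, so nginx now answers plain HTTP without redirecting, while the first hunk drops `networking.firewall.allowedTCPPorts = [443]` without opening any other port — presumably because cloudflared reaches nginx over the loopback and TLS terminates at Cloudflare, an assumption that deserves a comment on `addSSL`, e.g. `# no redirect: requests arrive via the local cloudflared tunnel, not the public ports`. With the `security.acme` defaults (DNS provider and credentials file) removed from this file, `enableACME = true` now depends entirely on `getchoo.server.acme` configuring a DNS-01 provider, since an HTTP-01 challenge cannot be reached through the closed firewall. The identical `mkVHosts` change in hosts/p-body/nginx.nix (its third hunk, continuing on the next line) raises the same points.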
@@ -22,14 +26,16 @@ in {
 };
 };
- mkVHosts = builtins.mapAttrs (_: v:
- v
- // {
+ mkVHosts = let
+ commonSettings = {
 enableACME = true;
 # workaround for https://github.com/NixOS/nixpkgs/issues/210807
 acmeRoot = null;
- forceSSL = true;
- });
+
+ addSSL = true;
+ };
+ in
+ builtins.mapAttrs (_: lib.recursiveUpdate commonSettings);
 in
 mkVHosts {
 "api.${domain}" = {
diff --git a/secrets/hosts/atlas/cloudflaredCreds.age b/secrets/hosts/atlas/cloudflaredCreds.age
new file mode 100644
index 0000000..6fb3bab
--- /dev/null
+++ b/secrets/hosts/atlas/cloudflaredCreds.age
@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGxXSVVGUSBPL3Ay
+eHVCWE51amRZY2ZIaGpYNDZpYzgwMk02c3MwNnJxT3dORVlaL2xVCjhPakdiTmwy
+NDZ3QlljQkFSNG5zWEgydURST2VtdnE4OXVUWjg4Yjd0aEUKLT4gc3NoLWVkMjU1
+MTkgSTkyQTNRIFpTRWZXSS9keDl0WkRzeVc5b3U4R1RxQ0ZuRFVsN1NsQjB0czk2
+YXArbWMKTFhYQnQvMVY4RlQ4akNSU2RyZ1Y5S09Tc2FJUy8wZVE2eEdCYXNxTnFu
+cwotPiBfJDVHLWdyZWFzZSAjIj9Icgp3WG5lNG5jZTBqdWZtOUxYSlk2eDRna2Ro
+d2lwWWtFSVVMK09NZzR1OS9aUFFhMk1qOXBkOFVmdlhGeXYKLS0tIDBSdkIxMWQ0
+NTZYT1N0ZTZlT203aXFmak85ZDV2SFRXeWtEemZmVURNSjAKiiApER/dMKCQK3Sk
+OiuFg4Xa9pLz+pdiTOpLQh6cRWoxY2cmQ3voU371JKarrHcrFPQn8mKM32Rxvfjs
+YBsPhceB2l5xjy6wKbhJVU+GzUDtFfMext4+OQlEERWwE5pMoNe+nCeeIm1rbBiW
+VkYFfLBDlr39/9B/JeUO6vvhxbBXvkjREgbtkHQJzgrhss9UVD3VAFxcxXgzGjK0
+vem9zM1+StKwuLQuyjg/yx90/nr46vnFeKdAhUUtfcaLs3ccX3w=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/hosts/p-body/cloudflaredCreds.age b/secrets/hosts/p-body/cloudflaredCreds.age
new file mode 100644
index 0000000..92de437
--- /dev/null
+++ b/secrets/hosts/p-body/cloudflaredCreds.age
@@ -0,0 +1,16 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDJybTN3ZyBKeXFl
+ckJ2UStYUDZtUEpvSXNtMUNiUXd1NHIxeElaeDRZWTgrSm1tUkRNCi8wcXlqVnBH
+UlRaNGpVV3ovRWh4K0R6RXhGSWZISUFPRVY2QU1scVI1TUUKLT4gc3NoLWVkMjU1
+MTkgSTkyQTNRIExBbk9OMHNIakhLN3M2UHpwVndYVTNvTC9tQXdUVXZlSGpIUUl6
+MGtaalkKS3ZCSjZlUzIrVHdiemIzbW5IYnlOTjBGbHVPVXVDeWUwK3pPVmVsckp4
+SQotPiBkTkhYdi1ncmVhc2UgV0I0NgoxUXlzUktFcER5ZmVCVTFzNDlUNlo3V1k0
+cDNCQ0NBeVhZZTRBSnIzZHhadWpLc2JiMHBUbDdpYnhYQlRIakdtCnNPcEZLekZN
+ekpZS0lpNHladVNhNHE3U0NDejFFYmZIVnI3MDlyK09sQkdEY0JPWS93S0VXOTUz
+Y2cKLS0tIGVhODlkZ0V2dDl1b2N1NXlRcGdkcWxSRkJpRERQampZM3RNZ1pUUGpX
+VVEKHP2CEMgipxc6olgCyR2q4vd4tuQQ1bkzzGujK/5jy4H2P5CClb2ktQpG1Ns9
+BudlMQcL2pNLK9YcAMWLhkSG7oRIL2RfswbatZdYxEWvTqGl1fRlm+qqitBXMVlK
+30mAS8ey1cUCkCLeCvej4tF9bAgCnp/K1c/2VQgNnrorE6K/3n4eEwT1zDW9/AuX
+8JTieb7EWwSnEN9h//UbMAwbR2ePVXW3J1Et8ziIgBXLZmqHoYe8AeyZm22gOk/f
+0l81We4=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 40a4e79..aa57c27 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -17,6 +17,7 @@ in {
 "hosts/atlas/secretsJson.age".publicKeys = atlas;
 "hosts/atlas/miniflux.age".publicKeys = atlas;
 "hosts/atlas/tailscaleAuthKey.age".publicKeys = atlas;
+ "hosts/atlas/cloudflaredCreds.age".publicKeys = atlas;
 "hosts/p-body/rootPassword.age".publicKeys = p-body;
 "hosts/p-body/userPassword.age".publicKeys = p-body;
@@ -25,4 +26,5 @@ in {
 "hosts/p-body/clusterToken.age".publicKeys = p-body;
 "hosts/p-body/secretsJson.age".publicKeys = p-body;
 "hosts/p-body/tailscaleAuthKey.age".publicKeys = p-body;
+ "hosts/p-body/cloudflaredCreds.age".publicKeys = p-body;
 }
|
