{
  config,
  lib,
  secretsDir,
  ...
}: let
  cfg = config.traits.cloudflared;
  inherit (config.services) nginx;

  # The tunnel forwards to nginx's plain-HTTP listener on loopback, so nginx
  # sees the cloudflared process (127.0.0.1/::1) as the peer, not the browser.
  # Anything that keys on the client address (access logs, allow/deny, rate
  # limits) needs ngx_http_realip_module configured separately
  # (set_real_ip_from <cloudflared source> + real_ip_header CF-Connecting-IP);
  # this module does not do that.
  originUrl = "http://localhost:${toString nginx.defaultHTTPListenPort}";

  # One ingress rule per nginx virtual host, keyed by the vhost name, all
  # pointing at the same local origin. NOTE(review): this publishes *every*
  # vhost on the machine through the tunnel — confirm none are meant to be
  # LAN-only before enabling this trait on a host that serves both.
  ingressRules = lib.mapAttrs (_: _: {service = originUrl;}) nginx.virtualHosts;

  tunnelName = "${config.networking.hostName}-nginx";

  # Only wire the agenix-managed credentials file in when this module owns
  # the secret; otherwise the tunnel's credentialsFile is expected to be set
  # elsewhere by the host configuration (presumably required by the NixOS
  # cloudflared module — verify if manageSecrets is disabled).
  credentialsAttrs = lib.optionalAttrs cfg.manageSecrets {
    credentialsFile = config.age.secrets.cloudflaredCreds.path;
  };
in {
  options.traits.cloudflared = {
    enable = lib.mkEnableOption "cloudflared";
    # Defaults to following the host-wide secrets trait.
    manageSecrets =
      lib.mkEnableOption "automatically managed secrets"
      // {default = config.traits.secrets.enable;};
  };

  config = lib.mkIf cfg.enable (lib.mkMerge [
    {
      services.cloudflared.enable = true;
      services.cloudflared.tunnels.${tunnelName} =
        {
          # Requests for hostnames with no ingress rule are rejected at the
          # edge instead of reaching nginx.
          default = "http_status:404";
          ingress = ingressRules;
        }
        // credentialsAttrs;
    }

    (lib.mkIf cfg.manageSecrets {
      # Tunnel credentials decrypted by agenix, readable only by the
      # cloudflared service user.
      age.secrets.cloudflaredCreds = {
        file = secretsDir + "/cloudflaredCreds.age";
        mode = "400";
        owner = "cloudflared";
        group = "cloudflared";
      };
    })
  ]);
}