From 8f167672400c2b59b5c530772542d094e208121f Mon Sep 17 00:00:00 2001 From: Hadi <112569860+anotherhadi@users.noreply.github.com> Date: Sun, 4 Jan 2026 00:11:37 +0100 Subject: [PATCH] add cloudflared Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com> --- hosts/server/configuration.nix | 1 + hosts/server/secrets/secrets.yaml | 7 +++--- server-modules/arr.nix | 4 ++-- server-modules/cloudflared.nix | 39 +++++++++++++++++++++++++++++++ 4 files changed, 46 insertions(+), 5 deletions(-) create mode 100644 server-modules/cloudflared.nix diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix index f32b018..4d299af 100644 --- a/hosts/server/configuration.nix +++ b/hosts/server/configuration.nix @@ -13,6 +13,7 @@ ../../server-modules/ssh.nix # ../../server-modules/bitwarden.nix ../../server-modules/firewall.nix + ../../server-modules/cloudflared.nix ../../server-modules/nginx.nix ../../server-modules/glance.nix ../../server-modules/adguardhome.nix diff --git a/hosts/server/secrets/secrets.yaml b/hosts/server/secrets/secrets.yaml index 0afcd05..6545089 100644 --- a/hosts/server/secrets/secrets.yaml +++ b/hosts/server/secrets/secrets.yaml 
@@ -8,6 +8,7 @@ recyclarr: ENC[AES256_GCM,data:3rZgs4Z/XaQPxbueepPQlUthHMSKn1e92FyIOpzn1MsGmEL8L wireguard-pia: ENC[AES256_GCM,data:2IvJARGhesMuH9RdWzsyrwA7eqrhLyacQqZ1RNEkGOPUkQGX4uimKBSzkxXRy/haZ4V2k73JdLSaB9rAuI0n65GmWHmarwZekOyhRZSNb+zvFgw5BPZmywG1wR2HiTGR/qILovAaz47q/VnohUnjbbMCUvarC4PytWGxMUH96GIgZar8HjHFtK8grCSxlvpHKiDeKx8VSXnY/Pxj1EplBtIqwmtAeZdf/VjtwOL0nY54doPwHdIAvJ0B8Cu0a1zJIGEbV1NlKIHEJ1YA7rmv1ODkBnbXbIHMxAR3jeqR/UDqhDmXe41KujhiJI7nNeO7FKo2v92jK3fSbxYKatLrzXktHpE9JsMYVBXzTK7yAXPgoDdgLXzWH0OrJGBSisPrvqmxUko7MPreuwVYfFlKpll6JLifk8sML4A+94UPR8b89guXn7kBkLg1Y1oIAyguCdKpNOD31nXBMFF0nTcmCwyshDySaGTfJDgox65/77AiN1wH,iv:cdu6lBjLnEEfSFmWMC4Vn2sLKsvpCaatzXlgRNkEMeA=,tag:y1rAeNPB+DNGTpnP94iQrA==,type:str] signing-key: ENC[AES256_GCM,data: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,iv:VaZrv5/41ZyIax702Yae4QmFKpcEaWwPmTo2Mxao3bU=,tag:HC0eqDNit7jQKeeDAKWXKg==,type:str] signing-pub-key: ENC[AES256_GCM,data:CB7uU2Q4oTEKihpTIXGLaV0fJ1cv/p4oJJ5kjaU6BZiKhsiMA1JILUw2oVIDTDb+80WPzolDzZwWM8v31d5QIrZpHcPrdRLyV0X2USfG9U4aQ/ls79QAyOOJXA==,iv:/Eb5/+p86tw3tqNiDVHGu7HS1KBtFiYIgasRYJsAiEo=,tag:dGdJlcrnuU73s+IMQ3w3hA==,type:str] +cloudflared-token: ENC[AES256_GCM,data:uavOnRWtehxWpANgeCVasQ5jEQNT4oqp/3G3PmXdEUxQ7rpBGRplW0gcWz3KfUkE23BPDwES0pPPWgOKrpNqJjnisLX5uHUw+1atA/Qqw8QIimsvtPRgBO4+6fLIY+0q05Gr2gAm/JqQGflNuY4eUEbyzIYTDlGGE7p5sUIQJR4YWJssc2NLrxv1XH47UQS9MvZkoc5y8aC7YxoxS9VpJYDci9SHThh1ZGF8+HkrQuU=,iv:yPR0ido6l/4qpWRkJQYxlPhUkr4RBseCpio0uYEPekY=,tag:NpptYmlQO3khrrZTDRNC1A==,type:str] sops: age: - recipient: age12yvtj49pfh3fqzqflscm0ek4yzrjhr6cqhn7x89gdxnlykq0xudq5c7334 
@@ -19,7 +20,7 @@ sops: TEc5d01RaVFGNXc3dlljM0FTTHpENjQKOqwI+pl8UxVIVl43glnOYvW660/PsDGY yefODJGVtHrOm3yeXC2xlTi3sFW+c5wUl2yPqddbvcBt5Ud/yd4iXQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-09-14T19:20:44Z" - mac: ENC[AES256_GCM,data:nJ5lnPSVPyfMKhlNwzhxYGWY32i60P3N+jpBZKo8oEh8sqjsb4zHAECG/vMXrGTPwYzZ46m5PQQURCyeOvjuMaXK8184zMwFkehXtMJWI7/aKYbSpQqOchl8BN7QdlxH58kqtCwUkdldiW6t6cr4/VAUUPPLqpK19GDrwUYIVrY=,iv:JZBz5X8PdCFXonSPBd1hYiFG+t0aMQDmgCmAbclnpis=,tag:7Pm7V96xMRQZa/JAiDGYmQ==,type:str] + lastmodified: "2026-01-03T22:36:21Z" + mac: ENC[AES256_GCM,data:5xF+o8eyeXJBblC96xzvozDjrsrlNIo3sLep/pAcWEcYQU6ya4wg8iiE5wZh+KfqD47R0JV2jbcrrkdWTfo3j/HsDRCeFz68HRsgZRO00pV7gRJmE+tPhXvCiJRYYYQQ+TCmgraWLatPW8Ru4qt807aQiOTgCn/MCfNAvafjcBg=,iv:4XMobDIzpEGyIg8BHS51ch3bNYal5gsAI7L9epGWiaM=,tag:vwpKbJ3a/zUXyBa1txS7pw==,type:str] unencrypted_suffix: _unencrypted - version: 3.10.2 + version: 3.11.0 diff --git a/server-modules/arr.nix b/server-modules/arr.nix index ee7ccfc..085e167 100644 --- a/server-modules/arr.nix +++ b/server-modules/arr.nix @@ -53,8 +53,8 @@ in { }; services.nginx.virtualHosts = { - "jellyfin.${domain}" = mkVirtualHost 8096; - "jellyseerr.${domain}" = mkVirtualHost 5055; + "media.${domain}" = mkVirtualHost 8096; + "demandemedia.${domain}" = mkVirtualHost 5055; "bazarr.${domain}" = mkVirtualHost 6767; "prowlarr.${domain}" = mkVirtualHost 9696; "radarr.${domain}" = mkVirtualHost 7878; diff --git a/server-modules/cloudflared.nix b/server-modules/cloudflared.nix new file mode 100644 index 0000000..8915e0c --- /dev/null +++ b/server-modules/cloudflared.nix 
@@ -0,0 +1,39 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ sops.secrets = {
+ cloudflared-token = {
+ mode = "0400";
+ };
+ };
+
+ services.cloudflared = {
+ enable = true;
+ tunnels = {
+ "f7c8f777-a36c-4b9a-b6e3-6a112bd43e73" = {
+ credentialsFile = config.sops.secrets."cloudflared-token".path;
+ default = "http_status:404";
+ ingress = {
+ "media.hadi.diy" = "http://localhost:443";
+ "demandemedia.hadi.diy" = "http://localhost:443";
+ };
+ };
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ cloudflared
+ ];
+
+ # At the moment (2025), for support of browser rendering of the tunnels, this line is required:
+ services.openssh.settings.Macs = [
+ # Current defaults:
+ "hmac-sha2-512-etm@openssh.com"
+ "hmac-sha2-256-etm@openssh.com"
+ "umac-128-etm@openssh.com"
+ # Added:
+ "hmac-sha2-256"
+ ];
+}
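Review bot: The `services.openssh.settings.Macs` block at the end of the new module makes sshd accept the non-ETM `hmac-sha2-256` from every SSH client of this host, yet the tunnel's `ingress` publishes only the two media hostnames and no `ssh://` service, so nothing visible in this commit needs the relaxation. I would drop the block until an SSH ingress rule exists, or keep it with a comment that states the trade-off, e.g. `# hmac-sha2-256 (non-ETM) is accepted only for Cloudflare browser-rendered SSH; remove once ETM MACs are supported there`. Copying the "current defaults" into this list also pins them, so they will not follow later changes to OpenSSH's or the NixOS module's defaults. Separately, both ingress targets use `http://localhost:443`; if nginx terminates TLS on 443 (not visible in this patch), the origin should be `https://localhost:443` or the plain-HTTP listener instead.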