Cloudflared: Difference between revisions
m clarified steps 3 |
|||
| (3 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
[https://github.com/cloudflare/cloudflared Cloudflared] is a command line client | [https://github.com/cloudflare/cloudflared Cloudflared] is a command line client that can be used to establish a network tunnel from the Cloudflare network to a server. | ||
== Cloudflare Tunnel == | |||
== | === Prerequisites === | ||
* A Cloudflare account | |||
<syntaxhighlight lang=" | * A domain registered on Cloudflare (see https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) | ||
cloudflared tunnel login <the | |||
cloudflared tunnel create | If you do not wish to install cloudflared you may use a nix-shell to use it for the following steps without adding it to your configuration.<syntaxhighlight lang="console"> | ||
</syntaxhighlight> | $ nix-shell -p cloudflared | ||
</syntaxhighlight>You will need to log in to your Cloudflare account through the command line, the following command will open a web browser to allow you to log in:<syntaxhighlight lang="console"> | |||
$ cloudflared tunnel login | |||
</syntaxhighlight>You can use the link it provides on any machine that has a browser in order to get the needed cert.pem file. | |||
Afterwards you will need to create the tunnel from the machine.<syntaxhighlight lang="console"> | |||
$ cloudflared tunnel create <tunnel-name-of-choice> | |||
</syntaxhighlight>The command will output the tunnel ID in the format 00000000-0000-0000-0000-000000000000, which will be needed for setting up the tunnel service. The following example uses flakes and [https://github.com/Mic92/sops-nix sops-nix] to hide the credentials file secret. | |||
{{File|3={ | |||
inputs, | |||
config, | |||
... | |||
}: { | |||
imports = [ | |||
inputs.sops-nix.nixosModules.sops | |||
]; | |||
sops = { | |||
age.keyFile = "/home/username/.config/sops/age/keys.txt"; | |||
defaultSopsFile = secrets/secrets.yaml; | |||
secrets."cloudflared-creds" = { | |||
owner = "username"; | |||
group = "users"; | |||
mode = "0400"; | |||
}; | |||
}; | |||
services.cloudflared = { | services.cloudflared = { | ||
enable = true; | enable = true; | ||
| Line 18: | Line 43: | ||
"00000000-0000-0000-0000-000000000000" = { | "00000000-0000-0000-0000-000000000000" = { | ||
credentialsFile = "${config.sops.secrets.cloudflared-creds.path}"; | credentialsFile = "${config.sops.secrets.cloudflared-creds.path}"; | ||
}; | }; | ||
}; | }; | ||
}; | }; | ||
} | }|name=cloudflare_tunnel.nix|lang=nix}} | ||
You can now use the Cloudflare dashboard to add your public hosts. | |||
==== Declarative igress ==== | |||
However, if you would instead like to do so in your configuration file you may specify ingress rules in your configuration file.{{File|3={ | |||
inputs, | |||
config, | |||
... | |||
}: { | |||
imports = [ | |||
inputs.sops-nix.nixosModules.sops | |||
]; | |||
sops = { | |||
age.keyFile = "/home/username/.config/sops/age/keys.txt"; | |||
defaultSopsFile = secrets/secrets.yaml; | |||
secrets."cloudflared-creds" = { | |||
owner = "username"; | |||
group = "users"; | |||
mode = "0400"; | |||
}; | |||
}; | |||
services.cloudflared = { | services.cloudflared = { | ||
enable = true; | enable = true; | ||
| Line 38: | Line 79: | ||
credentialsFile = "${config.sops.secrets.cloudflared-creds.path}"; | credentialsFile = "${config.sops.secrets.cloudflared-creds.path}"; | ||
ingress = { | ingress = { | ||
" | "your-registered-domain.com" = "http://localhost:PORT"; | ||
}; | }; | ||
default = "http_status:404"; | default = "http_status:404"; | ||
}; | }; | ||
}; | }; | ||
}; | }; | ||
} | }|name=cloudflare_tunnel.nix|lang=nix}}Finally, create a CNAME record with the following command.<syntaxhighlight lang="console"> | ||
$ cloudflared tunnel route dns <your-tunnel> <your-public-domain> | |||
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 57: | Line 96: | ||
<syntaxhighlight lang="nix"> | <syntaxhighlight lang="nix"> | ||
services.openssh.settings.Macs = [ | services.openssh.settings.Macs = [ | ||
# Current defaults: | # Current defaults: | ||
"hmac-sha2-512-etm@openssh.com" | "hmac-sha2-512-etm@openssh.com" | ||