Cloudflared: Difference between revisions

Phobos (talk | contribs)
m clarified steps 3
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[https://github.com/cloudflare/cloudflared Cloudflared] is a command line client for a network tunnel from the cloudflare network to a server.
[https://github.com/cloudflare/cloudflared Cloudflared] is a command line client that can be used to establish a network tunnel from the Cloudflare network to a server.


Introduced in https://github.com/NixOS/nixpkgs/pull/171875
== Cloudflare Tunnel ==


== Example ==
=== Prerequisites ===


To get credentialsFile (e.g. tunnel-ID.json) do:
* A Cloudflare account
<syntaxhighlight lang="sh">
* A domain registered on Cloudflare (see https://developers.cloudflare.com/fundamentals/manage-domains/add-site/)
cloudflared tunnel login <the-token-you-see-in-dashboard>
 
cloudflared tunnel create ConvenientTunnelName
If you do not wish to install cloudflared you may use a nix-shell to use it for the following steps without adding it to your configuration.<syntaxhighlight lang="console">
</syntaxhighlight>
$ nix-shell -p cloudflared
</syntaxhighlight>You will need to log in to your Cloudflare account through the command line, the following command will open a web browser to allow you to log in:<syntaxhighlight lang="console">
$ cloudflared tunnel login
</syntaxhighlight>You can use the link it provides on any machine that has a browser in order to get the needed cert.pem file.
 
Afterwards you will need to create the tunnel from the machine.<syntaxhighlight lang="console">
$ cloudflared tunnel create <tunnel-name-of-choice>
</syntaxhighlight>The command will output the tunnel ID in the format 00000000-0000-0000-0000-000000000000, which will be needed for setting up the tunnel service. The following example uses flakes and [https://github.com/Mic92/sops-nix sops-nix] to hide the credentials file secret.
{{File|3={
  inputs,
  config,
  ...
}: {
 
  imports = [
    inputs.sops-nix.nixosModules.sops
  ];
 
  sops = {
    age.keyFile = "/home/username/.config/sops/age/keys.txt";
    defaultSopsFile = secrets/secrets.yaml;
 
    secrets."cloudflared-creds" = {
      owner = "username";
      group = "users";
      mode = "0400";
    };
  };


<syntaxhighlight lang="nix">
{
   services.cloudflared = {
   services.cloudflared = {
     enable = true;
     enable = true;
Line 18: Line 43:
       "00000000-0000-0000-0000-000000000000" = {
       "00000000-0000-0000-0000-000000000000" = {
         credentialsFile = "${config.sops.secrets.cloudflared-creds.path}";
         credentialsFile = "${config.sops.secrets.cloudflared-creds.path}";
        default = "http_status:404";
       };
       };
     };
     };
   };
   };
}
}|name=cloudflare_tunnel.nix|lang=nix}}
You can now use the Cloudflare dashboard to add your public hosts.


</syntaxhighlight>
==== Declarative igress ====
 
 
However, if you would instead like to do so in your configuration file you may specify ingress rules in your configuration file.{{File|3={
  inputs,
  config,
  ...
}: {


Then you can use dashboard to add your public hosts (will need to convert the new tunnel to dashboard-managed).
  imports = [
    inputs.sops-nix.nixosModules.sops
  ];


Alternatively, save the <code>cert.pem</code> to cloudflared user's %home%/.cloudflared/cert.pem, and instead of using dashboard specify ingress rules in your configuration.nix like this:
  sops = {
    age.keyFile = "/home/username/.config/sops/age/keys.txt";
    defaultSopsFile = secrets/secrets.yaml;
 
    secrets."cloudflared-creds" = {
      owner = "username";
      group = "users";
      mode = "0400";
    };
  };


<syntaxhighlight lang="nix">
{
   services.cloudflared = {
   services.cloudflared = {
     enable = true;
     enable = true;
Line 38: Line 79:
         credentialsFile = "${config.sops.secrets.cloudflared-creds.path}";
         credentialsFile = "${config.sops.secrets.cloudflared-creds.path}";
         ingress = {
         ingress = {
           "*.domain1.com" = {
           "your-registered-domain.com" = "http://localhost:PORT";
            service = "http://localhost:80";
            path = "/*.(jpg|png|css|js)";
          };
          "*.domain2.com" = "http://localhost:80";
         };
         };
         default = "http_status:404";
         default = "http_status:404";
       };
       };
     };
     };
   };
   };
}
}|name=cloudflare_tunnel.nix|lang=nix}}Finally, create a CNAME record with the following command.<syntaxhighlight lang="console">
$ cloudflared tunnel route dns <your-tunnel> <your-public-domain>
</syntaxhighlight>
</syntaxhighlight>


Line 57: Line 96:
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
services.openssh.settings.Macs = [
services.openssh.settings.Macs = [
[
   # Current defaults:
   # Current defaults:
   "hmac-sha2-512-etm@openssh.com"
   "hmac-sha2-512-etm@openssh.com"