From 0cd4947282faafc860b5934f140bacd1c91b89c9 Mon Sep 17 00:00:00 2001
From: DannyDannyDanny
Date: Mon, 20 Apr 2026 10:36:15 +0200
Subject: [PATCH] =?UTF-8?q?feat(sunken-ship):=20retire=20Cloudflare=20Tunn?=
 =?UTF-8?q?el=20for=20navidrome=20=E2=98=81=EF=B8=8F=F0=9F=92=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Stage 4d of the clan migration. Navidrome is now reachable only over the ZeroTier mesh (port 4533 on sunken-ship's ZT IPv6 address, or via the sunken-ship-zt SSH alias).

Dropped:
- systemd.services.cloudflare-tunnel
- clan.core.vars.generators.cloudflare-tunnel
- cloudflared from environment.systemPackages
- vars/per-machine/sunken-ship/cloudflare-tunnel/

Manual follow-ups still needed on sunken-ship:
- rm /home/danny/.secrets/cloudflare-tunnel-token (old unmanaged token)
- delete the tunnel itself in the Cloudflare Zero Trust dashboard
- unlink the DNS record music.dannydannydanny.me if it was separate
---
 nixos/hosts/sunken-ship.nix | 38 +++----------------
 .../tunnel-token/machines/sunken-ship | 1 -
 .../cloudflare-tunnel/tunnel-token/secret | 18 ---------
 .../tunnel-token/users/danny | 1 -
 4 files changed, 5 insertions(+), 53 deletions(-)
 delete mode 120000 vars/per-machine/sunken-ship/cloudflare-tunnel/tunnel-token/machines/sunken-ship
 delete mode 100644 vars/per-machine/sunken-ship/cloudflare-tunnel/tunnel-token/secret
 delete mode 120000 vars/per-machine/sunken-ship/cloudflare-tunnel/tunnel-token/users/danny

diff --git a/nixos/hosts/sunken-ship.nix b/nixos/hosts/sunken-ship.nix
index f7d32b2..0ec4783 100644
--- a/nixos/hosts/sunken-ship.nix
+++ b/nixos/hosts/sunken-ship.nix
@@ -60,7 +60,6 @@
     brightnessctl # manual backlight; replaces removed `light` from nixpkgs
     uxplay # AirPlay mirroring receiver
     alsa-utils # aplay, amixer, arecord for audio debugging
-    cloudflared # Cloudflare Tunnel for external access
   ];
 
   # Avahi (mDNS) — required for AirPlay discovery.
@@ -95,38 +94,11 @@
     options = [ "bind" "ro" ];
   };
 
-  # Cloudflare Tunnel — exposes services to the internet without port forwarding.
-  # Token managed as a clan var (see generator below); prompted interactively
-  # on first `clan vars generate` and stored SOPS-encrypted under vars/.
-  # Routes configured in Cloudflare Zero Trust dashboard:
-  # music.dannydannydanny.me → http://localhost:4533
-  # Scheduled for retirement in stage 4d — ZeroTier-only access after that.
-  clan.core.vars.generators.cloudflare-tunnel = {
-    files.tunnel-token = {
-      secret = true;
-      deploy = true;
-      owner = "danny";
-    };
-    prompts.tunnel-token = {
-      description = "Cloudflare Tunnel token (Zero Trust dashboard → Networks → Tunnels → your tunnel → refresh token)";
-      type = "hidden";
-      persist = true;
-    };
-    script = "cp $prompts/tunnel-token $out/tunnel-token";
-  };
-
-  systemd.services.cloudflare-tunnel = {
-    description = "Cloudflare Tunnel for sunken-ship";
-    after = [ "network-online.target" ];
-    wants = [ "network-online.target" ];
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      ExecStart = "/bin/sh -c '${pkgs.cloudflared}/bin/cloudflared tunnel --no-autoupdate run --token $(cat ${config.clan.core.vars.generators.cloudflare-tunnel.files.tunnel-token.path})'";
-      Restart = "on-failure";
-      RestartSec = 10;
-      User = "danny";
-    };
-  };
+  # Navidrome is now reachable only over the ZeroTier mesh — see the
+  # sunken-ship-zt SSH alias on the mac, or hit http://[fdd5:53a2:de33:
+  # d269:6499:93d5:53a2:de33]:4533 directly from any ZT-joined device.
+  # The Cloudflare Tunnel + its clan vars generator were retired in 4d;
+  # delete the tunnel itself in the Cloudflare Zero Trust dashboard.
 
   # UxPlay AirPlay receiver — audio-only, outputs directly to Scarlett Solo via ALSA.
   # Runs as a system service (no PipeWire needed on a headless server).
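Review bot: The new comment (the five `+` lines) states that Navidrome is ZeroTier-only, but nothing in this hunk enforces it: the tunnel and its token stay valid until the manual dashboard deletion the comment mentions, and whether port 4533 is firewalled to the ZeroTier interface is not visible here. Since the encrypted token remains in git history and the commit message notes an unmanaged copy on the host, deleting (or rotating) the tunnel in Cloudflare is the only step that actually revokes it, so I would record it in the comment once done, e.g. `# Tunnel deleted in the Zero Trust dashboard on <DATE> — old token is revoked.` If the firewall currently opens 4533 on all interfaces, scoping it with `networking.firewall.interfaces.<zt-iface>.allowedTCPPorts = [ 4533 ];` (and dropping it from the global list) would make the ZT-only claim true by configuration rather than by convention. A minor readability nit: the IPv6 literal is split across two comment lines, so it cannot be copied as written; keeping `http://[fdd5:53a2:de33:d269:6499:93d5:53a2:de33]:4533` on one line avoids that.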
diff --git a/vars/per-machine/sunken-ship/cloudflare-tunnel/tunnel-token/machines/sunken-ship b/vars/per-machine/sunken-ship/cloudflare-tunnel/tunnel-token/machines/sunken-ship
deleted file mode 120000
index 94c85c7..0000000
--- a/vars/per-machine/sunken-ship/cloudflare-tunnel/tunnel-token/machines/sunken-ship
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/sunken-ship
\ No newline at end of file
diff --git a/vars/per-machine/sunken-ship/cloudflare-tunnel/tunnel-token/secret b/vars/per-machine/sunken-ship/cloudflare-tunnel/tunnel-token/secret
deleted file mode 100644
index cb4cccd..0000000
--- a/vars/per-machine/sunken-ship/cloudflare-tunnel/tunnel-token/secret
+++ /dev/null
@@ -1,18 +0,0 @@
-{
-  "data": "ENC[AES256_GCM,data:+8Hm6/7+GXwltfCX9L4mEJP6mde8+a+kubvfjm+kIHTmd7uacrcO4LLJD43cSPUA04Enz/+gMEY1OGHKOsuOEu16UdGU6Msmh+J+gjtqQRjTXwitoLCJDAb5u785IcqhL9j0dyP0bwCV+NRIZ95n/YXaI9ykDgVKSWLzHgVFXRfXeG8Nbjvc7yJ77yFxXgszwzZTb4NLYl2+JC0zEhVBagSv6uJbFxuABd1tq+gpGTfOy/dWIoF8JvDuX9oKkpbQefRN606oHyOFjrXq19Z2cVvkyp8+WLZixKG+8lzBCot/htEqj4eS4w11rys88CVTWXPuKc2atJE=,iv:0saZY5dGAnDFYpTTgPi10ulF0TCtIwI6PLwxt0Wm9MQ=,tag:ugBpe40mpI1VsLgwLR24CQ==,type:str]",
-  "sops": {
-    "age": [
-      {
-        "recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28",
-        "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2cE9hVUtKUU1la0w2YmtF\nc1RyNEM5c2t4cEZBU242bHhzNUl5WVB0Qkc4CkRhNlk1ZG9NSDdxOUUxaW5RajQx\naW5McFlCNmN2dmxRdDM0WGNQbUJYZk0KLS0tIDRMSFpGUlk5ZDVFanZvZkZrN1Fz\na0ZXa1dnNFkzOGtDYS9rcE5Zd2VXTVUKA1bV5ERPVOo4jRnZEt4A7HECyid2UomQ\nD1nc95fPZgy5tEpL/P2SveEitOsk9HEdvudxvWdHtnUbD4GdFIftEQ==\n-----END AGE ENCRYPTED FILE-----\n"
-      },
-      {
-        "recipient": "age1zy3q73pujauyajgfqwu0pnyy8732lzwvw87tu7p2xg3xuzaujc2qh6ql77",
-        "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldDYrQ0NSdHBkampCdG1k\na21DK0JyMmttYllnRkJLUWJQUXFmZzJqT3pZCnB0Z0puVGdEU0NGVEVCNmQ3TDFt\nRG9ZdTgyZldhRGl6bUVESmVISEFnUEkKLS0tIHJWWGtpU3dkL25LbWttUk96ZTJD\ncWVQMmZkclptM2RBWC9PZldaM2RlM0EKOg+Yn+Lq/6fUrVlXP+C8EdpGouyBM3Jk\nspZvUN4+nTD3zcIEz/pW42Q13icXcBj+3AA4Dz2awiO+00xhwPxerA==\n-----END AGE ENCRYPTED FILE-----\n"
-      }
-    ],
-    "lastmodified": "2026-04-19T19:05:26Z",
-    "mac": "ENC[AES256_GCM,data:bUQ2ZtBkaxpGLSvYTQOtutY6R0+2SWj3PoICgr/tN+sRbO2rAJSblUzbUwdfwZhHbHt05lPYmskvzfBmPc9X3FDeKJvxc8+W183EonuJRG4k2/irH0mTL1wTw+2ziFHQA6x+UpPDvmb1q06sB0ftEF3EoKgiPdsBQjdVVhb+BZs=,iv:wurrdazSS9sdh6RD1zkNPmb7503aksTr7fgVBVo91ZQ=,tag:7q/UypkYosmrMPbUE+y8Pw==,type:str]",
-    "version": "3.12.2"
-  }
-}
diff --git a/vars/per-machine/sunken-ship/cloudflare-tunnel/tunnel-token/users/danny b/vars/per-machine/sunken-ship/cloudflare-tunnel/tunnel-token/users/danny
deleted file mode 120000
index 48e5c60..0000000
--- a/vars/per-machine/sunken-ship/cloudflare-tunnel/tunnel-token/users/danny
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/danny
\ No newline at end of file