From 7d3fd2d8cf3bc888504d5150d0df54434e815c04 Mon Sep 17 00:00:00 2001
From: DannyDannyDanny
Date: Sun, 19 Apr 2026 21:07:02 +0200
Subject: [PATCH] =?UTF-8?q?feat(sunken-ship):=20migrate=20cloudflare-tunne?= =?UTF-8?q?l-token=20to=20clan=20vars=20=F0=9F=94=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Declare a clan.core.vars.generators.cloudflare-tunnel generator that prompts for the tunnel token on first run and stores it SOPS-encrypted under vars/per-machine/sunken-ship/cloudflare-tunnel/tunnel-token. systemd.services.cloudflare-tunnel ExecStart now reads the decrypted secret at runtime from \${config.clan.core.vars...path} (lives at /run/secrets/vars/...) instead of the unmanaged /home/danny/.secrets/cloudflare-tunnel-token file. Stage 4c of the clan migration. The tunnel itself is slated for retirement in 4d — ZeroTier-only access after that. Cloudflare token was rotated during this migration; old value no longer valid.

---
 nixos/hosts/sunken-ship.nix | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/nixos/hosts/sunken-ship.nix b/nixos/hosts/sunken-ship.nix
index db7d5f3..f7d32b2 100644
--- a/nixos/hosts/sunken-ship.nix
+++ b/nixos/hosts/sunken-ship.nix
@@ -96,16 +96,32 @@ }; # Cloudflare Tunnel — exposes services to the internet without port forwarding. - # Token (not in repo): ~danny/.secrets/cloudflare-tunnel-token + # Token managed as a clan var (see generator below); prompted interactively + # on first `clan vars generate` and stored SOPS-encrypted under vars/. # Routes configured in Cloudflare Zero Trust dashboard: # music.dannydannydanny.me → http://localhost:4533 + # Scheduled for retirement in stage 4d — ZeroTier-only access after that. + clan.core.vars.generators.cloudflare-tunnel = { + files.tunnel-token = { + secret = true; + deploy = true; + owner = "danny"; + }; + prompts.tunnel-token = { + description = "Cloudflare Tunnel token (Zero Trust dashboard → Networks → Tunnels → your tunnel → refresh token)"; + type = "hidden"; + persist = true; + }; + script = "cp $prompts/tunnel-token $out/tunnel-token"; + }; + systemd.services.cloudflare-tunnel = { description = "Cloudflare Tunnel for sunken-ship"; after = [ "network-online.target" ]; wants = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { - ExecStart = "/bin/sh -c '${pkgs.cloudflared}/bin/cloudflared tunnel --no-autoupdate run --token $(cat /home/danny/.secrets/cloudflare-tunnel-token)'"; + ExecStart = "/bin/sh -c '${pkgs.cloudflared}/bin/cloudflared tunnel --no-autoupdate run --token $(cat ${config.clan.core.vars.generators.cloudflare-tunnel.files.tunnel-token.path})'"; Restart = "on-failure"; RestartSec = 10; User = "danny";
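Review bot: The new `ExecStart` line still expands the token into cloudflared's argv via `$(cat …)`, so the decrypted secret is readable by every local user through `/proc/<pid>/cmdline` (`ps`) for as long as the service runs — the commit changes where the token is stored but not how it is exposed at runtime. cloudflared also accepts the token from the `TUNNEL_TOKEN` environment variable, and a process's environment is only readable by its own uid and root, so the wrapper can export it instead of placing it on the command line: `ExecStart = "/bin/sh -c 'TUNNEL_TOKEN=$(cat ${config.clan.core.vars.generators.cloudflare-tunnel.files.tunnel-token.path}); export TUNNEL_TOKEN; exec ${pkgs.cloudflared}/bin/cloudflared tunnel --no-autoupdate run'";`. The `exec` additionally makes cloudflared the unit's main process rather than a child of `sh`; if the packaged cloudflared can read the token from a file, systemd `LoadCredential=` would remove the shell wrapper entirely. The `serviceConfig` block continues past the end of the hunk.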