dannydannydanny/dotfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(sunken-ship): migrate cloudflare-tunnel-token to clan vars 🔐

Browse source 
Declare a clan.core.vars.generators.cloudflare-tunnel generator that
prompts for the tunnel token on first run and stores it SOPS-encrypted
under vars/per-machine/sunken-ship/cloudflare-tunnel/tunnel-token.
systemd.services.cloudflare-tunnel ExecStart now reads the decrypted
secret at runtime from \${config.clan.core.vars...path} (lives at
/run/secrets/vars/...) instead of the unmanaged
/home/danny/.secrets/cloudflare-tunnel-token file.

Stage 4c of the clan migration. The tunnel itself is slated for
retirement in 4d — ZeroTier-only access after that. Cloudflare token
was rotated during this migration; old value no longer valid.
This commit is contained in:
DannyDannyDanny 2026-04-19 21:07:02 +02:00
parent c6cb19eff6
commit 7d3fd2d8cf
1 changed files with 18 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

20
nixos/hosts/sunken-ship.nix
View file

@ -96,16 +96,32 @@
}; };
# Cloudflare Tunnel — exposes services to the internet without port forwarding. # Cloudflare Tunnel — exposes services to the internet without port forwarding.
# Token (not in repo): ~danny/.secrets/cloudflare-tunnel-token # Token managed as a clan var (see generator below); prompted interactively
# on first `clan vars generate` and stored SOPS-encrypted under vars/.
# Routes configured in Cloudflare Zero Trust dashboard: # Routes configured in Cloudflare Zero Trust dashboard:
# music.dannydannydanny.me → http://localhost:4533 # music.dannydannydanny.me → http://localhost:4533
# Scheduled for retirement in stage 4d — ZeroTier-only access after that.
clan.core.vars.generators.cloudflare-tunnel = {
files.tunnel-token = {
secret = true;
deploy = true;
owner = "danny";
};
prompts.tunnel-token = {
description = "Cloudflare Tunnel token (Zero Trust dashboard Networks Tunnels your tunnel refresh token)";
type = "hidden";
persist = true;
};
script = "cp $prompts/tunnel-token $out/tunnel-token";
};
systemd.services.cloudflare-tunnel = { systemd.services.cloudflare-tunnel = {
description = "Cloudflare Tunnel for sunken-ship"; description = "Cloudflare Tunnel for sunken-ship";
after = [ "network-online.target" ]; after = [ "network-online.target" ];
wants = [ "network-online.target" ]; wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
serviceConfig = { serviceConfig = {
ExecStart = "/bin/sh -c '${pkgs.cloudflared}/bin/cloudflared tunnel --no-autoupdate run --token $(cat /home/danny/.secrets/cloudflare-tunnel-token)'"; ExecStart = "/bin/sh -c '${pkgs.cloudflared}/bin/cloudflared tunnel --no-autoupdate run --token $(cat ${config.clan.core.vars.generators.cloudflare-tunnel.files.tunnel-token.path})'";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = 10; RestartSec = 10;
User = "danny"; User = "danny";