navidrome over cloudflared

2022-04-17 20:36:04 -04:00 · 2022-04-17 20:36:04 -04:00 · 6233ce6c0d
commit 6233ce6c0d
parent 1a4bdc4a8a
5 changed files with 72 additions and 1 deletions
--- a/common/server/cloudflared.nix
+++ b/common/server/cloudflared.nix
@ -0,0 +1,58 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.cloudflared;
+  settingsFormat = pkgs.formats.yaml { };
+in
+{
+  meta.maintainers = with maintainers; [ pmc ];
+
+  options = {
+    services.cloudflared = {
+      enable = mkEnableOption "cloudflared";
+      package = mkOption {
+        type = types.package;
+        default = pkgs.cloudflared;
+        description = "The cloudflared package to use";
+        example = literalExpression ''pkgs.cloudflared'';
+      };
+      config = mkOption {
+        type = settingsFormat.type;
+        description = "Contents of the config.yaml as an attrset; see https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file for documentation on the contents";
+        example = literalExpression ''
+          {
+            url = "http://localhost:3000";
+            tunnel = "505c8dd1-e4fb-4ea4-b909-26b8f61ceaaf";
+            credentials-file = "/var/lib/cloudflared/505c8dd1-e4fb-4ea4-b909-26b8f61ceaaf.json";
+          }
+        '';
+      };
+
+      configFile = mkOption {
+        type = types.path;
+        description = "Path to cloudflared config.yaml.";
+        example = literalExpression ''"/etc/cloudflared/config.yaml"'';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable ({
+    # Prefer the config file over settings if both are set.
+    services.cloudflared.configFile = mkDefault (settingsFormat.generate "cloudflared.yaml" cfg.config);
+
+    systemd.services.cloudflared = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      description = "Cloudflare Argo Tunnel";
+      serviceConfig = {
+        TimeoutStartSec = 0;
+        Type = "notify";
+        ExecStart = "${cfg.package}/bin/cloudflared --config ${cfg.configFile} --no-autoupdate tunnel run";
+        Restart = "on-failure";
+        RestartSec = "5s";
+      };
+    };
+  });
+}
--- a/common/server/default.nix
+++ b/common/server/default.nix
@ -13,5 +13,6 @@
    ./privatebin/privatebin.nix
    ./radio.nix
    ./samba.nix
+    ./cloudflared.nix
  ];
 }
--- a/machines/storage/s0/configuration.nix
+++ b/machines/storage/s0/configuration.nix
@ -143,6 +143,17 @@
    proxyWebsockets = true;
  };

+  # navidrome over cloudflare
+  services.cloudflared = {
+    enable = true;
+    config = {
+      url = config.services.nginx.virtualHosts."music.s0".locations."/".proxyPass;
+      tunnel = "5975c2f1-d1f4-496a-a704-6d89ccccae0d";
+      credentials-file = "/run/agenix/cloudflared-navidrome.json";
+    };
+  };
+  age.secrets."cloudflared-navidrome.json".file = ../../../secrets/cloudflared-navidrome.json.age;
+
  nixpkgs.overlays = [
    (final: prev: {
      radarr = prev.radarr.overrideAttrs (old: rec {
--- a/secrets/cloudflared-navidrome.json.age
+++ b/secrets/cloudflared-navidrome.json.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -16,4 +16,5 @@ in
  "iodine.age".publicKeys = all;
  "spotifyd.age".publicKeys = all;
  "wolframalpha.age".publicKeys = all;
+  "cloudflared-navidrome.json.age".publicKeys = all;
 }