Set up cloudflare cert filtering

This commit is contained in:
Natsu Kagami 2023-05-26 23:50:47 +02:00
parent 895978dd96
commit 57ca525d93
Signed by: nki
GPG key ID: 7306B3D3C3AD6E51
3 changed files with 45 additions and 2 deletions


@ -4,6 +4,10 @@ with lib;
let let
cfg = config.cloud.traefik; cfg = config.cloud.traefik;
tlsNoCloudflare = {
options = "no-cloudflare";
};
# Copied from traefik.nix # Copied from traefik.nix
jsonValue = with types; jsonValue = with types;
let let
@ -67,6 +71,11 @@ let
default = true; default = true;
description = "Sets the TCP passthrough value. Defaults to `true` if the connection is tcp"; description = "Sets the TCP passthrough value. Defaults to `true` if the connection is tcp";
}; };
noCloudflare = mkOption {
type = types.bool;
default = false;
description = "Bypasses the client cert requirement, enable if you don't route things through cloudflare";
};
}; };
}; };
@ -84,7 +93,9 @@ let
"${host.protocol}" = { "${host.protocol}" = {
routers."${name}-router" = (if (host.protocol != "udp") then { routers."${name}-router" = (if (host.protocol != "udp") then {
rule = filterOfHost host; rule = filterOfHost host;
tls = { certResolver = "le"; } // (if host.protocol == "tcp" then { passthrough = if (host ? tlsPassthrough) then host.tlsPassthrough else true; } else { }); tls = { certResolver = "le"; }
// (if host.protocol == "tcp" then { passthrough = if (host ? tlsPassthrough) then host.tlsPassthrough else true; } else { })
// (if host.noCloudflare then tlsNoCloudflare else { });
} else { }) // { } else { }) // {
entryPoints = host.entrypoints; entryPoints = host.entrypoints;
service = "${name}-service"; service = "${name}-service";
@ -119,6 +130,33 @@ let
host.middlewares); host.middlewares);
} else { }); } else { });
}; };
tlsConfig = {
tls.options.default = {
sniStrict = true;
clientAuth = {
caFiles = [
(builtins.fetchurl {
url = "https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem";
sha256 = "sha256:0hxqszqfzsbmgksfm6k0gp0hsx9k1gqx24gakxqv0391wl6fsky1";
})
];
clientAuthType = "RequireAndVerifyClientCert";
};
};
tls.options.no-cloudflare = {
sniStrict = true;
clientAuth = {
caFiles = [
(builtins.fetchurl {
url = "https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem";
sha256 = "sha256:0hxqszqfzsbmgksfm6k0gp0hsx9k1gqx24gakxqv0391wl6fsky1";
})
];
clientAuthType = "VerifyClientCertIfGiven";
};
};
};
in in
{ {
@ -128,5 +166,8 @@ in
description = "The HTTP hosts to run on the server"; description = "The HTTP hosts to run on the server";
}; };
config.cloud.traefik.config = builtins.foldl' attrsets.recursiveUpdate { } (attrsets.mapAttrsToList hostToConfig cfg.hosts); config.cloud.traefik.config = builtins.foldl' attrsets.recursiveUpdate { } [
(builtins.foldl' attrsets.recursiveUpdate { } (attrsets.mapAttrsToList hostToConfig cfg.hosts))
tlsConfig
];
} }
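Review bot: The Cloudflare origin-pull CA is fetched twice in the `tlsConfig` hunk (`@ -119,6 +130,33`), once under `tls.options.default` and again under `tls.options.no-cloudflare`, so a future URL or hash rotation has two places to drift apart; hoisting it into one `let` binding keeps the pin in a single spot. Note also that this CA is the one Cloudflare shares with all of its customers, so `RequireAndVerifyClientCert` against it establishes that a connection arrived via a Cloudflare edge, not that it arrived via this zone — worth a comment above `tlsConfig` such as `# Shared Cloudflare origin-pull CA: proves the peer is a Cloudflare edge, not that it is this zone's edge.` The `let` block enclosing `tlsConfig` begins before this hunk.
```nix
# Fetched once and pinned by hash; referenced by both TLS options below.
cloudflareOriginPullCA = builtins.fetchurl {
  url = "https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem";
  sha256 = "sha256:0hxqszqfzsbmgksfm6k0gp0hsx9k1gqx24gakxqv0391wl6fsky1";
};
tlsConfig = {
  tls.options.default = {
    # … unchanged: sniStrict …
    clientAuth = {
      caFiles = [ cloudflareOriginPullCA ];
      clientAuthType = "RequireAndVerifyClientCert";
    };
  };
  tls.options.no-cloudflare = {
    # … unchanged: sniStrict …
    clientAuth = {
      caFiles = [ cloudflareOriginPullCA ];
      clientAuthType = "VerifyClientCertIfGiven";
    };
  };
};
```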


@ -175,6 +175,7 @@
host = "vpn.dtth.ch"; host = "vpn.dtth.ch";
port = config.cloud.firezone.httpPort; port = config.cloud.firezone.httpPort;
localHost = "127.0.0.1"; localHost = "127.0.0.1";
noCloudflare = true;
}; };
cloud.traefik.hosts.firezone-vpn = { cloud.traefik.hosts.firezone-vpn = {
host = "vpn.dtth.ch"; host = "vpn.dtth.ch";


@ -80,6 +80,7 @@ in
# traefik # traefik
cloud.traefik.hosts.gitea = { cloud.traefik.hosts.gitea = {
inherit port host; inherit port host;
noCloudflare = true;
}; };
services.gitea = { services.gitea = {