Set up cloudflare cert filtering

2023-05-26 23:50:47 +02:00 · 2023-05-26 23:50:47 +02:00 · 57ca525d93
parent 895978dd96
commit 57ca525d93
3 changed files with 45 additions and 2 deletions
--- a/modules/cloud/traefik/config.nix
+++ b/modules/cloud/traefik/config.nix
@ -4,6 +4,10 @@ with lib;
 let
  cfg = config.cloud.traefik;

+  tlsNoCloudflare = {
+    options = "no-cloudflare";
+  };
+
  # Copied from traefik.nix
  jsonValue = with types;
    let
@ -67,6 +71,11 @@ let
        default = true;
        description = "Sets the TCP passthrough value. Defaults to `true` if the connection is tcp";
      };
+      noCloudflare = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Bypasses the client cert requirement, enable if you don't route things through cloudflare";
+      };
    };
  };

@ -84,7 +93,9 @@ let
    "${host.protocol}" = {
      routers."${name}-router" = (if (host.protocol != "udp") then {
        rule = filterOfHost host;
-        tls = { certResolver = "le"; } // (if host.protocol == "tcp" then { passthrough = if (host ? tlsPassthrough) then host.tlsPassthrough else true; } else { });
+        tls = { certResolver = "le"; }
+          // (if host.protocol == "tcp" then { passthrough = if (host ? tlsPassthrough) then host.tlsPassthrough else true; } else { })
+          // (if host.noCloudflare then tlsNoCloudflare else { });
      } else { }) // {
        entryPoints = host.entrypoints;
        service = "${name}-service";
@ -119,6 +130,33 @@ let
        host.middlewares);
    } else { });
  };
+
+  tlsConfig = {
+    tls.options.default = {
+      sniStrict = true;
+      clientAuth = {
+        caFiles = [
+          (builtins.fetchurl {
+            url = "https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem";
+            sha256 = "sha256:0hxqszqfzsbmgksfm6k0gp0hsx9k1gqx24gakxqv0391wl6fsky1";
+          })
+        ];
+        clientAuthType = "RequireAndVerifyClientCert";
+      };
+    };
+    tls.options.no-cloudflare = {
+      sniStrict = true;
+      clientAuth = {
+        caFiles = [
+          (builtins.fetchurl {
+            url = "https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem";
+            sha256 = "sha256:0hxqszqfzsbmgksfm6k0gp0hsx9k1gqx24gakxqv0391wl6fsky1";
+          })
+        ];
+        clientAuthType = "VerifyClientCertIfGiven";
+      };
+    };
+  };
 in
 {

@ -128,5 +166,8 @@ in
    description = "The HTTP hosts to run on the server";
  };

-  config.cloud.traefik.config = builtins.foldl' attrsets.recursiveUpdate { } (attrsets.mapAttrsToList hostToConfig cfg.hosts);
+  config.cloud.traefik.config = builtins.foldl' attrsets.recursiveUpdate { } [
+    (builtins.foldl' attrsets.recursiveUpdate { } (attrsets.mapAttrsToList hostToConfig cfg.hosts))
+    tlsConfig
+  ];
 }
--- a/nki-personal-do/configuration.nix
+++ b/nki-personal-do/configuration.nix
@ -175,6 +175,7 @@
    host = "vpn.dtth.ch";
    port = config.cloud.firezone.httpPort;
    localHost = "127.0.0.1";
+    noCloudflare = true;
  };
  cloud.traefik.hosts.firezone-vpn = {
    host = "vpn.dtth.ch";
--- a/nki-personal-do/gitea.nix
+++ b/nki-personal-do/gitea.nix
@ -80,6 +80,7 @@ in
  # traefik
  cloud.traefik.hosts.gitea = {
    inherit port host;
+    noCloudflare = true;
  };

  services.gitea = {