Fix cloudflared configuration with simple direct service

Julian Sutter 2025-07-18 22:20:08 -07:00
parent bddfe0b656
commit 12b1281e88


@ -1,78 +1,20 @@
{ config, lib, pkgs, ... }: { config, pkgs, ... }:
let {
# Cloudflare tunnel definitions environment.systemPackages = [ pkgs.cloudflared ];
tunnels = {
warp = { systemd.services.cloudflared-warp-ssh = {
remoteHost = "warp.ftl.host"; # Cloudflare hostname description = "Cloudflared SSH tunnel to warp.ftl.host localhost:22";
remoteTarget = "localhost:22"; # Where traffic routes to wantedBy = [ "multi-user.target" ];
localBindPort = 4401; # Local port exposed by cloudflared after = [ "network-online.target" ];
logPath = "/var/log/cloudflared/warp.log"; serviceConfig = {
ExecStart = "${pkgs.cloudflared}/bin/cloudflared access tcp --hostname warp.ftl.host --url localhost:22 --port 4401 --logfile /var/log/cloudflared-warp.log";
Restart = "always";
User = "root";
}; };
}; };
in {
# Install cloudflared
environment.systemPackages = with pkgs; [ cloudflared ];
# Ensure /var/log/cloudflared exists
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /var/log/cloudflared 0755 root root -" "d /var/log 0755 root root -"
]; ];
# Systemd services per tunnel
systemd.services = lib.mapAttrs (name: tunnel: {
description = "Cloudflared Access TCP Tunnel for ${tunnel.remoteHost}";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
# Use StateDirectory for persistent storage of logs
serviceConfig = {
StateDirectory = "cloudflared";
StateDirectoryMode = "0755";
RuntimeDirectory = "cloudflared";
RuntimeDirectoryMode = "0700";
# The key setting to ensure the service stays running
Type = "simple";
ExecStart = "${pkgs.cloudflared}/bin/cloudflared access tcp --hostname ${tunnel.remoteHost} --url ${tunnel.remoteTarget} --port ${toString tunnel.localBindPort} --logfile /var/lib/cloudflared/warp.log";
Restart = "always";
RestartSec = "5s";
# Use systemd's built-in user
User = "cloudflared";
Group = "cloudflared";
# Standard outputs
StandardOutput = "journal";
StandardError = "journal";
};
# Ensure the user exists
users.users.cloudflared = {
isSystemUser = true;
group = "cloudflared";
description = "Cloudflared service user";
};
users.groups.cloudflared = {};
}) tunnels;
# Activation step to ensure log directory exists
system.activationScripts.cloudflaredLogs = lib.stringAfter [ "users" ] ''
mkdir -p /var/log/cloudflared
chmod 755 /var/log/cloudflared
'';
# Optional documentation metadata
meta.doc = ''
This module defines persistent cloudflared TCP tunnels using access tcp.
Add tunnels by appending to the `tunnels` attribute set.
Required keys:
- remoteHost: The public hostname exposed via Cloudflare Tunnel.
- remoteTarget: The internal service to forward traffic to (e.g. localhost:22).
- localBindPort: The port to expose locally (e.g. 4401).
- logPath: File path to capture logs.
'';
} }
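Review bot: The new unit drops the dedicated service account the removed module had and runs cloudflared as root (`User = "root";`), although nothing visible in the unit needs root — the only root-owned resource it touches is the log file placed directly under /var/log, which systemd's `LogsDirectory` can provide to an unprivileged user instead. The new unit also keeps `after = [ "network-online.target" ];` but loses the matching `wants = [ "network-online.target" ];` from the old version; `after` alone only orders against the target if something else activates it, so the tunnel may start before the network is up. The added tmpfiles rule `"d /var/log 0755 root root -"` is redundant (/var/log already exists on every NixOS system) and can go once the log lives in a `LogsDirectory`. The rewritten unit and user definitions are below; the rest of the file is unchanged.
```nix
  systemd.services.cloudflared-warp-ssh = {
    # … unchanged: description, wantedBy …
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.cloudflared}/bin/cloudflared access tcp --hostname warp.ftl.host --url localhost:22 --port 4401 --logfile /var/log/cloudflared/warp.log";
      Restart = "always";
      User = "cloudflared";
      Group = "cloudflared";
      # systemd creates /var/log/cloudflared owned by the service user, so no root or tmpfiles rule is needed for the log
      LogsDirectory = "cloudflared";
    };
  };

  users.users.cloudflared = {
    isSystemUser = true;
    group = "cloudflared";
    description = "Cloudflared service user";
  };
  users.groups.cloudflared = {};
```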