feat: add Cloudflare tunnel hosting

Jet 2026-05-28 14:50:07 -07:00
parent e6c1b82679
commit 23e087ae4b
15 changed files with 839 additions and 30 deletions


@ -9,6 +9,7 @@
{
imports = [
(modulesPath + "/virtualisation/digital-ocean-config.nix")
./public-gateway.nix
./observability.nix
];
@ -46,8 +47,10 @@
];
};
networking.firewall = {
allowedTCPPorts = [
22
# SSH is intentionally Tailscale-only via the trusted tailscale0 interface.
# Keep direct HTTP(S) open until the Cloudflare Tunnel is enabled, then all
# public web traffic enters through the tunnel instead of the droplet IP.
allowedTCPPorts = lib.optionals (!config.services.noisebell-public-gateway.enable) [
80
443
];
@ -74,6 +77,7 @@
services.openssh = {
enable = true;
openFirewall = false;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
@ -98,17 +102,39 @@
security.sudo.wheelNeedsPassword = false;
age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
age.secrets.noisebell-cloudflare-api-token = lib.mkIf config.services.noisebell-public-gateway.enable {
file = ../../secrets/cloudflare-api-token.age;
mode = "0400";
};
age.secrets.noisebell-cloudflare-tunnel-secret = lib.mkIf config.services.noisebell-public-gateway.enable {
file = ../../secrets/cloudflare-tunnel-secret.age;
mode = "0400";
};
services.tailscale.enable = true;
services.caddy = {
enable = true;
openFirewall = false;
email = "postmaster@extremist.software";
globalConfig = lib.mkIf config.services.noisebell-public-gateway.enable ''
auto_https off
'';
};
# Reconciles the Cloudflare Tunnel and public DNS through the Cloudflare API.
services.noisebell-public-gateway = {
enable = true;
accountId = "9f7c0277922ab28c45cb85bf4e7838af";
zoneId = "710e3255f43066c4a6bb4081b05a6c3f";
apiTokenFile = lib.mkIf config.services.noisebell-public-gateway.enable config.age.secrets.noisebell-cloudflare-api-token.path;
tunnelSecretFile = lib.mkIf config.services.noisebell-public-gateway.enable config.age.secrets.noisebell-cloudflare-tunnel-secret.path;
};
services.noisebell-cache = {
enable = true;
domain = "noisebell.extremist.software";
httpOnly = config.services.noisebell-public-gateway.enable;
piAddress = "http://noisebell-pi";
outboundWebhooks = [
{
@ -130,7 +156,8 @@
services.noisebell-rss = {
enable = true;
domain = "rss.noisebell.extremist.software";
domain = "rss-noisebell.extremist.software";
httpOnly = config.services.noisebell-public-gateway.enable;
};
zramSwap = {