From 55be394c9c0a87db382179d08376ee1f1c97ac54 Mon Sep 17 00:00:00 2001
From: Guanran Wang
Date: Fri, 21 Jun 2024 15:18:05 +0800
Subject: [PATCH] nixos: frp -> cloudflared
---
 hosts/blacksteel/Caddyfile | 62 +++++++++++++++++++++
 hosts/blacksteel/default.nix | 91 +++++++++++-------------------
 hosts/blacksteel/secrets.yaml | 6 +-
 hosts/lightsail-tokyo/Caddyfile | 48 +--------------
 hosts/lightsail-tokyo/default.nix | 20 -------
 5 files changed, 101 insertions(+), 126 deletions(-)
 create mode 100644 hosts/blacksteel/Caddyfile
diff --git a/hosts/blacksteel/Caddyfile b/hosts/blacksteel/Caddyfile
new file mode 100644
index 0000000..f7853d4
--- /dev/null
+++ b/hosts/blacksteel/Caddyfile
@@ -0,0 +1,62 @@
+(default) {
+ encode zstd gzip
+
+ header {
+ # https://observatory.mozilla.org/analyze/ny4.dev
+ # https://infosec.mozilla.org/guidelines/web_security
+ # https://caddyserver.com/docs/caddyfile/directives/header#examples
+
+ ?Content-Security-Policy "default-src https: blob: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
+ ?Permissions-Policy interest-Hpcohort=()
+ ?Strict-Transport-Security max-age=31536000;
+ ?X-Content-Type-Options nosniff
+ ?X-Frame-Options DENY
+ }
+
+ handle_path /robots.txt {
+ file_server * {
+ root /var/www/robots/robots.txt
+ }
+ }
+}
+
+http://mastodon.ny4.dev:80 {
+ import default
+ handle_path /system/* {
+ root /var/lib/mastodon/public-system
+ }
+
+ handle /api/v1/streaming/* {
+ reverse_proxy unix//run/mastodon-streaming/streaming-1.socket {
+ header_up X-Forwarded-Proto "https"
+ }
+ }
+
+ route * {
+ file_server * {
+ root @mastodon@/public
+ pass_thru
+ }
+ reverse_proxy * unix//run/mastodon-web/web.socket {
+ header_up X-Forwarded-Proto "https"
+ }
+ }
+
+ handle_errors {
+ root * @mastodon@/public
+ rewrite 500.html
+ file_server
+ }
+}
+
+http://matrix.ny4.dev:80 {
+ import default
+ reverse_proxy /_matrix/* unix//run/matrix-synapse/synapse.sock
+ reverse_proxy /_synapse/client/* unix//run/matrix-synapse/synapse.sock
+ reverse_proxy /health unix//run/matrix-synapse/synapse.sock
+}
+
+http://syncv3.ny4.dev:80 {
+ import default
+ reverse_proxy unix//run/matrix-sliding-sync/sync.sock
+}
diff --git a/hosts/blacksteel/default.nix b/hosts/blacksteel/default.nix
index 1d08dc9..71bd45e 100644
--- a/hosts/blacksteel/default.nix
+++ b/hosts/blacksteel/default.nix
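Review bot: The `handle_path /system/*` block only sets `root /var/lib/mastodon/public-system` and has no `file_server`, so Mastodon media under /system/ is not actually served by this vhost; add `file_server` on the line after `root` (the caddy unit already receives the `mastodon` supplementary group in the default.nix hunk, which is what makes that directory readable). The `?Strict-Transport-Security max-age=31536000;` line carries a stray trailing semicolon into the header value, and `interest-Hpcohort=()` does not look like a Permissions-Policy feature name (the FLoC opt-out is `interest-cohort=()`); both seem to be copied from the lightsail Caddyfile, whose header lines are not all shown here. Because these are plain `http://…:80` vhosts that inject a hard-coded `X-Forwarded-Proto "https"`, they should listen on loopback only, e.g. `bind 127.0.0.1 ::1` inside the `(default)` snippet, so that nothing other than the local cloudflared can reach them.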
@@ -42,8 +42,9 @@
 "mastodon/environment" = {
 restartUnits = ["mastodon-web.service"];
 };
- "frp/environment" = {
- restartUnits = ["frp.service"];
+ "cloudflared/secret" = {
+ restartUnits = ["cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41.service"];
+ owner = config.systemd.services."cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41".serviceConfig.User;
 };
 };
 };
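Review bot: The tunnel UUID is spelled out twice here and a third time as the `tunnels` key in the next hunk; binding it once (`let tunnel = "6222a3e0-98da-4325-be19-0f86a7318a41"; in`) and writing `"cloudflared-tunnel-${tunnel}.service"` keeps the secret's `restartUnits` and `owner` from silently drifting from the tunnel definition if the tunnel is ever recreated. Taking `owner` from the generated unit's `serviceConfig.User` is otherwise the right way to make the credentials file readable by the tunnel's user rather than by root only. The enclosing `sops.secrets` attribute set starts outside this hunk.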
@@ -56,70 +57,42 @@
 openFirewall = true;
 };
 
- services.frp = {
+ services.cloudflared = {
 enable = true;
- role = "client";
- settings = {
- serverAddr = "18.177.132.61"; # TODO: can I use a domain name?
- serverPort = 7000;
- auth.method = "token";
- auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}";
- proxies = [
- {
- name = "synapse";
- type = "tcp";
- remotePort = 8600;
- plugin = {
- type = "unix_domain_socket";
- unixPath = "/run/matrix-synapse/synapse.sock";
- };
- }
- {
- name = "syncv3";
- type = "tcp";
- remotePort = 8700;
- plugin = {
- type = "unix_domain_socket";
- unixPath = "/run/matrix-sliding-sync/sync.sock";
- };
- }
- {
- name = "mastodon-web";
- type = "tcp";
- remotePort = 8900;
- plugin = {
- type = "unix_domain_socket";
- unixPath = "/run/mastodon-web/web.socket";
- };
- }
- {
- name = "mastodon-streaming";
- type = "tcp";
- remotePort = 9000;
- plugin = {
- type = "unix_domain_socket";
- unixPath = "/run/mastodon-streaming/streaming-1.socket";
- };
- }
- {
- name = "mastodon-system";
- type = "tcp";
- remotePort = 9100;
- plugin = {
- # FIXME:
- type = "static_file";
- localPath = "/var/lib/mastodon/public-system";
- };
- }
- ];
+ tunnels = {
+ "6222a3e0-98da-4325-be19-0f86a7318a41" = {
+ credentialsFile = config.sops.secrets."cloudflared/secret".path;
+ default = "http_status:404";
+ ingress = {
+ # TODO: is this safe?
+ # browser <-> cloudflare cdn <-> cloudflared <-> caddy <-> mastodon
+ # ^ no tls in this part?
+ "mastodon.ny4.dev" = "http://localhost:80";
+ "matrix.ny4.dev" = "http://localhost:80";
+ "syncv3.ny4.dev" = "http://localhost:80";
+ };
+ };
 };
 };
 
- systemd.services.frp.serviceConfig = {
- EnvironmentFile = [config.sops.secrets."frp/environment".path];
+ services.caddy = {
+ enable = true;
+ configFile = pkgs.substituteAll {
+ src = ./Caddyfile;
+ inherit (pkgs) mastodon;
+ };
+ };
+
+ systemd.services.caddy.serviceConfig = {
 SupplementaryGroups = ["mastodon" "matrix-synapse"];
 };
 
+ systemd.tmpfiles.settings = {
+ "10-www" = {
+ "/var/www/robots/robots.txt".C.argument = toString ../lightsail-tokyo/robots.txt;
+ };
+ };
+
 services.postgresql = {
 enable = true;
 settings = {
diff --git a/hosts/blacksteel/secrets.yaml b/hosts/blacksteel/secrets.yaml
index e84685f..4b98b5f 100644
--- a/hosts/blacksteel/secrets.yaml
+++ b/hosts/blacksteel/secrets.yaml
@@ -7,6 +7,8 @@ mastodon:
 environment: ENC[AES256_GCM,data:9RjpYXbGo8lBsXKg71Vbp2iTJlvXEGhn8hTl37o8G1E28JWF5Io7+evfqUv+N7QfSk1zbA==,iv:ejfe7f941QB7iiREXx1T9Vej43cW/S9nr03P5lkw9Yg=,tag:odI7xsxoPGBrxd0GnCsnOg==,type:str]
 frp:
 environment: ENC[AES256_GCM,data:TLVqVpVMTFzvs8JS31cPhhqeLRGcUOQBeGENvBd8e1RRt2mQY5VTP8lQYrgtXMRGMHLu0ByPjmL8aFZRlukBc77wAIhtETo238Hn62vJz3I=,iv:kMRF5BAzvhKWtKQyPSIWGeSjgmcEfvcbCJa9wQxSjjU=,tag:DViCejZvRo4cqJosE28lsA==,type:str]
+cloudflared:
+ secret: ENC[AES256_GCM,data:QXIl0MqreqPH4LP7IQdA5qQCQdizjFixbOHjqQi/3RjYDt9zt0OejW9rIYnkIRyVj4hnkJBqd1ov/VgdSoNmy/iafIgwqwgsMH0e4R9J6n255p3JG3XBmiYry89xXvQ1SXyzWdUF6p3qgevwzjZnKYyYHT9TbLWc/BkTyyA8g1EGg0O1WfDXhq7u9kOPV4CaU1UX1MMpvZQnsV389PJEWYuK,iv:ASGw5dGOuukRREZ8vMLw5hgZmJhDZSJxDqvfWaxXKJk=,tag:75jf48BEDd4uHkb+2LV5Tg==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -31,8 +33,8 @@ sops:
 bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ
 hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-06-20T14:23:30Z"
- mac: ENC[AES256_GCM,data:cgDwV6lXR+eTOFcfytKDc2cCs+w/PGDS3fASoKw5VQ95StbmvVNt0go4yAt1D86LXa5p1ReW8dVaciDovuhCFd/jZ+zJpA7sNwKBNrlye7sURW6zDiVM7ITyslPd31bSeIL5/qtiwyT+1tdnthSTjtJPrnPu9NfsRrkUsITT7WA=,iv:ComILTHFTb8lHooVemIg+Nx9ZDWr6SyweZTtmsjWALQ=,tag:7Bj38htDNkoHZdVDMgEiBA==,type:str]
+ lastmodified: "2024-06-21T06:02:58Z"
+ mac: ENC[AES256_GCM,data:PbD0uslwMgh75Ih3QnuBqq7O+wzQhHJCnWSlYWUpC3aK0Ki4LnKK/7F2eiN/PFjFMC4KX5hTqn424tfswzmMIvRd30zUn8xgTj25f6AJQwJP5fNbYqnvivQ+nOtcqYIr0dDHNATywZoNL1Mq4oFiIIO6hgCM/oGkoaxvjER5Wtg=,iv:uDmETlO6R0DAuZLZXAfbtK4cyOeLsnf0XkprSTBlSuQ=,tag:uba5xaHsf3o9IyREabCS9g==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
diff --git a/hosts/lightsail-tokyo/Caddyfile b/hosts/lightsail-tokyo/Caddyfile
index 76edaec..034c17b 100644
--- a/hosts/lightsail-tokyo/Caddyfile
+++ b/hosts/lightsail-tokyo/Caddyfile
@@ -6,7 +6,9 @@
 }
 }
 
-(header) {
+(default) {
+ encode zstd gzip
+
 header {
 # https://observatory.mozilla.org/analyze/ny4.dev
 # https://infosec.mozilla.org/guidelines/web_security
@@ -18,13 +20,7 @@
 ?X-Content-Type-Options nosniff
 ?X-Frame-Options DENY
 }
-}
 
-(compression) {
- encode zstd gzip
-}
-
-(robots) {
 handle_path /robots.txt {
 file_server * {
 root /var/www/robots/robots.txt
@@ -32,12 +28,6 @@
 }
 }
 
-(default) {
- import header
- import compression
- import robots
-}
-
 www.ny4.dev {
 import default
 redir https://ny4.dev
@@ -91,13 +81,6 @@ pixiv.ny4.dev {
 reverse_proxy unix//run/pixivfe/pixiv.sock
 }
 
-matrix.ny4.dev {
- import default
- reverse_proxy /_matrix/* localhost:8600
- reverse_proxy /_synapse/client/* localhost:8600
- reverse_proxy /health localhost:8600
-}
-
 syncv3.ny4.dev {
 import default
 reverse_proxy localhost:8700
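Review bot: The `syncv3.ny4.dev` vhost kept as trailing context still does `reverse_proxy localhost:8700`, but 8700 was the `remotePort` of the `syncv3` proxy that the removed frp setup exposed on this host, and the same hostname is now routed through the tunnel in the new `ingress` block on blacksteel; on lightsail this leaves a dangling vhost that will answer with an upstream error for any client whose DNS still points here. Remove the `syncv3.ny4.dev { … }` block the same way `matrix.ny4.dev` is removed in this hunk. The file continues past the hunk, so other `localhost:8xxx` upstreams that depended on frp may remain and are worth a grep.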
@@ -114,31 +97,6 @@ element.ny4.dev {
 file_server
 }
 
-mastodon.ny4.dev {
- import default
- handle_path /system/* {
- reverse_proxy localhost:9100
- }
-
- handle /api/v1/streaming/* {
- reverse_proxy localhost:9000
- }
-
- route * {
- file_server * {
- root @mastodon@/public
- pass_thru
- }
- reverse_proxy * localhost:8900
- }
-
- handle_errors {
- root * @mastodon@/public
- rewrite 500.html
- file_server
- }
-}
-
 git.ny4.dev {
 import default
 reverse_proxy unix//run/forgejo/forgejo.sock
diff --git a/hosts/lightsail-tokyo/default.nix b/hosts/lightsail-tokyo/default.nix
index 4ac3a87..6397f6e 100644
--- a/hosts/lightsail-tokyo/default.nix
+++ b/hosts/lightsail-tokyo/default.nix
@@ -39,9 +39,6 @@
 "searx/environment" = {
 restartUnits = ["searx.service"];
 };
- "frp/environment" = {
- restartUnits = ["frp.service"];
- };
 };
 
 templates = {
@@ -69,9 +66,6 @@
 # caddy
 80
 443
-
- # frp
- 7000
 ];
 
 systemd.tmpfiles.settings = {
@@ -118,20 +112,6 @@
 ];
 };
 
- services.frp = {
- enable = true;
- role = "server";
- settings = {
- bindPort = 7000;
- auth.method = "token";
- auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}";
- };
- };
-
- systemd.services.frp.serviceConfig = {
- EnvironmentFile = [config.sops.secrets."frp/environment".path];
- };
-
 # `journalctl -u murmur.service | grep Password`
 services.murmur = {
 enable = true;