From fb9b981a1dea623eb9d68d67484534d4ee15612b Mon Sep 17 00:00:00 2001
From: lightly-toasted <tooast@duck.com>
Date: Sun, 7 Dec 2025 16:12:40 +0900
Subject: [PATCH] feat(y2q): add cloudflared

- Add cloudflared runit service
- Serve opengist via Cloudflare tunnel
---
 home/modules/runit/services/cloudflared.nix   |  25 ++++++++++++++++++
 .../cb0d9c2c-48f9-4bca-9e81-ef92423c5afa.json | Bin 0 -> 198 bytes
 secrets/gitcrypt/cloudflared/cert.pem         | Bin 0 -> 288 bytes
 3 files changed, 25 insertions(+)
 create mode 100644 home/modules/runit/services/cloudflared.nix
 create mode 100644 secrets/gitcrypt/cloudflared/cb0d9c2c-48f9-4bca-9e81-ef92423c5afa.json
 create mode 100644 secrets/gitcrypt/cloudflared/cert.pem

diff --git a/home/modules/runit/services/cloudflared.nix b/home/modules/runit/services/cloudflared.nix
new file mode 100644
index 0000000..7cdd0b2
--- /dev/null
+++ b/home/modules/runit/services/cloudflared.nix
@@ -0,0 +1,25 @@
+{ pkgs, config, rootPath, ... }:
+
+let
+  tunnel = "cb0d9c2c-48f9-4bca-9e81-ef92423c5afa";
+in
+{
+  home.file.".cloudflared/${tunnel}.json".source = rootPath + /secrets/gitcrypt/cloudflared/${tunnel}.json;
+  home.file.".cloudflared/cert.pem".source = rootPath + /secrets/gitcrypt/cloudflared/cert.pem;
+  home.file.".cloudflared/config.yml".text = ''
+    tunnel: ${tunnel}
+    credentials-file: ${config.home.homeDirectory}/.cloudflared/${tunnel}.json
+
+    ingress:
+      - hostname: gist.toast.name
+        service: http://${config.runit.services.opengist.environment.OG_HTTP_HOST}:${config.runit.services.opengist.environment.OG_HTTP_PORT}
+      - service: http_status:404
+  '';
+
+  runit.services.cloudflared = {
+    script = ''
+      exec ${pkgs.cloudflared}/bin/cloudflared tunnel run
+    '';
+    log.enable = true;
+  };
+}
diff --git a/secrets/gitcrypt/cloudflared/cb0d9c2c-48f9-4bca-9e81-ef92423c5afa.json b/secrets/gitcrypt/cloudflared/cb0d9c2c-48f9-4bca-9e81-ef92423c5afa.json
new file mode 100644
index 0000000000000000000000000000000000000000..46cd7b1d2b235737b24cdf7da596094fc6644694
GIT binary patch
literal 198
zcmZQ@_Y83kiVO&0kTL(~`|{12dbO#BbvN&1FMN|<u*&_f;+bdX|F@@<O*3@4$G+~y
zvr}@*`^D$|X=!9`Qdiz%cIms^237fGPOty$FUd<zxbnF2VdTFD(kX?)n@hdU)hKXt
zdCIQa&Uhp&nTg5y?viA!?fwP@_m>)NeBH^ES3B>?-0$VR<=VG)Rn0M7RCi{<WXFxI
znwuw`zB)(j{Np}>r!hZ&WFLrWdn&YpJL-2*fYST4Jqx20d)4x{E2i$W=Dyaw*>R86
HxqU_eBZFf(

literal 0
HcmV?d00001

diff --git a/secrets/gitcrypt/cloudflared/cert.pem b/secrets/gitcrypt/cloudflared/cert.pem
new file mode 100644
index 0000000000000000000000000000000000000000..230ea5494bc2ef924081269e77fc4ff1278dce7d
GIT binary patch
literal 288
zcmZQ@_Y83kiVO&0sB~m0SQ%)y`DBY){H(RXFU^Yu57ktxnRM^MqKe61SMIT0^NcUx
zL0OmK^YYgW8EXwT==AeNE403dNYpC6>vZNni*eO{*Ax{Fiw_LbBdS+Vl9F^`cgxu9
zKc$Sb(*IIp+6xv9MFw}7i8Fc@{Z01kzNWE~e}2Hzlbde+6w33y>Lb7LZhX1Z`|3AO
z4phro7N1%2QrDPi>mrM%23}Ra3$p9pS<TWFIo?*TV!0sk?S0|5lj9k=s;`vD*$LeV
z@l?xLG_{!jYR*N+@JR)UxzBIk+Rv6$r$24lj|&NlyxDtq-@LnYPeE*J^`W(K`)YiB
xVsbNOCvWO{V8(EHPs^tJo4(jg;kdE0(QK+-m2aw)**>i+or{{kJ?v?B1OUDni9!GX

literal 0
HcmV?d00001