From ca28c3dfa6e8fcdc2cf88c2c45b30d6c21045ebe Mon Sep 17 00:00:00 2001
From: "Gustavo \"Guz\" L de Mello" <contact@guz.one>
Date: Thu, 14 May 2026 19:43:05 -0300
Subject: [PATCH] feat(services): cloudflare tunnel service

---
 flake.nix                |  3 +++
 secrets.yaml             |  3 +++
 services/cloudflared.nix | 15 +++++++++++++++
 3 files changed, 21 insertions(+)
 create mode 100644 services/cloudflared.nix

diff --git a/flake.nix b/flake.nix
index 2a3efdb..738d2ae 100644
--- a/flake.nix
+++ b/flake.nix
@@ -193,6 +193,9 @@
     nixosModules = {
       neovim = inputs.neovim.nixosModules.default;
       playit = ./modules/playit.nix;
+      services = {
+        cloudflared = ./services/cloudflared.nix;
+      };
     };
 
     homeManagerModules = {
diff --git a/secrets.yaml b/secrets.yaml
index 7573a1a..509d08a 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -1,4 +1,7 @@
 services:
+    cloudflared:
+        guzone-cert: ENC[AES256_GCM,data:zFwtLBIb5S5XvduuK2hbVsq9YHkvKuyy25KtOHN3YQeHuWMZQzDXw4ICE6/YaJzfDhZNxcpQvRNt6OXqqBzHB74oEeKvOZC9owfMzNufWHxcFRpwNSl5LUq57ciC+6wnizhrdKwtk3v5lZk9ToCjURYbZ/RqkZKgYfrrv7Xh22Qns+H9rYg6B06MtglXSHciXnigc5ofkyd9mY3yoCCooteKaix13ZJYzt+LHfJlur/+tGz8pvAZGN/beOdkX/kp6QD3+7JPeOt6KeNkdGY4TvdM2fpMSK0JZekGHgHQVSQJLDkSlNY9SOPuqgZYleRi0fy2Ve9tA9SpGatWXhcuUZTbbNf0SRf/by5n6mUF9a3kPOjkJq/4Jeoi,iv:0wobompJLwaxVQnJAntKSF2pxIebDxxZ2lgEpw3iT1o=,tag:Ef3QZ6vebHzzSsTLUOWYyw==,type:str]
+        guzone-cred: ENC[AES256_GCM,data:UVsBMQMB2yrS2TnzyqSh57Hyr13ONfC81gJO2iT5EDkUu1XoocJcd1G0TEhSODmMvTfx6FrI5GSGRbHX0Z/AK1IBIeLBBQ9zDqhvL/2i+0EltBaIw/HMDusWvFLQMBBQiJ0uDqpBTEUAidUEe/qX248bGdL3d9EfYcxp7ivplMOZ5ocNJhDXqF0M1odfcia6J5xvehBeBeO6B8t5tDoDIIpA39bHge5IgMvQ9GwB4tE=,iv:YFbB8Wmgnzwdw0BZjWIrkP5FQ09iKeiW/eIIbBdNEgk=,tag:v7u6cAf8JM2KT/jxxb0tYg==,type:str]
     minio:
         credentialsFile: ENC[AES256_GCM,data:b3ZS3dJOjUMTFNY0vnCr+u5SZaUtf2DR4zCIGH/OpZWWjJIxjRPKp6aPM5ok/XnYu8cv/4FHwMM=,iv:ZnzLCTI0cEVHGy7mMUNGiQlseOXxvNgWrD1mkthwkNE=,tag:8Ii6fNg2syJcyxNAww+6SQ==,type:str]
 guz:
diff --git a/services/cloudflared.nix b/services/cloudflared.nix
new file mode 100644
index 0000000..617f6dc
--- /dev/null
+++ b/services/cloudflared.nix
@@ -0,0 +1,15 @@
+{config, ...}: {
+  services.cloudflared.enable = true;
+  services.cloudflared.tunnels = {
+    "9ed8b48f-9585-4a67-9895-114b162172fb" = {
+      certificateFile = config.sops.secrets."services/cloudflared/guzone-cert".path;
+      credentialsFile = config.sops.secrets."services/cloudflared/guzone-cred".path;
+      default = "http_status:404";
+    };
+  };
+
+  sops.secrets = {
+    "services/cloudflared/guzone-cert" = {};
+    "services/cloudflared/guzone-cred" = {};
+  };
+}