Using cloudflared dashboard-managed existing tunnel

Hello There!

I am new to NixOS, just installed yesterday. I have a fully dashboard-managed cloudflared tunnel ready to go, with all the rules and public hostnames already set up and everything that I used to use with my old Arch Linux setup.

Long story short, after a painstaking search through the entirety of Google, GitHub and NixOS Discourse, I have come to find that there is not much there for using cloudflared dashboard-managed existing tunnels.

I currently do not use home-manager OR flakes. I have the following service config for cloudflared in my configuration.nix:

services.cloudflared = {
  enable = true;
  tunnels = {
    # Dashboard-managed tunnel, identified by its UUID
    "<tunnel-id>" = {
      # Credentials file cloudflared reads at startup
      credentialsFile = "/home/<username>/.cloudflared/<tunnel-id>.json";
      # Catch-all for requests that match no ingress rule
      default = "http_status:404";
    };
  };
};

After a lot of searching I found out how to get the tunnel credentials file going:

  1. cloudflared tunnel token <tunnel-name/id>
  2. echo '<token>' | base64 -d
  3. save the output in /home/<username>/.cloudflared/<tunnel-id>.json

Now the only problem remaining is: the cloudflared service just CANNOT manage to find the damn file somehow. How do I know?
I used:
journalctl -u <service-name> and its log is filled with:
tunnel credentials file <...> doesn't exist or is not a file

I just cannot find out why it can't find the file itself, since I have confirmed the file exists at the exact place I have marked.
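The three steps above (print the token, base64-decode it, save the result) done in a script, as an added example that is not code from the original post or from cloudflared. It assumes, from cloudflared's own token format, that `cloudflared tunnel token` prints a base64-encoded JSON object with the short keys "a" (account tag), "t" (tunnel id) and "s" (tunnel secret, itself base64), and that the credentials file cloudflared reads uses the keys AccountTag, TunnelID and TunnelSecret; the rewrite between the two layouts is therefore an assumption to check against the `cloudflared` version in use. The sample token and the uid-free file writing are constructed for the example; the file is created with a restrictive mode from the start rather than chmod'ed afterwards.

```python
"""Decode a Cloudflare tunnel token and write it out as a credentials file.

Added example, not code from the original thread or from cloudflared.
Assumptions: token = base64(JSON with keys a/t/s); credentials file =
JSON with keys AccountTag/TunnelID/TunnelSecret. Sample data is constructed.
"""
import base64
import binascii
import json
import os
import tempfile
import uuid


def decode_tunnel_token(token: str) -> dict:
    """Step 2 of the post (`echo '<token>' | base64 -d`), with validation.

    Returns the decoded object, or raises ValueError so a copy/paste
    mistake is caught before a broken file reaches the service.
    """
    token = token.strip()
    # Tokens are standard base64; tolerate trailing "=" padding that got lost.
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        data = json.loads(raw)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not a base64-encoded JSON token: {exc}") from exc
    missing = {"a", "t", "s"} - set(data)
    if missing:
        raise ValueError(f"token is missing fields: {sorted(missing)}")
    uuid.UUID(data["t"])                        # tunnel id must be a UUID
    base64.b64decode(data["s"], validate=True)  # secret must itself be base64
    return data


def to_credentials_json(token_fields: dict) -> str:
    """Rewrite the short token keys into the credentials-file layout (assumed)."""
    creds = {
        "AccountTag": token_fields["a"],
        "TunnelID": token_fields["t"],
        "TunnelSecret": token_fields["s"],
    }
    return json.dumps(creds)


def write_credentials_file(path: str, contents: str, mode: int = 0o640) -> int:
    """Create the file with mode 0640 from the first instant it exists.

    open() followed by chmod leaves a window in which the umask decides who
    can read the secret; os.open with an explicit mode does not. Ownership
    (chown root:<service-group>) still has to be set by the caller.
    Returns the permission bits actually set so they can be verified.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(contents)
    os.chmod(path, mode)  # the umask can only clear bits; restore the exact mode
    return os.stat(path).st_mode & 0o777


# Constructed sample token: fake account tag, fixed UUID, 32-byte secret.
SAMPLE_FIELDS = {
    "a": "0123456789abcdef0123456789abcdef",
    "t": "6ff42ae2-1234-4f9e-9b1a-0123456789ab",
    "s": base64.b64encode(bytes(range(32))).decode(),
}
SAMPLE_TOKEN = base64.b64encode(json.dumps(SAMPLE_FIELDS).encode()).decode()


def demo_round_trip() -> int:
    """Decode the sample token, write <tunnel-id>.json to a temp dir, return its mode."""
    fields = decode_tunnel_token(SAMPLE_TOKEN)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, f"{fields['t']}.json")
        return write_credentials_file(path, to_credentials_json(fields))


if __name__ == "__main__":
    print(to_credentials_json(decode_tunnel_token(SAMPLE_TOKEN)))
    print(oct(demo_round_trip()))
```

Pipe the real token in from `cloudflared tunnel token <name>` instead of SAMPLE_TOKEN; the validation step is what tells you whether what you pasted was the token at all, which a bare `base64 -d` will not.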

The cloudflared user won’t have directory listing permissions for your home directory. Create a /etc/secrets or such, put the file in there, and chown it so cloudflared has access.

Ahh I see, I did chmod to allow public read access to the file but I think I didn't chown it. I'll try that first; if even that doesn't work I'll move it to /etc.
Thanks for the tip, I'll reply when I try it out.

Directory listings require the user to also have +x permissions on all parent directories. See e.g.:

tlater ~ $ mkdir -p test/test
tlater ~ $ touch test/test/test
tlater ~ $ chmod -x test/test
tlater ~ $ chmod -x test
tlater ~ $ cat test/test/test
cat: test/test/test: Permission denied

I think this is probably why this isn’t working, your home directory should not have a+x set.

Hence my suggestion to put it in /etc, which is globally readable without requiring any weird file permissions on your user directory that may or may not be harmful to your privacy :slight_smile:

1 Like
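The check tlater's `chmod -x` demo exercises, modelled as a small simulator so the "doesn't exist or is not a file" error can be reproduced for any user and path without touching the real filesystem. This is an added example, not code from the thread; it implements the classic owner/group/other evaluation (search permission on every parent directory, read on the file) and nothing finer-grained such as ACLs. The users, uids and two directory layouts are constructed sample data; the 0700 home directory is an assumption, and the /etc/secrets layout is drawn so the secret is readable by root and the service's group only, rather than world-readable.

```python
"""Simulate why a service user cannot open a file under a 0700 home directory.

Added example, not from the original thread. Models the kernel's
discretionary access check: search (x) on every parent directory, then
read (r) on the file. All users and paths below are constructed.
"""
from dataclasses import dataclass

R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int            # permission bits only, e.g. 0o750
    is_dir: bool = False


@dataclass(frozen=True)
class User:
    uid: int
    groups: frozenset    # primary plus supplementary gids


def permitted(node: Inode, user: User, want: int) -> bool:
    """Pick the owner, group or other triple exactly as the kernel does (root aside)."""
    if user.uid == 0:
        return True
    if user.uid == node.uid:
        bits = (node.mode >> 6) & 7
    elif node.gid in user.groups:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want


def parents(path: str):
    """Yield "/", then every proper ancestor directory of path."""
    parts = path.strip("/").split("/")
    yield "/"
    for i in range(1, len(parts)):
        yield "/" + "/".join(parts[:i])


def can_read(fs: dict, path: str, user: User):
    """Return (ok, reason); reason names the first component that blocks access."""
    for parent in parents(path):
        node = fs[parent]
        if not node.is_dir:
            return False, f"{parent}: not a directory"
        if not permitted(node, user, X):
            return False, f"{parent}: no search (x) permission"
    target = fs[path]
    if target.is_dir:
        return False, f"{path}: is a directory"
    if not permitted(target, user, R):
        return False, f"{path}: no read permission"
    return True, "ok"


# Constructed users: the owner of the home directory and the service account.
ALICE = User(uid=1000, groups=frozenset({100}))
CLOUDFLARED = User(uid=990, groups=frozenset({990}))

# Layout 1: file made world-readable (chmod a+r, as in the post) under an
# assumed 0700 home directory.
HOME_LAYOUT = {
    "/": Inode(0, 0, 0o755, True),
    "/home": Inode(0, 0, 0o755, True),
    "/home/alice": Inode(1000, 100, 0o700, True),
    "/home/alice/.cloudflared": Inode(1000, 100, 0o755, True),
    "/home/alice/.cloudflared/tunnel.json": Inode(1000, 100, 0o644),
}

# Layout 2: root-owned directory searchable only by the service's group,
# file readable by root and that group, not by everyone.
ETC_LAYOUT = {
    "/": Inode(0, 0, 0o755, True),
    "/etc": Inode(0, 0, 0o755, True),
    "/etc/secrets": Inode(0, 990, 0o750, True),
    "/etc/secrets/tunnel.json": Inode(0, 990, 0o640),
}

if __name__ == "__main__":
    print(can_read(HOME_LAYOUT, "/home/alice/.cloudflared/tunnel.json", CLOUDFLARED))
    print(can_read(ETC_LAYOUT, "/etc/secrets/tunnel.json", CLOUDFLARED))
    print(can_read(ETC_LAYOUT, "/etc/secrets/tunnel.json", ALICE))
```

The first call fails at /home/alice even though the file itself is 0644, which is the situation in the post; the second succeeds because the service user is in group 990, and the third shows an ordinary user being kept out of the secret. On a real system the same question is answered by `sudo -u cloudflared cat <path>` (or `namei -l <path>` to see each component's mode).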

I’m using this module for dashboard-managed tunnels.

For example, this will start mytunnel instance:

  services.cloudflared-stateless = {
    enable = true;
    tunnels.mytunnel.environmentFile = "/run/secrets/envfile";
  };

The /run/secrets/envfile file should contain something like this:

TUNNEL_TOKEN=eyJhIjoiYj.....

Where eyJhIjoiYj..... is the string after the sudo cloudflared service install command, which you can find in the Install and run a connector section.

Welp, putting the credentials file inside /etc did help remove that error, but it seems I still cannot connect to my tunnel. It just says “context cancelled” and closes the connection within seconds of me starting the service.

I am going to try out what @misuzu sent, I guess.

Which version of cloudflared do you have?

Unfortunately I don't have flakes set up yet, nor have I changed the branch, so it's whatever the stable branch has (2024.10.0).

Holy … this just worked. I don't know what's wrong with the current stable's service, but I guess this will have to do for now, until I get flakes or something, idk. Thank you.

1 Like