Using cloudflared with Zero Trust Dashboard on NixOS

OK so I installed the cloudflared package but I don’t see any options for configuring it :frowning:

Does anybody have a handy guide I could use? I just want to get cloudflared working with Zero Trust Dashboard, hoping not to do any config in the CLI or anything like that.

FWIW I was able to login using cloudflared tunnel list but I don’t know how to run cloudflared as a daemon on NixOS.

1 Like

We have a nix module in the works. I don’t know how the dashboard work yet, but I can take a look.

https://github.com/NixOS/nixpkgs/pull/171875

Do you mean tunnels created in this UI?

@bbigras Yes!

(Here is 20 characters)

There’s a token if you check the instructions for docker. I’m guessing you should be able to run the tunnel with:

cloudflared tunnel --no-autoupdate run --token <token>

If it works, you could use something like this in your config:

{
  users.users.cloudflared = {
    group = "cloudflared";
    isSystemUser = true;
  };
  users.groups.cloudflared = { };

  systemd.services.my_tunnel = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.cloudflared}/bin/cloudflared tunnel --no-autoupdate run --token=<token>";
      Restart = "always";
      User = "cloudflared";
      Group = "cloudflared";
    };
  };
}

Note that ideally, --credentials-file should be used instead of --token since that token is sensitive.

I’ll take a look to see how it could work with the WIP nixos module.

2 Likes

@bbigras that worked! Like magic :slight_smile:

@bbigras OK I spoke little too soon.

Tunnel works great when started up manually from command line. But it doesn’t start correctly when the machine boots:

May 12 07:42:50 nixos systemd[1]: Started cloudflared.service.
May 12 07:42:50 nixos cloudflared[726]: 2022-05-12T11:42:50Z INF Starting tunnel tunnelID=*****
May 12 07:42:50 nixos cloudflared[726]: 2022-05-12T11:42:50Z INF Cannot determine default configuration path. No file [config.yml config.yaml] in [~/.cloudflared ~>
May 12 07:42:50 nixos cloudflared[726]: 2022-05-12T11:42:50Z INF Version 2022.5.0
May 12 07:42:50 nixos cloudflared[726]: 2022-05-12T11:42:50Z INF GOOS: linux, GOVersion: go1.17.9, GoArch: amd64
May 12 07:42:50 nixos cloudflared[726]: 2022-05-12T11:42:50Z INF Settings: map[no-autoupdate:true token:*****]
May 12 07:42:50 nixos cloudflared[726]: 2022-05-12T11:42:50Z INF Generated Connector ID: *****
May 12 07:42:50 nixos cloudflared[726]: 2022-05-12T11:42:50Z INF Will be fetching remotely managed configuration from Cloudflare API. Defaulting to protocol: quic
May 12 07:42:50 nixos cloudflared[726]: 2022-05-12T11:42:50Z INF Initial protocol quic
May 12 07:42:50 nixos cloudflared[726]: 2022-05-12T11:42:50Z ERR update check failed error="Get \"https://update.argotunnel.com?arch=amd64&clientVersion=2022.5.0&o>
May 12 07:42:50 nixos cloudflared[726]: 2022-05-12T11:42:50Z ERR Error looking up Cloudflare edge IPs: the DNS query failed error="lookup _origintunneld._tcp.argot>
May 12 07:42:50 nixos cloudflared[726]: 2022-05-12T11:42:50Z ERR Please try the following things to diagnose this issue:
May 12 07:42:50 nixos cloudflared[726]: 2022-05-12T11:42:50Z ERR   1. ensure that argotunnel.com is returning "origintunneld" service records.
May 12 07:42:50 nixos cloudflared[726]: 2022-05-12T11:42:50Z ERR      Run your system's equivalent of: dig srv _origintunneld._tcp.argotunnel.com
May 12 07:42:50 nixos cloudflared[726]: 2022-05-12T11:42:50Z ERR   2. ensure that your DNS resolver is not returning compressed SRV records.
May 12 07:42:50 nixos cloudflared[726]: 2022-05-12T11:42:50Z ERR      See GitHub issue https://github.com/golang/go/issues/27546
May 12 07:42:50 nixos cloudflared[726]: 2022-05-12T11:42:50Z ERR      For example, you could use Cloudflare's 1.1.1.1 as your resolver:
May 12 07:42:50 nixos cloudflared[726]: 2022-05-12T11:42:50Z ERR      https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/
May 12 07:42:50 nixos cloudflared[726]: 2022-05-12T11:42:50Z INF Tunnel server stopped
May 12 07:42:50 nixos cloudflared[726]: 2022-05-12T11:42:50Z ERR Initiating shutdown error="Could not lookup srv records on _origintunneld._tcp.argotunnel.com: loo>
May 12 07:42:50 nixos cloudflared[726]: 2022-05-12T11:42:50Z INF Starting metrics server on 127.0.0.1:35203/metrics
May 12 07:42:51 nixos cloudflared[726]: 2022-05-12T11:42:51Z INF Metrics server stopped
May 12 07:42:51 nixos cloudflared[726]: Could not lookup srv records on _origintunneld._tcp.argotunnel.com: lookup _origintunneld._tcp.argotunnel.com on [::1]:53: >
May 12 07:42:51 nixos systemd[1]: cloudflared.service: Main process exited, code=exited, status=1/FAILURE
May 12 07:42:51 nixos systemd[1]: cloudflared.service: Failed with result 'exit-code'.
May 12 07:42:51 nixos systemd[1]: cloudflared.service: Consumed 52ms CPU time, received 0B IP traffic, sent 160B IP traffic.
May 12 07:42:51 nixos systemd[1]: cloudflared.service: Scheduled restart job, restart counter is at 5.
May 12 07:42:51 nixos systemd[1]: Stopped cloudflared.service.
May 12 07:42:51 nixos systemd[1]: cloudflared.service: Consumed 52ms CPU time, received 0B IP traffic, sent 160B IP traffic.
May 12 07:42:51 nixos systemd[1]: cloudflared.service: Start request repeated too quickly.
May 12 07:42:51 nixos systemd[1]: cloudflared.service: Failed with result 'exit-code'.
May 12 07:42:51 nixos systemd[1]: Failed to start cloudflared.service.

Seems like DNS resolver isn’t accepting queries when cloudflared service tries to start?

maybe try with:

after = [ "network-online.target" "systemd-resolved.service" ];

1 Like

That did the trick. Thanks again!

@bbigras hey there just checking in, is the solution above still the preferred way to use cloudflared tunnels?

You might want to try nixos/cloudflared: init by bbigras · Pull Request #171875 · NixOS/nixpkgs · GitHub which was recently merged.

1 Like