Changes to rpi setup

modules/cloudflared.nix

@@ -46,32 +46,43 @@ in
 
     # -----------------------------------------------------------------------
     # cloudflared service
-    # NixOS 24.11 ships services.cloudflared natively.
+    #
+    # We use the token-based tunnel approach (cloudflared tunnel run --token).
+    # This needs no credentials file and no local tunnel config — just the
+    # token from the Cloudflare dashboard.
+    #
+    # Rather than using services.cloudflared.tunnels (which requires a
+    # credentialsFile), we create a plain systemd service that runs cloudflared
+    # directly with the token read from the sops secret.
     # -----------------------------------------------------------------------
-    services.cloudflared = {
-      enable = true;
-      tunnels = {
-        "pi-main" = {
-          # credentialsFile is not used with token-based auth;
-          # the token is passed via environment variable instead.
-          # We override the systemd unit below to inject it.
-          default = "http_status:404";
-        };
-      };
+    users.users.cloudflared = {
+      isSystemUser = true;
+      group        = "cloudflared";
+      description  = "cloudflared tunnel daemon";
     };
+    users.groups.cloudflared = {};
 
-    # Inject the tunnel token from the sops secret file
-    systemd.services."cloudflared-tunnel-pi-main" = {
+    systemd.services."cloudflared-tunnel" = {
+      description = "Cloudflare Tunnel (token-based)";
+      wantedBy    = [ "multi-user.target" ];
+      after       = [ "network-online.target" "caddy.service" ];
+      wants       = [ "network-online.target" "caddy.service" ];
       serviceConfig = {
-        ExecStart = lib.mkForce (pkgs.writeShellScript "cloudflared-start" ''
+        Type            = "simple";
+        User            = "cloudflared";
+        Group           = "cloudflared";
+        Restart         = "on-failure";
+        RestartSec      = "5s";
+        ExecStart       = pkgs.writeShellScript "cloudflared-start" ''
           exec ${pkgs.cloudflared}/bin/cloudflared tunnel \
             --no-autoupdate \
             run \
             --token "$(cat ${config.sops.secrets."cloudflare/tunnel_token".path})"
-        '');
+        '';
+        # Hardening
+        NoNewPrivileges = true;
+        PrivateTmp      = true;
       };
-      after = lib.mkAfter [ "caddy.service" ];
-      wants = lib.mkAfter [ "caddy.service" ];
     };
   };
 }