From 79de75f8741688b7e4ddcb2f869481078dd920a2 Mon Sep 17 00:00:00 2001 From: Daniel Kempkens Date: Mon, 6 Feb 2023 11:47:54 +0100 Subject: [PATCH] cloudflared: access token using agenix --- agenix/hosts/sail/cloudflared/environment.age | Bin 0 -> 674 bytes agenix/hosts/sail/config.nix | 6 ++++ flake.lock | 30 +++++++++--------- home/config/wezterm/config.fnl | 2 ++ home/programs/nvim/plugins.nix | 18 +++++------ secret/hosts/sail.nix | Bin 1630 -> 1406 bytes secrets.nix | 2 ++ system/hosts/sail.nix | 2 +- system/nixos/cloudflared.nix | 10 +++--- 9 files changed, 41 insertions(+), 29 deletions(-) create mode 100644 agenix/hosts/sail/cloudflared/environment.age diff --git a/agenix/hosts/sail/cloudflared/environment.age b/agenix/hosts/sail/cloudflared/environment.age new file mode 100644 index 0000000000000000000000000000000000000000..84848e0ccd24f9ac809a4bb4dfe3baa44088a23c GIT binary patch literal 674 zcmZ9|-AfYz008hHN;pNquqZ6ngJc}%zT9myDsP|e_I2BCpK0#4-R`#CZFjeM=PCG- zk74zYfrbc0MUW_(WJm;tq?J@AEUO18#t8ZXK?-iRPKMxlL)obl7d17 zRwn%njRu7PsP(9DYeK6uhfN|DZU?i0C|U9aCA*GSQ2^_JO|DQtW1-oop-U_#OT{!Q zTKrjZ0Hg>m)*qIgT8j%bx~P8|22lb@6iLMis-#GF0NO$yi%@8c2^qufyp30r5jjQ1 zILukhBGHK5?k~jxT^^mQ;4`GnxVDc`TWFQ!Ai%r@%juH_#6nJy=~^j+JjY%%&R))Q8kj z?)%6v)^M+`&irvT&NVMCx_+>q&&A#jiO}|_|K{Vd3V|Pb64j}f;)I)Q?5S4H8<)D7 z-U;y}v%JwL=q?6r7dHQ%xptzg)b@*DF)!Oz2zPr5g ydhJ+e>gDS1+Lra1@%X7mfSBLe!E5HWk5s<3zB%~m)z1#{z}|;LO||o*&;9_pr~~2v literal 0 HcmV?d00001 diff --git a/agenix/hosts/sail/config.nix b/agenix/hosts/sail/config.nix index 80597e8..681c843 100644 --- a/agenix/hosts/sail/config.nix +++ b/agenix/hosts/sail/config.nix @@ -1,5 +1,11 @@ { age.secrets = { + cloudflared-environment = { + file = ./cloudflared/environment.age; + owner = "cloudflared"; + group = "cloudflared"; + }; + mastodon-database-password = { file = ./mastodon/databasePassword.age; owner = "mastodon"; diff --git a/flake.lock b/flake.lock index fa37ca4..84cd206 100644 --- a/flake.lock +++ b/flake.lock 
@@ -140,11 +140,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1675595366, - "narHash": "sha256-WoQkwaaoZqrhWpIrMxA+2j8CgxgyvjHzCyEZAQu06rQ=", + "lastModified": 1675637696, + "narHash": "sha256-tilJS8zCS3PaDfVOfsBZ4zspuam8tc7IMZxtGa/K/uo=", "owner": "nix-community", "repo": "home-manager", - "rev": "9621e9ab80a038cd11c7cfcae4df46a59d62b16a", + "rev": "c43d4a3d6d9ef8ddbe2438362f5c775b4186000b", "type": "github" }, "original": { @@ -163,11 +163,11 @@ }, "locked": { "dir": "contrib", - "lastModified": 1675561032, - "narHash": "sha256-0BnsvvebFprjoi1Vz8xF6F9RJVaxJwbAeS7FdRDzeIs=", + "lastModified": 1675657440, + "narHash": "sha256-UkEa4LKXLNglbn5U2o/zee9AePaVVzLkhe06rv6jtDg=", "owner": "neovim", "repo": "neovim", - "rev": "5c4b503d3cb4a48d083bcf50d4932927e6eb749d", + "rev": "6c39edaa7e5060cedfbbf61e88f4aad20fdff73d", "type": "github" }, "original": { @@ -184,11 +184,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1675584806, - "narHash": "sha256-e3Be4OA16rgsQI881yrejy/wrjX62WQLOK3z1UfbTZk=", + "lastModified": 1675671305, + "narHash": "sha256-AUcqYR+hZsGz0LCA+FNXejCEToLRceFXia4zMqxh2KE=", "owner": "nix-community", "repo": "neovim-nightly-overlay", - "rev": "6690d543402dea98fd975709ed3be6d6b778f302", + "rev": "3660ca973f7f9608855abc497626776745c701e3", "type": "github" }, "original": { @@ -204,11 +204,11 @@ ] }, "locked": { - "lastModified": 1675585357, - "narHash": "sha256-AIXHHZxtj2sUV8jlYtZ4p09TAmD/EkJ5E8+YWfCbmDM=", + "lastModified": 1675671894, + "narHash": "sha256-Kpt06wlPeQ83JhaWFliMjelpLyV652Y13XZdENgGi6Y=", "owner": "nifoc", "repo": "nix-overlay", - "rev": "fecfe2b744653563d90904847d474378e839f7d3", + "rev": "1207e81469356b607bc39e4f8368264cd0e33917", "type": "github" }, "original": { 
@@ -235,11 +235,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1675584158, - "narHash": "sha256-SBkchaDzCHxnPNRDdtZ5ko5caHio9iS0Mbyn/xXbXxs=", + "lastModified": 1675614288, + "narHash": "sha256-i3Rc/ENnz62BcrSloeVmAyPicEh4WsrEEYR+INs9TYw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d840126a0890621e7b220894d749132dd4bde6a0", + "rev": "d25de6654a34d99dceb02e71e6db516b3b545be6", "type": "github" }, "original": { diff --git a/home/config/wezterm/config.fnl b/home/config/wezterm/config.fnl index 54d4f86..82e668e 100644 --- a/home/config/wezterm/config.fnl +++ b/home/config/wezterm/config.fnl @@ -102,6 +102,8 @@ {:key :RightArrow :mods :CMD :action (wezterm.action.ActivateTabRelative 1)}] + :send_composed_key_when_left_alt_is_pressed true + :send_composed_key_when_right_alt_is_pressed true ;; Mouse :mouse_bindings [; Only select text and don't open hyperlinks {:event {:Up {:streak 1 :button :Left}} diff --git a/home/programs/nvim/plugins.nix b/home/programs/nvim/plugins.nix index 5153281..a055312 100644 --- a/home/programs/nvim/plugins.nix +++ b/home/programs/nvim/plugins.nix @@ -112,12 +112,12 @@ rec { }; }; nvim-treesitter = pkgs.vimPlugins.nvim-treesitter.overrideAttrs (_: { - version = "2023-02-05"; + version = "2023-02-06"; src = pkgs.fetchFromGitHub { owner = "nvim-treesitter"; repo = "nvim-treesitter"; - rev = "24d5be6e7192a855a0eba21829717614fa1cf54e"; - sha256 = "0mk81rjjg4z86kc5wh400j3hvhfq5fflmv0w7daxbxz83133xnxx"; + rev = "d3a68725e8349212a359d1914fc6e86ff31e4142"; + sha256 = "1ccbbbvv2w2vwn9r6z2yc6479sjzm4zx89vzn555b26qazpjmxwn"; fetchSubmodules = false; }; }); 
@@ -225,12 +225,12 @@ rec { }; nvim-lspconfig = pkgs.vimUtils.buildVimPluginFrom2Nix { pname = "nvim-lspconfig"; - version = "2023-01-31"; + version = "2023-02-06"; src = pkgs.fetchFromGitHub { owner = "neovim"; repo = "nvim-lspconfig"; - rev = "902d6aa31450d26e11bedcbef8af5b6fe2e1ffe8"; - sha256 = "1hmkm3znqm7c6fi0qai1i424qjm5b9dh9l0srzyy7cax3629yyfr"; + rev = "255e07ce2a05627d482d2de77308bba51b90470c"; + sha256 = "15lgwqwk6c6rkagbjakylfaq4v49ib7ahp4mcw121k3i5akj1hh7"; fetchSubmodules = false; }; }; @@ -445,12 +445,12 @@ rec { }; nvim-autopairs = pkgs.vimUtils.buildVimPluginFrom2Nix { pname = "nvim-autopairs"; - version = "2023-01-30"; + version = "2023-02-06"; src = pkgs.fetchFromGitHub { owner = "windwp"; repo = "nvim-autopairs"; - rev = "5a3523ddb573804752de6c021c5cb82e267b79ca"; - sha256 = "1s17rmxgnadz6wbcd21x8504ra8crbxf27qjdxh6b4a1g0w75hy1"; + rev = "0e065d423f9cf649e1d92443c939a4b5073b6768"; + sha256 = "174krjkvhcfn25pq9aqwm36cy40dkcxs2rx5y6lbhysizw09gq9s"; fetchSubmodules = false; }; }; 
diff --git a/secret/hosts/sail.nix b/secret/hosts/sail.nix index e29dca36e21edca04887e410dbe9a216c3e986e0..b58d6dd855596bc22a778eb6b07f6e0fad7a1a8f 100644 GIT binary patch literal 1406 zcmV-^1%dhiM@dveQdv+`0IZO5y|a@tHrP*{o~*bJ8~$)1h6lO2wbPfr!iS4T){4GT zuUo0}kbb$^ZNJtjjAG$CtJnDU1YDDYks2{&B~-?*0u}7vMDuk6_4XjCi~xDhM<)u% zg~0ep?k()yQ6+UfITP>+?+p)4WOhd<*|MRx);HaDldg;%s)Bd%pddfH!9frgy4Hyq zNi9N_E9I1alj7MZ37lh(I#jzwPp?h(6qo;DrZ)88Et|Tk#5b zpz}IWyEGRsPeTqaE=hv|!Byg2Gs~yw_EW?8%&MM34-(m3oC<65Hv5h*3iB%D)uKFrz;&q#)$HmgS&zM(nYe23=I#r8BT zE@W_Ycpy_s)3+YT&MVi4%G$6#`lZq9XZ1h~P`@%&B-JBzTPRmZUD+7ON*w5jQ7sx$ z$Qzt_m9)#*YxoN3y%;;iV(@Z?M|@V(7oy!u&5Hbp4SeeIy|$6<1#{w+PW|`)sQk>kK=+=7`GPJzA)$ z=h0YwT7HJ^^PJ}BE+iwt>3#VgTnRj0x#p9e&F&PK%?GIU6LI*`Ex_Bm@M_b?F?D@ zs|b}+wZzsvDseeoKsDLn+T~ZTXvkTMMCOB^PYKA5x0c z^SfkBAcRUQyO^7YlRq^~k zT4UCD6;pygD!%H33KqJA+YcZr&>l6GW+S4APbw!RY=VigI8`-uiOZBdwSii?{1`x$ zsu@qMF;1o<-V1b^4xA-NY^|q*JF)dL8|(GEmc)0U^ta{a$nph-UVg-B4~|-IDV5s9 zD281Z|H?_^@4Z0X1w=@8(zTWV(vP5?xt+<9y2w!g@+$y{tv6S7-vD13|2`hHn=MSX zlh_mJPL;e6pL>dME`zcKOGJ6o2--f#dlg!W+cLO5k_dW58g37`I6WQM&t7ez+-1s7 z^I3F}6x|n&KHT+{(wJ}2Wq<22JBW7v4;DAOWT>l?U4AJ`@V|&22cP{syXa?A-A<50 z)WaeMK|(SAZ^C%Hgd-4f*7#(Da*$}Rw+9a;Qm%VUrasIUPj4s>0N}NfLM@?{;jm;8 ziof;M@KF%12;)R?<#^9$pE+vmmk^6|u~(h>l@ng#kGiH$dK;0iQLJ1xA<>ZxLm-n3 z_E(mdEj#Q5*5vMd?|*kVH~W5fHj;LnjX~KSdU}?dfRKl@!``#`?X5O^Se1KIR z>J69MFj`ds=U9Sh1Hk<)`sUXfHTUhp(U9D-uskAKrVA`FQNp5#YX-#QX=c)rcVE&! zhlc_njdekjsERp*FA4#nu}lPlvc@#PGNMDDkCs}#Uo#K<@Kn^D$OH!U&!(=Hrs(r_ Mq3i#OFfA@@#bv&_5G@<{Bb4?Ur#kkERAW{=SJsU}^o3;bJrpWzW|@8!UP zWzrlo7rES*^`!6c?Y(5iZv3;cfEb{D3IfeR^zX`j44#vubN^siG30Xk4mS9}%==IbJwpnagsHTjQ^x|SBEDW}(9~@Iv{$k$P z2jrUAPml%Isz5a96(UTV1t<-XO=Me36{FmR*a{o&l_L_U{s@qDH&8GYov%GUUjs!Q zegBL!%6uWlEc*$g-ApIXXxe*k^*Xqeg406~FDQYEswSg$KZ)VWCU3AiH@re>#{Bwt zh|pPD&BT+ZY)C z*7Yzk_aJWuR}EJNU46w-p@riAnKr1Gv7YO1D6*6Xkr<>{r&omMW8C+9%=;F!EbqJ> z8?g6K3yJ1DdT;n9Pks~a{c^IIfjXUhZOxF$5&a`Sqy=h1SD;=Ijc#R`O_paZ>(B&sZ!l^V)u}zL(nk6o`aQ? 
zN-?6J+R11E({g3F^tdLok%kSBvD|5@ZB_6XA_>{eqr!!Q$unQYF92C84`b(7hh9_b zmg@mp^HdYcCcpOpp7tWaZpd-bX{DKM(sg#z>;TgSUC5y1{Wl`|(TF5?0Dx(m?NOE; zxR@bc8A6g|=!aZn-=BffX{VQ7jx{};ic7kQiJ=4B3OOh;yUr1U<1X309TRBnWt}n< z68x2s<}seK?(vm+SmOgKjqrWl1sA4Kp#&VYTyV#^d`g>9^F>Nm-uN{;Q+@L7l!*C$ z#JLZDlE}zEktZ$r(gl5OEc~BG9deGFPs}v#ZemucSDnv>*Jy_Sqh3Y-pe=M|pEkxx z`M~ML0CQas^u=)Qn#2J)9TXd$oDDu21nJhY_~QzMTwwq#cyMptX?HqvTRq<~S?g!P z)uRhG&rP6ii_h;tVxRAonlEqWmG#bo6#@iq9C^WsL*0(90hyQjHC8?=@y1JMs#>3s z9|ugOiqe$)aH1=DSlR1iS#EhY<4Nh>EXQLB*G7_Riy*Ba79iDdV=>tAS?iW*kySuu z)RzU;p-uYBI{4g0$hbm@1x$y+a9;oSyM}E25AdT%$~>F9Eul)kIfBye1{_UTM_ttC z%q)G^`*}SJk>ud==jn{70O##6xva?v#M;o`FhFZ@`s_m6@~0B;mmQsSIYnfa6Og3_srtP%n_GVb+ZRTd5-+Nw2nlZvS3||23uh%K+sf%+Wp)mGW z{BE;BR@-Z0chfJ3NJCk+@;WU=Xr@p%-IrWRZ#3$3T|bqvequJ9qSPhVTnPV~T&kVr z99(z+c52nLZM{jBzJrD$yS|6N{ew4l&n@>TIQy)HT7NN9aNpm+4lzfc6||^OKJ4pD3=(KNS^xk5 diff --git a/secrets.nix b/secrets.nix index 88504a8..5cfdceb 100644 --- a/secrets.nix +++ b/secrets.nix @@ -7,6 +7,8 @@ let in { # sail + "agenix/hosts/sail/cloudflared/environment.age".publicKeys = sail; + "agenix/hosts/sail/mastodon/databasePassword.age".publicKeys = sail; "agenix/hosts/sail/mastodon/smtpPassword.age".publicKeys = sail; "agenix/hosts/sail/mastodon/otpSecret.age".publicKeys = sail; diff --git a/system/hosts/sail.nix b/system/hosts/sail.nix index 35f8d70..faf354b 100644 --- a/system/hosts/sail.nix +++ b/system/hosts/sail.nix @@ -14,7 +14,7 @@ in ../nixos/git.nix - (import ../nixos/cloudflared.nix (args // { inherit secret; })) + ../nixos/cloudflared.nix (import ../nixos/freshrss.nix (args // { inherit secret; })) diff --git a/system/nixos/cloudflared.nix b/system/nixos/cloudflared.nix index da562b9..20fa6e4 100644 --- a/system/nixos/cloudflared.nix +++ b/system/nixos/cloudflared.nix @@ -1,4 +1,4 @@ -{ pkgs, secret, ... }: +{ pkgs, config, ... }: { users.users.cloudflared = { 
@@ -10,10 +10,12 @@
 systemd.services.cloudflared-sail = {
 wantedBy = [ "multi-user.target" ];
- after = [ "network-online.target" "systemd-resolved.service" ];
+ after = [ "network.target" "network-online.target" ];
+ wants = [ "network.target" "network-online.target" ];
 serviceConfig = {
- ExecStart = "${pkgs.cloudflared}/bin/cloudflared tunnel --no-autoupdate run --token=${secret.cloudflared.token}";
- Restart = "always";
+ ExecStart = "${pkgs.cloudflared}/bin/cloudflared tunnel --no-autoupdate run";
+ EnvironmentFile = [ config.age.secrets.cloudflared-environment.path ];
+ Restart = "on-failure";
 User = "cloudflared";
 Group = "cloudflared";
 };
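Review bot: Nothing in the new unit says which variable the decrypted file must supply: `ExecStart` no longer names the credential, and `EnvironmentFile` only points at `config.age.secrets.cloudflared-environment.path`. A comment above that line would close the gap, e.g. `# environment.age must contain TUNNEL_TOKEN=<token>; cloudflared reads it in place of --token`. The removed `--token=${secret.cloudflared.token}` was interpolated into the unit text, so the old value presumably sat in the world-readable Nix store and in the process arguments; if the same token was re-encrypted into environment.age it should be rotated, which this patch cannot show. The `systemd.services.cloudflared-sail` set closes outside the hunk.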