Deployment of Nebula
This commit is contained in:
parent
4507d9bdc8
commit
1735b5074c
|
@ -35,15 +35,15 @@
|
|||
systems = ["x86_64-linux"];
|
||||
|
||||
perSystem = {
|
||||
pkgs,
|
||||
system,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
devShells.default = pkgs.mkShell {
|
||||
packages = with pkgs; [
|
||||
sops
|
||||
ssh-to-age
|
||||
# not included: age, gpg, pcscd, etc.
|
||||
# not included: age, gpg, pcscd, scdaemon, etc.
|
||||
|
||||
deploy-rs
|
||||
nixos-anywhere
|
||||
|
|
|
@ -8,6 +8,7 @@
|
|||
./disk-config.nix
|
||||
./mounts.nix
|
||||
./secrets.nix
|
||||
./nebula.nix
|
||||
];
|
||||
|
||||
networking.hostName = "eidola"; # Define your hostname.
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
./min-rip.nix
|
||||
./gitea.nix
|
||||
./synapse.nix
|
||||
./nebula.nix
|
||||
];
|
||||
|
||||
security.acme = {
|
||||
|
|
|
@ -0,0 +1,50 @@
|
|||
{config, ...}: let
|
||||
netName = "m-infra";
|
||||
# https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12
|
||||
userGroup = "nebula-${netName}";
|
||||
in {
|
||||
sops.secrets."svc-nebula-key" = {
|
||||
mode = "0440";
|
||||
owner = userGroup;
|
||||
group = userGroup;
|
||||
};
|
||||
|
||||
services.nebula.networks.${netName} = {
|
||||
ca = ../../../keys/ca.crt;
|
||||
cert = ../../../keys/lh-silver.crt;
|
||||
key = config.sops.secrets."svc-nebula-key".path;
|
||||
|
||||
isLighthouse = true;
|
||||
isRelay = true;
|
||||
|
||||
listen = {
|
||||
host = "0.0.0.0";
|
||||
port = 4242;
|
||||
};
|
||||
|
||||
firewall.outbound = [
|
||||
{
|
||||
port = "any";
|
||||
proto = "any";
|
||||
host = "any";
|
||||
}
|
||||
];
|
||||
|
||||
firewall.inbound = [
|
||||
# Allow pings from anyone
|
||||
{
|
||||
port = "any";
|
||||
proto = "icmp";
|
||||
host = "any";
|
||||
}
|
||||
# Allow SSH from `internal` group
|
||||
{
|
||||
port = 12208;
|
||||
proto = "tcp";
|
||||
groups = ["internal"];
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
networking.firewall.allowedUDPPorts = [4242];
|
||||
}
|
|
@ -0,0 +1,5 @@
|
|||
-----BEGIN NEBULA CERTIFICATE-----
|
||||
CjkKB20uaW5mcmEorIy3uAYwrPO7xwY6ILUb5mS0HBCYrAhWPXwqvtnBmmqz1lKc
|
||||
NOG84dEk3/biQAESQAEi7CVxFVDlG7ihV3nuosvEpodNZqS/RJ8GGKUBuLMz1BfE
|
||||
XdnMkMj44YQ2owDKYKgvZFc3nQGsrq5/4cWAdgs=
|
||||
-----END NEBULA CERTIFICATE-----
|
|
@ -0,0 +1,6 @@
|
|||
-----BEGIN NEBULA CERTIFICATE-----
|
||||
CnAKCWxoLXNpbHZlchIJgYC0UICA/P8PIghpbnRlcm5hbCjGoru4BjCr87vHBjog
|
||||
c8vXd3esFyA3adiEHolGzUyi3u4IztrRCVl3T8uzmztKIC9yiWnXjCJT2HfiClMu
|
||||
+en3Out6l4ReySH/GXaXDNbjEkChm/cVEgVeg86Q9Qipm+bAJ2tKYwwmdxQMMRAz
|
||||
fT+XLQ+jKzGLeOIRiDW6ZLyL/mHv4iqQBCNyUIjVqQcTD38D
|
||||
-----END NEBULA CERTIFICATE-----
|
|
@ -0,0 +1,6 @@
|
|||
-----BEGIN NEBULA CERTIFICATE-----
|
||||
CnMKDG4tc3J2LWVpZG9sYRIJgYK0UICA/P8PIghpbnRlcm5hbCj8mbe4BjCr87vH
|
||||
BjogwyipoSTT04BJ0zVCsdR8eNanj8hcyHeNabRtfq8M+QRKIC9yiWnXjCJT2Hfi
|
||||
ClMu+en3Out6l4ReySH/GXaXDNbjEkDvzr+71yUMW3GzCIMy9j2Z1ov8zw8h0s52
|
||||
FDIyYijYWK8jc7cJBqbdaRhE39zv0vrpfTpH4byWKVOFgVqeViMB
|
||||
-----END NEBULA CERTIFICATE-----
|
|
@ -1,5 +1,6 @@
|
|||
root-pw: ENC[AES256_GCM,data:g/dIT5d5w+FCAbxgGRJoMISgVTySEqXoBCV/jopu9Cgm4db9zAFWzZ7kUqOr8IQpEpCXyguYClIGExt0SztbRze8YPu9NilcUmYH7QmI+8oaEanYkvwpT5jyBU/M2eG0U9pMzcGI6hl2Ew==,iv:2HmGvFkRrnwYi5gjB4Na/ZayGoCFEsM4TDoqKlzhZUg=,tag:NLuval5PJ6AnDLvPGVvm7w==,type:str]
|
||||
user-pw: ENC[AES256_GCM,data:gr+Dis3c5NWLWnfJG4eJUxwt574R3n40djeK68hukMNPx0qwGRAT5a7UQ5doxtDBgafcH1uCgqrsWwEmy9H5dS6WfLMivE5Uy213EcEk3YNUwI9d5vbdcbCcXWvPsyCu6sxS3x731EVVYA==,iv:4AHzVLoJD95d2UwwEAwxWP0G2gekHahBt4hDDA9ZSx0=,tag:03L3Ql070mt3oDV5YdrETg==,type:str]
|
||||
nebula-key: ENC[AES256_GCM,data:YnGtqqWXbwkMYFJAKcBXmbRE+lsW9DwRnsseocTAVVIAqw84o3Qny2LO1vzoErtP7Fx9vPaI2bzvJTICNSTBw2jH4thzLR71XpHZI7mo+FSXzpZx8pxv6pfVcCW4tNK7KXx/PyvzCU21npsPDoVlM1rE/LKPxu2PLoGBd6u+,iv:g5BIpHXXrHZovSWnLURhJzTCaZC6fjVNS1QXwnSlxVs=,tag:9D/wTzaJOd5Vls/l33jZSg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -15,8 +16,8 @@ sops:
|
|||
dVh4dFgrcWxtMFdUVVZTTm4rczVLaE0KBhCAwRHxtedfNZapyR3lbkxaiWxZR5lW
|
||||
SQMhh9sUTnc/4B6StOhZEn+S7bVSRjPgvn9F+W7nCzcq/fpRYTcWvw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-08-23T20:15:55Z"
|
||||
mac: ENC[AES256_GCM,data:l/9IHeMTgA7hzF2EEcWW+wkKa4eRWCRLAmdee371qhipLzgJMKrme+qK2RkJd2txVIgz7m7FJG4HWEo4hVpjvcloY1H0U86dJndwKwGKYTmJPdcEH3HQgKVcx8b5pdkww1g98vnLfY/jwbMBkx3CrPliJw86QVglkmWWHR6W92w=,iv:cYlpkLN4PwHghbRn6KIWgUGEymdbFBsnUZ8xUBgif5g=,tag:jqLa5Nl74DUYFqDpuQPfUA==,type:str]
|
||||
lastmodified: "2024-10-15T20:21:41Z"
|
||||
mac: ENC[AES256_GCM,data:UFxO3wb/gAg5hiYkp4lfGeO0gZA6F5sEv6jiwI+GA6BidCkrGMAaYLQm6wvJ9sPHANdzSS72oi+7fUyoQ1M7ukpocpA+qbpC5RjGWQusxrrJK+J7khSWGfP5X8qkJTxFs+FK1D2HcfTIPcwsR4LOHwK/chWg4As4aEgGHcUIZBw=,iv:6RE/Y24jIt5PVlzc8PHIYFCgpEt0QLNeXa0uAk4vWIs=,tag:JrBltUtb7hqr2LsJr2oXRQ==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-09-02T19:43:07Z"
|
||||
enc: |-
|
||||
|
|
|
@ -5,6 +5,7 @@ svc-vcnotifier-env: ENC[AES256_GCM,data:8DwT17Aosvu7/Q2ecbir/t9HOtanPlFeBgLOzxtc
|
|||
svc-breeze-upload_key: ENC[AES256_GCM,data:qNNH4/Q0rk2lsMImzpVe54+DbSAOiGjo,iv:rX9zvcPt6qSbPs6sKYO0T8EVaHU/u9QDoT/ISHdQSV4=,tag:kivJyeJGtuBP0l54qJ0t9w==,type:str]
|
||||
svc-synapse-synapse-config: ENC[AES256_GCM,data:r8ZYi67CfftGheassCFiLOVcFUho+sNNe0XCkyQETHT6Q/w2jqO9eAVA2EDJyK4Vk3S4MP6ppcGxwocMmTYzkAjmtwf6a7GzUyh14+Lj5VTybvIKOze0wuLlsEUUYgU=,iv:HTnPaS5/ZvdJIMKiTfPffZmemp5IGTo/mIWrpafk/Fk=,tag:2HusbhzmxqsTMz5/78WCRA==,type:str]
|
||||
svc-gitea-runner-env: ENC[AES256_GCM,data:M2hV8YM03dcBcgpJqbpiW6RGlhDvkfF/ExF+J1GF+39GnOsBWwPKteM5EAUB2Wrl/zRFifgfNLLdYgSEWhJsT1cBLhI3vwE5,iv:9/nvC3sS6XcLxgeKrEg/AaFhptXCm3uvGgSUMAz4p5Y=,tag:A1MnoJP6aekXuWHhlONnkw==,type:str]
|
||||
svc-nebula-key: ENC[AES256_GCM,data:kqVqnsEgEsMGz2Ud0CS4DnVDd7claVoFyB3grV8TWK/mGdtJwysIYsQRmpbwXcOTTfgdX6vLKxJvleLLHFQGTjf/7QwBrmhfUKryd7CEukaZUsmkJAx3fH5y0mMd84nJucyQk5NqXZhyXQNwg9zmyH20XdaLqrdr0dtkQzIf,iv:OHoIHRKJt4kqbQye6SHLD9wVbLl7wTvs5CheIeOObeg=,tag:4AG0sSlOdTrqtXj3UqzaHQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -20,8 +21,8 @@ sops:
|
|||
Z1dZRXNCRkQ5cktZRGNpUXJaWHhrYTQKXQ1VOLDgptLJ8JKSBF8CWzyEGHnlbB+4
|
||||
6nZlCHid4AFPRdAZ7cgEvJViBTSV05NOWE0pKYO3WZyWVKysfBKtgg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-10-13T07:04:09Z"
|
||||
mac: ENC[AES256_GCM,data:/Mn3G6qHRPSZ1vt1ks30EYZ7UxhjmC7hdkZCl0ifipEfrl//zcsgtB96Q0V/35JWPVcVVoirLJsUmMcJZaevjAgIBys9jIjLgw5AN5R9QhVdRJ25tp/qX/JlKHuj9IVOM7n9hzVjauJYoWy6ftSeTmzyWoqTJrKvF6etaU4AUYs=,iv:Wcfr3sbVqOo7JTMH4kooLFDSQGTTV6ZMnKcWJqF6gK0=,tag:Dp9fEDTN4ko1YZp4O4EtWg==,type:str]
|
||||
lastmodified: "2024-10-15T20:33:06Z"
|
||||
mac: ENC[AES256_GCM,data:0WuZQxRXih9XRWGwT01eiEppEIPfGOjSpKEthmY3v+kumM6ydpueCroxqIuQoLXke8eKzZ6Xg34C2AvHgCdkHTgYbC9wGf9h8cV7L2xD4F9sLQ2scGThCynG0AGcLRXm152wzSdR5dGr1h4p49WO9XGbLEXD/JzfyPIcENDTPAs=,iv:LIPHnjWJYPlvs+VBvrRpczYD6ncwqTs1Jyz+VdWFaxY=,tag:Cdu7pKIzqi5H4Qo1eW66HQ==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-10-13T01:11:54Z"
|
||||
enc: |-
|
||||
|
|
Loading…
Reference in New Issue