Deployment of Nebula

2024-10-15 17:02:42 -04:00 · 2024-10-15 17:02:42 -04:00 · 1735b5074c
parent 4507d9bdc8
commit 1735b5074c
9 changed files with 77 additions and 6 deletions
--- a/flake.nix
+++ b/flake.nix
@ -35,15 +35,15 @@
      systems = ["x86_64-linux"];

      perSystem = {
-        pkgs,
        system,
+        pkgs,
        ...
      }: {
        devShells.default = pkgs.mkShell {
          packages = with pkgs; [
            sops
            ssh-to-age
-            # not included: age, gpg, pcscd, etc.
+            # not included: age, gpg, pcscd, scdaemon, etc.

            deploy-rs
            nixos-anywhere
--- a/nixos/hosts/eidola/configuration.nix
+++ b/nixos/hosts/eidola/configuration.nix
@ -8,6 +8,7 @@
    ./disk-config.nix
    ./mounts.nix
    ./secrets.nix
+    ./nebula.nix
  ];

  networking.hostName = "eidola"; # Define your hostname.
--- a/nixos/hosts/silver/services/default.nix
+++ b/nixos/hosts/silver/services/default.nix
@ -6,6 +6,7 @@
    ./min-rip.nix
    ./gitea.nix
    ./synapse.nix
+    ./nebula.nix
  ];

  security.acme = {
--- a/nixos/hosts/silver/services/nebula.nix
+++ b/nixos/hosts/silver/services/nebula.nix
@ -0,0 +1,50 @@
+{config, ...}: let
+  netName = "m-infra";
+  # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12
+  userGroup = "nebula-${netName}";
+in {
+  sops.secrets."svc-nebula-key" = {
+    mode = "0440";
+    owner = userGroup;
+    group = userGroup;
+  };
+
+  services.nebula.networks.${netName} = {
+    ca = ../../../keys/ca.crt;
+    cert = ../../../keys/lh-silver.crt;
+    key = config.sops.secrets."svc-nebula-key".path;
+
+    isLighthouse = true;
+    isRelay = true;
+
+    listen = {
+      host = "0.0.0.0";
+      port = 4242;
+    };
+
+    firewall.outbound = [
+      {
+        port = "any";
+        proto = "any";
+        host = "any";
+      }
+    ];
+
+    firewall.inbound = [
+      # Allow pings from anyone
+      {
+        port = "any";
+        proto = "icmp";
+        host = "any";
+      }
+      # Allow SSH from `internal` group
+      {
+        port = 12208;
+        proto = "tcp";
+        groups = ["internal"];
+      }
+    ];
+  };
+
+  networking.firewall.allowedUDPPorts = [4242];
+}
--- a/nixos/keys/ca.crt
+++ b/nixos/keys/ca.crt
@ -0,0 +1,5 @@
+-----BEGIN NEBULA CERTIFICATE-----
+CjkKB20uaW5mcmEorIy3uAYwrPO7xwY6ILUb5mS0HBCYrAhWPXwqvtnBmmqz1lKc
+NOG84dEk3/biQAESQAEi7CVxFVDlG7ihV3nuosvEpodNZqS/RJ8GGKUBuLMz1BfE
+XdnMkMj44YQ2owDKYKgvZFc3nQGsrq5/4cWAdgs=
+-----END NEBULA CERTIFICATE-----
--- a/nixos/keys/lh-silver.crt
+++ b/nixos/keys/lh-silver.crt
@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE-----
+CnAKCWxoLXNpbHZlchIJgYC0UICA/P8PIghpbnRlcm5hbCjGoru4BjCr87vHBjog
+c8vXd3esFyA3adiEHolGzUyi3u4IztrRCVl3T8uzmztKIC9yiWnXjCJT2HfiClMu
+en3Out6l4ReySH/GXaXDNbjEkChm/cVEgVeg86Q9Qipm+bAJ2tKYwwmdxQMMRAz
+fT+XLQ+jKzGLeOIRiDW6ZLyL/mHv4iqQBCNyUIjVqQcTD38D
+-----END NEBULA CERTIFICATE-----
--- a/nixos/keys/n-srv-eidola.crt
+++ b/nixos/keys/n-srv-eidola.crt
@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE-----
+CnMKDG4tc3J2LWVpZG9sYRIJgYK0UICA/P8PIghpbnRlcm5hbCj8mbe4BjCr87vH
+BjogwyipoSTT04BJ0zVCsdR8eNanj8hcyHeNabRtfq8M+QRKIC9yiWnXjCJT2Hfi
+ClMu+en3Out6l4ReySH/GXaXDNbjEkDvzr+71yUMW3GzCIMy9j2Z1ov8zw8h0s52
+FDIyYijYWK8jc7cJBqbdaRhE39zv0vrpfTpH4byWKVOFgVqeViMB
+-----END NEBULA CERTIFICATE-----
--- a/secrets/eidola.yaml
+++ b/secrets/eidola.yaml
@ -1,5 +1,6 @@
 root-pw: ENC[AES256_GCM,data:g/dIT5d5w+FCAbxgGRJoMISgVTySEqXoBCV/jopu9Cgm4db9zAFWzZ7kUqOr8IQpEpCXyguYClIGExt0SztbRze8YPu9NilcUmYH7QmI+8oaEanYkvwpT5jyBU/M2eG0U9pMzcGI6hl2Ew==,iv:2HmGvFkRrnwYi5gjB4Na/ZayGoCFEsM4TDoqKlzhZUg=,tag:NLuval5PJ6AnDLvPGVvm7w==,type:str]
 user-pw: ENC[AES256_GCM,data:gr+Dis3c5NWLWnfJG4eJUxwt574R3n40djeK68hukMNPx0qwGRAT5a7UQ5doxtDBgafcH1uCgqrsWwEmy9H5dS6WfLMivE5Uy213EcEk3YNUwI9d5vbdcbCcXWvPsyCu6sxS3x731EVVYA==,iv:4AHzVLoJD95d2UwwEAwxWP0G2gekHahBt4hDDA9ZSx0=,tag:03L3Ql070mt3oDV5YdrETg==,type:str]
+nebula-key: ENC[AES256_GCM,data:YnGtqqWXbwkMYFJAKcBXmbRE+lsW9DwRnsseocTAVVIAqw84o3Qny2LO1vzoErtP7Fx9vPaI2bzvJTICNSTBw2jH4thzLR71XpHZI7mo+FSXzpZx8pxv6pfVcCW4tNK7KXx/PyvzCU21npsPDoVlM1rE/LKPxu2PLoGBd6u+,iv:g5BIpHXXrHZovSWnLURhJzTCaZC6fjVNS1QXwnSlxVs=,tag:9D/wTzaJOd5Vls/l33jZSg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -15,8 +16,8 @@ sops:
            dVh4dFgrcWxtMFdUVVZTTm4rczVLaE0KBhCAwRHxtedfNZapyR3lbkxaiWxZR5lW
            SQMhh9sUTnc/4B6StOhZEn+S7bVSRjPgvn9F+W7nCzcq/fpRYTcWvw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-23T20:15:55Z"
-    mac: ENC[AES256_GCM,data:l/9IHeMTgA7hzF2EEcWW+wkKa4eRWCRLAmdee371qhipLzgJMKrme+qK2RkJd2txVIgz7m7FJG4HWEo4hVpjvcloY1H0U86dJndwKwGKYTmJPdcEH3HQgKVcx8b5pdkww1g98vnLfY/jwbMBkx3CrPliJw86QVglkmWWHR6W92w=,iv:cYlpkLN4PwHghbRn6KIWgUGEymdbFBsnUZ8xUBgif5g=,tag:jqLa5Nl74DUYFqDpuQPfUA==,type:str]
+    lastmodified: "2024-10-15T20:21:41Z"
+    mac: ENC[AES256_GCM,data:UFxO3wb/gAg5hiYkp4lfGeO0gZA6F5sEv6jiwI+GA6BidCkrGMAaYLQm6wvJ9sPHANdzSS72oi+7fUyoQ1M7ukpocpA+qbpC5RjGWQusxrrJK+J7khSWGfP5X8qkJTxFs+FK1D2HcfTIPcwsR4LOHwK/chWg4As4aEgGHcUIZBw=,iv:6RE/Y24jIt5PVlzc8PHIYFCgpEt0QLNeXa0uAk4vWIs=,tag:JrBltUtb7hqr2LsJr2oXRQ==,type:str]
    pgp:
        - created_at: "2024-09-02T19:43:07Z"
          enc: |-
--- a/secrets/silver.yaml
+++ b/secrets/silver.yaml
@ -5,6 +5,7 @@ svc-vcnotifier-env: ENC[AES256_GCM,data:8DwT17Aosvu7/Q2ecbir/t9HOtanPlFeBgLOzxtc
 svc-breeze-upload_key: ENC[AES256_GCM,data:qNNH4/Q0rk2lsMImzpVe54+DbSAOiGjo,iv:rX9zvcPt6qSbPs6sKYO0T8EVaHU/u9QDoT/ISHdQSV4=,tag:kivJyeJGtuBP0l54qJ0t9w==,type:str]
 svc-synapse-synapse-config: ENC[AES256_GCM,data:r8ZYi67CfftGheassCFiLOVcFUho+sNNe0XCkyQETHT6Q/w2jqO9eAVA2EDJyK4Vk3S4MP6ppcGxwocMmTYzkAjmtwf6a7GzUyh14+Lj5VTybvIKOze0wuLlsEUUYgU=,iv:HTnPaS5/ZvdJIMKiTfPffZmemp5IGTo/mIWrpafk/Fk=,tag:2HusbhzmxqsTMz5/78WCRA==,type:str]
 svc-gitea-runner-env: ENC[AES256_GCM,data:M2hV8YM03dcBcgpJqbpiW6RGlhDvkfF/ExF+J1GF+39GnOsBWwPKteM5EAUB2Wrl/zRFifgfNLLdYgSEWhJsT1cBLhI3vwE5,iv:9/nvC3sS6XcLxgeKrEg/AaFhptXCm3uvGgSUMAz4p5Y=,tag:A1MnoJP6aekXuWHhlONnkw==,type:str]
+svc-nebula-key: ENC[AES256_GCM,data:kqVqnsEgEsMGz2Ud0CS4DnVDd7claVoFyB3grV8TWK/mGdtJwysIYsQRmpbwXcOTTfgdX6vLKxJvleLLHFQGTjf/7QwBrmhfUKryd7CEukaZUsmkJAx3fH5y0mMd84nJucyQk5NqXZhyXQNwg9zmyH20XdaLqrdr0dtkQzIf,iv:OHoIHRKJt4kqbQye6SHLD9wVbLl7wTvs5CheIeOObeg=,tag:4AG0sSlOdTrqtXj3UqzaHQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -20,8 +21,8 @@ sops:
            Z1dZRXNCRkQ5cktZRGNpUXJaWHhrYTQKXQ1VOLDgptLJ8JKSBF8CWzyEGHnlbB+4
            6nZlCHid4AFPRdAZ7cgEvJViBTSV05NOWE0pKYO3WZyWVKysfBKtgg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-13T07:04:09Z"
-    mac: ENC[AES256_GCM,data:/Mn3G6qHRPSZ1vt1ks30EYZ7UxhjmC7hdkZCl0ifipEfrl//zcsgtB96Q0V/35JWPVcVVoirLJsUmMcJZaevjAgIBys9jIjLgw5AN5R9QhVdRJ25tp/qX/JlKHuj9IVOM7n9hzVjauJYoWy6ftSeTmzyWoqTJrKvF6etaU4AUYs=,iv:Wcfr3sbVqOo7JTMH4kooLFDSQGTTV6ZMnKcWJqF6gK0=,tag:Dp9fEDTN4ko1YZp4O4EtWg==,type:str]
+    lastmodified: "2024-10-15T20:33:06Z"
+    mac: ENC[AES256_GCM,data:0WuZQxRXih9XRWGwT01eiEppEIPfGOjSpKEthmY3v+kumM6ydpueCroxqIuQoLXke8eKzZ6Xg34C2AvHgCdkHTgYbC9wGf9h8cV7L2xD4F9sLQ2scGThCynG0AGcLRXm152wzSdR5dGr1h4p49WO9XGbLEXD/JzfyPIcENDTPAs=,iv:LIPHnjWJYPlvs+VBvrRpczYD6ncwqTs1Jyz+VdWFaxY=,tag:Cdu7pKIzqi5H4Qo1eW66HQ==,type:str]
    pgp:
        - created_at: "2024-10-13T01:11:54Z"
          enc: |-