From 1735b5074c1d8ac09703e3de900f0d291d266360 Mon Sep 17 00:00:00 2001
From: min
Date: Tue, 15 Oct 2024 17:02:42 -0400
Subject: [PATCH] Deployment of Nebula
---
 flake.nix | 4 +-
 nixos/hosts/eidola/configuration.nix | 1 +
 nixos/hosts/silver/services/default.nix | 1 +
 nixos/hosts/silver/services/nebula.nix | 50 +++++++++++++++++++++++++
 nixos/keys/ca.crt | 5 +++
 nixos/keys/lh-silver.crt | 6 +++
 nixos/keys/n-srv-eidola.crt | 6 +++
 secrets/eidola.yaml | 5 ++-
 secrets/silver.yaml | 5 ++-
 9 files changed, 77 insertions(+), 6 deletions(-)
 create mode 100644 nixos/hosts/silver/services/nebula.nix
 create mode 100644 nixos/keys/ca.crt
 create mode 100644 nixos/keys/lh-silver.crt
 create mode 100644 nixos/keys/n-srv-eidola.crt
diff --git a/flake.nix b/flake.nix
index ced3934..c2ac07f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -35,15 +35,15 @@ systems = ["x86_64-linux"]; perSystem = { - pkgs, system, + pkgs, ... }: { devShells.default = pkgs.mkShell { packages = with pkgs; [ sops ssh-to-age - # not included: age, gpg, pcscd, etc. + # not included: age, gpg, pcscd, scdaemon, etc. deploy-rs nixos-anywhere
diff --git a/nixos/hosts/eidola/configuration.nix b/nixos/hosts/eidola/configuration.nix
index 8f2d856..6df6bd4 100644
--- a/nixos/hosts/eidola/configuration.nix
+++ b/nixos/hosts/eidola/configuration.nix
@@ -8,6 +8,7 @@
 ./disk-config.nix
 ./mounts.nix
 ./secrets.nix
+ ./nebula.nix
 ];
 networking.hostName = "eidola"; # Define your hostname.
diff --git a/nixos/hosts/silver/services/default.nix b/nixos/hosts/silver/services/default.nix
index 3ba2625..1850d78 100644
--- a/nixos/hosts/silver/services/default.nix
+++ b/nixos/hosts/silver/services/default.nix
@@ -6,6 +6,7 @@
 ./min-rip.nix
 ./gitea.nix
 ./synapse.nix
+ ./nebula.nix
 ];
 security.acme = {
diff --git a/nixos/hosts/silver/services/nebula.nix b/nixos/hosts/silver/services/nebula.nix
new file mode 100644
index 0000000..52e2c56
--- /dev/null
+++ b/nixos/hosts/silver/services/nebula.nix
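Review bot: The `./nebula.nix` added to the imports list of nixos/hosts/eidola/configuration.nix has no matching file in this patch — the diffstat creates only nixos/hosts/silver/services/nebula.nix, while nixos/keys/n-srv-eidola.crt and the `nebula-key` entry in secrets/eidola.yaml are added with nothing referencing them. Unless nixos/hosts/eidola/nebula.nix already exists in the tree, evaluating the eidola configuration fails on the missing path, so the eidola-side module (presumably cert = n-srv-eidola.crt, key = the sops secret, and a lighthouse entry pointing at silver) looks like it was left out of the commit. If it is added, naming the secret `svc-nebula-key` as on silver would let both host modules share the same `sops.secrets` shape. The imports list itself starts outside the hunk.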
@@ -0,0 +1,50 @@
+{config, ...}: let
+ netName = "m-infra";
+ # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12
+ userGroup = "nebula-${netName}";
+in {
+ sops.secrets."svc-nebula-key" = {
+ mode = "0440";
+ owner = userGroup;
+ group = userGroup;
+ };
+
+ services.nebula.networks.${netName} = {
+ ca = ../../../keys/ca.crt;
+ cert = ../../../keys/lh-silver.crt;
+ key = config.sops.secrets."svc-nebula-key".path;
+
+ isLighthouse = true;
+ isRelay = true;
+
+ listen = {
+ host = "0.0.0.0";
+ port = 4242;
+ };
+
+ firewall.outbound = [
+ {
+ port = "any";
+ proto = "any";
+ host = "any";
+ }
+ ];
+
+ firewall.inbound = [
+ # Allow pings from anyone
+ {
+ port = "any";
+ proto = "icmp";
+ host = "any";
+ }
+ # Allow SSH from `internal` group
+ {
+ port = 12208;
+ proto = "tcp";
+ groups = ["internal"];
+ }
+ ];
+ };
+
+ networking.firewall.allowedUDPPorts = [4242];
+}
diff --git a/nixos/keys/ca.crt b/nixos/keys/ca.crt
new file mode 100644
index 0000000..283441f
--- /dev/null
+++ b/nixos/keys/ca.crt
@@ -0,0 +1,5 @@
+-----BEGIN NEBULA CERTIFICATE-----
+CjkKB20uaW5mcmEorIy3uAYwrPO7xwY6ILUb5mS0HBCYrAhWPXwqvtnBmmqz1lKc
+NOG84dEk3/biQAESQAEi7CVxFVDlG7ihV3nuosvEpodNZqS/RJ8GGKUBuLMz1BfE
+XdnMkMj44YQ2owDKYKgvZFc3nQGsrq5/4cWAdgs=
+-----END NEBULA CERTIFICATE-----
diff --git a/nixos/keys/lh-silver.crt b/nixos/keys/lh-silver.crt
new file mode 100644
index 0000000..6fa777f
--- /dev/null
+++ b/nixos/keys/lh-silver.crt
@@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE-----
+CnAKCWxoLXNpbHZlchIJgYC0UICA/P8PIghpbnRlcm5hbCjGoru4BjCr87vHBjog
+c8vXd3esFyA3adiEHolGzUyi3u4IztrRCVl3T8uzmztKIC9yiWnXjCJT2HfiClMu
++en3Out6l4ReySH/GXaXDNbjEkChm/cVEgVeg86Q9Qipm+bAJ2tKYwwmdxQMMRAz
+fT+XLQ+jKzGLeOIRiDW6ZLyL/mHv4iqQBCNyUIjVqQcTD38D
+-----END NEBULA CERTIFICATE-----
diff --git a/nixos/keys/n-srv-eidola.crt b/nixos/keys/n-srv-eidola.crt
new file mode 100644
index 0000000..d15a359
--- /dev/null
+++ b/nixos/keys/n-srv-eidola.crt
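Review bot: The UDP port 4242 is written twice in nixos/hosts/silver/services/nebula.nix — once as `listen.port` and again in `networking.firewall.allowedUDPPorts` — with nothing tying the two together, so a later change to one silently leaves the host firewall and the lighthouse listener out of step; hoist it next to `netName` as `listenPort = 4242;` and use `port = listenPort;` and `networking.firewall.allowedUDPPorts = [listenPort];`. The `groups = ["internal"]` rule on TCP 12208 only admits peers whose certificate carries that group, which is the right shape for an overlay ACL, but nothing in this file shows sshd listening on 12208, so a comment such as `# must match services.openssh.ports on this host` (or an assertion against that option) would keep the rule honest. Both host certificates added in this patch appear to embed the `internal` group, so the rule should match them; worth confirming with `nebula-cert print` before relying on it.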
@@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE-----
+CnMKDG4tc3J2LWVpZG9sYRIJgYK0UICA/P8PIghpbnRlcm5hbCj8mbe4BjCr87vH
+BjogwyipoSTT04BJ0zVCsdR8eNanj8hcyHeNabRtfq8M+QRKIC9yiWnXjCJT2Hfi
+ClMu+en3Out6l4ReySH/GXaXDNbjEkDvzr+71yUMW3GzCIMy9j2Z1ov8zw8h0s52
+FDIyYijYWK8jc7cJBqbdaRhE39zv0vrpfTpH4byWKVOFgVqeViMB
+-----END NEBULA CERTIFICATE-----
diff --git a/secrets/eidola.yaml b/secrets/eidola.yaml
index 2bfcfb1..17d6cce 100644
--- a/secrets/eidola.yaml
+++ b/secrets/eidola.yaml
@@ -1,5 +1,6 @@
 root-pw: ENC[AES256_GCM,data:g/dIT5d5w+FCAbxgGRJoMISgVTySEqXoBCV/jopu9Cgm4db9zAFWzZ7kUqOr8IQpEpCXyguYClIGExt0SztbRze8YPu9NilcUmYH7QmI+8oaEanYkvwpT5jyBU/M2eG0U9pMzcGI6hl2Ew==,iv:2HmGvFkRrnwYi5gjB4Na/ZayGoCFEsM4TDoqKlzhZUg=,tag:NLuval5PJ6AnDLvPGVvm7w==,type:str]
 user-pw: ENC[AES256_GCM,data:gr+Dis3c5NWLWnfJG4eJUxwt574R3n40djeK68hukMNPx0qwGRAT5a7UQ5doxtDBgafcH1uCgqrsWwEmy9H5dS6WfLMivE5Uy213EcEk3YNUwI9d5vbdcbCcXWvPsyCu6sxS3x731EVVYA==,iv:4AHzVLoJD95d2UwwEAwxWP0G2gekHahBt4hDDA9ZSx0=,tag:03L3Ql070mt3oDV5YdrETg==,type:str]
+nebula-key: ENC[AES256_GCM,data:YnGtqqWXbwkMYFJAKcBXmbRE+lsW9DwRnsseocTAVVIAqw84o3Qny2LO1vzoErtP7Fx9vPaI2bzvJTICNSTBw2jH4thzLR71XpHZI7mo+FSXzpZx8pxv6pfVcCW4tNK7KXx/PyvzCU21npsPDoVlM1rE/LKPxu2PLoGBd6u+,iv:g5BIpHXXrHZovSWnLURhJzTCaZC6fjVNS1QXwnSlxVs=,tag:9D/wTzaJOd5Vls/l33jZSg==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -15,8 +16,8 @@ sops:
 dVh4dFgrcWxtMFdUVVZTTm4rczVLaE0KBhCAwRHxtedfNZapyR3lbkxaiWxZR5lW
 SQMhh9sUTnc/4B6StOhZEn+S7bVSRjPgvn9F+W7nCzcq/fpRYTcWvw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-08-23T20:15:55Z"
- mac: ENC[AES256_GCM,data:l/9IHeMTgA7hzF2EEcWW+wkKa4eRWCRLAmdee371qhipLzgJMKrme+qK2RkJd2txVIgz7m7FJG4HWEo4hVpjvcloY1H0U86dJndwKwGKYTmJPdcEH3HQgKVcx8b5pdkww1g98vnLfY/jwbMBkx3CrPliJw86QVglkmWWHR6W92w=,iv:cYlpkLN4PwHghbRn6KIWgUGEymdbFBsnUZ8xUBgif5g=,tag:jqLa5Nl74DUYFqDpuQPfUA==,type:str]
+ lastmodified: "2024-10-15T20:21:41Z"
+ mac: ENC[AES256_GCM,data:UFxO3wb/gAg5hiYkp4lfGeO0gZA6F5sEv6jiwI+GA6BidCkrGMAaYLQm6wvJ9sPHANdzSS72oi+7fUyoQ1M7ukpocpA+qbpC5RjGWQusxrrJK+J7khSWGfP5X8qkJTxFs+FK1D2HcfTIPcwsR4LOHwK/chWg4As4aEgGHcUIZBw=,iv:6RE/Y24jIt5PVlzc8PHIYFCgpEt0QLNeXa0uAk4vWIs=,tag:JrBltUtb7hqr2LsJr2oXRQ==,type:str]
 pgp:
 - created_at: "2024-09-02T19:43:07Z"
 enc: |-
diff --git a/secrets/silver.yaml b/secrets/silver.yaml
index 6fc2aa7..248cc01 100644
--- a/secrets/silver.yaml
+++ b/secrets/silver.yaml
@@ -5,6 +5,7 @@ svc-vcnotifier-env: ENC[AES256_GCM,data:8DwT17Aosvu7/Q2ecbir/t9HOtanPlFeBgLOzxtc
 svc-breeze-upload_key: ENC[AES256_GCM,data:qNNH4/Q0rk2lsMImzpVe54+DbSAOiGjo,iv:rX9zvcPt6qSbPs6sKYO0T8EVaHU/u9QDoT/ISHdQSV4=,tag:kivJyeJGtuBP0l54qJ0t9w==,type:str]
 svc-synapse-synapse-config: ENC[AES256_GCM,data:r8ZYi67CfftGheassCFiLOVcFUho+sNNe0XCkyQETHT6Q/w2jqO9eAVA2EDJyK4Vk3S4MP6ppcGxwocMmTYzkAjmtwf6a7GzUyh14+Lj5VTybvIKOze0wuLlsEUUYgU=,iv:HTnPaS5/ZvdJIMKiTfPffZmemp5IGTo/mIWrpafk/Fk=,tag:2HusbhzmxqsTMz5/78WCRA==,type:str]
 svc-gitea-runner-env: ENC[AES256_GCM,data:M2hV8YM03dcBcgpJqbpiW6RGlhDvkfF/ExF+J1GF+39GnOsBWwPKteM5EAUB2Wrl/zRFifgfNLLdYgSEWhJsT1cBLhI3vwE5,iv:9/nvC3sS6XcLxgeKrEg/AaFhptXCm3uvGgSUMAz4p5Y=,tag:A1MnoJP6aekXuWHhlONnkw==,type:str]
+svc-nebula-key: ENC[AES256_GCM,data:kqVqnsEgEsMGz2Ud0CS4DnVDd7claVoFyB3grV8TWK/mGdtJwysIYsQRmpbwXcOTTfgdX6vLKxJvleLLHFQGTjf/7QwBrmhfUKryd7CEukaZUsmkJAx3fH5y0mMd84nJucyQk5NqXZhyXQNwg9zmyH20XdaLqrdr0dtkQzIf,iv:OHoIHRKJt4kqbQye6SHLD9wVbLl7wTvs5CheIeOObeg=,tag:4AG0sSlOdTrqtXj3UqzaHQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -20,8 +21,8 @@ sops:
 Z1dZRXNCRkQ5cktZRGNpUXJaWHhrYTQKXQ1VOLDgptLJ8JKSBF8CWzyEGHnlbB+4
 6nZlCHid4AFPRdAZ7cgEvJViBTSV05NOWE0pKYO3WZyWVKysfBKtgg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-10-13T07:04:09Z"
- mac: ENC[AES256_GCM,data:/Mn3G6qHRPSZ1vt1ks30EYZ7UxhjmC7hdkZCl0ifipEfrl//zcsgtB96Q0V/35JWPVcVVoirLJsUmMcJZaevjAgIBys9jIjLgw5AN5R9QhVdRJ25tp/qX/JlKHuj9IVOM7n9hzVjauJYoWy6ftSeTmzyWoqTJrKvF6etaU4AUYs=,iv:Wcfr3sbVqOo7JTMH4kooLFDSQGTTV6ZMnKcWJqF6gK0=,tag:Dp9fEDTN4ko1YZp4O4EtWg==,type:str]
+ lastmodified: "2024-10-15T20:33:06Z"
+ mac: ENC[AES256_GCM,data:0WuZQxRXih9XRWGwT01eiEppEIPfGOjSpKEthmY3v+kumM6ydpueCroxqIuQoLXke8eKzZ6Xg34C2AvHgCdkHTgYbC9wGf9h8cV7L2xD4F9sLQ2scGThCynG0AGcLRXm152wzSdR5dGr1h4p49WO9XGbLEXD/JzfyPIcENDTPAs=,iv:LIPHnjWJYPlvs+VBvrRpczYD6ncwqTs1Jyz+VdWFaxY=,tag:Cdu7pKIzqi5H4Qo1eW66HQ==,type:str]
 pgp:
 - created_at: "2024-10-13T01:11:54Z"
 enc: |-