Deployment of Nebula

This commit is contained in:
minish 2024-10-15 17:02:42 -04:00
parent 4507d9bdc8
commit 1735b5074c
Signed by: min
SSH Key Fingerprint: SHA256:NFjjdbkd6u7aoMlcrDCVvz6o2UBtlAuPm8IQ2vhZ3Fg
9 changed files with 77 additions and 6 deletions


@ -35,15 +35,15 @@
systems = ["x86_64-linux"]; systems = ["x86_64-linux"];
perSystem = { perSystem = {
pkgs,
system, system,
pkgs,
... ...
}: { }: {
devShells.default = pkgs.mkShell { devShells.default = pkgs.mkShell {
packages = with pkgs; [ packages = with pkgs; [
sops sops
ssh-to-age ssh-to-age
# not included: age, gpg, pcscd, etc. # not included: age, gpg, pcscd, scdaemon, etc.
deploy-rs deploy-rs
nixos-anywhere nixos-anywhere


@ -8,6 +8,7 @@
./disk-config.nix ./disk-config.nix
./mounts.nix ./mounts.nix
./secrets.nix ./secrets.nix
./nebula.nix
]; ];
networking.hostName = "eidola"; # Define your hostname. networking.hostName = "eidola"; # Define your hostname.
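Review bot: The `./nebula.nix` import added for host `eidola` has no matching module in this commit as far as the page shows: the only nebula.nix added (the 50-line file further down) hard-codes `lh-silver.crt` and the `svc-nebula-key` secret, which belong to the other host, while `n-srv-eidola.crt` and the `nebula-key` secret added here are referenced by nothing visible. The diffstat of 77 additions and 6 deletions is fully accounted for by the nine sections shown, so a second nebula.nix does not appear to be part of this change. If eidola's nebula.nix does not already exist in the tree, evaluation of this host fails on the missing import; if it does, it should be checked that it points at `../../../keys/n-srv-eidola.crt` and `config.sops.secrets."nebula-key".path` rather than a copy of the lighthouse file. The enclosing module continues outside the hunk.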


@ -6,6 +6,7 @@
./min-rip.nix ./min-rip.nix
./gitea.nix ./gitea.nix
./synapse.nix ./synapse.nix
./nebula.nix
]; ];
security.acme = { security.acme = {


@ -0,0 +1,50 @@
{config, ...}: let
netName = "m-infra";
# https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12
userGroup = "nebula-${netName}";
in {
sops.secrets."svc-nebula-key" = {
mode = "0440";
owner = userGroup;
group = userGroup;
};
services.nebula.networks.${netName} = {
ca = ../../../keys/ca.crt;
cert = ../../../keys/lh-silver.crt;
key = config.sops.secrets."svc-nebula-key".path;
isLighthouse = true;
isRelay = true;
listen = {
host = "0.0.0.0";
port = 4242;
};
firewall.outbound = [
{
port = "any";
proto = "any";
host = "any";
}
];
firewall.inbound = [
# Allow pings from anyone
{
port = "any";
proto = "icmp";
host = "any";
}
# Allow SSH from `internal` group
{
port = 12208;
proto = "tcp";
groups = ["internal"];
}
];
};
networking.firewall.allowedUDPPorts = [4242];
}
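Review bot: The module has no header saying what this node is, even though `isLighthouse`, `isRelay`, the hard-coded `lh-silver.crt` and the `0.0.0.0:4242` listener make it specific to the lighthouse host despite the generic filename; a comment above `sops.secrets."svc-nebula-key"` such as `# Lighthouse + relay for the m-infra overlay: CA and host certs are public and may live in the store, only the private key comes from sops.` would save the next reader a trip to the nixpkgs module. The `mode = "0440"` with `owner`/`group` set to `userGroup` works only if the nixpkgs module creates a static `nebula-m-infra` user as the linked line suggests; a module revision that switched to a dynamic user would make sops-nix activation fail on an unknown owner, which is worth stating next to `userGroup`. `firewall.outbound` is any/any/any and `firewall.inbound` admits ICMP from every certificate holder, which is a common overlay default, but the `12208/tcp` rule is only as strong as the CA's discipline in granting the `internal` group at cert issuance, so a one-line comment recording that assumption next to `groups = ["internal"]` would help.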

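--- /dev/null
+++ b/nixos/keys/ca.crt
@@ -0,0 +1,5 @@
+-----BEGIN NEBULA CERTIFICATE-----
+CjkKB20uaW5mcmEorIy3uAYwrPO7xwY6ILUb5mS0HBCYrAhWPXwqvtnBmmqz1lKc
+NOG84dEk3/biQAESQAEi7CVxFVDlG7ihV3nuosvEpodNZqS/RJ8GGKUBuLMz1BfE
+XdnMkMj44YQ2owDKYKgvZFc3nQGsrq5/4cWAdgs=
+-----END NEBULA CERTIFICATE-----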

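--- /dev/null
+++ b/nixos/keys/lh-silver.crt
@@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE-----
+CnAKCWxoLXNpbHZlchIJgYC0UICA/P8PIghpbnRlcm5hbCjGoru4BjCr87vHBjog
+c8vXd3esFyA3adiEHolGzUyi3u4IztrRCVl3T8uzmztKIC9yiWnXjCJT2HfiClMu
++en3Out6l4ReySH/GXaXDNbjEkChm/cVEgVeg86Q9Qipm+bAJ2tKYwwmdxQMMRAz
+fT+XLQ+jKzGLeOIRiDW6ZLyL/mHv4iqQBCNyUIjVqQcTD38D
+-----END NEBULA CERTIFICATE-----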


@ -0,0 +1,6 @@
-----BEGIN NEBULA CERTIFICATE-----
CnMKDG4tc3J2LWVpZG9sYRIJgYK0UICA/P8PIghpbnRlcm5hbCj8mbe4BjCr87vH
BjogwyipoSTT04BJ0zVCsdR8eNanj8hcyHeNabRtfq8M+QRKIC9yiWnXjCJT2Hfi
ClMu+en3Out6l4ReySH/GXaXDNbjEkDvzr+71yUMW3GzCIMy9j2Z1ov8zw8h0s52
FDIyYijYWK8jc7cJBqbdaRhE39zv0vrpfTpH4byWKVOFgVqeViMB
-----END NEBULA CERTIFICATE-----


@ -1,5 +1,6 @@
root-pw: ENC[AES256_GCM,data:g/dIT5d5w+FCAbxgGRJoMISgVTySEqXoBCV/jopu9Cgm4db9zAFWzZ7kUqOr8IQpEpCXyguYClIGExt0SztbRze8YPu9NilcUmYH7QmI+8oaEanYkvwpT5jyBU/M2eG0U9pMzcGI6hl2Ew==,iv:2HmGvFkRrnwYi5gjB4Na/ZayGoCFEsM4TDoqKlzhZUg=,tag:NLuval5PJ6AnDLvPGVvm7w==,type:str] root-pw: ENC[AES256_GCM,data:g/dIT5d5w+FCAbxgGRJoMISgVTySEqXoBCV/jopu9Cgm4db9zAFWzZ7kUqOr8IQpEpCXyguYClIGExt0SztbRze8YPu9NilcUmYH7QmI+8oaEanYkvwpT5jyBU/M2eG0U9pMzcGI6hl2Ew==,iv:2HmGvFkRrnwYi5gjB4Na/ZayGoCFEsM4TDoqKlzhZUg=,tag:NLuval5PJ6AnDLvPGVvm7w==,type:str]
user-pw: ENC[AES256_GCM,data:gr+Dis3c5NWLWnfJG4eJUxwt574R3n40djeK68hukMNPx0qwGRAT5a7UQ5doxtDBgafcH1uCgqrsWwEmy9H5dS6WfLMivE5Uy213EcEk3YNUwI9d5vbdcbCcXWvPsyCu6sxS3x731EVVYA==,iv:4AHzVLoJD95d2UwwEAwxWP0G2gekHahBt4hDDA9ZSx0=,tag:03L3Ql070mt3oDV5YdrETg==,type:str] user-pw: ENC[AES256_GCM,data:gr+Dis3c5NWLWnfJG4eJUxwt574R3n40djeK68hukMNPx0qwGRAT5a7UQ5doxtDBgafcH1uCgqrsWwEmy9H5dS6WfLMivE5Uy213EcEk3YNUwI9d5vbdcbCcXWvPsyCu6sxS3x731EVVYA==,iv:4AHzVLoJD95d2UwwEAwxWP0G2gekHahBt4hDDA9ZSx0=,tag:03L3Ql070mt3oDV5YdrETg==,type:str]
nebula-key: ENC[AES256_GCM,data:YnGtqqWXbwkMYFJAKcBXmbRE+lsW9DwRnsseocTAVVIAqw84o3Qny2LO1vzoErtP7Fx9vPaI2bzvJTICNSTBw2jH4thzLR71XpHZI7mo+FSXzpZx8pxv6pfVcCW4tNK7KXx/PyvzCU21npsPDoVlM1rE/LKPxu2PLoGBd6u+,iv:g5BIpHXXrHZovSWnLURhJzTCaZC6fjVNS1QXwnSlxVs=,tag:9D/wTzaJOd5Vls/l33jZSg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -15,8 +16,8 @@ sops:
dVh4dFgrcWxtMFdUVVZTTm4rczVLaE0KBhCAwRHxtedfNZapyR3lbkxaiWxZR5lW dVh4dFgrcWxtMFdUVVZTTm4rczVLaE0KBhCAwRHxtedfNZapyR3lbkxaiWxZR5lW
SQMhh9sUTnc/4B6StOhZEn+S7bVSRjPgvn9F+W7nCzcq/fpRYTcWvw== SQMhh9sUTnc/4B6StOhZEn+S7bVSRjPgvn9F+W7nCzcq/fpRYTcWvw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-23T20:15:55Z" lastmodified: "2024-10-15T20:21:41Z"
mac: ENC[AES256_GCM,data:l/9IHeMTgA7hzF2EEcWW+wkKa4eRWCRLAmdee371qhipLzgJMKrme+qK2RkJd2txVIgz7m7FJG4HWEo4hVpjvcloY1H0U86dJndwKwGKYTmJPdcEH3HQgKVcx8b5pdkww1g98vnLfY/jwbMBkx3CrPliJw86QVglkmWWHR6W92w=,iv:cYlpkLN4PwHghbRn6KIWgUGEymdbFBsnUZ8xUBgif5g=,tag:jqLa5Nl74DUYFqDpuQPfUA==,type:str] mac: ENC[AES256_GCM,data:UFxO3wb/gAg5hiYkp4lfGeO0gZA6F5sEv6jiwI+GA6BidCkrGMAaYLQm6wvJ9sPHANdzSS72oi+7fUyoQ1M7ukpocpA+qbpC5RjGWQusxrrJK+J7khSWGfP5X8qkJTxFs+FK1D2HcfTIPcwsR4LOHwK/chWg4As4aEgGHcUIZBw=,iv:6RE/Y24jIt5PVlzc8PHIYFCgpEt0QLNeXa0uAk4vWIs=,tag:JrBltUtb7hqr2LsJr2oXRQ==,type:str]
pgp: pgp:
- created_at: "2024-09-02T19:43:07Z" - created_at: "2024-09-02T19:43:07Z"
enc: |- enc: |-


@ -5,6 +5,7 @@ svc-vcnotifier-env: ENC[AES256_GCM,data:8DwT17Aosvu7/Q2ecbir/t9HOtanPlFeBgLOzxtc
svc-breeze-upload_key: ENC[AES256_GCM,data:qNNH4/Q0rk2lsMImzpVe54+DbSAOiGjo,iv:rX9zvcPt6qSbPs6sKYO0T8EVaHU/u9QDoT/ISHdQSV4=,tag:kivJyeJGtuBP0l54qJ0t9w==,type:str] svc-breeze-upload_key: ENC[AES256_GCM,data:qNNH4/Q0rk2lsMImzpVe54+DbSAOiGjo,iv:rX9zvcPt6qSbPs6sKYO0T8EVaHU/u9QDoT/ISHdQSV4=,tag:kivJyeJGtuBP0l54qJ0t9w==,type:str]
svc-synapse-synapse-config: ENC[AES256_GCM,data:r8ZYi67CfftGheassCFiLOVcFUho+sNNe0XCkyQETHT6Q/w2jqO9eAVA2EDJyK4Vk3S4MP6ppcGxwocMmTYzkAjmtwf6a7GzUyh14+Lj5VTybvIKOze0wuLlsEUUYgU=,iv:HTnPaS5/ZvdJIMKiTfPffZmemp5IGTo/mIWrpafk/Fk=,tag:2HusbhzmxqsTMz5/78WCRA==,type:str] svc-synapse-synapse-config: ENC[AES256_GCM,data:r8ZYi67CfftGheassCFiLOVcFUho+sNNe0XCkyQETHT6Q/w2jqO9eAVA2EDJyK4Vk3S4MP6ppcGxwocMmTYzkAjmtwf6a7GzUyh14+Lj5VTybvIKOze0wuLlsEUUYgU=,iv:HTnPaS5/ZvdJIMKiTfPffZmemp5IGTo/mIWrpafk/Fk=,tag:2HusbhzmxqsTMz5/78WCRA==,type:str]
svc-gitea-runner-env: ENC[AES256_GCM,data:M2hV8YM03dcBcgpJqbpiW6RGlhDvkfF/ExF+J1GF+39GnOsBWwPKteM5EAUB2Wrl/zRFifgfNLLdYgSEWhJsT1cBLhI3vwE5,iv:9/nvC3sS6XcLxgeKrEg/AaFhptXCm3uvGgSUMAz4p5Y=,tag:A1MnoJP6aekXuWHhlONnkw==,type:str] svc-gitea-runner-env: ENC[AES256_GCM,data:M2hV8YM03dcBcgpJqbpiW6RGlhDvkfF/ExF+J1GF+39GnOsBWwPKteM5EAUB2Wrl/zRFifgfNLLdYgSEWhJsT1cBLhI3vwE5,iv:9/nvC3sS6XcLxgeKrEg/AaFhptXCm3uvGgSUMAz4p5Y=,tag:A1MnoJP6aekXuWHhlONnkw==,type:str]
svc-nebula-key: ENC[AES256_GCM,data:kqVqnsEgEsMGz2Ud0CS4DnVDd7claVoFyB3grV8TWK/mGdtJwysIYsQRmpbwXcOTTfgdX6vLKxJvleLLHFQGTjf/7QwBrmhfUKryd7CEukaZUsmkJAx3fH5y0mMd84nJucyQk5NqXZhyXQNwg9zmyH20XdaLqrdr0dtkQzIf,iv:OHoIHRKJt4kqbQye6SHLD9wVbLl7wTvs5CheIeOObeg=,tag:4AG0sSlOdTrqtXj3UqzaHQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -20,8 +21,8 @@ sops:
Z1dZRXNCRkQ5cktZRGNpUXJaWHhrYTQKXQ1VOLDgptLJ8JKSBF8CWzyEGHnlbB+4 Z1dZRXNCRkQ5cktZRGNpUXJaWHhrYTQKXQ1VOLDgptLJ8JKSBF8CWzyEGHnlbB+4
6nZlCHid4AFPRdAZ7cgEvJViBTSV05NOWE0pKYO3WZyWVKysfBKtgg== 6nZlCHid4AFPRdAZ7cgEvJViBTSV05NOWE0pKYO3WZyWVKysfBKtgg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-13T07:04:09Z" lastmodified: "2024-10-15T20:33:06Z"
mac: ENC[AES256_GCM,data:/Mn3G6qHRPSZ1vt1ks30EYZ7UxhjmC7hdkZCl0ifipEfrl//zcsgtB96Q0V/35JWPVcVVoirLJsUmMcJZaevjAgIBys9jIjLgw5AN5R9QhVdRJ25tp/qX/JlKHuj9IVOM7n9hzVjauJYoWy6ftSeTmzyWoqTJrKvF6etaU4AUYs=,iv:Wcfr3sbVqOo7JTMH4kooLFDSQGTTV6ZMnKcWJqF6gK0=,tag:Dp9fEDTN4ko1YZp4O4EtWg==,type:str] mac: ENC[AES256_GCM,data:0WuZQxRXih9XRWGwT01eiEppEIPfGOjSpKEthmY3v+kumM6ydpueCroxqIuQoLXke8eKzZ6Xg34C2AvHgCdkHTgYbC9wGf9h8cV7L2xD4F9sLQ2scGThCynG0AGcLRXm152wzSdR5dGr1h4p49WO9XGbLEXD/JzfyPIcENDTPAs=,iv:LIPHnjWJYPlvs+VBvrRpczYD6ncwqTs1Jyz+VdWFaxY=,tag:Cdu7pKIzqi5H4Qo1eW66HQ==,type:str]
pgp: pgp:
- created_at: "2024-10-13T01:11:54Z" - created_at: "2024-10-13T01:11:54Z"
enc: |- enc: |-