24.11 -> 25.05

minish 2025-05-27 18:54:20 -04:00
parent c28f6adcc2
commit 71e55e9fb4
Signed by: min
SSH Key Fingerprint: SHA256:UD/wIBTyCGmuqRq6a1PsiwTehUPikHbuClpnk0U1mdo
6 changed files with 27 additions and 55 deletions


@ -5,7 +5,7 @@
"crane": "crane", "crane": "crane",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nixpkgs": [ "nixpkgs": [
"nixpkgs-unstable" "nixpkgs"
] ]
}, },
"locked": { "locked": {
@ -181,16 +181,16 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1748037224, "lastModified": 1748162331,
"narHash": "sha256-92vihpZr6dwEMV6g98M5kHZIttrWahb9iRPBm1atcPk=", "narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "f09dede81861f3a83f7f06641ead34f02f37597f", "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-24.11", "ref": "nixos-25.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -210,22 +210,6 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-unstable": {
"locked": {
"lastModified": 1747744144,
"narHash": "sha256-W7lqHp0qZiENCDwUZ5EX/lNhxjMdNapFnbErcbnP11Q=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "2795c506fe8fb7b03c36ccb51f75b6df0ab2553f",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"breeze": "breeze", "breeze": "breeze",
@ -234,7 +218,6 @@
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
"impermanence": "impermanence", "impermanence": "impermanence",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"sim-breeze": "sim-breeze", "sim-breeze": "sim-breeze",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
} }


@ -2,8 +2,7 @@
description = "computer systems infrastructure"; description = "computer systems infrastructure";
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.url = "github:hercules-ci/flake-parts";
@ -19,7 +18,7 @@
impermanence.url = "github:nix-community/impermanence"; impermanence.url = "github:nix-community/impermanence";
breeze.url = "git+https://git.min.rip/min/breeze.git"; breeze.url = "git+https://git.min.rip/min/breeze.git";
breeze.inputs.nixpkgs.follows = "nixpkgs-unstable"; breeze.inputs.nixpkgs.follows = "nixpkgs";
sim-breeze.url = "git+ssh://git@git.min.rip/min/sim-breeze.git"; sim-breeze.url = "git+ssh://git@git.min.rip/min/sim-breeze.git";
sim-breeze.inputs.nixpkgs.follows = "nixpkgs"; sim-breeze.inputs.nixpkgs.follows = "nixpkgs";
@ -43,10 +42,10 @@
}: { }: {
devShells.default = pkgs.mkShell { devShells.default = pkgs.mkShell {
packages = with pkgs; [ packages = with pkgs; [
inputs'.nixpkgs-unstable.legacyPackages.sops sops
ssh-to-age ssh-to-age
openssl openssl
inputs'.nixpkgs-unstable.legacyPackages.nebula nebula
# not included: age, age-plugin-yubikey, pcscd # not included: age, age-plugin-yubikey, pcscd
wireguard-tools wireguard-tools
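Review bot: `breeze.inputs.nixpkgs.follows` (line 81) moves breeze from nixos-unstable onto the nixos-25.05 channel, and the devShell (lines 88 and 91) now takes `sops` and `nebula` from that same stable channel; if the unstable pin existed because those packages needed something newer than 24.11 carried, nothing in the hunk records that 25.05 is new enough, so a later reader may re-introduce the unstable input. A short comment above `packages = with pkgs; [`, e.g. `# sops and nebula come from the stable channel since the 25.05 bump; no unstable input needed`, would keep that rationale next to the package list. The devShell attrset continues past the end of the hunk.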


@ -1,11 +1,10 @@
{config, ...}: let {config, ...}: let
inherit (import ../../modules/nebula/shared.nix) userGroup service; inherit (import ../../modules/nebula/shared.nix) userGroup;
in { in {
sops.secrets."nebula-key" = { sops.secrets."nebula-key" = {
mode = "0440"; mode = "0440";
owner = userGroup; owner = userGroup;
group = userGroup; group = userGroup;
restartUnits = [service];
}; };
# TODO: why? # TODO: why?
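Review bot: Dropping `restartUnits = [service]` (line 105, and the same removal at line 119 for `svc-nebula-key`) means a rotated nebula key is written to disk by sops-nix but the running nebula unit keeps the key it loaded at start until someone restarts it by hand, unless the unit now picks up key changes some other way that this page does not show. If the goal was only to stop exporting `service` from shared.nix, the unit name can stay local to this file: `inherit (import ../../modules/nebula/shared.nix) userGroup netName;` together with `restartUnits = ["nebula@${netName}.service"];` (the `nebula@<netName>` unit name is the one the removed shared.nix line spelled out). The `# TODO: why?` comment on the next line is still left unanswered by this change.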


@ -1,11 +1,10 @@
{config, ...}: let {config, ...}: let
inherit (import ../../../modules/nebula/shared.nix) userGroup service; inherit (import ../../../modules/nebula/shared.nix) userGroup;
in { in {
sops.secrets."svc-nebula-key" = { sops.secrets."svc-nebula-key" = {
mode = "0440"; mode = "0440";
owner = userGroup; owner = userGroup;
group = userGroup; group = userGroup;
restartUnits = [service];
}; };
networking.firewall.allowedUDPPorts = [4242]; networking.firewall.allowedUDPPorts = [4242];


@ -4,7 +4,7 @@
... ...
}: }:
with lib; let with lib; let
inherit (import ./shared.nix) netName interface service; inherit (import ./shared.nix) netName interface;
ca = ../../keys/ca.crt; ca = ../../keys/ca.crt;
@ -81,28 +81,21 @@ in {
}; };
}; };
config = mkMerge [ config = mkIf cfg.enable {
(mkIf cfg.enable { networking.firewall.trustedInterfaces = [interface];
networking.firewall.trustedInterfaces = [interface];
services.nebula.networks.${netName} = mkMerge [ services.nebula.networks.${netName} = mkMerge [
{ {
inherit ca; inherit ca;
inherit (cfg) cert key; inherit (cfg) cert key;
firewall = { firewall = {
inherit (baseFirewall) outbound; inherit (baseFirewall) outbound;
inbound = baseFirewall.inbound ++ cfg.extraInbound; inbound = baseFirewall.inbound ++ cfg.extraInbound;
}; };
} }
(mkIf cfg.enableLighthouse baseServer) (mkIf cfg.enableLighthouse baseServer)
(mkIf (!cfg.enableLighthouse) baseClient) (mkIf (!cfg.enableLighthouse) baseClient)
]; ];
}) };
(mkIf config.services.openssh.enable {
# Make sure sshd starts after nebula
# TODO: is this necessary?
systemd.services.sshd.after = [service];
})
];
} }
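Review bot: The removed `systemd.services.sshd.after = [service]` ordering (lines 150-154) settles the old `TODO: is this necessary?` by deletion but records nothing; if sshd on any host listens only on the nebula overlay address, it can now start before `nebula.<netName>` exists and fail to bind, which the hunk alone cannot rule out. A one-line comment beside the new `config = mkIf cfg.enable {`, e.g. `# sshd is no longer ordered after nebula; it does not bind the overlay address at start`, adjusted to the actual reason, would preserve the decision for the next reader. The collapse from `mkMerge [ (mkIf cfg.enable { ... }) ]` to a single `mkIf cfg.enable { ... }` on lines 134-149 is otherwise equivalent for the remaining branch.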


@ -4,5 +4,4 @@ rec {
# https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix
interface = "nebula.${netName}"; interface = "nebula.${netName}";
userGroup = "nebula-${netName}"; userGroup = "nebula-${netName}";
service = "nebula@${netName}.service";
} }