From 435a70a4e926cc646ff1095c967409c3eda125d2 Mon Sep 17 00:00:00 2001
From: SebastianStork <git@sstork.dev>
Date: Tue, 23 Dec 2025 14:43:18 +0100
Subject: [PATCH] nebula: Test with desktop and vps-private

---
 hosts/desktop/default.nix         | 4 ++++
 hosts/desktop/keys/nebula.crt     | 6 ++++++
 hosts/desktop/keys/nebula.pub     | 3 +++
 hosts/desktop/secrets.json        | 9 ++++++---
 hosts/vps-private/default.nix     | 6 ++++++
 hosts/vps-private/keys/nebula.crt | 6 ++++++
 hosts/vps-private/keys/nebula.pub | 3 +++
 hosts/vps-private/secrets.json    | 7 +++++--
 8 files changed, 39 insertions(+), 5 deletions(-)
 create mode 100644 hosts/desktop/keys/nebula.crt
 create mode 100644 hosts/desktop/keys/nebula.pub
 create mode 100644 hosts/vps-private/keys/nebula.crt
 create mode 100644 hosts/vps-private/keys/nebula.pub

diff --git a/hosts/desktop/default.nix b/hosts/desktop/default.nix
index 4cb4d43..2763555 100644
--- a/hosts/desktop/default.nix
+++ b/hosts/desktop/default.nix
@@ -33,6 +33,10 @@
         enable = true;
         ssh.enable = true;
       };
+      nebula.node = {
+        enable = true;
+        address = "10.254.250.1";
+      };
       syncthing = {
         enable = true;
         deviceId = "FAJS5WM-UAWGW2U-FXCGPSP-VAUOTGM-XUKSEES-D66PMCJ-WBODJLV-XTNCRA7";
diff --git a/hosts/desktop/keys/nebula.crt b/hosts/desktop/keys/nebula.crt
new file mode 100644
index 0000000..03613b7
--- /dev/null
+++ b/hosts/desktop/keys/nebula.crt
@@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE V2-----
+MIGmoECAB2Rlc2t0b3ChBwQFCv76ARiFBGlIaqqGBGsoffSHIBVD/hlbqt7XLMVq
+DE4DhIQzJRBaXtQIwm5gRTI7c0VogiAWuCbaQyz2y1A+OrT1+mI2U2EdQ3X3HPzA
+SkjZQ+zAG4NANTlPvjlzVHXcvSnZpWO0HVFFLlFKkPav33SUb51KaOt+HX0Xyu3r
+3EvhBuRRS6pc6x5/ZawfxWakQwb5dTuhDg==
+-----END NEBULA CERTIFICATE V2-----
diff --git a/hosts/desktop/keys/nebula.pub b/hosts/desktop/keys/nebula.pub
new file mode 100644
index 0000000..944fe81
--- /dev/null
+++ b/hosts/desktop/keys/nebula.pub
@@ -0,0 +1,3 @@
+-----BEGIN NEBULA X25519 PUBLIC KEY-----
+Frgm2kMs9stQPjq09fpiNlNhHUN19xz8wEpI2UPswBs=
+-----END NEBULA X25519 PUBLIC KEY-----
diff --git a/hosts/desktop/secrets.json b/hosts/desktop/secrets.json
index 78b937f..31957b1 100644
--- a/hosts/desktop/secrets.json
+++ b/hosts/desktop/secrets.json
@@ -7,6 +7,9 @@
     "cert": "ENC[AES256_GCM,data:Rf6Pgni4jkcFC0pYC+CBJnCRfsNqSBR2yStaFngefb2/rQd3za2h7o7fp2IPVLs9fYmUG5r8/mP9K0m46xA/2wVLp+ddyNA2wndSwk7ZqNEs2BA/GAdelX8gtcPV74CkB/NJa4E42qH7aTVcgrBZVIM27RxO6e/8r8JSXb/HOczYpLAVdW2DHXjGrzi43cjEcn8UK+dNeNsp0AlEZqN9eRRbqh3JQr7+WOYKkk0R0VP3SLH4O9ROLzSJ4Pw4BoLArR3lvp7pOLOrmXvazToKkMInnLZsH0oV7Zvpu1kTz2KrvhIZdNoUZOV2L/laoS7nc/MFixEwpMy4gqszhiADXlNEbslZyZPcq9KxLgIH0W3xKuQDwrC/RWfjMAwnpucByKy9dR4+9C7maVYp5rvBdRbhNM/Yp6U465d8qJVG5YmURG5NBudAsXkfkp8/AqGSK8RQk/F2b28SfqVCfd/Kga1SINcbdEY7P9nNxx3sbVhncQ3pZXY2tZhYJiSuZ/hGMuPa3yMJPgDPJV8tPIUASCNxbeLOKp7HVghb9IIHSDhhiZmFTFB9xT8X9w05w0afLgQQCybG81YGXvXTiA/xLriA2AzQqg4KzdjUgs+lv7rPL9fsP5V7LAoBZamTirsOCoApMrP7L+QP0OTFyHBakf+GBEREwn5dygos+/vBXne4RtDmji/+zh9U1CqwwCIbx/rdVODzYusYV0lvDjYPyVnTWjEGQN5uGCgEBozQWUkaR1KlmamzcXS9ihPsIa1VNu/aLRrb66hS99wuALFdHJPg5XgHNKEA+Re/lXqUwups/A1RQ9bymqXUj8lIK1hDWsC3DCqDsL54x2BIodyvBBB8hyHFnBC3xg+W8yC0SQLivkFLdNMTRdAgyREFEZp3Nvi19B9+njnciFjcbRj+sG1L9X2OSvDZ2e7273DYtXAVsI9977VBtQYHmjXeyDVBnK53sri/8P2ofniPmBM/ZQ9X1UtMI+vrKIj/o4jcTaEcAmqA9bI2YbG5p84rIH6mBA4SvPCHGz6s48XhaYLzCJbOIR+eqwjbvBA=,iv:72+0+hlBxKtuhjhrLD1EMlx8LcJtskxO+MCpYj7rpes=,tag:qnQlahuimpMoVY1hbTGI6g==,type:str]",
     "key": "ENC[AES256_GCM,data:A/Am53gADkKNOn1kAgNoJmirRhIDtysyX8+ubtpyKTQKhTzEJfEKFrVw5BjJ8rYRS31DgMYV20FQs7HOfoRsR3MFdSGDFUgePnbIcNGpHD6EY8GJ9TblT+NyPsYsKG4WgFZElOjQYT3X9Rr0IWoNnDJoOaaI5sCpOumfLKWrekWvYfTUT+SiFfkCebeEQs7ZF7G6ZQJF73upaeKdbd8/uBdcfVc/c6PdjGvY1xnCOAqW39S9K2fK0RibqHs8BiuzPBTCYjBg6euYXi+XGrZjmHLFnj/ZflroiPJr/qFhMDVnmiaW7M3sWYDQYYPd6rk6Adam+ylEAU8BXwIjmdHNkR48WbdIDYWCHHdv4iZ8MLTj6MaX/ksIZvev2M19Eiyi,iv:lkGS4uR0Xd7FnahXLjVc8g0PiRPxyUS6YQY3EM3B5G0=,tag:NZYybe/MgP+LNlJ09AiV6g==,type:str]"
   },
+  "nebula": {
+    "host-key": "ENC[AES256_GCM,data:Udr9Frsmn5krgFHgjTbtUoziUCL9eRgFpslWL8Pfx6Y/iHaLg2zuuH8OnsU1wRr68VZVxJ8lhhPInG2Q+SFOaUt9LHAxRc+GxeBq0kRw+Slqd8dOyvFC+Q9IBlgf9dynF/gyyCNsaec9arggvK0BJiHuCZeJ15gCE9nUQJspAw==,iv:fZQOFH+iFWUu+Vap7irn0i265NuFwwzvaK0J1tRdbl4=,tag:d6uWFpM77RsPAyKwCES8zg==,type:str]"
+  },
   "sops": {
     "age": [
       {
@@ -18,9 +21,9 @@
         "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Qmh4TnU2U0toYXZlaUpU\nZWdBVFMwRVpxelBTb3FvMHVDQkFMMkVlOEVjCjNaTEJDaGlkcUJtem43aDZ6Yk9j\nZGhmWFFvbm1HN0N1VkUyN1lQLzM2c0UKLS0tIHhEeFNyaXI0UDB0ZDBydW80djRX\nSmpyNDlLSFMvaXRsZGdWcS9nVTRzbk0KNryo5P1+bu9vntBafSgAAHxSsYXG2ELj\nQQM6kP+eaSoEFXfWxp7dhxHcjoTjQ9DmCgzVaDUD8nLzFsiJsgbjIg==\n-----END AGE ENCRYPTED FILE-----\n"
       }
     ],
-    "lastmodified": "2025-10-11T15:48:45Z",
-    "mac": "ENC[AES256_GCM,data:JXwbZJDo7yDhTPA7QfJ83dWuIJovwyijqcU6XtLMToN6LQnqsdD0mJ9blZDXFT6X+Z/LIlkeK/LOZURYLp73FiAPV5I8S9D7iq/PCGiB6HZOIAzZbwD4s3/0lw+0FhcpVK6obS1gMqr1si6vDm5mM4XvhMifOCx9Dxic8IuGoTg=,iv:QbxT/6oNQa598yeAFBrYnNn/N8uNsMoIZNJMPAaijH8=,tag:1IgkVIJlcpQ9TNW/javbmg==,type:str]",
+    "lastmodified": "2025-12-21T01:21:48Z",
+    "mac": "ENC[AES256_GCM,data:tn8lgEn8Sp2YYFUVRUa+yOND7oISGld22+otWBB9U1she28JZ+g+vvdpCPRPevkqWHA+BawKUKkaD8Iaoe732HQukpbIBrVgK+g6YpaSnakhSZPGV2oE3z7KdSDeYdBF/La0ml1OKs67hldFfN9D2Sl5RdTROwBWaVaJesNTFS4=,iv:BCbSXBAUqb/LoDfLXLi6UB+CRuJOKEXuHFjITAdaH+E=,tag:f570BuZv30rL45m4y1IwJg==,type:str]",
     "unencrypted_suffix": "_unencrypted",
-    "version": "3.10.2"
+    "version": "3.11.0"
   }
 }
diff --git a/hosts/vps-private/default.nix b/hosts/vps-private/default.nix
index 0e267d5..4ffc15f 100644
--- a/hosts/vps-private/default.nix
+++ b/hosts/vps-private/default.nix
@@ -33,6 +33,12 @@
           ssh.enable = true;
           exitNode.enable = true;
         };
+        nebula.node = {
+          enable = true;
+          address = "10.254.250.2";
+          isLighthouse = true;
+          routableAddress = "49.13.231.235";
+        };
 
         syncthing = {
           enable = true;
diff --git a/hosts/vps-private/keys/nebula.crt b/hosts/vps-private/keys/nebula.crt
new file mode 100644
index 0000000..12e3761
--- /dev/null
+++ b/hosts/vps-private/keys/nebula.crt
@@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE V2-----
+MIGqoESAC3Zwcy1wcml2YXRloQcEBQr++gIYhQRpSG/KhgRrKH30hyAVQ/4ZW6re
+1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIgxxdwQe3CJkEjhN6lB0dWCNqjNug5
+oIN9KQTTTCp0dguDQHynn1xdarsZsfvF6ZJB01HrOVgLs2kVod3ZZZD3L8Fe/hfF
+TryU5SxJ8MH6irDdtgTs+9pU+BaNWms1X4zfkAQ=
+-----END NEBULA CERTIFICATE V2-----
diff --git a/hosts/vps-private/keys/nebula.pub b/hosts/vps-private/keys/nebula.pub
new file mode 100644
index 0000000..c835b45
--- /dev/null
+++ b/hosts/vps-private/keys/nebula.pub
@@ -0,0 +1,3 @@
+-----BEGIN NEBULA X25519 PUBLIC KEY-----
+xxdwQe3CJkEjhN6lB0dWCNqjNug5oIN9KQTTTCp0dgs=
+-----END NEBULA X25519 PUBLIC KEY-----
diff --git a/hosts/vps-private/secrets.json b/hosts/vps-private/secrets.json
index aed6713..46b3167 100644
--- a/hosts/vps-private/secrets.json
+++ b/hosts/vps-private/secrets.json
@@ -21,6 +21,9 @@
   "radicale": {
     "htpasswd": "ENC[AES256_GCM,data:PaN9mAYR8slQQpojnZpCPMNxgQtvCa0pj90tfUgQr9MFgout7RpbWs97XMzbmWws6ov3g91+0U5l1tcS68O4rQ==,iv:Je68Sg1b5qkx1WYJ5y11yx+ASNd5bk43YpY8axzqNGI=,tag:Ce84ptIiCIRHpZHSoozoyg==,type:str]"
   },
+  "nebula": {
+    "host-key": "ENC[AES256_GCM,data:dS3tXWUK+POzTZ98wLETaWz4ief/yFULCfI5Y3EbK26KQpwxzw6cpLXUNOSZeUwz9brN/4JcwUgewJR08Uq3HZhKZKoMPZfPRtZMDe51I4RYg4hZd1mMWXQn82KmSytZCiDIL/9qCwYvObVRiNCpAOKRj6JBpgpoQ1u5hgn1EA==,iv:G25EpAnvoLfYXAdPyJVqS3ocUPg5LQlUoi7fA+XFOZ8=,tag:/BNhuxJCunM85H9DnPF5Kg==,type:str]"
+  },
   "sops": {
     "age": [
       {
@@ -32,8 +35,8 @@
         "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqU01heng3NHdrYnZFZmZn\nZlJtUUIyd1ExTmhzeU5iZFZadFcwR25GOEVZCmxHOXNWQVh1ZlJSRHJtaDVHNVUv\nbTY0TlNmZ2hESDkzS2M3WHdlamxwclkKLS0tIEEvOFd3TDFkQmQwbjBodHhpb1BD\nZ2NvTnNqQmtrLy9aVDdGRGxZbVgrZG8KdnnjJWcjZFu3R8fVKToj6THHHRCFou9k\njQoedCZAML2A2FZIhHugH9wnDUPQQjG86WbcCBuFWcOTGiTF2gN+Qg==\n-----END AGE ENCRYPTED FILE-----\n"
       }
     ],
-    "lastmodified": "2025-12-09T12:25:40Z",
-    "mac": "ENC[AES256_GCM,data:S9WbziGg3LInSZ0ClNa7AKAOHxmYN12K/8Gw0EEWU/Sw5drdQ0UUPapU6r2FJRssQhjw03tOfwylEHO0fFZx9ra0bk9ZX+QrNnktSWNzpJE3XAg9/OzApOoyWptvfxEFLWdYb7FgB4qlK+goNYTiC7sPe1Z4j9Ct25ARfFQYKFc=,iv:7vehA/fdtEJ3B+vnsP2EkaO0L8h4B/gmXudFgJCyyAA=,tag:wBYlqvWDQobqPutTVFbfEA==,type:str]",
+    "lastmodified": "2025-12-21T22:05:56Z",
+    "mac": "ENC[AES256_GCM,data:i6N/BeTtqkiYz5igk7mHxa69Z8MEe2cRF9541P93utNBddrTGev4VQ5VoqEQEkcOpKWvH5DbQcfsa8k60/zaGXJZ9tWbmbBiBTrbjdslpPJTbVkIwMXWYVhbS87WhfAsyQbRzXu73/jArGKVfDPzcdl2FuRmzXZKQkVjRc7x+Rc=,iv:HxjT6ppxY6jkrSPrcP9m84dd2gy2rGCGKV8MdjGy7FA=,tag:KPWQ2nhsGFuhX8ddFhEZow==,type:str]",
     "unencrypted_suffix": "_unencrypted",
     "version": "3.11.0"
   }