From b4191c56aa7d6926e1dbce1a3901158e7caea4b2 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Thu, 1 Jan 2026 23:46:15 +0100
Subject: [PATCH] nebula: Configure ssh server

---
 modules/system/services/nebula/default.nix |  8 +++--
 modules/system/services/nebula/sshd.nix    | 34 ++++++++++++++++++++++
 2 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 modules/system/services/nebula/sshd.nix

diff --git a/modules/system/services/nebula/default.nix b/modules/system/services/nebula/default.nix
index 54c0884..eb080dc 100644
--- a/modules/system/services/nebula/default.nix
+++ b/modules/system/services/nebula/default.nix
@@ -61,11 +61,11 @@ in
     };
 
     sops.secrets."nebula/host-key" = {
-      owner = config.users.users.nebula-main.name;
-      restartUnits = [ "nebula@main.service" ];
+      owner = config.users.users.nebula-mesh.name;
+      restartUnits = [ "nebula@mesh.service" ];
     };
 
-    services.nebula.networks.main = {
+    services.nebula.networks.mesh = {
       enable = true;
 
       ca = ./ca.crt;
@@ -106,5 +106,7 @@ in
         logging.level = "warning";
       };
     };
+
+    networking.firewall.trustedInterfaces = [ "nebula.mesh" ];
   };
 }
diff --git a/modules/system/services/nebula/sshd.nix b/modules/system/services/nebula/sshd.nix
new file mode 100644
index 0000000..857611f
--- /dev/null
+++ b/modules/system/services/nebula/sshd.nix
@@ -0,0 +1,34 @@
+{ config, lib, ... }:
+let
+  cfg = config.custom.services.nebula.node;
+in
+{
+  options.custom.services.nebula.node.sshd = {
+    enable = lib.mkEnableOption "" // {
+      default = true;
+    };
+    port = lib.mkOption {
+      type = lib.types.port;
+      default = 22;
+    };
+  };
+
+  config = lib.mkIf (cfg.enable && cfg.sshd.enable) {
+    meta.ports.tcp = [ cfg.sshd.port ];
+
+    services.openssh = {
+      enable = true;
+      openFirewall = false;
+      ports = [ ];
+      listenAddresses = lib.singleton {
+        addr = cfg.address;
+        inherit (cfg.sshd) port;
+      };
+    };
+
+    systemd.services.sshd = {
+      requires = [ "nebula@mesh.service" ];
+      after = [ "nebula@mesh.service" ];
+    };
+  };
+}
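Review bot: `networking.firewall.trustedInterfaces = [ "nebula.mesh" ]` in the second default.nix hunk turns off host-firewall filtering for every packet that arrives over the overlay, so any peer Nebula admits can reach every service listening on the host, not only the sshd that sshd.nix binds to `cfg.address`; the `openFirewall = false` and `meta.ports.tcp = [ cfg.sshd.port ]` in the new sshd.nix then no longer decide what is actually reachable. If the intent is to expose only selected ports to the mesh, scope it per port instead, e.g. `networking.firewall.interfaces."nebula.mesh".allowedTCPPorts = [ cfg.sshd.port ];` (or whatever `meta.ports.tcp` is collected into), and leave the interface out of `trustedInterfaces`. Whether the Nebula-side inbound rules already restrict this cannot be seen here, since the `services.nebula.networks.mesh` definition runs outside the hunk, and the enclosing `config` attribute set also starts before it.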
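Review bot: Both new options in sshd.nix are undocumented: `lib.mkEnableOption ""` produces an empty "Whether to enable ." description and `port` has no `description` at all, so the generated option docs say nothing about the fact that enabling this moves sshd off all other addresses. I would write `enable = lib.mkEnableOption "binding the SSH server exclusively to this node's Nebula address"` and add `description = "TCP port on which sshd listens on the Nebula address.";` to `port`. Because `ports = [ ]` leaves `listenAddresses` on `cfg.address` as the only listener, SSH access exists only while nebula@mesh.service is healthy; that lockout trade-off belongs in the module comment, and the `requires`/`after` ordering only sequences unit start, so if the unit becomes active before the overlay address is assigned sshd may still fail to bind — worth confirming against the nebula unit's readiness signalling, which is not visible here. `cfg.address` is not declared in this file and is presumably defined by the surrounding node module.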