nebula: Add caCertificatePath and privateKeyPath options

For future use in NixOS tests
SebastianStork 2026-02-14 21:18:41 +01:00
parent 42c49e8249
commit cb4c268550
Signed by: SebastianStork
SSH key fingerprint: SHA256:iEM011ogNMG1q8+U500adGu/9rpPuZ2KnFtbdLeqTiI


@ -27,6 +27,10 @@ in
++ lib.optional config.custom.services.syncthing.enable "syncthing";
};
caCertificatePath = lib.mkOption {
type = lib.types.path;
default = ./ca.crt;
};
publicKeyPath = lib.mkOption {
type = lib.types.path;
default = "${self}/hosts/${netCfg.hostName}/keys/nebula.pub";
@ -35,6 +39,10 @@ in
type = lib.types.path;
default = "${self}/hosts/${netCfg.hostName}/keys/nebula.crt";
};
privateKeyPath = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
};
};
config = lib.mkIf cfg.enable {
@ -50,14 +58,14 @@ in
systemdUnit = "nebula@mesh.service";
};
sops.secrets."nebula/host-key" = {
sops.secrets."nebula/host-key" = lib.mkIf (cfg.privateKeyPath == null) {
owner = config.users.users.nebula-mesh.name;
restartUnits = [ "nebula@mesh.service" ];
};
environment.etc = {
"nebula/ca.crt" = {
source = ./ca.crt;
source = cfg.caCertificatePath;
mode = "0440";
user = config.systemd.services."nebula@mesh".serviceConfig.User;
};
@ -73,7 +81,11 @@ in
ca = "/etc/nebula/ca.crt";
cert = "/etc/nebula/host.crt";
key = config.sops.secrets."nebula/host-key".path;
key =
if (cfg.privateKeyPath != null) then
cfg.privateKeyPath
else
config.sops.secrets."nebula/host-key".path;
tun.device = netCfg.overlay.interface;
listen = {