nebula: Switch to group-based firewall rules

2026-03-22 22:29:06 +01:00 · 2026-02-05 23:32:52 +01:00 · 2026-02-05 23:32:52 +01:00 · dfdabfb5b1
commit dfdabfb5b1
parent ec0d5b839e
9 changed files with 39 additions and 37 deletions
--- a/hosts/desktop/keys/nebula.crt
+++ b/hosts/desktop/keys/nebula.crt
@ -1,6 +1,6 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIGmoECAB2Rlc2t0b3ChBwQFCv76ARiFBGlIaqqGBGsoffSHIBVD/hlbqt7XLMVq
+MIG9oFeAB2Rlc2t0b3ChBwQFCv76ARijFQwHImNsaWVudAwKc3luY3RoaW5nIoUE
-DE4DhIQzJRBaXtQIwm5gRTI7c0VogiAWuCbaQyz2y1A+OrT1+mI2U2EdQ3X3HPzA
+aYUZ9YYEayh99IcgFUP+GVuq3tcsxWoMTgOEhDMlEFpe1AjCbmBFMjtzRWiCIBa4
-SkjZQ+zAG4NANTlPvjlzVHXcvSnZpWO0HVFFLlFKkPav33SUb51KaOt+HX0Xyu3r
+JtpDLPbLUD46tPX6YjZTYR1Ddfcc/MBKSNlD7MAbg0BGe2eiIAFhf0s/Gn54OfAV
-3EvhBuRRS6pc6x5/ZawfxWakQwb5dTuhDg==
+O1Pb2pvUUgg40MJS4+jTyltESru3sku3/obntXS46R8uSb17yAvSGbAtHkm6gfoM
 -----END NEBULA CERTIFICATE V2-----
--- a/hosts/laptop/keys/nebula.crt
+++ b/hosts/laptop/keys/nebula.crt
@ -1,6 +1,6 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIGloD+ABmxhcHRvcKEHBAUK/voDGIUEaUsu2oYEayh99IcgFUP+GVuq3tcsxWoM
+MIG8oFaABmxhcHRvcKEHBAUK/voDGKMVDAciY2xpZW50DApzeW5jdGhpbmcihQRp
-TgOEhDMlEFpe1AjCbmBFMjtzRWiCIDQsjID+DOXgSXkAkkIySZqpe8qDwc/RSe9/
+hRn5hgRrKH30hyAVQ/4ZW6re1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIgNCyM
-rUqoGr07g0DDH0+/63YpveHA2JKKvl8T5/1kPm2Tp4SKLLy6i5g01dw4QSwaRGlW
+gP4M5eBJeQCSQjJJmql7yoPBz9FJ73+tSqgavTuDQNNN/BJUnq2BC7t8SwdZT3nE
-nrPxsi9gbci2Jdw2AiOZmshHA7tJOpoL
+a2N9Ie2JK2TSCJbAaTv5mDQC/ObqSOsJfIX49oRtFmu1apVUcyYzAKq0W8sl3gE=
 -----END NEBULA CERTIFICATE V2-----
--- a/hosts/vps-monitor/keys/nebula.crt
+++ b/hosts/vps-monitor/keys/nebula.crt
@ -1,6 +1,6 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIGqoESAC3Zwcy1tb25pdG9yoQcEBQr++gUYhQRpWTmKhgRrKH30hyAVQ/4ZW6re
+MIG2oFCAC3Zwcy1tb25pdG9yoQcEBQr++gUYowoMCCJzZXJ2ZXIihQRphRn9hgRr
-1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIgEsH4GM7MoMHRA9Ua4racnsVImNb4
+KH30hyAVQ/4ZW6re1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIgEsH4GM7MoMHR
-0fhIMdlx2Y8Gx3iDQJo2nQl5Atwka8UCU3FteaMSrgSxQW6HhBE7pwYMhlWdrusn
+A9Ua4racnsVImNb40fhIMdlx2Y8Gx3iDQHJU+DbIPKSh5Uc9/SzKsM3LtUZ+Yt7a
-KUloRoe8tDpEWEO3qc+iQsgpr5Tuo27QUD77igs=
+7gfQQJj3BgY0S5Ae3qa7Uo+zFTo6RtyJpefz4fJI4kS4kw2oUeB/1wo=
 -----END NEBULA CERTIFICATE V2-----
--- a/hosts/vps-private/keys/nebula.crt
+++ b/hosts/vps-private/keys/nebula.crt
@ -1,6 +1,7 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIGqoESAC3Zwcy1wcml2YXRloQcEBQr++gIYhQRpSG/KhgRrKH30hyAVQ/4ZW6re
+MIHBoFuAC3Zwcy1wcml2YXRloQcEBQr++gIYoxUMByJzZXJ2ZXIMCnN5bmN0aGlu
-1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIgxxdwQe3CJkEjhN6lB0dWCNqjNug5
+ZyKFBGmFGgKGBGsoffSHIBVD/hlbqt7XLMVqDE4DhIQzJRBaXtQIwm5gRTI7c0Vo
-oIN9KQTTTCp0dguDQHynn1xdarsZsfvF6ZJB01HrOVgLs2kVod3ZZZD3L8Fe/hfF
+giDHF3BB7cImQSOE3qUHR1YI2qM26Dmgg30pBNNMKnR2C4NAs88H9BxfXXBirWag
-TryU5SxJ8MH6irDdtgTs+9pU+BaNWms1X4zfkAQ=
+bF3+NXvxSKYrR1xR9Z4yBzl7JHXBRbkG4GJ29k4bL3dXrng1+yRnhZox3txUu2uR
 +46ABA==
 -----END NEBULA CERTIFICATE V2-----
--- a/hosts/vps-public/keys/nebula.crt
+++ b/hosts/vps-public/keys/nebula.crt
@ -1,6 +1,6 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIGpoEOACnZwcy1wdWJsaWOhBwQFCv76BBiFBGlZOWqGBGsoffSHIBVD/hlbqt7X
+MIG1oE+ACnZwcy1wdWJsaWOhBwQFCv76BBijCgwIInNlcnZlciKFBGmFGgaGBGso
-LMVqDE4DhIQzJRBaXtQIwm5gRTI7c0VogiB2ciqx2b7d1mUPRnrtM5sN+X4Pohtb
+ffSHIBVD/hlbqt7XLMVqDE4DhIQzJRBaXtQIwm5gRTI7c0VogiB2ciqx2b7d1mUP
-kBNPPFUDxwX7SoNAWUNPjR8iSib9C52wEmTzolYIvwbAUnOjMytH01xHUgPhiiTv
+RnrtM5sN+X4PohtbkBNPPFUDxwX7SoNAIM5yXTNoekP81KhalEV4A50WmAFINP0a
-Cm4CTtS9vWllCCH682evxo+0I3+PKDRp8DKxCQ==
+EP5Xz4ajYTHuFy/ZOnaKLCCyyRW77mJunUkWdFas6W0GFJwTkbchDA==
 -----END NEBULA CERTIFICATE V2-----
--- a/modules/system/services/nebula/default.nix
+++ b/modules/system/services/nebula/default.nix
@ -15,6 +15,12 @@ in
    enable = lib.mkEnableOption "" // {
      default = netCfg.overlay.implementation == "nebula";
    };
    groups = lib.mkOption {
      type = lib.types.nonEmptyListOf lib.types.nonEmptyStr;
      default =
        lib.singleton netCfg.overlay.role
        ++ lib.optional config.custom.services.syncthing.enable "syncthing";
    };
    publicKeyPath = lib.mkOption {
      type = lib.types.path;
--- a/modules/system/services/sshd.nix
+++ b/modules/system/services/sshd.nix
@ -28,14 +28,11 @@ in
        };
      };
-      nebula.networks.mesh.firewall.inbound =
+      nebula.networks.mesh.firewall.inbound = lib.singleton {
        netCfg.peers
        |> lib.filter (node: node.overlay.role == "client")
        |> lib.map (client: {
        port = 22;
        proto = "tcp";
-          host = client.hostName;
+        group = "client";
-        });
+      };
    };
    systemd.services.sshd = {
--- a/modules/system/services/syncthing.nix
+++ b/modules/system/services/syncthing.nix
@ -118,14 +118,11 @@ in
        };
      };
-      nebula.networks.mesh.firewall.inbound =
+      nebula.networks.mesh.firewall.inbound = lib.singleton {
        config.services.syncthing.settings.devices
        |> lib.attrNames
        |> lib.map (name: {
        port = cfg.syncPort;
        proto = "tcp";
-          host = name;
+        group = "syncthing";
-        });
+      };
    };
    custom = {
--- a/scripts/nebula-regen-host-cert.nix
+++ b/scripts/nebula-regen-host-cert.nix
@ -15,6 +15,7 @@ pkgs.writeShellApplication {
    host="$1"
    address="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.networking.overlay.cidr")"
    groups="$(nix eval ".#nixosConfigurations.$host.config.custom.services.nebula.groups" --apply 'builtins.concatStringsSep ","')"
    ca_cert='modules/system/services/nebula/ca.crt'
    host_pub="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.publicKeyPath")"
    host_cert="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.certificatePath")"
@ -35,6 +36,6 @@ pkgs.writeShellApplication {
    fi
    rm -f "$host_cert"
-    nebula-cert sign -name "$host" -networks "$address" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert"
+    nebula-cert sign -name "$host" -networks "$address" -groups "$groups" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert"
  '';
 }