2026-03-23 20:08:28 +01:00
9 changed files with 37 additions and 39 deletions
--- a/hosts/desktop/keys/nebula.crt
+++ b/hosts/desktop/keys/nebula.crt
@ -1,6 +1,6 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIG7oFWAB2Rlc2t0b3ChBwQFCv76ARijEwwGY2xpZW50DAlzeW5jdGhpbmeFBGmF
+MIGmoECAB2Rlc2t0b3ChBwQFCv76ARiFBGlIaqqGBGsoffSHIBVD/hlbqt7XLMVq
-Hk6GBGsoffSHIBVD/hlbqt7XLMVqDE4DhIQzJRBaXtQIwm5gRTI7c0VogiAWuCba
+DE4DhIQzJRBaXtQIwm5gRTI7c0VogiAWuCbaQyz2y1A+OrT1+mI2U2EdQ3X3HPzA
-Qyz2y1A+OrT1+mI2U2EdQ3X3HPzASkjZQ+zAG4NAT5t62Hk0O6IlwmVM0e99G/s2
+SkjZQ+zAG4NANTlPvjlzVHXcvSnZpWO0HVFFLlFKkPav33SUb51KaOt+HX0Xyu3r
-GwO6Y2TXbl+g1T8eat4upiIftMkNdBJVgiDz7XbE4zgpfUuTv1LCzrNwipc6Cg==
+3EvhBuRRS6pc6x5/ZawfxWakQwb5dTuhDg==
 -----END NEBULA CERTIFICATE V2-----
--- a/hosts/laptop/keys/nebula.crt
+++ b/hosts/laptop/keys/nebula.crt
@ -1,6 +1,6 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIG6oFSABmxhcHRvcKEHBAUK/voDGKMTDAZjbGllbnQMCXN5bmN0aGluZ4UEaYUe
+MIGloD+ABmxhcHRvcKEHBAUK/voDGIUEaUsu2oYEayh99IcgFUP+GVuq3tcsxWoM
-UoYEayh99IcgFUP+GVuq3tcsxWoMTgOEhDMlEFpe1AjCbmBFMjtzRWiCIDQsjID+
+TgOEhDMlEFpe1AjCbmBFMjtzRWiCIDQsjID+DOXgSXkAkkIySZqpe8qDwc/RSe9/
-DOXgSXkAkkIySZqpe8qDwc/RSe9/rUqoGr07g0DhbaORjxVBfwI9Un1woUJPv2lA
+rUqoGr07g0DDH0+/63YpveHA2JKKvl8T5/1kPm2Tp4SKLLy6i5g01dw4QSwaRGlW
-7/0O5G29fhEGsyR7N4e4ZFeHPTbCXQYKVJIo0B6nM12kriUCTymrtjMJjjQB
+nrPxsi9gbci2Jdw2AiOZmshHA7tJOpoL
 -----END NEBULA CERTIFICATE V2-----
--- a/hosts/vps-monitor/keys/nebula.crt
+++ b/hosts/vps-monitor/keys/nebula.crt
@ -1,6 +1,6 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIG0oE6AC3Zwcy1tb25pdG9yoQcEBQr++gUYowgMBnNlcnZlcoUEaYUeVoYEayh9
+MIGqoESAC3Zwcy1tb25pdG9yoQcEBQr++gUYhQRpWTmKhgRrKH30hyAVQ/4ZW6re
-9IcgFUP+GVuq3tcsxWoMTgOEhDMlEFpe1AjCbmBFMjtzRWiCIBLB+BjOzKDB0QPV
+1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIgEsH4GM7MoMHRA9Ua4racnsVImNb4
-GuK2nJ7FSJjW+NH4SDHZcdmPBsd4g0Ctqv9hgMdJuXpKgy0HIU7eRhjMYDr22AUb
+0fhIMdlx2Y8Gx3iDQJo2nQl5Atwka8UCU3FteaMSrgSxQW6HhBE7pwYMhlWdrusn
-e5nHcocsCe3mqPvHeTOPpluPeQcVXBnalFXwUHbpYmV/8pZFiNkI
+KUloRoe8tDpEWEO3qc+iQsgpr5Tuo27QUD77igs=
 -----END NEBULA CERTIFICATE V2-----
--- a/hosts/vps-private/keys/nebula.crt
+++ b/hosts/vps-private/keys/nebula.crt
@ -1,7 +1,6 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIG/oFmAC3Zwcy1wcml2YXRloQcEBQr++gIYoxMMBnNlcnZlcgwJc3luY3RoaW5n
+MIGqoESAC3Zwcy1wcml2YXRloQcEBQr++gIYhQRpSG/KhgRrKH30hyAVQ/4ZW6re
-hQRphR5bhgRrKH30hyAVQ/4ZW6re1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIg
+1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIgxxdwQe3CJkEjhN6lB0dWCNqjNug5
-xxdwQe3CJkEjhN6lB0dWCNqjNug5oIN9KQTTTCp0dguDQIfEL9VOzRXRvfIYqQIE
+oIN9KQTTTCp0dguDQHynn1xdarsZsfvF6ZJB01HrOVgLs2kVod3ZZZD3L8Fe/hfF
-N17rITJJXUIV0zV1JY/GF2xuxGYnwqRbdpbzjwWiZn3kBvj3j/q2jC9ciA3+nnoc
+TryU5SxJ8MH6irDdtgTs+9pU+BaNWms1X4zfkAQ=
 iwE=
 -----END NEBULA CERTIFICATE V2-----
--- a/hosts/vps-public/keys/nebula.crt
+++ b/hosts/vps-public/keys/nebula.crt
@ -1,6 +1,6 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIGzoE2ACnZwcy1wdWJsaWOhBwQFCv76BBijCAwGc2VydmVyhQRphR5fhgRrKH30
+MIGpoEOACnZwcy1wdWJsaWOhBwQFCv76BBiFBGlZOWqGBGsoffSHIBVD/hlbqt7X
-hyAVQ/4ZW6re1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIgdnIqsdm+3dZlD0Z6
+LMVqDE4DhIQzJRBaXtQIwm5gRTI7c0VogiB2ciqx2b7d1mUPRnrtM5sN+X4Pohtb
-7TObDfl+D6IbW5ATTzxVA8cF+0qDQBE3+pZ54sbLravpoUt01ukqAsHAZ2kuQcrY
+kBNPPFUDxwX7SoNAWUNPjR8iSib9C52wEmTzolYIvwbAUnOjMytH01xHUgPhiiTv
-DaZgtdjp1z0U7FkdqWAYlNeMVzjyXf4MQQJZH5ANu5tsofRtGw4=
+Cm4CTtS9vWllCCH682evxo+0I3+PKDRp8DKxCQ==
 -----END NEBULA CERTIFICATE V2-----
--- a/modules/system/services/nebula/default.nix
+++ b/modules/system/services/nebula/default.nix
@ -15,12 +15,6 @@ in
    enable = lib.mkEnableOption "" // {
      default = netCfg.overlay.implementation == "nebula";
    };
    groups = lib.mkOption {
      type = lib.types.nonEmptyListOf lib.types.nonEmptyStr;
      default =
        lib.singleton netCfg.overlay.role
        ++ lib.optional config.custom.services.syncthing.enable "syncthing";
    };
    publicKeyPath = lib.mkOption {
      type = lib.types.path;
--- a/modules/system/services/sshd.nix
+++ b/modules/system/services/sshd.nix
@ -28,11 +28,14 @@ in
        };
      };
-      nebula.networks.mesh.firewall.inbound = lib.singleton {
+      nebula.networks.mesh.firewall.inbound =
        netCfg.peers
        |> lib.filter (node: node.overlay.role == "client")
        |> lib.map (client: {
          port = 22;
          proto = "tcp";
-        group = "client";
+          host = client.hostName;
-      };
+        });
    };
    systemd.services.sshd = {
--- a/modules/system/services/syncthing.nix
+++ b/modules/system/services/syncthing.nix
@ -118,11 +118,14 @@ in
        };
      };
-      nebula.networks.mesh.firewall.inbound = lib.singleton {
+      nebula.networks.mesh.firewall.inbound =
        config.services.syncthing.settings.devices
        |> lib.attrNames
        |> lib.map (name: {
          port = cfg.syncPort;
          proto = "tcp";
-        group = "syncthing";
+          host = name;
-      };
+        });
    };
    custom = {
--- a/scripts/nebula-regen-host-cert.nix
+++ b/scripts/nebula-regen-host-cert.nix
@ -15,7 +15,6 @@ pkgs.writeShellApplication {
    host="$1"
    address="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.networking.overlay.cidr")"
    groups="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.groups" --apply 'builtins.concatStringsSep ","')"
    ca_cert='modules/system/services/nebula/ca.crt'
    host_pub="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.publicKeyPath")"
    host_cert="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.certificatePath")"
@ -36,6 +35,6 @@ pkgs.writeShellApplication {
    fi
    rm -f "$host_cert"
-    nebula-cert sign -name "$host" -networks "$address" -groups "$groups" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert"
+    nebula-cert sign -name "$host" -networks "$address" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert"
  '';
 }