diff --git a/flake.lock b/flake.lock index 44eed20..add0a56 100644 --- a/flake.lock +++ b/flake.lock @@ -88,11 +88,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1767326613, - "narHash": "sha256-XKeo9F/AB+AyzgR2xaoxyLpI2sRJiu60f9etGJymyMk=", + "lastModified": 1766846533, + "narHash": "sha256-D7XoHk5/daZt3E0K6uCueVxpDYp+cIoCctoTsz5mjfk=", "owner": "rycee", "repo": "nur-expressions", - "rev": "bc31b4b6220009dc5fda6082496b9d97b1e855ee", + "rev": "e55ad9427895bc94e55b2cb6474ca46773816885", "type": "gitlab" }, "original": { @@ -160,11 +160,11 @@ ] }, "locked": { - "lastModified": 1767280655, - "narHash": "sha256-YmaYMduV5ko8zURUT1VLGDbVC1L/bxHS0NsiPoZ6bBM=", + "lastModified": 1766939458, + "narHash": "sha256-VvZeAKyB3vhyHStSO8ACKzWRKNQPmVWktjfuSVdvtUA=", "owner": "nix-community", "repo": "home-manager", - "rev": "d49d2543f02dbd789ed032188c84570d929223cb", + "rev": "e298a148013c980e3c8c0ac075295fab5074d643", "type": "github" }, "original": { @@ -191,11 +191,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1767185284, - "narHash": "sha256-ljDBUDpD1Cg5n3mJI81Hz5qeZAwCGxon4kQW3Ho3+6Q=", + "lastModified": 1766568855, + "narHash": "sha256-UXVtN77D7pzKmzOotFTStgZBqpOcf8cO95FcupWp4Zo=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "40b1a28dce561bea34858287fbb23052c3ee63fe", + "rev": "c5db9569ac9cc70929c268ac461f4003e3e5ca80", "type": "github" }, "original": { @@ -207,11 +207,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1767047869, - "narHash": "sha256-tzYsEzXEVa7op1LTnrLSiPGrcCY6948iD0EcNLWcmzo=", + "lastModified": 1766736597, + "narHash": "sha256-BASnpCLodmgiVn0M1MU2Pqyoz0aHwar/0qLkp7CjvSQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "89dbf01df72eb5ebe3b24a86334b12c27d68016a", + "rev": "f560ccec6b1116b22e6ed15f4c510997d99d5852", "type": "github" }, "original": { 
@@ -238,11 +238,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1767116409, - "narHash": "sha256-5vKw92l1GyTnjoLzEagJy5V5mDFck72LiQWZSOnSicw=", + "lastModified": 1766651565, + "narHash": "sha256-QEhk0eXgyIqTpJ/ehZKg9IKS7EtlWxF3N7DXy42zPfU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "cad22e7d996aea55ecab064e84834289143e44a0", + "rev": "3e2499d5539c16d0d173ba53552a4ff8547f4539", "type": "github" }, "original": { @@ -344,11 +344,11 @@ ] }, "locked": { - "lastModified": 1767122417, - "narHash": "sha256-yOt/FTB7oSEKQH9EZMFMeuldK1HGpQs2eAzdS9hNS/o=", + "lastModified": 1766000401, + "narHash": "sha256-+cqN4PJz9y0JQXfAK5J1drd0U05D5fcAGhzhfVrDlsI=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "dec15f37015ac2e774c84d0952d57fcdf169b54d", + "rev": "42d96e75aa56a3f70cab7e7dc4a32868db28e8fd", "type": "github" }, "original": { @@ -382,11 +382,11 @@ ] }, "locked": { - "lastModified": 1767319998, - "narHash": "sha256-YXKjuWf/f6Smvv8qEmSSNpXIV+EXllglMZaMVuChT2Q=", + "lastModified": 1766888861, + "narHash": "sha256-BA+gbbAFYY+z0WvIWu8nwOZYzHuzHbnnIH+R6vjSanI=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "2a8c99844e9e65f6deeee8f1d7e8194998795b41", + "rev": "2b8957cca4532b30e06c1cbd0386ec4fbf3b16fa", "type": "github" }, "original": { diff --git a/hosts/desktop/default.nix b/hosts/desktop/default.nix index 503f282..1a3f192 100644 --- a/hosts/desktop/default.nix +++ b/hosts/desktop/default.nix @@ -33,7 +33,6 @@ nebula.node = { enable = true; address = "10.254.250.1"; - isClient = true; }; syncthing = { enable = true; diff --git a/hosts/laptop/default.nix b/hosts/laptop/default.nix index 73a6c22..4eabbf8 100644 --- a/hosts/laptop/default.nix +++ b/hosts/laptop/default.nix @@ -36,7 +36,6 @@ nebula.node = { enable = true; address = "10.254.250.3"; - isClient = true; }; syncthing = { enable = true; diff --git a/hosts/vps-private/default.nix b/hosts/vps-private/default.nix index 7b2c95d..e63db19 100644 --- a/hosts/vps-private/default.nix 
+++ b/hosts/vps-private/default.nix @@ -34,9 +34,8 @@ nebula.node = { enable = true; address = "10.254.250.2"; - routableAddress = "49.13.231.235"; isLighthouse = true; - isServer = true; + routableAddress = "49.13.231.235"; }; syncthing = { diff --git a/modules/system/services/nebula/default.nix b/modules/system/services/nebula/default.nix index 37aa9db..54c0884 100644 --- a/modules/system/services/nebula/default.nix +++ b/modules/system/services/nebula/default.nix 
@@ -6,58 +6,49 @@ }: let cfg = config.custom.services.nebula.node; - peers = config.custom.services.nebula.peers; hostname = config.networking.hostName; - lighthouses = peers |> lib.filter (node: node.isLighthouse); + nodes = + self.nixosConfigurations + |> lib.filterAttrs (name: _: name != hostname) + |> lib.attrValues + |> lib.map (value: value.config.custom.services.nebula.node) + |> lib.filter (node: node.enable); - routablePeers = peers |> lib.filter (node: node.routableAddress != null); + lighthouses = nodes |> lib.filter (node: node.isLighthouse); + + routableNodes = nodes |> lib.filter (node: node.routableAddress != null); in { - options.custom.services.nebula = { - node = { - enable = lib.mkEnableOption ""; - name = lib.mkOption { - type = lib.types.nonEmptyStr; - default = hostname; - }; - address = lib.mkOption { - type = lib.types.nonEmptyStr; - default = ""; - }; - isLighthouse = lib.mkEnableOption ""; - isServer = lib.mkEnableOption ""; - isClient = lib.mkEnableOption ""; + options.custom.services.nebula.node = { + enable = lib.mkEnableOption ""; + name = lib.mkOption { + type = lib.types.nonEmptyStr; + default = config.networking.hostName; + }; + address = lib.mkOption { + type = lib.types.nonEmptyStr; + default = ""; + }; + isLighthouse = lib.mkEnableOption ""; - routableAddress = lib.mkOption { - type = lib.types.nullOr lib.types.nonEmptyStr; - default = null; - }; - routablePort = lib.mkOption { - type = lib.types.nullOr lib.types.port; - default = if cfg.routableAddress != null then 47141 else null; - }; - - publicKeyPath = lib.mkOption { - type = lib.types.path; - default = "${self}/hosts/${hostname}/keys/nebula.pub"; - }; - certificatePath = lib.mkOption { - type = lib.types.path; - default = "${self}/hosts/${hostname}/keys/nebula.crt"; - }; + routableAddress = lib.mkOption { + type = lib.types.nullOr lib.types.nonEmptyStr; + default = null; + }; + routablePort = lib.mkOption { + type = lib.types.nullOr lib.types.port; + default = if 
cfg.routableAddress != null then 47141 else null; }; - peers = lib.mkOption { - type = lib.types.anything; - default = - self.nixosConfigurations - |> lib.filterAttrs (name: _: name != hostname) - |> lib.attrValues - |> lib.map (value: value.config.custom.services.nebula.node) - |> lib.filter (node: node.enable); - readOnly = true; + publicKeyPath = lib.mkOption { + type = lib.types.path; + default = "${self}/hosts/${hostname}/keys/nebula.pub"; + }; + certificatePath = lib.mkOption { + type = lib.types.path; + default = "${self}/hosts/${hostname}/keys/nebula.crt"; }; }; @@ -70,11 +61,11 @@ in }; sops.secrets."nebula/host-key" = { - owner = config.users.users.nebula-mesh.name; - restartUnits = [ "nebula@mesh.service" ]; + owner = config.users.users.nebula-main.name; + restartUnits = [ "nebula@main.service" ]; }; - services.nebula.networks.mesh = { + services.nebula.networks.main = { enable = true; ca = ./ca.crt; @@ -89,7 +80,7 @@ in ); staticHostMap = - routablePeers + routableNodes |> lib.map (lighthouse: { name = lighthouse.address; value = lib.singleton "${lighthouse.routableAddress}:${toString lighthouse.routablePort}"; @@ -98,14 +89,14 @@ in firewall = { outbound = lib.singleton { + host = "any"; port = "any"; proto = "any"; - host = "any"; }; inbound = lib.singleton { - port = "any"; - proto = "icmp"; host = "any"; + port = "any"; + proto = "any"; }; }; @@ -113,10 +104,7 @@ in pki.disconnect_invalid = true; cipher = "aes"; logging.level = "warning"; - lighthouse.local_allow_list.interfaces.tailscale0 = false; }; }; - - networking.firewall.trustedInterfaces = [ "nebula.mesh" ]; }; } diff --git a/modules/system/services/nebula/sshd.nix b/modules/system/services/nebula/sshd.nix deleted file mode 100644 index 3164c45..0000000 --- a/modules/system/services/nebula/sshd.nix +++ /dev/null 
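Review bot: The rewritten `inbound` rule in the `@@ -98,14 +89,14 @@` hunk now reads `host = "any"; port = "any"; proto = "any";`, so the Nebula overlay firewall no longer restricts anything arriving from peers, whereas the old rule admitted only `proto = "icmp"` and the deleted sshd.nix added explicit per-client port 22 rules on top of it. The last hunk also removes `networking.firewall.trustedInterfaces = [ "nebula.mesh" ]` without adding the renamed `nebula.main` interface, so whether the host firewall now filters overlay traffic depends on configuration outside this diff. If the overlay is meant to be fully open between nodes, a comment such as `# overlay firewall intentionally open: the host firewall (networking.firewall) is the only filter on nebula.main` next to the inbound rule would record that decision; otherwise keep `proto = "icmp";` here and add explicit per-service inbound rules as sshd.nix previously did.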
@@ -1,45 +0,0 @@ -{ config, lib, ... }: -let - cfg = config.custom.services.nebula.node; -in -{ - options.custom.services.nebula.node.sshd = { - enable = lib.mkEnableOption "" // { - default = true; - }; - port = lib.mkOption { - type = lib.types.port; - default = 22; - }; - }; - - config = lib.mkIf (cfg.enable && cfg.sshd.enable) { - meta.ports.tcp = [ cfg.sshd.port ]; - - services = { - openssh = { - enable = true; - openFirewall = false; - ports = [ ]; - listenAddresses = lib.singleton { - addr = cfg.address; - inherit (cfg.sshd) port; - }; - }; - - nebula.networks.mesh.firewall.inbound = - config.custom.services.nebula.peers - |> lib.filter (node: node.isClient) - |> lib.map (nebula: { - port = "22"; - proto = "tcp"; - host = nebula.name; - }); - }; - - systemd.services.sshd = { - requires = [ "nebula@mesh.service" ]; - after = [ "nebula@mesh.service" ]; - }; - }; -}