Compare commits


No commits in common. "2978d2c1a5de76d2f5c0322bc234e87b01c84a27" and "94ac7bbca3df3bf6eb5abd36624d6d6713154d4f" have entirely different histories.

6 changed files with 63 additions and 123 deletions

flake.lock generated

@ -88,11 +88,11 @@
}, },
"locked": { "locked": {
"dir": "pkgs/firefox-addons", "dir": "pkgs/firefox-addons",
"lastModified": 1767326613, "lastModified": 1766846533,
"narHash": "sha256-XKeo9F/AB+AyzgR2xaoxyLpI2sRJiu60f9etGJymyMk=", "narHash": "sha256-D7XoHk5/daZt3E0K6uCueVxpDYp+cIoCctoTsz5mjfk=",
"owner": "rycee", "owner": "rycee",
"repo": "nur-expressions", "repo": "nur-expressions",
"rev": "bc31b4b6220009dc5fda6082496b9d97b1e855ee", "rev": "e55ad9427895bc94e55b2cb6474ca46773816885",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@ -160,11 +160,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1767280655, "lastModified": 1766939458,
"narHash": "sha256-YmaYMduV5ko8zURUT1VLGDbVC1L/bxHS0NsiPoZ6bBM=", "narHash": "sha256-VvZeAKyB3vhyHStSO8ACKzWRKNQPmVWktjfuSVdvtUA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "d49d2543f02dbd789ed032188c84570d929223cb", "rev": "e298a148013c980e3c8c0ac075295fab5074d643",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -191,11 +191,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1767185284, "lastModified": 1766568855,
"narHash": "sha256-ljDBUDpD1Cg5n3mJI81Hz5qeZAwCGxon4kQW3Ho3+6Q=", "narHash": "sha256-UXVtN77D7pzKmzOotFTStgZBqpOcf8cO95FcupWp4Zo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "40b1a28dce561bea34858287fbb23052c3ee63fe", "rev": "c5db9569ac9cc70929c268ac461f4003e3e5ca80",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -207,11 +207,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1767047869, "lastModified": 1766736597,
"narHash": "sha256-tzYsEzXEVa7op1LTnrLSiPGrcCY6948iD0EcNLWcmzo=", "narHash": "sha256-BASnpCLodmgiVn0M1MU2Pqyoz0aHwar/0qLkp7CjvSQ=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "89dbf01df72eb5ebe3b24a86334b12c27d68016a", "rev": "f560ccec6b1116b22e6ed15f4c510997d99d5852",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -238,11 +238,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1767116409, "lastModified": 1766651565,
"narHash": "sha256-5vKw92l1GyTnjoLzEagJy5V5mDFck72LiQWZSOnSicw=", "narHash": "sha256-QEhk0eXgyIqTpJ/ehZKg9IKS7EtlWxF3N7DXy42zPfU=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "cad22e7d996aea55ecab064e84834289143e44a0", "rev": "3e2499d5539c16d0d173ba53552a4ff8547f4539",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -344,11 +344,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1767122417, "lastModified": 1766000401,
"narHash": "sha256-yOt/FTB7oSEKQH9EZMFMeuldK1HGpQs2eAzdS9hNS/o=", "narHash": "sha256-+cqN4PJz9y0JQXfAK5J1drd0U05D5fcAGhzhfVrDlsI=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "dec15f37015ac2e774c84d0952d57fcdf169b54d", "rev": "42d96e75aa56a3f70cab7e7dc4a32868db28e8fd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -382,11 +382,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1767319998, "lastModified": 1766888861,
"narHash": "sha256-YXKjuWf/f6Smvv8qEmSSNpXIV+EXllglMZaMVuChT2Q=", "narHash": "sha256-BA+gbbAFYY+z0WvIWu8nwOZYzHuzHbnnIH+R6vjSanI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-vscode-extensions", "repo": "nix-vscode-extensions",
"rev": "2a8c99844e9e65f6deeee8f1d7e8194998795b41", "rev": "2b8957cca4532b30e06c1cbd0386ec4fbf3b16fa",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -33,7 +33,6 @@
nebula.node = { nebula.node = {
enable = true; enable = true;
address = "10.254.250.1"; address = "10.254.250.1";
isClient = true;
}; };
syncthing = { syncthing = {
enable = true; enable = true;


@ -36,7 +36,6 @@
nebula.node = { nebula.node = {
enable = true; enable = true;
address = "10.254.250.3"; address = "10.254.250.3";
isClient = true;
}; };
syncthing = { syncthing = {
enable = true; enable = true;


@ -34,9 +34,8 @@
nebula.node = { nebula.node = {
enable = true; enable = true;
address = "10.254.250.2"; address = "10.254.250.2";
routableAddress = "49.13.231.235";
isLighthouse = true; isLighthouse = true;
isServer = true; routableAddress = "49.13.231.235";
}; };
syncthing = { syncthing = {


@ -6,58 +6,49 @@
}: }:
let let
cfg = config.custom.services.nebula.node; cfg = config.custom.services.nebula.node;
peers = config.custom.services.nebula.peers;
hostname = config.networking.hostName; hostname = config.networking.hostName;
lighthouses = peers |> lib.filter (node: node.isLighthouse); nodes =
self.nixosConfigurations
|> lib.filterAttrs (name: _: name != hostname)
|> lib.attrValues
|> lib.map (value: value.config.custom.services.nebula.node)
|> lib.filter (node: node.enable);
routablePeers = peers |> lib.filter (node: node.routableAddress != null); lighthouses = nodes |> lib.filter (node: node.isLighthouse);
routableNodes = nodes |> lib.filter (node: node.routableAddress != null);
in in
{ {
options.custom.services.nebula = { options.custom.services.nebula.node = {
node = { enable = lib.mkEnableOption "";
enable = lib.mkEnableOption ""; name = lib.mkOption {
name = lib.mkOption { type = lib.types.nonEmptyStr;
type = lib.types.nonEmptyStr; default = config.networking.hostName;
default = hostname; };
}; address = lib.mkOption {
address = lib.mkOption { type = lib.types.nonEmptyStr;
type = lib.types.nonEmptyStr; default = "";
default = ""; };
}; isLighthouse = lib.mkEnableOption "";
isLighthouse = lib.mkEnableOption "";
isServer = lib.mkEnableOption "";
isClient = lib.mkEnableOption "";
routableAddress = lib.mkOption { routableAddress = lib.mkOption {
type = lib.types.nullOr lib.types.nonEmptyStr; type = lib.types.nullOr lib.types.nonEmptyStr;
default = null; default = null;
}; };
routablePort = lib.mkOption { routablePort = lib.mkOption {
type = lib.types.nullOr lib.types.port; type = lib.types.nullOr lib.types.port;
default = if cfg.routableAddress != null then 47141 else null; default = if cfg.routableAddress != null then 47141 else null;
};
publicKeyPath = lib.mkOption {
type = lib.types.path;
default = "${self}/hosts/${hostname}/keys/nebula.pub";
};
certificatePath = lib.mkOption {
type = lib.types.path;
default = "${self}/hosts/${hostname}/keys/nebula.crt";
};
}; };
peers = lib.mkOption { publicKeyPath = lib.mkOption {
type = lib.types.anything; type = lib.types.path;
default = default = "${self}/hosts/${hostname}/keys/nebula.pub";
self.nixosConfigurations };
|> lib.filterAttrs (name: _: name != hostname) certificatePath = lib.mkOption {
|> lib.attrValues type = lib.types.path;
|> lib.map (value: value.config.custom.services.nebula.node) default = "${self}/hosts/${hostname}/keys/nebula.crt";
|> lib.filter (node: node.enable);
readOnly = true;
}; };
}; };
@ -70,11 +61,11 @@ in
}; };
sops.secrets."nebula/host-key" = { sops.secrets."nebula/host-key" = {
owner = config.users.users.nebula-mesh.name; owner = config.users.users.nebula-main.name;
restartUnits = [ "nebula@mesh.service" ]; restartUnits = [ "nebula@main.service" ];
}; };
services.nebula.networks.mesh = { services.nebula.networks.main = {
enable = true; enable = true;
ca = ./ca.crt; ca = ./ca.crt;
@ -89,7 +80,7 @@ in
); );
staticHostMap = staticHostMap =
routablePeers routableNodes
|> lib.map (lighthouse: { |> lib.map (lighthouse: {
name = lighthouse.address; name = lighthouse.address;
value = lib.singleton "${lighthouse.routableAddress}:${toString lighthouse.routablePort}"; value = lib.singleton "${lighthouse.routableAddress}:${toString lighthouse.routablePort}";
@ -98,14 +89,14 @@ in
firewall = { firewall = {
outbound = lib.singleton { outbound = lib.singleton {
host = "any";
port = "any"; port = "any";
proto = "any"; proto = "any";
host = "any";
}; };
inbound = lib.singleton { inbound = lib.singleton {
port = "any";
proto = "icmp";
host = "any"; host = "any";
port = "any";
proto = "any";
}; };
}; };
@ -113,10 +104,7 @@ in
pki.disconnect_invalid = true; pki.disconnect_invalid = true;
cipher = "aes"; cipher = "aes";
logging.level = "warning"; logging.level = "warning";
lighthouse.local_allow_list.interfaces.tailscale0 = false;
}; };
}; };
networking.firewall.trustedInterfaces = [ "nebula.mesh" ];
}; };
} }
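Review bot: The inbound nebula firewall rule on the new side of the `@ -98,14 +89,14` hunk is `host = "any"; port = "any"; proto = "any";`, so every mesh peer can reach every listening service on this host, whereas the old side limited unsolicited inbound to `proto = "icmp"` and left service exposure to per-service rules (the deleted sshd submodule in the last file section added port 22 only for peers with `isClient`, an option this module no longer declares). If mesh-wide reachability is intended it should be stated in a comment next to the rule; otherwise keep the narrow default, `inbound = lib.singleton { port = "any"; proto = "icmp"; host = "any"; };`, and re-add service-specific entries where they are needed. In the `@ -113,10 +104,7` hunk `lighthouse.local_allow_list.interfaces.tailscale0 = false;` and `networking.firewall.trustedInterfaces = [ "nebula.mesh" ];` appear only once and seem to be dropped without a counterpart for the renamed `main` network, so the host firewall's treatment of the nebula interface is no longer configured here; worth confirming which side they belong to. The `flake.lock` timestamps are larger on the left-hand side, which suggests this compare may be showing the newer tree on the left, so the direction should be checked before acting on the diff.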


@ -1,45 +0,0 @@
{ config, lib, ... }:
let
cfg = config.custom.services.nebula.node;
in
{
options.custom.services.nebula.node.sshd = {
enable = lib.mkEnableOption "" // {
default = true;
};
port = lib.mkOption {
type = lib.types.port;
default = 22;
};
};
config = lib.mkIf (cfg.enable && cfg.sshd.enable) {
meta.ports.tcp = [ cfg.sshd.port ];
services = {
openssh = {
enable = true;
openFirewall = false;
ports = [ ];
listenAddresses = lib.singleton {
addr = cfg.address;
inherit (cfg.sshd) port;
};
};
nebula.networks.mesh.firewall.inbound =
config.custom.services.nebula.peers
|> lib.filter (node: node.isClient)
|> lib.map (nebula: {
port = "22";
proto = "tcp";
host = nebula.name;
});
};
systemd.services.sshd = {
requires = [ "nebula@mesh.service" ];
after = [ "nebula@mesh.service" ];
};
};
}