

4 commits

2978d2c1a5
nebula: Fix tailscale ssh disconnects 2026-01-03 00:42:02 +01:00
61f5c54196
nebula: Enable firewall and restrict ssh access by role 2026-01-03 00:41:13 +01:00
382dae6cbb
flake.lock: Update
Flake lock file updates:

• Updated input 'firefox-addons':
    'gitlab:rycee/nur-expressions/e55ad9427895bc94e55b2cb6474ca46773816885?dir=pkgs/firefox-addons&narHash=sha256-D7XoHk5/daZt3E0K6uCueVxpDYp%2BcIoCctoTsz5mjfk%3D' (2025-12-27)
  → 'gitlab:rycee/nur-expressions/bc31b4b6220009dc5fda6082496b9d97b1e855ee?dir=pkgs/firefox-addons&narHash=sha256-XKeo9F/AB%2BAyzgR2xaoxyLpI2sRJiu60f9etGJymyMk%3D' (2026-01-02)
• Updated input 'home-manager':
    'github:nix-community/home-manager/e298a148013c980e3c8c0ac075295fab5074d643?narHash=sha256-VvZeAKyB3vhyHStSO8ACKzWRKNQPmVWktjfuSVdvtUA%3D' (2025-12-28)
  → 'github:nix-community/home-manager/d49d2543f02dbd789ed032188c84570d929223cb?narHash=sha256-YmaYMduV5ko8zURUT1VLGDbVC1L/bxHS0NsiPoZ6bBM%3D' (2026-01-01)
• Updated input 'nixos-hardware':
    'github:NixOS/nixos-hardware/c5db9569ac9cc70929c268ac461f4003e3e5ca80?narHash=sha256-UXVtN77D7pzKmzOotFTStgZBqpOcf8cO95FcupWp4Zo%3D' (2025-12-24)
  → 'github:NixOS/nixos-hardware/40b1a28dce561bea34858287fbb23052c3ee63fe?narHash=sha256-ljDBUDpD1Cg5n3mJI81Hz5qeZAwCGxon4kQW3Ho3%2B6Q%3D' (2025-12-31)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/f560ccec6b1116b22e6ed15f4c510997d99d5852?narHash=sha256-BASnpCLodmgiVn0M1MU2Pqyoz0aHwar/0qLkp7CjvSQ%3D' (2025-12-26)
  → 'github:nixos/nixpkgs/89dbf01df72eb5ebe3b24a86334b12c27d68016a?narHash=sha256-tzYsEzXEVa7op1LTnrLSiPGrcCY6948iD0EcNLWcmzo%3D' (2025-12-29)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/3e2499d5539c16d0d173ba53552a4ff8547f4539?narHash=sha256-QEhk0eXgyIqTpJ/ehZKg9IKS7EtlWxF3N7DXy42zPfU%3D' (2025-12-25)
  → 'github:nixos/nixpkgs/cad22e7d996aea55ecab064e84834289143e44a0?narHash=sha256-5vKw92l1GyTnjoLzEagJy5V5mDFck72LiQWZSOnSicw%3D' (2025-12-30)
• Updated input 'treefmt':
    'github:numtide/treefmt-nix/42d96e75aa56a3f70cab7e7dc4a32868db28e8fd?narHash=sha256-%2BcqN4PJz9y0JQXfAK5J1drd0U05D5fcAGhzhfVrDlsI%3D' (2025-12-17)
  → 'github:numtide/treefmt-nix/dec15f37015ac2e774c84d0952d57fcdf169b54d?narHash=sha256-yOt/FTB7oSEKQH9EZMFMeuldK1HGpQs2eAzdS9hNS/o%3D' (2025-12-30)
• Updated input 'vscode-extensions':
    'github:nix-community/nix-vscode-extensions/2b8957cca4532b30e06c1cbd0386ec4fbf3b16fa?narHash=sha256-BA%2BgbbAFYY%2Bz0WvIWu8nwOZYzHuzHbnnIH%2BR6vjSanI%3D' (2025-12-28)
  → 'github:nix-community/nix-vscode-extensions/2a8c99844e9e65f6deeee8f1d7e8194998795b41?narHash=sha256-YXKjuWf/f6Smvv8qEmSSNpXIV%2BEXllglMZaMVuChT2Q%3D' (2026-01-02)
2026-01-02 13:12:49 +01:00
b4191c56aa
nebula: Configure ssh server 2026-01-01 23:46:15 +01:00
6 changed files with 123 additions and 63 deletions

flake.lock generated

@ -88,11 +88,11 @@
}, },
"locked": { "locked": {
"dir": "pkgs/firefox-addons", "dir": "pkgs/firefox-addons",
"lastModified": 1766846533, "lastModified": 1767326613,
"narHash": "sha256-D7XoHk5/daZt3E0K6uCueVxpDYp+cIoCctoTsz5mjfk=", "narHash": "sha256-XKeo9F/AB+AyzgR2xaoxyLpI2sRJiu60f9etGJymyMk=",
"owner": "rycee", "owner": "rycee",
"repo": "nur-expressions", "repo": "nur-expressions",
"rev": "e55ad9427895bc94e55b2cb6474ca46773816885", "rev": "bc31b4b6220009dc5fda6082496b9d97b1e855ee",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@ -160,11 +160,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1766939458, "lastModified": 1767280655,
"narHash": "sha256-VvZeAKyB3vhyHStSO8ACKzWRKNQPmVWktjfuSVdvtUA=", "narHash": "sha256-YmaYMduV5ko8zURUT1VLGDbVC1L/bxHS0NsiPoZ6bBM=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "e298a148013c980e3c8c0ac075295fab5074d643", "rev": "d49d2543f02dbd789ed032188c84570d929223cb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -191,11 +191,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1766568855, "lastModified": 1767185284,
"narHash": "sha256-UXVtN77D7pzKmzOotFTStgZBqpOcf8cO95FcupWp4Zo=", "narHash": "sha256-ljDBUDpD1Cg5n3mJI81Hz5qeZAwCGxon4kQW3Ho3+6Q=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "c5db9569ac9cc70929c268ac461f4003e3e5ca80", "rev": "40b1a28dce561bea34858287fbb23052c3ee63fe",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -207,11 +207,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1766736597, "lastModified": 1767047869,
"narHash": "sha256-BASnpCLodmgiVn0M1MU2Pqyoz0aHwar/0qLkp7CjvSQ=", "narHash": "sha256-tzYsEzXEVa7op1LTnrLSiPGrcCY6948iD0EcNLWcmzo=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "f560ccec6b1116b22e6ed15f4c510997d99d5852", "rev": "89dbf01df72eb5ebe3b24a86334b12c27d68016a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -238,11 +238,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1766651565, "lastModified": 1767116409,
"narHash": "sha256-QEhk0eXgyIqTpJ/ehZKg9IKS7EtlWxF3N7DXy42zPfU=", "narHash": "sha256-5vKw92l1GyTnjoLzEagJy5V5mDFck72LiQWZSOnSicw=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "3e2499d5539c16d0d173ba53552a4ff8547f4539", "rev": "cad22e7d996aea55ecab064e84834289143e44a0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -344,11 +344,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1766000401, "lastModified": 1767122417,
"narHash": "sha256-+cqN4PJz9y0JQXfAK5J1drd0U05D5fcAGhzhfVrDlsI=", "narHash": "sha256-yOt/FTB7oSEKQH9EZMFMeuldK1HGpQs2eAzdS9hNS/o=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "42d96e75aa56a3f70cab7e7dc4a32868db28e8fd", "rev": "dec15f37015ac2e774c84d0952d57fcdf169b54d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -382,11 +382,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1766888861, "lastModified": 1767319998,
"narHash": "sha256-BA+gbbAFYY+z0WvIWu8nwOZYzHuzHbnnIH+R6vjSanI=", "narHash": "sha256-YXKjuWf/f6Smvv8qEmSSNpXIV+EXllglMZaMVuChT2Q=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-vscode-extensions", "repo": "nix-vscode-extensions",
"rev": "2b8957cca4532b30e06c1cbd0386ec4fbf3b16fa", "rev": "2a8c99844e9e65f6deeee8f1d7e8194998795b41",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -33,6 +33,7 @@
nebula.node = { nebula.node = {
enable = true; enable = true;
address = "10.254.250.1"; address = "10.254.250.1";
isClient = true;
}; };
syncthing = { syncthing = {
enable = true; enable = true;


@ -36,6 +36,7 @@
nebula.node = { nebula.node = {
enable = true; enable = true;
address = "10.254.250.3"; address = "10.254.250.3";
isClient = true;
}; };
syncthing = { syncthing = {
enable = true; enable = true;


@ -34,8 +34,9 @@
nebula.node = { nebula.node = {
enable = true; enable = true;
address = "10.254.250.2"; address = "10.254.250.2";
isLighthouse = true;
routableAddress = "49.13.231.235"; routableAddress = "49.13.231.235";
isLighthouse = true;
isServer = true;
}; };
syncthing = { syncthing = {


@ -6,32 +6,29 @@
}: }:
let let
cfg = config.custom.services.nebula.node; cfg = config.custom.services.nebula.node;
peers = config.custom.services.nebula.peers;
hostname = config.networking.hostName; hostname = config.networking.hostName;
nodes = lighthouses = peers |> lib.filter (node: node.isLighthouse);
self.nixosConfigurations
|> lib.filterAttrs (name: _: name != hostname)
|> lib.attrValues
|> lib.map (value: value.config.custom.services.nebula.node)
|> lib.filter (node: node.enable);
lighthouses = nodes |> lib.filter (node: node.isLighthouse); routablePeers = peers |> lib.filter (node: node.routableAddress != null);
routableNodes = nodes |> lib.filter (node: node.routableAddress != null);
in in
{ {
options.custom.services.nebula.node = { options.custom.services.nebula = {
node = {
enable = lib.mkEnableOption ""; enable = lib.mkEnableOption "";
name = lib.mkOption { name = lib.mkOption {
type = lib.types.nonEmptyStr; type = lib.types.nonEmptyStr;
default = config.networking.hostName; default = hostname;
}; };
address = lib.mkOption { address = lib.mkOption {
type = lib.types.nonEmptyStr; type = lib.types.nonEmptyStr;
default = ""; default = "";
}; };
isLighthouse = lib.mkEnableOption ""; isLighthouse = lib.mkEnableOption "";
isServer = lib.mkEnableOption "";
isClient = lib.mkEnableOption "";
routableAddress = lib.mkOption { routableAddress = lib.mkOption {
type = lib.types.nullOr lib.types.nonEmptyStr; type = lib.types.nullOr lib.types.nonEmptyStr;
@ -52,6 +49,18 @@ in
}; };
}; };
peers = lib.mkOption {
type = lib.types.anything;
default =
self.nixosConfigurations
|> lib.filterAttrs (name: _: name != hostname)
|> lib.attrValues
|> lib.map (value: value.config.custom.services.nebula.node)
|> lib.filter (node: node.enable);
readOnly = true;
};
};
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
meta.ports.udp = lib.optional (cfg.routablePort != null) cfg.routablePort; meta.ports.udp = lib.optional (cfg.routablePort != null) cfg.routablePort;
@ -61,11 +70,11 @@ in
}; };
sops.secrets."nebula/host-key" = { sops.secrets."nebula/host-key" = {
owner = config.users.users.nebula-main.name; owner = config.users.users.nebula-mesh.name;
restartUnits = [ "nebula@main.service" ]; restartUnits = [ "nebula@mesh.service" ];
}; };
services.nebula.networks.main = { services.nebula.networks.mesh = {
enable = true; enable = true;
ca = ./ca.crt; ca = ./ca.crt;
@ -80,7 +89,7 @@ in
); );
staticHostMap = staticHostMap =
routableNodes routablePeers
|> lib.map (lighthouse: { |> lib.map (lighthouse: {
name = lighthouse.address; name = lighthouse.address;
value = lib.singleton "${lighthouse.routableAddress}:${toString lighthouse.routablePort}"; value = lib.singleton "${lighthouse.routableAddress}:${toString lighthouse.routablePort}";
@ -89,14 +98,14 @@ in
firewall = { firewall = {
outbound = lib.singleton { outbound = lib.singleton {
host = "any";
port = "any"; port = "any";
proto = "any"; proto = "any";
host = "any";
}; };
inbound = lib.singleton { inbound = lib.singleton {
host = "any";
port = "any"; port = "any";
proto = "any"; proto = "icmp";
host = "any";
}; };
}; };
@ -104,7 +113,10 @@ in
pki.disconnect_invalid = true; pki.disconnect_invalid = true;
cipher = "aes"; cipher = "aes";
logging.level = "warning"; logging.level = "warning";
lighthouse.local_allow_list.interfaces.tailscale0 = false;
}; };
}; };
networking.firewall.trustedInterfaces = [ "nebula.mesh" ];
}; };
} }
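Review bot: `networking.firewall.trustedInterfaces = [ "nebula.mesh" ]` in the last hunk switches off host-firewall filtering for every packet that arrives over the mesh, so the rules in `services.nebula.networks.mesh.firewall.inbound` become the only access control for any service listening on this node; that is a defensible design but it should be stated next to the line, e.g. `# mesh traffic bypasses the host firewall: nebula's inbound rules are the sole gate for peers`. The inbound rule in the preceding hunk now permits only `proto = "icmp"` from `host = "any"`, which is the right baseline for that model. `isServer` is declared in the options hunk but no hunk on this page reads it, so either its consumer lives outside this diff or the option is currently inert; worth confirming. The trusted-interface name also relies on the NixOS module's default `tun.dev` for network `mesh`; if that is ever overridden the entry silently stops matching and the host firewall would apply again.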


@ -0,0 +1,45 @@
{ config, lib, ... }:
let
cfg = config.custom.services.nebula.node;
in
{
options.custom.services.nebula.node.sshd = {
enable = lib.mkEnableOption "" // {
default = true;
};
port = lib.mkOption {
type = lib.types.port;
default = 22;
};
};
config = lib.mkIf (cfg.enable && cfg.sshd.enable) {
meta.ports.tcp = [ cfg.sshd.port ];
services = {
openssh = {
enable = true;
openFirewall = false;
ports = [ ];
listenAddresses = lib.singleton {
addr = cfg.address;
inherit (cfg.sshd) port;
};
};
nebula.networks.mesh.firewall.inbound =
config.custom.services.nebula.peers
|> lib.filter (node: node.isClient)
|> lib.map (nebula: {
port = "22";
proto = "tcp";
host = nebula.name;
});
};
systemd.services.sshd = {
requires = [ "nebula@mesh.service" ];
after = [ "nebula@mesh.service" ];
};
};
}
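Review bot: The nebula firewall rule hardcodes `port = "22"` while sshd listens on `cfg.sshd.port`, so changing the port option leaves ssh unreachable over the mesh; use `port = toString cfg.sshd.port;` so the rule follows the option. `listenAddresses` binds to `cfg.address`, whose option default is `""`, and nothing in this module checks it; an `assertions` entry requiring `cfg.address != ""` whenever `cfg.sshd.enable` holds would turn an invalid ListenAddress into an evaluation-time error instead of a silently failing service. With `openFirewall = false` the daemon is reachable only through the mesh rule, which matches peers by certificate name via `host = nebula.name` for each `isClient` node; a one-line comment above the `inbound` assignment saying so would help the next reader understand why no host-firewall port is opened.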