diff --git a/flake.lock b/flake.lock index ad6b5c4..ea2322c 100644 --- a/flake.lock +++ b/flake.lock @@ -88,11 +88,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1766203416, - "narHash": "sha256-UrIuqnXvM+73owAiq1zjHNtaWrv72wD1yKO6jTowhTQ=", + "lastModified": 1766549013, + "narHash": "sha256-GTT+poVhfyQ3JoKIneAT8tZgUEt0KyC6jN6LewIDYLY=", "owner": "rycee", "repo": "nur-expressions", - "rev": "8b55bb199045aa79e2965b7482b04ee4773192e3", + "rev": "356637020672729e7d406e65cb2e72a633301aba", "type": "gitlab" }, "original": { @@ -160,11 +160,11 @@ ] }, "locked": { - "lastModified": 1765979862, - "narHash": "sha256-/r9/1KamvbHJx6I40H4HsSXnEcBAkj46ZwibhBx9kg0=", + "lastModified": 1766553861, + "narHash": "sha256-ZbnG01yA3O8Yr1vUm3+NQ2qk9iRhS5bloAnuXHHy7+c=", "owner": "nix-community", "repo": "home-manager", - "rev": "d3135ab747fd9dac250ffb90b4a7e80634eacbe9", + "rev": "0999ed8f965bbbd991437ad9c5ed3434cecbc30e", "type": "github" }, "original": { @@ -191,11 +191,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1764440730, - "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=", + "lastModified": 1766568855, + "narHash": "sha256-UXVtN77D7pzKmzOotFTStgZBqpOcf8cO95FcupWp4Zo=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3", + "rev": "c5db9569ac9cc70929c268ac461f4003e3e5ca80", "type": "github" }, "original": { @@ -207,11 +207,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1765838191, - "narHash": "sha256-m5KWt1nOm76ILk/JSCxBM4MfK3rYY7Wq9/TZIIeGnT8=", + "lastModified": 1766473571, + "narHash": "sha256-5G1NDO2PulBx1RoaA6U1YoUDX0qZslpPxv+n5GX6Qto=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c6f52ebd45e5925c188d1a20119978aa4ffd5ef6", + "rev": "76701a179d3a98b07653e2b0409847499b2a07d3", "type": "github" }, "original": { 
@@ -238,11 +238,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1766070988, - "narHash": "sha256-G/WVghka6c4bAzMhTwT2vjLccg/awmHkdKSd2JrycLc=", + "lastModified": 1766309749, + "narHash": "sha256-3xY8CZ4rSnQ0NqGhMKAy5vgC+2IVK0NoVEzDoOh4DA4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c6245e83d836d0433170a16eb185cefe0572f8b8", + "rev": "a6531044f6d0bef691ea18d4d4ce44d0daa6e816", "type": "github" }, "original": { @@ -294,11 +294,11 @@ ] }, "locked": { - "lastModified": 1765836173, - "narHash": "sha256-hWRYfdH2ONI7HXbqZqW8Q1y9IRbnXWvtvt/ONZovSNY=", + "lastModified": 1766289575, + "narHash": "sha256-BOKCwOQQIP4p9z8DasT5r+qjri3x7sPCOq+FTjY8Z+o=", "owner": "Mic92", "repo": "sops-nix", - "rev": "443a7f2e7e118c4fc63b7fae05ab3080dd0e5c63", + "rev": "9836912e37aef546029e48c8749834735a6b9dad", "type": "github" }, "original": { @@ -382,11 +382,11 @@ ] }, "locked": { - "lastModified": 1766225876, - "narHash": "sha256-e7kkh5axo86jc7QRMnWYpHNf9hHbG53xMTzr5v63cjw=", + "lastModified": 1766369649, + "narHash": "sha256-8Z/4upd/AS7pU72QS3GesaWeTgM4VcrSf85bh9fxum8=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "4ee8ee764ea5cf2fcb44684d04488b8f5e2115b7", + "rev": "94058abef65a5f2916f4d9da67d9966039366514", "type": "github" }, "original": { diff --git a/modules/system/services/nebula/default.nix b/modules/system/services/nebula/default.nix index 106328e..9ae8915 100644 --- a/modules/system/services/nebula/default.nix +++ b/modules/system/services/nebula/default.nix 
@@ -9,13 +9,16 @@ let hostname = config.networking.hostName; - lighthouses = + nodes = self.nixosConfigurations |> lib.filterAttrs (name: _: name != hostname) |> lib.attrValues |> lib.map (value: value.config.custom.services.nebula.node) - |> lib.filter (nebula: nebula.enable) - |> lib.filter (nebula: nebula.isLighthouse); + |> lib.filter (node: node.enable); + + lighthouses = nodes |> lib.filter (node: node.isLighthouse); + + routableNodes = nodes |> lib.filter (node: node.routableAddress != null); in { options.custom.services.nebula.node = { @@ -28,15 +31,15 @@ in type = lib.types.nonEmptyStr; default = ""; }; - isLighthouse = lib.mkEnableOption ""; + routableAddress = lib.mkOption { type = lib.types.nullOr lib.types.nonEmptyStr; default = null; }; routablePort = lib.mkOption { type = lib.types.nullOr lib.types.port; - default = if cfg.isLighthouse then 47141 else null; + default = if cfg.routableAddress != null then 47141 else null; }; pubPath = lib.mkOption { @@ -50,7 +53,12 @@ in }; config = lib.mkIf cfg.enable { - meta.ports.udp = lib.optional (cfg.routablePort != 0) cfg.routablePort; + meta.ports.udp = lib.optional (cfg.routablePort != null) cfg.routablePort; + + assertions = lib.singleton { + assertion = cfg.isLighthouse -> cfg.routableAddress != null; + message = "'${hostname}' is a Nebula lighthouse, but routableAddress is not set. Lighthouses must be publicly reachable."; + }; sops.secrets."nebula/host-key" = { owner = config.users.users.nebula-main.name; @@ -70,8 +78,9 @@ in lighthouses = lib.mkIf (!cfg.isLighthouse) ( lighthouses |> lib.map (lighthouse: lighthouse.address) ); + staticHostMap = - lighthouses + routableNodes |> lib.map (lighthouse: { name = lighthouse.address; value = lib.singleton "${lighthouse.routableAddress}:${toString lighthouse.routablePort}"; @@ -94,6 +103,7 @@ in settings = { pki.disconnect_invalid = true; cipher = "aes"; + logging.level = "warning"; }; }; };
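Review bot: `cfg.isLighthouse` is still read in three places on the new side — the added assertion, `lighthouses = lib.mkIf (!cfg.isLighthouse)`, and `node.isLighthouse` in the `let` block — but the `@@ -28,15 +31,15 @@` hunk removes the `isLighthouse = lib.mkEnableOption "";` declaration, and the `+` line that replaces it appears to be blank. Unless that option is declared in another module this diff does not show, evaluating any host's config will fail with an "attribute 'isLighthouse' missing" error, so the new lighthouse/routableAddress assertion could never run. I would keep the declaration, and document the coupling the commit introduces: `isLighthouse = lib.mkEnableOption "acting as a Nebula lighthouse; requires routableAddress to be set";`.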
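Review bot: The new assertion covers the lighthouse case but not the port side of the same dependency: `routablePort` only defaults to 47141 when `routableAddress` is set, a host can still override it to `null`, and `routableNodes` filters on the address alone, so `staticHostMap` would interpolate `toString null` and publish an entry of the form `"<address>:"` to every other host, which Nebula is unlikely to accept as an endpoint. Since `assertions` is already a list here, a second entry closes the gap; the change replaces the `lib.singleton` with a two-element list and adds a why-comment, as below.
```nix
    assertions = [
      {
        assertion = cfg.isLighthouse -> cfg.routableAddress != null;
        message = "'${hostname}' is a Nebula lighthouse, but routableAddress is not set. Lighthouses must be publicly reachable.";
      }
      {
        # routableNodes is keyed on routableAddress alone, so a null port would
        # land in every peer's static_host_map as "<address>:".
        assertion = cfg.routableAddress != null -> cfg.routablePort != null;
        message = "'${hostname}' sets routableAddress but routablePort is null; both are needed for peers' static_host_map entries.";
      }
    ];
```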
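Review bot: The lambda parameter in the `staticHostMap` hunk is still named `lighthouse` although the list it maps over is now `routableNodes`, so a reader sees `lighthouse.routableAddress` producing entries for hosts that are not lighthouses at all. Renaming it keeps the code honest about what is being mapped: `|> lib.map (node: {`, `name = node.address;`, `value = lib.singleton "${node.routableAddress}:${toString node.routablePort}";`. A one-line comment above the attribute would also help, since the behavioural change here is that every routable node's public endpoint is now distributed to every peer's config rather than only the lighthouses'. The `staticHostMap` expression continues past the end of the hunk, so the close of the `lib.map` call is not visible here.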
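Review bot: `logging.level = "warning"` is added without a comment, and from an incident-response standpoint it trades away the only per-peer record this host keeps: as far as I recall Nebula logs handshake completion and the `disconnect_invalid` teardown (enabled on the line above) at info, so at warning the journal will show neither which peers established tunnels nor which certificates were rejected. If the quieter output is intentional, document the trade-off on the line: `# "warning" drops Nebula's info-level handshake/teardown logs; raise to "info" when investigating peer or certificate issues`. Otherwise consider leaving the default level and filtering at the journal instead.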