Compare commits


5 commits

Author SHA1 Message Date
435a70a4e9
nebula: Test with desktop and vps-private 2025-12-23 14:43:18 +01:00
a7a16378b2
nebula: Init module 2025-12-23 14:42:26 +01:00
2eea28da43
caddy: Fix caddy-tailscale hash 2025-12-22 22:38:04 +01:00
8cd27cac05
Increase min-free threshold 2025-12-22 22:37:27 +01:00
3a707235fa
flake.lock: Update
Flake lock file updates:

• Updated input 'firefox-addons':
    'gitlab:rycee/nur-expressions/2843ec4d4793815111a1b99e170ec7b1842b7f9f?dir=pkgs/firefox-addons&narHash=sha256-j9BnLfWdJrJrETfmfnlnpvRGKVp1MLRaw78oYDSnTRY%3D' (2025-12-16)
  → 'gitlab:rycee/nur-expressions/8b55bb199045aa79e2965b7482b04ee4773192e3?dir=pkgs/firefox-addons&narHash=sha256-UrIuqnXvM%2B73owAiq1zjHNtaWrv72wD1yKO6jTowhTQ%3D' (2025-12-20)
• Updated input 'home-manager':
    'github:nix-community/home-manager/7df150f0d3857cf68dae443813b27acfb201b2d8?narHash=sha256-LN5O0h9GSgcDE/sz4%2BsLS3CbQALru1x4lh9hrxpeHwI%3D' (2025-12-16)
  → 'github:nix-community/home-manager/d3135ab747fd9dac250ffb90b4a7e80634eacbe9?narHash=sha256-/r9/1KamvbHJx6I40H4HsSXnEcBAkj46ZwibhBx9kg0%3D' (2025-12-17)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/c8cfcd6ccd422e41cc631a0b73ed4d5a925c393d?narHash=sha256-3iXM/zTqEskWtmZs3gqNiVtRTsEjYAedIaLL0mSBsrk%3D' (2025-12-15)
  → 'github:nixos/nixpkgs/c6f52ebd45e5925c188d1a20119978aa4ffd5ef6?narHash=sha256-m5KWt1nOm76ILk/JSCxBM4MfK3rYY7Wq9/TZIIeGnT8%3D' (2025-12-15)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/1306659b587dc277866c7b69eb97e5f07864d8c4?narHash=sha256-KJ2wa/BLSrTqDjbfyNx70ov/HdgNBCBBSQP3BIzKnv4%3D' (2025-12-15)
  → 'github:nixos/nixpkgs/c6245e83d836d0433170a16eb185cefe0572f8b8?narHash=sha256-G/WVghka6c4bAzMhTwT2vjLccg/awmHkdKSd2JrycLc%3D' (2025-12-18)
• Updated input 'treefmt':
    'github:numtide/treefmt-nix/5b4ee75aeefd1e2d5a1cc43cf6ba65eba75e83e4?narHash=sha256-AlEObg0syDl%2BSpi4LsZIBrjw%2BsnSVU4T8MOeuZJUJjM%3D' (2025-11-12)
  → 'github:numtide/treefmt-nix/42d96e75aa56a3f70cab7e7dc4a32868db28e8fd?narHash=sha256-%2BcqN4PJz9y0JQXfAK5J1drd0U05D5fcAGhzhfVrDlsI%3D' (2025-12-17)
• Updated input 'vscode-extensions':
    'github:nix-community/nix-vscode-extensions/3117a5178ba33eafea691756cca52ab250f2a5a9?narHash=sha256-WMxrG7K5kQQS0dc8b8WDdwKyBYokRc0Ssa1gIcAigBs%3D' (2025-12-16)
  → 'github:nix-community/nix-vscode-extensions/4ee8ee764ea5cf2fcb44684d04488b8f5e2115b7?narHash=sha256-e7kkh5axo86jc7QRMnWYpHNf9hHbG53xMTzr5v63cjw%3D' (2025-12-20)
2025-12-21 01:16:47 +01:00
13 changed files with 165 additions and 26 deletions

36
flake.lock generated

@ -88,11 +88,11 @@
}, },
"locked": { "locked": {
"dir": "pkgs/firefox-addons", "dir": "pkgs/firefox-addons",
"lastModified": 1765876616, "lastModified": 1766203416,
"narHash": "sha256-j9BnLfWdJrJrETfmfnlnpvRGKVp1MLRaw78oYDSnTRY=", "narHash": "sha256-UrIuqnXvM+73owAiq1zjHNtaWrv72wD1yKO6jTowhTQ=",
"owner": "rycee", "owner": "rycee",
"repo": "nur-expressions", "repo": "nur-expressions",
"rev": "2843ec4d4793815111a1b99e170ec7b1842b7f9f", "rev": "8b55bb199045aa79e2965b7482b04ee4773192e3",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@ -160,11 +160,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1765859973, "lastModified": 1765979862,
"narHash": "sha256-LN5O0h9GSgcDE/sz4+sLS3CbQALru1x4lh9hrxpeHwI=", "narHash": "sha256-/r9/1KamvbHJx6I40H4HsSXnEcBAkj46ZwibhBx9kg0=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "7df150f0d3857cf68dae443813b27acfb201b2d8", "rev": "d3135ab747fd9dac250ffb90b4a7e80634eacbe9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -207,11 +207,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1765762245, "lastModified": 1765838191,
"narHash": "sha256-3iXM/zTqEskWtmZs3gqNiVtRTsEjYAedIaLL0mSBsrk=", "narHash": "sha256-m5KWt1nOm76ILk/JSCxBM4MfK3rYY7Wq9/TZIIeGnT8=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c8cfcd6ccd422e41cc631a0b73ed4d5a925c393d", "rev": "c6f52ebd45e5925c188d1a20119978aa4ffd5ef6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -238,11 +238,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1765779637, "lastModified": 1766070988,
"narHash": "sha256-KJ2wa/BLSrTqDjbfyNx70ov/HdgNBCBBSQP3BIzKnv4=", "narHash": "sha256-G/WVghka6c4bAzMhTwT2vjLccg/awmHkdKSd2JrycLc=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "1306659b587dc277866c7b69eb97e5f07864d8c4", "rev": "c6245e83d836d0433170a16eb185cefe0572f8b8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -344,11 +344,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1762938485, "lastModified": 1766000401,
"narHash": "sha256-AlEObg0syDl+Spi4LsZIBrjw+snSVU4T8MOeuZJUJjM=", "narHash": "sha256-+cqN4PJz9y0JQXfAK5J1drd0U05D5fcAGhzhfVrDlsI=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "5b4ee75aeefd1e2d5a1cc43cf6ba65eba75e83e4", "rev": "42d96e75aa56a3f70cab7e7dc4a32868db28e8fd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -382,11 +382,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1765850658, "lastModified": 1766225876,
"narHash": "sha256-WMxrG7K5kQQS0dc8b8WDdwKyBYokRc0Ssa1gIcAigBs=", "narHash": "sha256-e7kkh5axo86jc7QRMnWYpHNf9hHbG53xMTzr5v63cjw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-vscode-extensions", "repo": "nix-vscode-extensions",
"rev": "3117a5178ba33eafea691756cca52ab250f2a5a9", "rev": "4ee8ee764ea5cf2fcb44684d04488b8f5e2115b7",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -36,8 +36,8 @@
commit-lock-file-summary = "flake.lock: Update"; commit-lock-file-summary = "flake.lock: Update";
allow-import-from-derivation = false; allow-import-from-derivation = false;
min-free = 1 * 1024 * 1024 * 1024; min-free = 4 * 1024 * 1024 * 1024;
max-free = 5 * 1024 * 1024 * 1024; max-free = 8 * 1024 * 1024 * 1024;
}; };
}; };


@ -33,6 +33,10 @@
enable = true; enable = true;
ssh.enable = true; ssh.enable = true;
}; };
nebula.node = {
enable = true;
address = "10.254.250.1";
};
syncthing = { syncthing = {
enable = true; enable = true;
deviceId = "FAJS5WM-UAWGW2U-FXCGPSP-VAUOTGM-XUKSEES-D66PMCJ-WBODJLV-XTNCRA7"; deviceId = "FAJS5WM-UAWGW2U-FXCGPSP-VAUOTGM-XUKSEES-D66PMCJ-WBODJLV-XTNCRA7";


@ -0,0 +1,6 @@
-----BEGIN NEBULA CERTIFICATE V2-----
MIGmoECAB2Rlc2t0b3ChBwQFCv76ARiFBGlIaqqGBGsoffSHIBVD/hlbqt7XLMVq
DE4DhIQzJRBaXtQIwm5gRTI7c0VogiAWuCbaQyz2y1A+OrT1+mI2U2EdQ3X3HPzA
SkjZQ+zAG4NANTlPvjlzVHXcvSnZpWO0HVFFLlFKkPav33SUb51KaOt+HX0Xyu3r
3EvhBuRRS6pc6x5/ZawfxWakQwb5dTuhDg==
-----END NEBULA CERTIFICATE V2-----


@ -0,0 +1,3 @@
-----BEGIN NEBULA X25519 PUBLIC KEY-----
Frgm2kMs9stQPjq09fpiNlNhHUN19xz8wEpI2UPswBs=
-----END NEBULA X25519 PUBLIC KEY-----


@ -7,6 +7,9 @@
"cert": "ENC[AES256_GCM,data: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,iv:72+0+hlBxKtuhjhrLD1EMlx8LcJtskxO+MCpYj7rpes=,tag:qnQlahuimpMoVY1hbTGI6g==,type:str]", "cert": "ENC[AES256_GCM,data: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,iv:72+0+hlBxKtuhjhrLD1EMlx8LcJtskxO+MCpYj7rpes=,tag:qnQlahuimpMoVY1hbTGI6g==,type:str]",
"key": "ENC[AES256_GCM,data:A/Am53gADkKNOn1kAgNoJmirRhIDtysyX8+ubtpyKTQKhTzEJfEKFrVw5BjJ8rYRS31DgMYV20FQs7HOfoRsR3MFdSGDFUgePnbIcNGpHD6EY8GJ9TblT+NyPsYsKG4WgFZElOjQYT3X9Rr0IWoNnDJoOaaI5sCpOumfLKWrekWvYfTUT+SiFfkCebeEQs7ZF7G6ZQJF73upaeKdbd8/uBdcfVc/c6PdjGvY1xnCOAqW39S9K2fK0RibqHs8BiuzPBTCYjBg6euYXi+XGrZjmHLFnj/ZflroiPJr/qFhMDVnmiaW7M3sWYDQYYPd6rk6Adam+ylEAU8BXwIjmdHNkR48WbdIDYWCHHdv4iZ8MLTj6MaX/ksIZvev2M19Eiyi,iv:lkGS4uR0Xd7FnahXLjVc8g0PiRPxyUS6YQY3EM3B5G0=,tag:NZYybe/MgP+LNlJ09AiV6g==,type:str]" "key": "ENC[AES256_GCM,data:A/Am53gADkKNOn1kAgNoJmirRhIDtysyX8+ubtpyKTQKhTzEJfEKFrVw5BjJ8rYRS31DgMYV20FQs7HOfoRsR3MFdSGDFUgePnbIcNGpHD6EY8GJ9TblT+NyPsYsKG4WgFZElOjQYT3X9Rr0IWoNnDJoOaaI5sCpOumfLKWrekWvYfTUT+SiFfkCebeEQs7ZF7G6ZQJF73upaeKdbd8/uBdcfVc/c6PdjGvY1xnCOAqW39S9K2fK0RibqHs8BiuzPBTCYjBg6euYXi+XGrZjmHLFnj/ZflroiPJr/qFhMDVnmiaW7M3sWYDQYYPd6rk6Adam+ylEAU8BXwIjmdHNkR48WbdIDYWCHHdv4iZ8MLTj6MaX/ksIZvev2M19Eiyi,iv:lkGS4uR0Xd7FnahXLjVc8g0PiRPxyUS6YQY3EM3B5G0=,tag:NZYybe/MgP+LNlJ09AiV6g==,type:str]"
}, },
"nebula": {
"host-key": "ENC[AES256_GCM,data:Udr9Frsmn5krgFHgjTbtUoziUCL9eRgFpslWL8Pfx6Y/iHaLg2zuuH8OnsU1wRr68VZVxJ8lhhPInG2Q+SFOaUt9LHAxRc+GxeBq0kRw+Slqd8dOyvFC+Q9IBlgf9dynF/gyyCNsaec9arggvK0BJiHuCZeJ15gCE9nUQJspAw==,iv:fZQOFH+iFWUu+Vap7irn0i265NuFwwzvaK0J1tRdbl4=,tag:d6uWFpM77RsPAyKwCES8zg==,type:str]"
},
"sops": { "sops": {
"age": [ "age": [
{ {
@ -18,9 +21,9 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Qmh4TnU2U0toYXZlaUpU\nZWdBVFMwRVpxelBTb3FvMHVDQkFMMkVlOEVjCjNaTEJDaGlkcUJtem43aDZ6Yk9j\nZGhmWFFvbm1HN0N1VkUyN1lQLzM2c0UKLS0tIHhEeFNyaXI0UDB0ZDBydW80djRX\nSmpyNDlLSFMvaXRsZGdWcS9nVTRzbk0KNryo5P1+bu9vntBafSgAAHxSsYXG2ELj\nQQM6kP+eaSoEFXfWxp7dhxHcjoTjQ9DmCgzVaDUD8nLzFsiJsgbjIg==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Qmh4TnU2U0toYXZlaUpU\nZWdBVFMwRVpxelBTb3FvMHVDQkFMMkVlOEVjCjNaTEJDaGlkcUJtem43aDZ6Yk9j\nZGhmWFFvbm1HN0N1VkUyN1lQLzM2c0UKLS0tIHhEeFNyaXI0UDB0ZDBydW80djRX\nSmpyNDlLSFMvaXRsZGdWcS9nVTRzbk0KNryo5P1+bu9vntBafSgAAHxSsYXG2ELj\nQQM6kP+eaSoEFXfWxp7dhxHcjoTjQ9DmCgzVaDUD8nLzFsiJsgbjIg==\n-----END AGE ENCRYPTED FILE-----\n"
} }
], ],
"lastmodified": "2025-10-11T15:48:45Z", "lastmodified": "2025-12-21T01:21:48Z",
"mac": "ENC[AES256_GCM,data:JXwbZJDo7yDhTPA7QfJ83dWuIJovwyijqcU6XtLMToN6LQnqsdD0mJ9blZDXFT6X+Z/LIlkeK/LOZURYLp73FiAPV5I8S9D7iq/PCGiB6HZOIAzZbwD4s3/0lw+0FhcpVK6obS1gMqr1si6vDm5mM4XvhMifOCx9Dxic8IuGoTg=,iv:QbxT/6oNQa598yeAFBrYnNn/N8uNsMoIZNJMPAaijH8=,tag:1IgkVIJlcpQ9TNW/javbmg==,type:str]", "mac": "ENC[AES256_GCM,data:tn8lgEn8Sp2YYFUVRUa+yOND7oISGld22+otWBB9U1she28JZ+g+vvdpCPRPevkqWHA+BawKUKkaD8Iaoe732HQukpbIBrVgK+g6YpaSnakhSZPGV2oE3z7KdSDeYdBF/La0ml1OKs67hldFfN9D2Sl5RdTROwBWaVaJesNTFS4=,iv:BCbSXBAUqb/LoDfLXLi6UB+CRuJOKEXuHFjITAdaH+E=,tag:f570BuZv30rL45m4y1IwJg==,type:str]",
"unencrypted_suffix": "_unencrypted", "unencrypted_suffix": "_unencrypted",
"version": "3.10.2" "version": "3.11.0"
} }
} }


@ -33,6 +33,12 @@
ssh.enable = true; ssh.enable = true;
exitNode.enable = true; exitNode.enable = true;
}; };
nebula.node = {
enable = true;
address = "10.254.250.2";
isLighthouse = true;
routableAddress = "49.13.231.235";
};
syncthing = { syncthing = {
enable = true; enable = true;


@ -0,0 +1,6 @@
-----BEGIN NEBULA CERTIFICATE V2-----
MIGqoESAC3Zwcy1wcml2YXRloQcEBQr++gIYhQRpSG/KhgRrKH30hyAVQ/4ZW6re
1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIgxxdwQe3CJkEjhN6lB0dWCNqjNug5
oIN9KQTTTCp0dguDQHynn1xdarsZsfvF6ZJB01HrOVgLs2kVod3ZZZD3L8Fe/hfF
TryU5SxJ8MH6irDdtgTs+9pU+BaNWms1X4zfkAQ=
-----END NEBULA CERTIFICATE V2-----


@ -0,0 +1,3 @@
-----BEGIN NEBULA X25519 PUBLIC KEY-----
xxdwQe3CJkEjhN6lB0dWCNqjNug5oIN9KQTTTCp0dgs=
-----END NEBULA X25519 PUBLIC KEY-----


@ -21,6 +21,9 @@
"radicale": { "radicale": {
"htpasswd": "ENC[AES256_GCM,data:PaN9mAYR8slQQpojnZpCPMNxgQtvCa0pj90tfUgQr9MFgout7RpbWs97XMzbmWws6ov3g91+0U5l1tcS68O4rQ==,iv:Je68Sg1b5qkx1WYJ5y11yx+ASNd5bk43YpY8axzqNGI=,tag:Ce84ptIiCIRHpZHSoozoyg==,type:str]" "htpasswd": "ENC[AES256_GCM,data:PaN9mAYR8slQQpojnZpCPMNxgQtvCa0pj90tfUgQr9MFgout7RpbWs97XMzbmWws6ov3g91+0U5l1tcS68O4rQ==,iv:Je68Sg1b5qkx1WYJ5y11yx+ASNd5bk43YpY8axzqNGI=,tag:Ce84ptIiCIRHpZHSoozoyg==,type:str]"
}, },
"nebula": {
"host-key": "ENC[AES256_GCM,data:dS3tXWUK+POzTZ98wLETaWz4ief/yFULCfI5Y3EbK26KQpwxzw6cpLXUNOSZeUwz9brN/4JcwUgewJR08Uq3HZhKZKoMPZfPRtZMDe51I4RYg4hZd1mMWXQn82KmSytZCiDIL/9qCwYvObVRiNCpAOKRj6JBpgpoQ1u5hgn1EA==,iv:G25EpAnvoLfYXAdPyJVqS3ocUPg5LQlUoi7fA+XFOZ8=,tag:/BNhuxJCunM85H9DnPF5Kg==,type:str]"
},
"sops": { "sops": {
"age": [ "age": [
{ {
@ -32,8 +35,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqU01heng3NHdrYnZFZmZn\nZlJtUUIyd1ExTmhzeU5iZFZadFcwR25GOEVZCmxHOXNWQVh1ZlJSRHJtaDVHNVUv\nbTY0TlNmZ2hESDkzS2M3WHdlamxwclkKLS0tIEEvOFd3TDFkQmQwbjBodHhpb1BD\nZ2NvTnNqQmtrLy9aVDdGRGxZbVgrZG8KdnnjJWcjZFu3R8fVKToj6THHHRCFou9k\njQoedCZAML2A2FZIhHugH9wnDUPQQjG86WbcCBuFWcOTGiTF2gN+Qg==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqU01heng3NHdrYnZFZmZn\nZlJtUUIyd1ExTmhzeU5iZFZadFcwR25GOEVZCmxHOXNWQVh1ZlJSRHJtaDVHNVUv\nbTY0TlNmZ2hESDkzS2M3WHdlamxwclkKLS0tIEEvOFd3TDFkQmQwbjBodHhpb1BD\nZ2NvTnNqQmtrLy9aVDdGRGxZbVgrZG8KdnnjJWcjZFu3R8fVKToj6THHHRCFou9k\njQoedCZAML2A2FZIhHugH9wnDUPQQjG86WbcCBuFWcOTGiTF2gN+Qg==\n-----END AGE ENCRYPTED FILE-----\n"
} }
], ],
"lastmodified": "2025-12-09T12:25:40Z", "lastmodified": "2025-12-21T22:05:56Z",
"mac": "ENC[AES256_GCM,data:S9WbziGg3LInSZ0ClNa7AKAOHxmYN12K/8Gw0EEWU/Sw5drdQ0UUPapU6r2FJRssQhjw03tOfwylEHO0fFZx9ra0bk9ZX+QrNnktSWNzpJE3XAg9/OzApOoyWptvfxEFLWdYb7FgB4qlK+goNYTiC7sPe1Z4j9Ct25ARfFQYKFc=,iv:7vehA/fdtEJ3B+vnsP2EkaO0L8h4B/gmXudFgJCyyAA=,tag:wBYlqvWDQobqPutTVFbfEA==,type:str]", "mac": "ENC[AES256_GCM,data:i6N/BeTtqkiYz5igk7mHxa69Z8MEe2cRF9541P93utNBddrTGev4VQ5VoqEQEkcOpKWvH5DbQcfsa8k60/zaGXJZ9tWbmbBiBTrbjdslpPJTbVkIwMXWYVhbS87WhfAsyQbRzXu73/jArGKVfDPzcdl2FuRmzXZKQkVjRc7x+Rc=,iv:HxjT6ppxY6jkrSPrcP9m84dd2gy2rGCGKV8MdjGy7FA=,tag:KPWQ2nhsGFuhX8ddFhEZow==,type:str]",
"unencrypted_suffix": "_unencrypted", "unencrypted_suffix": "_unencrypted",
"version": "3.11.0" "version": "3.11.0"
} }


@ -112,7 +112,7 @@ in
services.caddy = { services.caddy = {
package = pkgs.caddy.withPlugins { package = pkgs.caddy.withPlugins {
plugins = [ "github.com/tailscale/caddy-tailscale@v0.0.0-20251117033914-662ef34c64b1" ]; plugins = [ "github.com/tailscale/caddy-tailscale@v0.0.0-20251117033914-662ef34c64b1" ];
hash = "sha256-t2Gw0AbkguS3pwl3FLooK6ZA16mWJLHAkHe3ZdqaE+c="; hash = "sha256-3lc2oSLFIco5Pgz1QNH2hT5tDTPZ4wcbc+NKH9wLEfY=";
}; };
globalConfig = '' globalConfig = ''
tailscale { tailscale {
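Review bot: The `hash` passed to `pkgs.caddy.withPlugins` changes while the pinned plugin version `v0.0.0-20251117033914-662ef34c64b1` stays the same, and nothing next to it records why. The fixed-output hash presumably covers the vendored modules of caddy together with its plugins, so it moves whenever the nixpkgs caddy version moves (the lock file update earlier in this range would explain it). A comment such as `# hash covers caddy + plugin modules; recompute after each nixpkgs bump` would document that and make a mismatch that does not follow a bump stand out as something to investigate. The `services.caddy` block continues outside the hunk.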


@ -0,0 +1,5 @@
-----BEGIN NEBULA CERTIFICATE V2-----
MHugFYAEbWFpboQB/4UEaUdKdYYEayh99YIg5FsAhFthpvA/ELlR7NVFGvuIB5Zv
66n1h1qg0vumHY+DQHGky+1qxbGswdyDZBYfqctktyfJUMKk0TZIn6cqYLbydSZJ
J9HxMj2JWu/d/2nsh11uhRwquBH733AmXZ2DDgE=
-----END NEBULA CERTIFICATE V2-----


@ -0,0 +1,100 @@
{
config,
self,
lib,
...
}:
let
cfg = config.custom.services.nebula.node;
hostname = config.networking.hostName;
lighthouses =
self.nixosConfigurations
|> lib.filterAttrs (name: _: name != hostname)
|> lib.attrValues
|> lib.map (value: value.config.custom.services.nebula.node)
|> lib.filter (nebula: nebula.enable)
|> lib.filter (nebula: nebula.isLighthouse);
in
{
options.custom.services.nebula.node = {
enable = lib.mkEnableOption "";
name = lib.mkOption {
type = lib.types.nonEmptyStr;
default = config.networking.hostName;
};
address = lib.mkOption {
type = lib.types.nonEmptyStr;
default = "";
};
isLighthouse = lib.mkEnableOption "";
routableAddress = lib.mkOption {
type = lib.types.nullOr lib.types.nonEmptyStr;
default = null;
};
routablePort = lib.mkOption {
type = lib.types.nullOr lib.types.port;
default = if cfg.isLighthouse then 47141 else null;
};
pubPath = lib.mkOption {
type = lib.types.path;
default = "${self}/hosts/${hostname}/keys/nebula.pub";
};
certPath = lib.mkOption {
type = lib.types.path;
default = "${self}/hosts/${hostname}/keys/nebula.crt";
};
};
config = lib.mkIf cfg.enable {
meta.ports.udp = lib.optional (cfg.routablePort != 0) cfg.routablePort;
sops.secrets."nebula/host-key" = {
owner = config.users.users.nebula-main.name;
restartUnits = [ "nebula@main.service" ];
};
services.nebula.networks.main = {
enable = true;
ca = ./ca.crt;
cert = cfg.certPath;
key = config.sops.secrets."nebula/host-key".path;
listen.port = cfg.routablePort;
isLighthouse = cfg.isLighthouse;
lighthouses = lib.mkIf (!cfg.isLighthouse) (
lighthouses |> lib.map (lighthouse: lighthouse.address)
);
staticHostMap =
lighthouses
|> lib.map (lighthouse: {
name = lighthouse.address;
value = lib.singleton "${lighthouse.routableAddress}:${toString lighthouse.routablePort}";
})
|> lib.listToAttrs;
firewall = {
outbound = lib.singleton {
host = "any";
port = "any";
proto = "any";
};
inbound = lib.singleton {
host = "any";
port = "any";
proto = "any";
};
};
settings = {
pki.disconnect_invalid = true;
cipher = "aes";
};
};
};
}
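Review bot: The overlay firewall's `inbound` rule is `host = "any"; port = "any"; proto = "any";`, so every service on a node is reachable by any host holding a certificate from this CA, and the lighthouse gets the same rule as the desktop. A narrower default such as `inbound = lib.singleton { host = "any"; port = "any"; proto = "icmp"; };`, with per-host rules added by port or `group` where a service is actually needed, would keep the mesh closer to least privilege. Separately, `lib.optional (cfg.routablePort != 0) cfg.routablePort` compares against 0 while the option defaults to `null` on non-lighthouse nodes, so `null` appears to end up in `meta.ports.udp`; `cfg.routablePort != null` looks like the intended test. An assertion that `routableAddress` is set whenever `isLighthouse` is true would also give a clearer failure than the string interpolation in `staticHostMap`.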