inputs:
{
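options.nixos.system.networking.nebula = let inherit (inputs.lib) mkOption types; in
{
  # Master switch: the whole `config` side of this module is wrapped in
  # `mkIf nebula.enable`, so nothing else here matters while this is false.
  enable = mkOption
  {
    type = types.bool;
    default = false;
    description = "Whether to join this host to the Nebula overlay network.";
  };
  # Role selector for this host:
  #   null             -> this host IS the lighthouse (and also acts as relay);
  #   non-empty string -> this host is an ordinary node, and the string is the
  #                       underlay address (IP or hostname, no port) the
  #                       lighthouse is reached at; port 4242 is appended.
  lighthouse = mkOption
  {
    type = types.nullOr types.nonEmptyStr;
    default = null;
    description = ''
      `null` makes this host the lighthouse (and relay) of the network.
      Any other value is the underlay IP or hostname, without port, at which
      the lighthouse is reachable; port 4242 is assumed.
    '';
  };
  # Only consulted on ordinary nodes (`lighthouse != null`); a lighthouse
  # ignores this value because it is itself the relay.
  useRelay = mkOption
  {
    type = types.bool;
    default = false;
    description = ''
      Whether this node lists the lighthouse as a Nebula relay.
      Has no effect when `lighthouse` is `null`.
    '';
  };
};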
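config =
  let
    inherit (inputs.lib) mkIf optional;
    inherit (inputs.config.nixos.system.networking) nebula;
    inherit (builtins) concatStringsSep;
    # Overlay (Nebula-side) address of the lighthouse and the underlay UDP port
    # it listens on.  Both are fixed for this network; binding them once keeps
    # the `lighthouses`, `relays` and `staticHostMap` entries below in step.
    lighthouseOverlayIp = "192.168.82.1";
    lighthousePort = 4242;
    # The systemd unit the NixOS nebula module creates for network "nebula".
    nebulaService = inputs.config.systemd.services."nebula@nebula";
  in mkIf nebula.enable
  {
    services.nebula.networks.nebula =
    {
      enable = true;
      # CA and per-host certificate are public material and may live in the store.
      ca = ./ca.crt;
      # One certificate per host, named after the host, e.g. issued with
      #   nebula-cert sign -name <hostname> -ip 192.168.82.4/24
      cert = ./. + "/${inputs.config.nixos.system.networking.hostname}.crt";
      # The private key is rendered from sops at activation time (see
      # `sops.templates` below), so it never enters the world-readable Nix store.
      key = inputs.config.sops.templates."nebula/key-template".path;
      # NOTE(review): any/any/any in both directions means every peer holding a
      # certificate signed by ./ca.crt can reach every port on this host over
      # the overlay, and `networking.firewall.trustedInterfaces` below waives
      # the host firewall for that interface as well.  If hosts have different
      # roles, narrow these rules with Nebula certificate groups
      # (`nebula-cert sign -groups ...` plus `group`/`groups` in the rules).
      firewall.inbound = [ { host = "any"; port = "any"; proto = "any"; } ];
      firewall.outbound = [ { host = "any"; port = "any"; proto = "any"; } ];
    }
    // (
      if nebula.lighthouse == null
      # This host is the lighthouse and also relays for peers that cannot connect directly.
      then { isLighthouse = true; isRelay = true; }
      else
      {
        lighthouses = [ lighthouseOverlayIp ];
        # Empty list unless the node opted in to relaying via the lighthouse.
        relays = optional nebula.useRelay lighthouseOverlayIp;
        # Map the lighthouse's overlay IP to its underlay address from the option.
        staticHostMap.${lighthouseOverlayIp} = [ "${nebula.lighthouse}:${toString lighthousePort}" ];
      }
    );
    sops =
    {
      # Reassemble the PEM file nebula expects around the bare base64 key body
      # stored in sops under "nebula/key".
      templates."nebula/key-template" =
      {
        content = concatStringsSep "\n"
        [
          "-----BEGIN NEBULA X25519 PRIVATE KEY-----"
          inputs.config.sops.placeholder."nebula/key"
          "-----END NEBULA X25519 PRIVATE KEY-----"
        ];
        # Owned by the service account nebula runs as, so no other user can read
        # the rendered key.
        owner = nebulaService.serviceConfig.User;
        group = nebulaService.serviceConfig.Group;
      };
      secrets."nebula/key" = {};
    };
    # The whole overlay bypasses the host firewall; see the NOTE on the Nebula
    # firewall rules above for what that implies.
    networking.firewall.trustedInterfaces = [ "nebula.nebula" ];
    systemd.services."nebula@nebula" =
    {
      # `after` only orders the unit; `wants` is what actually pulls
      # network-online.target into the transaction.  Without it the ordering
      # has no effect unless something else happens to activate that target,
      # and nebula may start before the underlay address is usable.
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      serviceConfig.Restart = "always";
    };
  };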
}