vps6 enable nebula

2024-10-23 05:39:05 +08:00 · 2023-08-31 17:20:17 +08:00 · 2023-08-31 17:20:17 +08:00 · 9ae78ee549
commit 9ae78ee549
parent 82c5d9c087
8 changed files with 77 additions and 2 deletions
--- a/flake.nix
+++ b/flake.nix
@ -253,6 +253,7 @@
 								misskey-proxy = { "xn--qbtm095lrg0bfka60z.chn.moe" = {}; "xn--s8w913fdga.chn.moe" = {}; };
 								coturn.enable = true;
 								synapse-proxy."synapse.chn.moe" = {};
+								nebula = { enable = true; lighthouse = null; };
 							};
 							boot =
 							{
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@ -11,6 +11,7 @@ inputs:
 		./xray.nix
 		./coturn.nix
 		./synapse.nix
+		./nebula
 		# ./docker.nix
 	];
 	options.nixos.services = let inherit (inputs.lib) mkOption types; in
--- a/modules/services/nebula/ca.crt
+++ b/modules/services/nebula/ca.crt
@ -0,0 +1,5 @@
+-----BEGIN NEBULA CERTIFICATE-----
+CkAKDm5lYnVsYS5jaG4ubW9lKLCXwacGMLD+xbYGOiDwt/rshddhDhyoSVl52cJA
+LEgU1ea4Q4L28v/MVXOkUUABEkANATGg8DOPwHmwq6xN2DATxYDCibb5x3qSctHx
+RIr8UAr2TlvOQfzoBw3v4DWsqaEC1U5Hw6iQsQp5sQ8DGU4O
+-----END NEBULA CERTIFICATE-----
--- a/modules/services/nebula/chn-PC.crt
+++ b/modules/services/nebula/chn-PC.crt
@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE-----
+CmAKAnBjEgqDpKGFDID+//8PKO2hwacGMK/+xbYGOiB7i4bfFMM0+9q52Dj4/Y8h
+0IaBkutBjmkeaLQ80a8FXEogKO75tUZ9s0oquFXtII1eFrODJVliKAavN+m8fNqd
+p9YSQD7vjiZOcMzKvz98diLoX8PudoxsovuOrU22EEBvNi80Lhoi41axLsFORzDu
+El34B/13QO0hi2tlviZvJbI91Ao=
+-----END NEBULA CERTIFICATE-----
--- a/modules/services/nebula/default.nix
+++ b/modules/services/nebula/default.nix
@ -0,0 +1,48 @@
+inputs:
+{
+	options.nixos.services.nebula = let inherit (inputs.lib) mkOption types; in
+	{
+		enable = mkOption { type = types.bool; default = false; };
+		# null: is lighthouse, non-empty string: is not lighthouse, and use this string as lighthouse address.
+		lighthouse = mkOption { type = types.nullOr types.nonEmptyStr; };
+	};
+	config =
+		let
+			inherit (inputs.lib) mkIf;
+			inherit (inputs.config.nixos.services) nebula;
+			inherit (builtins) concatStringsSep;
+		in mkIf nebula.enable
+		{
+			services.nebula.networks.nebula =
+			{
+				enable = true;
+				ca = ./ca.crt;
+				cert = ./. + "/${inputs.config.nixos.system.hostname}.crt";
+				key = inputs.config.sops.templates."nebula/key-template".path;
+				isLighthouse = nebula.lighthouse == null;
+				lighthouses = if nebula.lighthouse == null then [] else [ "192.168.82.1" ];
+				staticHostMap = if nebula.lighthouse == null then {} else { "192.168.82.1" = [ nebula.lighthouse ]; };
+				listen.port = if nebula.lighthouse == null then 4242 else 0;
+			};
+			sops =
+			{
+				templates."nebula/key-template" =
+				{
+					content = concatStringsSep "\n"
+					[
+						"-----BEGIN NEBULA X25519 PRIVATE KEY-----"
+						inputs.config.sops.placeholder."nebula/key"
+						"-----END NEBULA X25519 PRIVATE KEY-----"
+					];
+					owner = inputs.config.systemd.services."nebula@nebula".serviceConfig.User;
+					group = inputs.config.systemd.services."nebula@nebula".serviceConfig.Group;
+				};
+				secrets."nebula/key" = {};
+			};
+			networking.firewall = if nebula.lighthouse != null then {} else
+			{
+				allowedTCPPorts = [ 4242 ];
+				allowedUDPPorts = [ 4242 ];
+			};
+		};
+}
--- a/modules/services/nebula/vps6.crt
+++ b/modules/services/nebula/vps6.crt
@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE-----
+CmIKBHZwczYSCoGkoYUMgP7//w8ohJnBpwYwr/7FtgY6IPKlZIGl2zkbjoEbmZho
+7mMfTWkx0XppzZup96IROdJYSiAo7vm1Rn2zSiq4Ve0gjV4Ws4MlWWIoBq836bx8
+2p2n1hJAOvcgC7UjiOGvq9oyv86vdrppIkjOxwz7znpDJAeNrxEURSTsmeCCB7BO
+6rEQZ6b4kXqgRXr08OpBnW6FeMvFCA==
+-----END NEBULA CERTIFICATE-----
--- a/modules/services/nebula/vps7.crt
+++ b/modules/services/nebula/vps7.crt
@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE-----
+CmIKBHZwczcSCoKkoYUMgP7//w8okpnBpwYwr/7FtgY6IAeBowLj1DamSObhmIF7
+bb1tBTjnl4dvRPQSOY3JflBfSiAo7vm1Rn2zSiq4Ve0gjV4Ws4MlWWIoBq836bx8
+2p2n1hJAoCxYon4eLiRfMfmhQR9fKC+8kn3QwILjdvUpn6EyMOZJfOEfeNbm0Ffh
+aedtdOdvl3Gd1WJ45HrZXwHE+nRSCQ==
+-----END NEBULA CERTIFICATE-----
--- a/secrets/vps6.yaml
+++ b/secrets/vps6.yaml
@ -60,6 +60,8 @@ send:
    redis-password: ENC[AES256_GCM,data:6zVKw9AmKwSWvHUZhzy0F2KcJW96uFoZY/N1Zq8ilUJOLZeX,iv:viwLIgJz9v8oadr8784OgETbEsxzGsJvVoxmOwWEFxo=,tag:XEYFnoCGwlnrkqaUbgeH+Q==,type:str]
 coturn:
    auth-secret: ENC[AES256_GCM,data:50KqO4GQ1ERbCnK4IjYu6aywT+IPMtVlTzh/TE4MwWApU4pO9yqz25ENGUAKRLi4p+Ecug+Rn3InRl1b+q6bAQ==,iv:SgHkHvHg/+yA1Z5E9effgCnZMVXv5amGNUsVKErai54=,tag:PoYLV9Xr0IXXsA39n7wiTQ==,type:str]
+nebula:
+    key: ENC[AES256_GCM,data:1zvyGKsyJESAbf6tUCy6hX93rDXEYNA5QBsqV4Ag4+cksToQ5IubchciQt4=,iv:ZG+pCofTTGx6LcJ05qohotRcX6MK4JsUzL2DfmKE4eI=,tag:o/Vm72d4QbfLXoSVwXZYhw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -84,8 +86,8 @@ sops:
            ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
            ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-08-29T13:47:17Z"
-    mac: ENC[AES256_GCM,data:yJPCvlmADSnMvVXMtPhrmp9DOZ/pj1ey2/SZCpZhbBkYDa+sSg48YCKqMPwqyx7PdkQHfVjhyen+eRJjczbeaTclClpGKRkQJzW7qArZz4dF5sfD+q64i8zjVmjxX2Pajb/iHWbQiax7kp5YSgYEKXSP3caCb73fu7aL3Tm9Isw=,iv:6o5MaH/Oy53HabDNDITz1XHDNBila5KgtkU4mwmfkwg=,tag:nuo0srgaAfhEP2xPp2r43w==,type:str]
+    lastmodified: "2023-08-31T09:19:50Z"
+    mac: ENC[AES256_GCM,data:oXNW63+apUuSgla4kycVWrFpNFpaZstsdaNPym2qYJoi/kJblnA94T61ad/WxdLXFYK0eiVRvD5geNjQ62wQ4OGhHw8rAvBEynK6ayF8CFgDXmJCRjGPXIx8dN6gl/voxLf6kVkL/PtC7LH1j8jnEYMadWwG+5ohSw1jB/y60Bs=,iv:YsCd5Ib/9FzQF0sMv8WQMJ4vNkMGRMetFRH+zN4/gzY=,tag:lQ4/AotElVBWcT2BJuY0Bw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3