From 9ae78ee549ff8a44b60d157c935b7d118945825a Mon Sep 17 00:00:00 2001
From: chn
Date: Thu, 31 Aug 2023 17:20:17 +0800
Subject: [PATCH] vps6 enable nebula
---
 flake.nix | 1 +
 modules/services/default.nix | 1 +
 modules/services/nebula/ca.crt | 5 +++
 modules/services/nebula/chn-PC.crt | 6 ++++
 modules/services/nebula/default.nix | 48 +++++++++++++++++++++++++++++
 modules/services/nebula/vps6.crt | 6 ++++
 modules/services/nebula/vps7.crt | 6 ++++
 secrets/vps6.yaml | 6 ++--
 8 files changed, 77 insertions(+), 2 deletions(-)
 create mode 100644 modules/services/nebula/ca.crt
 create mode 100644 modules/services/nebula/chn-PC.crt
 create mode 100644 modules/services/nebula/default.nix
 create mode 100644 modules/services/nebula/vps6.crt
 create mode 100644 modules/services/nebula/vps7.crt
diff --git a/flake.nix b/flake.nix
index e34e8ce5..c483ba97 100644
--- a/flake.nix
+++ b/flake.nix
@@ -253,6 +253,7 @@ misskey-proxy =
 { "xn--qbtm095lrg0bfka60z.chn.moe" = {}; "xn--s8w913fdga.chn.moe" = {}; };
 coturn.enable = true;
 synapse-proxy."synapse.chn.moe" = {};
+ nebula = { enable = true; lighthouse = null; };
 };
 boot =
 {
diff --git a/modules/services/default.nix b/modules/services/default.nix
index b0ccfc69..3e637039 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -11,6 +11,7 @@ inputs:
 ./xray.nix
 ./coturn.nix
 ./synapse.nix
+ ./nebula
 # ./docker.nix
 ];
 options.nixos.services = let inherit (inputs.lib) mkOption types; in
diff --git a/modules/services/nebula/ca.crt b/modules/services/nebula/ca.crt
new file mode 100644
index 00000000..a0672c11
--- /dev/null
+++ b/modules/services/nebula/ca.crt
@@ -0,0 +1,5 @@
+-----BEGIN NEBULA CERTIFICATE-----
+CkAKDm5lYnVsYS5jaG4ubW9lKLCXwacGMLD+xbYGOiDwt/rshddhDhyoSVl52cJA
+LEgU1ea4Q4L28v/MVXOkUUABEkANATGg8DOPwHmwq6xN2DATxYDCibb5x3qSctHx
+RIr8UAr2TlvOQfzoBw3v4DWsqaEC1U5Hw6iQsQp5sQ8DGU4O
+-----END NEBULA CERTIFICATE-----
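Review bot: The lighthouse role assigned by `lighthouse = null;` carries an implicit contract that is not visible here: the nebula module it enables hard-codes the lighthouse's overlay address, so vps6's certificate (vps6.crt, added in this commit) has to be the one issued for that address, and nothing on this line or in the module checks it. A comment at the enabling site, `# lighthouse; its overlay address is fixed in modules/services/nebula/default.nix and must match vps6.crt`, would record the coupling for the next host that gets switched over. The enclosing host attrset starts and ends outside the hunk.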
diff --git a/modules/services/nebula/chn-PC.crt b/modules/services/nebula/chn-PC.crt
new file mode 100644
index 00000000..59e4780e
--- /dev/null
+++ b/modules/services/nebula/chn-PC.crt
@@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE-----
+CmAKAnBjEgqDpKGFDID+//8PKO2hwacGMK/+xbYGOiB7i4bfFMM0+9q52Dj4/Y8h
+0IaBkutBjmkeaLQ80a8FXEogKO75tUZ9s0oquFXtII1eFrODJVliKAavN+m8fNqd
+p9YSQD7vjiZOcMzKvz98diLoX8PudoxsovuOrU22EEBvNi80Lhoi41axLsFORzDu
+El34B/13QO0hi2tlviZvJbI91Ao=
+-----END NEBULA CERTIFICATE-----
diff --git a/modules/services/nebula/default.nix b/modules/services/nebula/default.nix
new file mode 100644
index 00000000..448048a4
--- /dev/null
+++ b/modules/services/nebula/default.nix
@@ -0,0 +1,48 @@
+inputs:
+{
+options.nixos.services.nebula = let inherit (inputs.lib) mkOption types; in
+{
+enable = mkOption { type = types.bool; default = false; };
+# null: is lighthouse, non-empty string: is not lighthouse, and use this string as lighthouse address.
+lighthouse = mkOption { type = types.nullOr types.nonEmptyStr; };
+};
+config =
+let
+inherit (inputs.lib) mkIf;
+inherit (inputs.config.nixos.services) nebula;
+inherit (builtins) concatStringsSep;
+in mkIf nebula.enable
+{
+services.nebula.networks.nebula =
+{
+enable = true;
+ca = ./ca.crt;
+cert = ./. + "/${inputs.config.nixos.system.hostname}.crt";
+key = inputs.config.sops.templates."nebula/key-template".path;
+isLighthouse = nebula.lighthouse == null;
+lighthouses = if nebula.lighthouse == null then [] else [ "192.168.82.1" ];
+staticHostMap = if nebula.lighthouse == null then {} else { "192.168.82.1" = [ nebula.lighthouse ]; };
+listen.port = if nebula.lighthouse == null then 4242 else 0;
+};
+sops =
+{
+templates."nebula/key-template" =
+{
+content = concatStringsSep "\n"
+[
+"-----BEGIN NEBULA X25519 PRIVATE KEY-----"
+inputs.config.sops.placeholder."nebula/key"
+"-----END NEBULA X25519 PRIVATE KEY-----"
+];
+owner = inputs.config.systemd.services."nebula@nebula".serviceConfig.User;
+group = inputs.config.systemd.services."nebula@nebula".serviceConfig.Group;
+};
+secrets."nebula/key" = {};
+};
+networking.firewall = if nebula.lighthouse != null then {} else
+{
+allowedTCPPorts = [ 4242 ];
+allowedUDPPorts = [ 4242 ];
+};
+};
+}
diff --git a/modules/services/nebula/vps6.crt b/modules/services/nebula/vps6.crt
new file mode 100644
index 00000000..dcd3d38d
--- /dev/null
+++ b/modules/services/nebula/vps6.crt
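Review bot: `allowedTCPPorts = [ 4242 ];` in the firewall block opens a TCP port nothing listens on, since Nebula carries all of its traffic over UDP; only the UDP rule is needed, and dropping the TCP one keeps the lighthouse's exposed surface to the single port it actually serves. The lighthouse overlay address `"192.168.82.1"` is spelled out twice and `nebula.lighthouse == null` is re-evaluated in five places (the firewall condition inverted), so hoisting both into the `let` as below makes the role decision readable in one spot and lets the address carry the comment that it must match the lighthouse's certificate. The `lighthouse` option documents its contract only in a `#` comment; moving it into `description = "null makes this host the lighthouse; otherwise the address string under which the lighthouse is reachable, used as its staticHostMap entry.";` makes it show up in generated option docs. The sops template sets `owner` and `group` but not `mode`; presumably sops-nix's default keeps the file owner-readable only, but that is worth confirming since the assembled file is the X25519 private key.
```nix
config =
let
inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos.services) nebula;
inherit (builtins) concatStringsSep;
isLighthouse = nebula.lighthouse == null;
# overlay address of the lighthouse; must match the address in the lighthouse's own certificate
lighthouseIp = "192.168.82.1";
in mkIf nebula.enable
{
services.nebula.networks.nebula =
{
enable = true;
ca = ./ca.crt;
cert = ./. + "/${inputs.config.nixos.system.hostname}.crt";
key = inputs.config.sops.templates."nebula/key-template".path;
inherit isLighthouse;
lighthouses = if isLighthouse then [] else [ lighthouseIp ];
staticHostMap = if isLighthouse then {} else { "${lighthouseIp}" = [ nebula.lighthouse ]; };
listen.port = if isLighthouse then 4242 else 0;
};
# … unchanged: sops template and secret …
# Nebula is UDP-only, so no TCP rule is needed
networking.firewall = if isLighthouse then { allowedUDPPorts = [ 4242 ]; } else {};
};
```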
@@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE-----
+CmIKBHZwczYSCoGkoYUMgP7//w8ohJnBpwYwr/7FtgY6IPKlZIGl2zkbjoEbmZho
+7mMfTWkx0XppzZup96IROdJYSiAo7vm1Rn2zSiq4Ve0gjV4Ws4MlWWIoBq836bx8
+2p2n1hJAOvcgC7UjiOGvq9oyv86vdrppIkjOxwz7znpDJAeNrxEURSTsmeCCB7BO
+6rEQZ6b4kXqgRXr08OpBnW6FeMvFCA==
+-----END NEBULA CERTIFICATE-----
diff --git a/modules/services/nebula/vps7.crt b/modules/services/nebula/vps7.crt
new file mode 100644
index 00000000..3fbb8922
--- /dev/null
+++ b/modules/services/nebula/vps7.crt
@@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE-----
+CmIKBHZwczcSCoKkoYUMgP7//w8okpnBpwYwr/7FtgY6IAeBowLj1DamSObhmIF7
+bb1tBTjnl4dvRPQSOY3JflBfSiAo7vm1Rn2zSiq4Ve0gjV4Ws4MlWWIoBq836bx8
+2p2n1hJAoCxYon4eLiRfMfmhQR9fKC+8kn3QwILjdvUpn6EyMOZJfOEfeNbm0Ffh
+aedtdOdvl3Gd1WJ45HrZXwHE+nRSCQ==
+-----END NEBULA CERTIFICATE-----
diff --git a/secrets/vps6.yaml b/secrets/vps6.yaml
index cb352a1d..77b791a2 100644
--- a/secrets/vps6.yaml
+++ b/secrets/vps6.yaml
@@ -60,6 +60,8 @@ send:
 redis-password: ENC[AES256_GCM,data:6zVKw9AmKwSWvHUZhzy0F2KcJW96uFoZY/N1Zq8ilUJOLZeX,iv:viwLIgJz9v8oadr8784OgETbEsxzGsJvVoxmOwWEFxo=,tag:XEYFnoCGwlnrkqaUbgeH+Q==,type:str]
 coturn:
 auth-secret: ENC[AES256_GCM,data:50KqO4GQ1ERbCnK4IjYu6aywT+IPMtVlTzh/TE4MwWApU4pO9yqz25ENGUAKRLi4p+Ecug+Rn3InRl1b+q6bAQ==,iv:SgHkHvHg/+yA1Z5E9effgCnZMVXv5amGNUsVKErai54=,tag:PoYLV9Xr0IXXsA39n7wiTQ==,type:str]
+nebula:
+ key: ENC[AES256_GCM,data:1zvyGKsyJESAbf6tUCy6hX93rDXEYNA5QBsqV4Ag4+cksToQ5IubchciQt4=,iv:ZG+pCofTTGx6LcJ05qohotRcX6MK4JsUzL2DfmKE4eI=,tag:o/Vm72d4QbfLXoSVwXZYhw==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -84,8 +86,8 @@ sops:
 ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
 ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-08-29T13:47:17Z"
- mac: ENC[AES256_GCM,data:yJPCvlmADSnMvVXMtPhrmp9DOZ/pj1ey2/SZCpZhbBkYDa+sSg48YCKqMPwqyx7PdkQHfVjhyen+eRJjczbeaTclClpGKRkQJzW7qArZz4dF5sfD+q64i8zjVmjxX2Pajb/iHWbQiax7kp5YSgYEKXSP3caCb73fu7aL3Tm9Isw=,iv:6o5MaH/Oy53HabDNDITz1XHDNBila5KgtkU4mwmfkwg=,tag:nuo0srgaAfhEP2xPp2r43w==,type:str]
+ lastmodified: "2023-08-31T09:19:50Z"
+ mac: ENC[AES256_GCM,data:oXNW63+apUuSgla4kycVWrFpNFpaZstsdaNPym2qYJoi/kJblnA94T61ad/WxdLXFYK0eiVRvD5geNjQ62wQ4OGhHw8rAvBEynK6ayF8CFgDXmJCRjGPXIx8dN6gl/voxLf6kVkL/PtC7LH1j8jnEYMadWwG+5ohSw1jB/y60Bs=,iv:YsCd5Ib/9FzQF0sMv8WQMJ4vNkMGRMetFRH+zN4/gzY=,tag:lQ4/AotElVBWcT2BJuY0Bw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3