mirror of
https://github.com/CHN-beta/nixos.git
synced 2024-10-23 18:29:07 +08:00
56 lines
1.7 KiB
Nix
56 lines
1.7 KiB
Nix
inputs:
|
|
{
|
|
options.nixos.services.nebula = let inherit (inputs.lib) mkOption types; in
|
|
{
|
|
enable = mkOption { type = types.bool; default = false; };
|
|
# null: is lighthouse, non-empty string: is not lighthouse, and use this string as lighthouse address.
|
|
lighthouse = mkOption { type = types.nullOr types.nonEmptyStr; };
|
|
};
|
|
config =
|
|
let
|
|
inherit (inputs.lib) mkIf;
|
|
inherit (inputs.config.nixos.services) nebula;
|
|
inherit (builtins) concatStringsSep;
|
|
in mkIf nebula.enable
|
|
{
|
|
services.nebula.networks.nebula =
|
|
{
|
|
enable = true;
|
|
ca = ./ca.crt;
|
|
cert = ./. + "/${inputs.config.nixos.system.hostname}.crt";
|
|
key = inputs.config.sops.templates."nebula/key-template".path;
|
|
firewall.inbound = [ { host = "any"; port = "any"; proto = "any"; } ];
|
|
firewall.outbound = [ { host = "any"; port = "any"; proto = "any"; } ];
|
|
}
|
|
// (
|
|
if nebula.lighthouse == null then { isLighthouse = true; }
|
|
else
|
|
{
|
|
lighthouses = [ "192.168.82.1" ];
|
|
staticHostMap."192.168.82.1" = [ "${nebula.lighthouse}:4242" ];
|
|
listen.port = 0;
|
|
}
|
|
);
|
|
sops =
|
|
{
|
|
templates."nebula/key-template" =
|
|
{
|
|
content = concatStringsSep "\n"
|
|
[
|
|
"-----BEGIN NEBULA X25519 PRIVATE KEY-----"
|
|
inputs.config.sops.placeholder."nebula/key"
|
|
"-----END NEBULA X25519 PRIVATE KEY-----"
|
|
];
|
|
owner = inputs.config.systemd.services."nebula@nebula".serviceConfig.User;
|
|
group = inputs.config.systemd.services."nebula@nebula".serviceConfig.Group;
|
|
};
|
|
secrets."nebula/key" = {};
|
|
};
|
|
networking.firewall = if nebula.lighthouse != null then {} else
|
|
{
|
|
allowedTCPPorts = [ 4242 ];
|
|
allowedUDPPorts = [ 4242 ];
|
|
};
|
|
};
|
|
}
|