add nebula mesh vpn

hosts/hopper/default.nix

@@ -50,6 +50,7 @@
       network.tailscale
       network.avahi
       network.networkd
+      network.nebula
     ]);
 
   nixpkgs.config = {

hosts/nixdesk/default.nix

@@ -57,6 +57,7 @@
       network.localsend
       network.tailscale
       network.goldberg
+      network.nebula
 
       desktop.sway
 

hosts/rackserv/default.nix

@@ -14,6 +14,7 @@
       ./profiles/backups.nix
       ./profiles/caddy.nix
       ./profiles/forgejo.nix
+      ./profiles/nebula.nix
       ./profiles/prometheus.nix
     ]
     ++ (with systemProfiles; [

hosts/rackserv/profiles/nebula.nix

@@ -0,0 +1,26 @@
+{config, ...}: {
+  networking.firewall.allowedTCPPorts = [4343];
+  services.nebula.networks.xunmesh = {
+    enable = true;
+    isLighthouse = true;
+    cert = config.sops.secrets.nebula-cert.path;
+    key = config.sops.secrets.nebula-key.path;
+    ca = config.sops.secrets.nebula-ca-cert.path;
+    firewall = {
+      inbound = [
+        {
+          host = "any";
+          port = "any";
+          proto = "any";
+        }
+      ];
+      outbound = [
+        {
+          host = "any";
+          port = "any";
+          proto = "any";
+        }
+      ];
+    };
+  };
+}