xun/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add nebula mesh vpn

Browse source
This commit is contained in:
xunuwu 2025-08-27 16:28:21 +02:00
parent df0b6e5187
commit 21b1832dca
Signed by: xun
SSH key fingerprint: SHA256:Uot/1WoAjWAeqLOHA5vYy4phhVydsH7jCPmBjaPZfgI
12 changed files with 203 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

1
flake.nix
View file

@ -55,6 +55,7 @@
just just
home-manager home-manager
sops sops
nebula
]; ];
}; };

1
hosts/hopper/default.nix
View file

@ -50,6 +50,7 @@
network.tailscale network.tailscale
network.avahi network.avahi
network.networkd network.networkd
network.nebula
]); ]);
nixpkgs.config = { nixpkgs.config = {

1
hosts/nixdesk/default.nix
View file

@ -57,6 +57,7 @@
network.localsend network.localsend
network.tailscale network.tailscale
network.goldberg network.goldberg
network.nebula
desktop.sway desktop.sway

1
hosts/rackserv/default.nix
View file

@ -14,6 +14,7 @@
./profiles/backups.nix ./profiles/backups.nix
./profiles/caddy.nix ./profiles/caddy.nix
./profiles/forgejo.nix ./profiles/forgejo.nix
./profiles/nebula.nix
./profiles/prometheus.nix ./profiles/prometheus.nix
] ]
++ (with systemProfiles; [ ++ (with systemProfiles; [

26
hosts/rackserv/profiles/nebula.nix Normal file
View file

@ -0,0 +1,26 @@
{config, ...}: {
networking.firewall.allowedTCPPorts = [4343];
services.nebula.networks.xunmesh = {
enable = true;
isLighthouse = true;
cert = config.sops.secrets.nebula-cert.path;
key = config.sops.secrets.nebula-key.path;
ca = config.sops.secrets.nebula-ca-cert.path;
firewall = {
inbound = [
{
host = "any";
port = "any";
proto = "any";
}
];
outbound = [
{
host = "any";
port = "any";
proto = "any";
}
];
};
};
}

21
secrets/hopper/default.nix
View file

@ -1,6 +1,13 @@
## TODO use defaultSopsFile mayb ## TODO use defaultSopsFile mayb
{config, ...}: { {config, ...}: {
sops.secrets = { sops.secrets = let
loadYamlKey = key: sopsFile: overrides:
{
inherit sopsFile key;
format = "yaml";
}
// overrides;
in {
wireguard = { wireguard = {
format = "binary"; format = "binary";
sopsFile = ./wireguard; sopsFile = ./wireguard;
@ -51,5 +58,17 @@
sopsFile = ./samba-pass; sopsFile = ./samba-pass;
mode = "0600"; mode = "0600";
}; };
nebula-cert = loadYamlKey "nebula-cert" ./nebula.yaml {
group = "nebula-xunmesh";
mode = "0644";
};
nebula-key = loadYamlKey "nebula-key" ./nebula.yaml {
group = "nebula-xunmesh";
mode = "0644";
};
nebula-ca-cert = loadYamlKey "nebula-ca-cert" ./nebula.yaml {
group = "nebula-xunmesh";
mode = "0644";
};
}; };
} }

27
secrets/hopper/nebula.yaml Normal file
View file

@ -0,0 +1,27 @@
nebula-cert: ENC[AES256_GCM,data:iRKflLzmwH3girMrr77ye240UFFHCnwHRHU4D+/uAym3S6KEROL1e8IFMiZ6BHzKATdgbv29HpzjJu6SvgQBuN3YzTrD7plpCKWnC00s67XJb/ZG4seUXKo0oMxEaH3yEabG9srYjrVVjqlrwuSeo5P1CrHN32OfqfQeT379QwGe1I2dzbCWLFVx3yn6EoVtp0L6Yt3VhXrMugnPgBFTNFkynniBYuzq9mSJk/3THtVW+8xaD2VY2lbLbP2x/p4aHnrebh8g3h+02sEJDAO7W6dc4q8tFoN9/qrOcn03PEsiHlCIJn5TeTmN8JES0LliSoa541uVyK3KpRi3kPnbPT7JNl0o45oE/hLmtV54kGft5ODUE1pG3Hw/Hw53+6ETlCWpH1cujco=,iv:Jkc3KKLo2yXlwBhkgdmwSY+aEBFn22fIbgHA+aH/u/Y=,tag:U5k6UCbpcy0nPRL15PsQ3w==,type:str]
nebula-key: ENC[AES256_GCM,data:8GzlBCNmAgW+H2wOwMDa4ILUoi0QMj0Dc7abIwjSUIWREKTbP9Sz26/5YoUQc4R5R2CKGJFUxrRayo3daMEah49/Jh9MdHbZqzI1e+LY8aIwVWHCDH5JOSPVNLH1Z4xxjM8p2qdb98YVhkE2fftOhBj+79cxrGAt/0Q6iJyx8Q==,iv:K5p6n9UI34NRRla+YNNWEnqwS8dnrsEx+g8WYjukT2Q=,tag:RXeANw3P1hdDzbiwEOZTNg==,type:str]
nebula-ca-cert: ENC[AES256_GCM,data:kRtfpo0nmLsemw0ZEkoqh78wmaSSR+yTrJ6BgAWlwrjbMlDl4pz65SarXmudjkKmQKNOmpLqdAnbXFU7UJTYe+LbOgxlc0DRZyiqBvSU/Ss5emQ9i89kcgV5iTKyu6v6DQLqP+/qCzbMUk6sMwtqsrzOKtsxT4NF6/LC/pz6trEUXopd6LdeeqbQWJ25vWVKVscc7MFAOPxCc6qi1E157vOE33OWCbyiymd/9frQPoCxo3eYjb+yh9SmGsDQdtRVDwbHXmuhOjZEK8E7RXAhifeKmUWRct0SvTaYvxayTMHu+OaXYdvUNBl4zt4uHmA=,iv:20CxDFTMRm5rCg8bWYLWpFzJ1hlRVklX34mzGO3ibZ8=,tag:wsByCgFXa8KxGKkj/6zXmg==,type:str]
sops:
age:
- recipient: age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyMTZoRk5vdmhMNzl2RmVF
QWVxZXRxaFZ1cGxmOXpjdzlCR3pvM0M1WGhzCm1yL3VyMm5idXNyVFJDa3VMbHN3
eXNJaGpOYXFKUHg1VHpPd3cxMEM4K2sKLS0tIHdXcm1IdXJ0SEZjTldxSERIU0pp
RFFVWGhJRkpPQkN4bFlMc053TUg5YjgKQlaXoWcEjHLjEsTbwF+/24E2LCB+n5rw
v82sPKpcH/bZCReWLb/wFN2pasGx/TNU2/AGWTl1Hntpy63bLh6D1Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e9nhfwfcg9krc03re4fwh0wu0cwf6jq4js5vfn26hcdqc2apgdes98fea7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVTVJkU3hmTy9zcmdZNW91
d3l0eGM1Sm92T2tPaWRDTzhabVpoNzlnRDFvCjB1SndhU05ISnRkWlczQ0xIdXg4
b0JLU3JpaWVwZDJUcHpqWDNxTUNnb1kKLS0tIDJhSXpadTd5VkxtRDFxeGlhSTNM
UkJYM3llMU1rejM3RGU3cDZ0OVA0a0EKX6x5YUOngDmm7sibWO7dUYYgqLrit5k7
H2FZVmGnecLbLXtEvU5L23BeP4L/3jUYWWRbVs6UcMSD396EZSPIMw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-08-27T21:01:41Z"
mac: ENC[AES256_GCM,data:5QGBsBjU/N7giJkvbsJ49jLSTEkGphPgMTPcBcJdw42ckBWeDUaIXWjipbHLxCa2obfFg7wFw7poEXzWNoZDXckVR8GKFODcBYhVcjCf3Vphc4pOKZ+nFxFcL7wS6bwGt1r03E5rHfgZx3eqb8mVa4AI+9DlJujXdgHYVXcKK7E=,iv:J4obkkGlI5LpxojSShQV2xcXEzLsV6I+zvOhmbtO+DA=,tag:+hOkmYO+ys+wm30KRvqDMw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2

21
secrets/nixdesk/default.nix
View file

@ -1,5 +1,12 @@
{ {
sops.secrets = { sops.secrets = let
loadYamlKey = key: sopsFile: overrides:
{
inherit sopsFile key;
format = "yaml";
}
// overrides;
in {
wireguard = { wireguard = {
format = "binary"; format = "binary";
sopsFile = ./wireguard; sopsFile = ./wireguard;
@ -8,5 +15,17 @@
format = "binary"; format = "binary";
sopsFile = ./samba; sopsFile = ./samba;
}; };
nebula-cert = loadYamlKey "nebula-cert" ./nebula.yaml {
group = "nebula-xunmesh";
mode = "0644";
};
nebula-key = loadYamlKey "nebula-key" ./nebula.yaml {
group = "nebula-xunmesh";
mode = "0644";
};
nebula-ca-cert = loadYamlKey "nebula-ca-cert" ./nebula.yaml {
group = "nebula-xunmesh";
mode = "0644";
};
}; };
} }

27
secrets/nixdesk/nebula.yaml Normal file
View file

@ -0,0 +1,27 @@
nebula-cert: ENC[AES256_GCM,data:gc51WLnmdZ35IHjlfMgoDd+CeuR272OYSBZJESHOMhLForNk6KrhX4FYYbKgx2Wk90aUBa1bhWHHPV/+ZGTp9D6+gp5+Ix38v7fj/bakfA61UHtXrhRDpWIeY4uF7yFlr34+7evPo0D+2C4slTyoza3KJR51ewpLESixD5OTt9STuq8olrq7okj29+VMApLJF76YiMBSuS/faE00XV8eYnMnZ9/vKfjU6dodvO1auN3Ih/LMh+p/N6aIbHEciZinzwGGMUzRD247fPjH2+prGXif2ZUqCJxle7BDXMYvjHvMofzpd9HORRNhutR6gpjewQkckLm2hnVFbg5q6uFK/iA9cSXoJVsr1x0XpJzzoqP9VodGfnnyzQiKgdwOsTxBoVNnEd5aLGNdBDrF,iv:MeCyGh2C9ciDz1RxrDYc2w5y5jxHRhAlOsJVzhGmjP0=,tag:H22ooe4QId7ppvNoJRlUWA==,type:str]
nebula-key: ENC[AES256_GCM,data:hBiT+8r9Vf1Tlhxi2nRRHTqOAccw0KQRpbj/jcDDw0skA58oi7QekB6X8k3bJygRps0/NIeMhQEnEtYPY1jPT3EHh4//OgNtw434c+OWLoN47/Lm7hhW6vKcRLzJVIRCrcPjVuJjQMdA6zQfanRcwXj7cZtat+8xI8+U9fTj1g==,iv:70yvhNlGTIIvPwdWibOCv7EdidSs/ja560lAPWO7X14=,tag:x6mQoWMcmPShMAL/EM97aA==,type:str]
nebula-ca-cert: ENC[AES256_GCM,data:7u5SXwVBJYNnG8rKHgCC07mb987zGExB1rySk+kkYzd+myY5k+RjTzJmrJGAj2hzqvrqm9i7Ij0Ubwgjc6mpWZSnjWiLhAVqCeSE51T9iQOL40oHNDcemn7WTzvobWa1N05KOlrsXXOY+q3wcEw2fUPOD6b5veXPx9jMW4vXupqjtVIxQr3K3xbIvZ0mZXmQKLcDYXHz5ODj6OMeUHG0vU47f9tUvN0/Mz/vVyjQu3KeQmpcbuCwQjISa+f0oAcObmIlbb5VuGXkwYU33TW0GaCqq3FR61NgS0aug2hyDfcnLuPit5aTC8G6AuKSx5g=,iv:VYOJdJsMyXGgGnk7C8kOcJvyisyo1EWV+XCfn5s6YP8=,tag:dfP8/TiidaK/uOjDpnCAqA==,type:str]
sops:
age:
- recipient: age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvNGx0VWlZeW44bkJqcndG
Qy84REZPcU1YQUQwVFZ0YmtnbG5IcUxGTWhnCld1RXNHeUF3bEhWNStQT0RlQ1dP
dHkwcHY3SzRpWW5jUWgrWmpScURGT1UKLS0tIDg3Z0xzcUZGQW9jRWw0SjlwbEJm
R1U5ZEVPbTR3SUswNk5zd1ZrNFZDRVUKjsqfv1fQ7RdIzLPhig5xEppFs0pQIGPo
FjzOkHqPovGpRX/nak5mJ6NBqugem0qbcC0EU18rwKW1heEI3lwWIQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age155sscpw0x36t6s9usdrz7relpxqrtqnk98mrc7s0qcv2n0v3zd7sfl2xn8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPeU5SMVM1emk4K1F6UkRB
SW5zcXlaaHB5V3V0TUY3cXdmcm9GejhmRjJjCnhuR2NicGs2UEFGWDZ0RkM3YzE5
eEwrZ0xVdXpnTCtGdnVuU2IvZi9zbVUKLS0tIENLQ0JlZFlmaW8xd00rdW54Smdw
M3VsTHkxUGw3WU00S0tqQktDbmdzOUkKMXk7HjJS8LayEUTljfpLaYdg9YYoW5AT
ODpHY/xOPk4ZTx2g2usB8ABkD2vUATrbLd3sRjdPf6JgLwMyhmqc/w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-08-27T18:07:00Z"
mac: ENC[AES256_GCM,data:BdzKax73638rb0wDBAB+FL93FgbkTelnxhLfPiU60O9s87lC1cZG1UzW4z2WsqgZY2G6wLsVzTiGGClXgkNZXNzQjUQ/7zML5/gl0ubRKG69oAywxg6ESaSu33jqaaM56+pRivDHJPXlqrICj+TJvBDy1e+Ppe0YUUwYnbCA6QI=,iv:NC3Y6v6hGMW9jZYsqS+S/6BiCFTezBQhzMG5FTotRoc=,tag:oFbguE6yjCINaXoEfVJrPg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2

21
secrets/rackserv/default.nix
View file

@ -1,5 +1,12 @@
{ {
sops.secrets = { sops.secrets = let
loadYamlKey = key: sopsFile: overrides:
{
inherit sopsFile key;
format = "yaml";
}
// overrides;
in {
wireguard-privatekey = { wireguard-privatekey = {
format = "binary"; format = "binary";
sopsFile = ./wireguard-private; sopsFile = ./wireguard-private;
@ -13,5 +20,17 @@
format = "binary"; format = "binary";
sopsFile = ./cloudflare; sopsFile = ./cloudflare;
}; };
nebula-cert = loadYamlKey "nebula-cert" ./nebula.yaml {
group = "nebula-xunmesh";
mode = "0644";
};
nebula-key = loadYamlKey "nebula-key" ./nebula.yaml {
group = "nebula-xunmesh";
mode = "0644";
};
nebula-ca-cert = loadYamlKey "nebula-ca-cert" ./nebula.yaml {
group = "nebula-xunmesh";
mode = "0644";
};
}; };
} }

27
secrets/rackserv/nebula.yaml Normal file
View file

@ -0,0 +1,27 @@
nebula-cert: ENC[AES256_GCM,data:TXrzTe94Ju4xOo/5DfiwbNivl1qvQc0HURA+6F5rY4d3tPz05xk2Hjas2ADyZa4TneGZnweEaoCmjIBemrknSZh2RPkkxAC7CDvRkvTqzFyg1057tQrsdva7/e3Cl7cCm3kEFpkdz51NDW9ZeL+wq+yyk9VWIq4SRMDalODxjdAHj8+dus0AQKSctWfUa+lat+9nORNnu5086uWq81GVOWPJObb1pt410lneToGGtYcCi9OpgLLOOuztcdgDPVy9CJ/e7cg99gzihsP4/t+psPnODZB+wZG5eWeTYyFuWYSnbZ9t/7UVPBYTIQF8tf6YAJm46muIMbtwbOTfrwBE7EqkvWJ5B1uASIc5WtNPypnQ6Cg+BXnl5eUPQf0m+7fjx0XmipPwAfgJVfiW,iv:vOU8qUEdfek5eRpuvHUGbU1irqOkQDyYCo4GZsJ+FG8=,tag:onCjWRAMCmsn4IYtKVdhBQ==,type:str]
nebula-key: ENC[AES256_GCM,data:bsQjSZKDFcOLbRyUZ7CjmaZdRISwq7EPb+nWLmoLTieN9cImwIDMFPAX/nY/xR22IhXoxWQNsNNUEJjAnG8+Ab1UeJhPIcLvlP2zhawpKyuvAeIL4rUpGGe6xPvfcg6RQErlWeFGEAWkeZUQU69jza3nVYaF5DjyvKFuyHx/CQ==,iv:6qdkFrz/3F0/fvh04VWsQNnXDxumh0SetpIErhlJDNY=,tag:6FdOEFsHwyONGUyQAAMuKg==,type:str]
nebula-ca-cert: ENC[AES256_GCM,data:AnLS3fVL6pZQuhsuM+2axcSnwZZVXbAMXHYxcmd4UY6cDDDY0xIFmlbI0AU5Mnpc6eTm2ayfzDYaUiMaw9eiG+HmeoYWvPR4ZlO9WX6QFB6BWZ3U2nCrgpx8DvGmu/Luxew/iUghBAN+eYNKrBZq5kKJzSRlndkcymGs1y/7smRIzzhfV7DS+OXuD/UbQFV5ILsCwka2Xd5/RqhgwyZaPNc6ZDFjm6MHSSd2PepGrpZd3m8+nN9PahjujKnwd34AwtjEKukE/aknV0juyQhZVidQkxdueWiagGV5O/GIt2RIVzjRr3YbqMtYTC9tCGI=,iv:sJhA5EuIypj+GRbNk0ubu8T/ekdYV4+7/ksQfH7tssg=,tag:3lVxSszGv6vxIX4Ru8z3VQ==,type:str]
sops:
age:
- recipient: age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2TGNJSDBEZ3Z3OW9FWU5G
YWZFOER6N2o3emJCQ2I5R0kvTVpvcW90UlQ0Cm5USVhwckNOUE9PT1pwOWlBakJR
QzI1U0RjV2N5Uk1Hb3FUY0RuMnRnWTgKLS0tIHh5aWw0b2JSWnRyREFvTzh1Y2M0
TnJWcU1mNmlZLzgyYWgrM1NTc0l0d28KGm+JaAUcKvrqaEayHZjv/f1JcJY7x2m6
lys3PDLcKhhTk3BRiv4GP6nbzhTcK8hRQKRgnm8JzTWsH0F1TIfuTQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zutg3s4nth679a6av9xqw4km0ezmfkxlnusu78demf0rzazqn3pqk9exgj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnclVjYWpkTThwd2NPRW8x
WDJhVWFyTUp0OFErM0ZaUjVISDJnMHdwbFNJCi9QcXpQZ3M0YTdoTmdoK29vdi91
cll5ZG9ZY0ZjU011N2dOaUZtSXVmZ1UKLS0tIHlZbnFQZjd0SVgyaUxWbnNKVUp5
QTU4YzRMd3lnN3pXcXJTVWhDazhkeVUK3TOmX/YG2A1m7eM5n61HJEWFxspd2YSN
36j6iP3ybCNEKkphksPyXnjW3//jfV6nfU10iJ8wvxdNyKzUS6ZYyg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-08-27T18:04:52Z"
mac: ENC[AES256_GCM,data:MNVAT0YyCCi2j4YtFQAfjBTsA9CR/Y6yoRCpppnEybWjKjubUOaMtDhDEh5mgEz++iu/gLU+SEwF7NbWb7HSH2xLmhToq+NN09wLsdE77QHC6TEVdW4joHi49PP06ritNp32xlbDGJaDOoeiO6ub9IQEAM9TM+jdlNWc555yhM8=,iv:HfA4Li0NlBAXKoT/3FG6xctoJdlJyVtyK8d9N1Q2YmY=,tag:xUSFbvbGP4nZzNAyhwQV7A==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2

32
sys/profiles/network/nebula.nix Normal file
View file

@ -0,0 +1,32 @@
{config, ...}: {
services.nebula.networks.xunmesh = {
enable = true;
staticHostMap = {
"30.0.0.1" = ["172.245.52.19:4242"];
};
cert = config.sops.secrets.nebula-cert.path;
key = config.sops.secrets.nebula-key.path;
ca = config.sops.secrets.nebula-ca-cert.path;
firewall = {
inbound = [
{
host = "any";
port = "any";
proto = "any";
}
];
outbound = [
{
host = "any";
port = "any";
proto = "any";
}
];
};
settings = {
preferred_ranges = ["192.168.50.0/24"];
lighthouse.hosts = ["30.0.0.1"];
punchy.punch = true;
};
};
}