authorsefidel <contact@sefidel.net>2024-01-11 22:53:35 +0900
committersefidel <contact@sefidel.net>2024-01-12 00:18:47 +0900
commit4afa6aa625dc8930fe14e9aff0750ff64c5098a8 (patch)
tree04ccd8673e4c8e61a26339dc2543ff4a879aa2ec /systems/v-coord1/default.nix
parentb6df3d14a431ef23c1fe1c138b109028f61e5b74 (diff)
feat(systems/v-coord1): configure nebula
Diffstat (limited to 'systems/v-coord1/default.nix')
-rw-r--r--systems/v-coord1/default.nix27
1 files changed, 27 insertions, 0 deletions
diff --git a/systems/v-coord1/default.nix b/systems/v-coord1/default.nix
index ec91e9c..6d97da8 100644
--- a/systems/v-coord1/default.nix
+++ b/systems/v-coord1/default.nix
@@ -61,6 +61,11 @@ in
   time.timeZone = "UTC";
 
   sops.secrets.root-password.neededForUsers = true;
+  # User = networkId;
+  # nameToId = netName: "nebula-${netName}";
+  sops.secrets.nebula-sefidel-internal-ca = { owner = "nebula-sefidel-internal"; };
+  sops.secrets.nebula-sefidel-internal-cert = { owner = "nebula-sefidel-internal"; };
+  sops.secrets.nebula-sefidel-internal-key = { owner = "nebula-sefidel-internal"; };
 
   users.users.root.hashedPasswordFile = config.sops.secrets.root-password.path;
   users.users.root.openssh.authorizedKeys.keys = maintainerKeys;
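Review bot: The two commented lines above the `sops.secrets.nebula-sefidel-internal-*` entries read as pasted module internals rather than an explanation of why the owner is `nebula-sefidel-internal`, so a reader cannot tell whether that name is a choice or a constraint. If the intent is that the owner must match the service user the NixOS nebula module derives from the network name (which the quoted `nameToId = netName: "nebula-${netName}"` suggests), state that directly, e.g. `# Owner must match the user the nebula module creates for this network: "nebula-<networkName>".` The key secret keeps the sops-nix default file mode; if the service user is meant to be the only reader, that is the right default, and a short note saying the key is intentionally not group-readable would make the intent reviewable. The enclosing module attribute set begins before this hunk.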
@@ -78,6 +83,28 @@ in
     sops.enable = true;
 
     services.tailscale.enable = true;
+    services.nebula = {
+      enable = true;
+
+      networks.sefidel-internal = {
+        ca = config.sops.secrets.nebula-sefidel-internal-ca.path;
+        cert = config.sops.secrets.nebula-sefidel-internal-cert.path;
+        key = config.sops.secrets.nebula-sefidel-internal-key.path;
+
+        isLighthouse = true;
+        isRelay = true;
+
+        settings = {
+          lighthouse = {
+            serve_dns = true;
+            dns = {
+              host = "100.64.0.1";
+              port = 53;
+            };
+          };
+        };
+      };
+    };
   };
 
   # This value determines the NixOS release from which the default
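Review bot: `lighthouse.dns.port = 53` is a privileged port, and the `User = networkId;` comment in the earlier hunk suggests the NixOS module runs nebula as the unprivileged `nebula-sefidel-internal` user, so unless the unit grants CAP_NET_BIND_SERVICE (or `net.ipv4.ip_unprivileged_port_start` is lowered) the DNS listener will fail to bind while the tunnel itself still comes up, which is easy to miss. Confirm this against the module's capability set and either document it or choose an unprivileged port. Separately, binding the resolver to the overlay address `100.64.0.1` is the right scoping, but the NixOS firewall drops inbound traffic on the tun interface by default, so overlay peers can only reach it if port 53 is allowed on that interface (e.g. `networking.firewall.interfaces.<nebula tun device>.allowedUDPPorts = [ 53 ];`, with the device name taken from whatever the module configures) — verify rather than assume. A one-line comment on `serve_dns` naming which clients are expected to use this resolver and that it is only reachable from the overlay would help future readers. The enclosing attribute set (the one containing `sops.enable`) begins before this hunk.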