authorsefidel <contact@sefidel.net>2024-01-11 22:53:35 +0900
committersefidel <contact@sefidel.net>2024-01-12 00:18:47 +0900
commit4afa6aa625dc8930fe14e9aff0750ff64c5098a8 (patch)
tree04ccd8673e4c8e61a26339dc2543ff4a879aa2ec /systems
parentb6df3d14a431ef23c1fe1c138b109028f61e5b74 (diff)
downloadinfra-4afa6aa625dc8930fe14e9aff0750ff64c5098a8.tar.gz
infra-4afa6aa625dc8930fe14e9aff0750ff64c5098a8.zip
feat(systems/v-coord1): configure nebula
Diffstat (limited to 'systems')
-rw-r--r--systems/v-coord1/default.nix27
-rw-r--r--systems/v-coord1/secrets/secrets.yaml7
2 files changed, 32 insertions, 2 deletions
diff --git a/systems/v-coord1/default.nix b/systems/v-coord1/default.nix
index ec91e9c..6d97da8 100644
--- a/systems/v-coord1/default.nix
+++ b/systems/v-coord1/default.nix
@@ -61,6 +61,11 @@ in
   time.timeZone = "UTC";
 
   sops.secrets.root-password.neededForUsers = true;
+  # User = networkId;
+  # nameToId = netName: "nebula-${netName}";
+  sops.secrets.nebula-sefidel-internal-ca = { owner = "nebula-sefidel-internal"; };
+  sops.secrets.nebula-sefidel-internal-cert = { owner = "nebula-sefidel-internal"; };
+  sops.secrets.nebula-sefidel-internal-key = { owner = "nebula-sefidel-internal"; };
 
   users.users.root.hashedPasswordFile = config.sops.secrets.root-password.path;
   users.users.root.openssh.authorizedKeys.keys = maintainerKeys;
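Review bot: The two comment lines above the new sops entries (`# User = networkId;` and `# nameToId = netName: "nebula-${netName}";`) read as a scratch excerpt from the NixOS nebula module rather than an explanation, and they leave the reader to work out why the owner is the literal string "nebula-sefidel-internal". I would replace them with a comment that states the constraint directly, e.g. `# owner must be the per-network system user the NixOS nebula module creates ("nebula-<networkName>") so the service can read these files at startup`. Of the three entries only the key is private material; the CA and cert are public, so owner-only access is harmless but not required, and a short note saying so would save the next maintainer from wondering whether something else depends on it. The `let … in` body these lines belong to starts outside the hunk.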
@@ -78,6 +83,28 @@ in
     sops.enable = true;
 
     services.tailscale.enable = true;
+    services.nebula = {
+      enable = true;
+
+      networks.sefidel-internal = {
+        ca = config.sops.secrets.nebula-sefidel-internal-ca.path;
+        cert = config.sops.secrets.nebula-sefidel-internal-cert.path;
+        key = config.sops.secrets.nebula-sefidel-internal-key.path;
+
+        isLighthouse = true;
+        isRelay = true;
+
+        settings = {
+          lighthouse = {
+            serve_dns = true;
+            dns = {
+              host = "100.64.0.1";
+              port = 53;
+            };
+          };
+        };
+      };
+    };
   };
 
   # This value determines the NixOS release from which the default
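Review bot: The lighthouse DNS address `host = "100.64.0.1"` lies in 100.64.0.0/10, the CGNAT range Tailscale hands out to every node, and `services.tailscale.enable = true` is kept in the same block directly above the new `services.nebula` attribute; unless the tailnet has been given a disjoint range, both overlays will install routes for overlapping addresses on this host and packets meant for one mesh can be steered into the other, which also blurs which trust boundary a given 100.64.x.x peer belongs to. The nebula address space is fixed by the certificates rather than by this file, so I can only infer it from the DNS bind address, but it is worth checking before this is deployed. Separately, nothing in the hunk sets `networks.sefidel-internal.firewall.inbound`/`firewall.outbound`; as far as I recall the NixOS module defaults both to empty lists, meaning no overlay traffic — including the UDP/53 queries that `serve_dns = true` is meant to answer — is accepted until explicit rules are added, so please confirm and add rules scoped to the groups that need DNS. The enclosing attribute set begins before this hunk.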
diff --git a/systems/v-coord1/secrets/secrets.yaml b/systems/v-coord1/secrets/secrets.yaml
index e3a3d5e..e3a6fdd 100644
--- a/systems/v-coord1/secrets/secrets.yaml
+++ b/systems/v-coord1/secrets/secrets.yaml
@@ -1,4 +1,7 @@
 root-password: ENC[AES256_GCM,data:un7dq8JK2/dzapuT4Ke1zIP6eT32iquZWwp00vrUtP44vwTEKRuaAl7lI2gyvbBu4fIFL0kzn855Umy9xXXrbg5EBHJPFr6J5Q==,iv:mLvwFdtnVyQsrmOK5IKv1VgTHfNr2Lu7I3fWVDaM0i4=,tag:rktJjITTn6CjjlcOxOixrQ==,type:str]
+nebula-sefidel-internal-ca: ENC[AES256_GCM,data:99Sk+4eJovl53/haBe+QHpKz1rii2EvMNqQyP6mtQcNjm90n0hNhxjzsS6n9V52fruDyIftaz2ahAoY/Xfj6Ab8+qcSXPjo2Sw6vbmsL6QAtjeE24+vvFfEckzqaF3MgUjN6chyKxht6QB4cAsW42xz68XwAeDYXzMQPGYdZ3LNkd3tDacniQv3Mwo+Fa6+KUW5uHn5OX5aZ7o8ZCrMXAIgLEb3vAtftjOQL6PyzPx1Fx8fKIcIWvHTivkmyr8AhyulSFQMKCVdXFsolDvbqnOr/F5Q9m7ZyBHHv0a+8wejRb1N5HPrx3xWt+uL/1Y5DdC6PyuNlIm2gyq1dCfwOQpSs+Q==,iv:68YvDFuQOUfFzzEiV8tEeUx/J1zAbS8/PP7e0jtyfgg=,tag:9nlOEAfitd9tzIvx53Euyg==,type:str]
+nebula-sefidel-internal-cert: ENC[AES256_GCM,data:1oMYBWjrXGAm2tAETQQAUvcsxDjQEaXrTqqvyFmRDOnki06ueh5jvXapBPoYxmyVJGti5QAwURAabbYVL5jJTRUhPduugug3obPLIXMrBFx3P1RAmiWqam0XQw+cArZtzWcyGRXI6iTg8vEbO42Uo8m3OrHjUcMMT8fLm8nqB6mM4EMJZWQV+n2++OkzsI+q+T6emKi+Vo98IfKwCuJOC4S8+hrp2HonZbyW3N72hz/8dLY6BKvXLugWpkmlhYBNRwruboPgmCJWHU+WWDY2xshhSJPAPoCnmxE2aYot16ZKLolZupEZAEUx4JQEBxXgpc9wxQLoSnNB6/a6Qp2g1SdjasUIvjyKbAKkX708f/jdqBYyrXAf8aplDHsiQm7O0OJ8Z9ZUd8S6pwDeCwU/uklng1b6wO2YX8L42tHp0KDKDGA1LJ3eSA==,iv:+VHSqObrNN02Z5SMmvxSVYR+nNX74UYuLtfylghYR10=,tag:bTUdnkrz0TEPldvQVIn/Og==,type:str]
+nebula-sefidel-internal-key: ENC[AES256_GCM,data:sfgixmxkURUBlURSb2k/AAHcPp9vECZrd7cSwS6Vtgr5Wxsl/gi+F8T/4Lx6K6rin8FDZyQUI/e4yeF1vWDXmtEKl7khttI7saIZ1Zh678Cd5SOzyNTCfLALPhrZgShvrWsRUCb+YOZ5t3hVagUc5BZXFFfKJyxLRcriZSTr5w==,iv:GiDD+JrdQTLgakeVzvSThN/YvkwYUPTFs8wy8HJLmqc=,tag:WAJul+MPfSZ4qm7MmgRB6w==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -23,8 +26,8 @@ sops:
             T3drWEw2c0x4ZXJYNlQ5UTVReitTekkKn4JF/VB1qbB/up+a5yiohMxPyW+o+F76
             zC/cBgJoI3g7gdYLLPBoWxX4uRCv03/D1g3JDJVcsRo/MuUdv7iOyg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-09T17:17:21Z"
-    mac: ENC[AES256_GCM,data:M9PQJI7xFzFBf21T8FRQ6ui7aji0Ln987/KRkOEDI8tEKER16TCAY4qVVrZ0mltLpjYMBZajbtgipwh3yAz/6INEWHuS0Ao4hN8XALLhVK9PbYLLk+9YxKQ2n/8navv6dZdKt8vBDqX8Rc+BZmWbU9l8ogNbdA0YgpvTjaNyaaE=,iv:v8GJjZQfgdjx9tJFSkfsIytt55lYxmTwaRcg9MTgSWg=,tag:NVrdbkvT+5RGRskteB8iDA==,type:str]
+    lastmodified: "2024-01-11T09:58:29Z"
+    mac: ENC[AES256_GCM,data:nOOmRDIhi/l87kY0hGO4x/sjqBVAGlZSjwrJkjQtCLuMdGLpyyeJACUCqzNYdrlYcryNockGDG7FQPbHV0PszHFfWLTFxBpuTfHdOJyYjLBwM1S6bmkaq0cb/BGd55JLbuqBk3dMcessE0aqLcFZZ3fOJM/WxJ/JXOs1LsWXL7Y=,iv:4LTPRk8wCAU1eppHGmAOwWOeFv9uczweSEZNCUJT8Xk=,tag:Xv78dxnD1G8UxYJ7UkXfFQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1