From 4afa6aa625dc8930fe14e9aff0750ff64c5098a8 Mon Sep 17 00:00:00 2001
From: sefidel
Date: Thu, 11 Jan 2024 22:53:35 +0900
Subject: feat(systems/v-coord1): configure nebula
---
 systems/v-coord1/default.nix | 27 +++++++++++++++++++++++++++
 systems/v-coord1/secrets/secrets.yaml | 7 +++++--
 2 files changed, 32 insertions(+), 2 deletions(-)
(limited to 'systems')
diff --git a/systems/v-coord1/default.nix b/systems/v-coord1/default.nix
index ec91e9c..6d97da8 100644
--- a/systems/v-coord1/default.nix
+++ b/systems/v-coord1/default.nix
@@ -61,6 +61,11 @@ in
 time.timeZone = "UTC";
 sops.secrets.root-password.neededForUsers = true;
+ # User = networkId;
+ # nameToId = netName: "nebula-${netName}";
+ sops.secrets.nebula-sefidel-internal-ca = { owner = "nebula-sefidel-internal"; };
+ sops.secrets.nebula-sefidel-internal-cert = { owner = "nebula-sefidel-internal"; };
+ sops.secrets.nebula-sefidel-internal-key = { owner = "nebula-sefidel-internal"; };
 users.users.root.hashedPasswordFile = config.sops.secrets.root-password.path;
 users.users.root.openssh.authorizedKeys.keys = maintainerKeys;
@@ -78,6 +83,28 @@ in
 sops.enable = true;
 services.tailscale.enable = true;
+ services.nebula = {
+ enable = true;
+
+ networks.sefidel-internal = {
+ ca = config.sops.secrets.nebula-sefidel-internal-ca.path;
+ cert = config.sops.secrets.nebula-sefidel-internal-cert.path;
+ key = config.sops.secrets.nebula-sefidel-internal-key.path;
+
+ isLighthouse = true;
+ isRelay = true;
+
+ settings = {
+ lighthouse = {
+ serve_dns = true;
+ dns = {
+ host = "100.64.0.1";
+ port = 53;
+ };
+ };
+ };
+ };
+ };
 };
 # This value determines the NixOS release from which the default
diff --git a/systems/v-coord1/secrets/secrets.yaml b/systems/v-coord1/secrets/secrets.yaml
index e3a3d5e..e3a6fdd 100644
--- a/systems/v-coord1/secrets/secrets.yaml
+++ b/systems/v-coord1/secrets/secrets.yaml
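Review bot: The two comment lines added ahead of the new sops secrets, `# User = networkId;` and `# nameToId = netName: "nebula-${netName}";`, are presumably fragments lifted from the NixOS nebula module rather than an explanation, so the file never says why the secrets are owned by `nebula-sefidel-internal`. Replace them with a prose comment, e.g. `# The NixOS nebula module runs each network as user "nebula-<network name>"; the secrets must be owned by that user so the service can read them.`. The owner string is repeated three times here and the network name appears again in the second hunk; a single `let` binding for the network name, with `owner = "nebula-${netName}"`, would keep them from silently drifting apart if the network is renamed. The enclosing module attribute set starts and ends outside the hunk.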
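Review bot: `serve_dns = true` with `dns.host = "100.64.0.1"` and `port = 53` starts Nebula's DNS responder, but nothing in the hunk lets queries reach it: `firewall.inbound` is left unset, so Nebula's own firewall has no rule admitting 53/udp from overlay peers, and the host firewall gets no entry for that port on the overlay interface either (as far as I recall the NixOS module only opens the tunnel's listen port). If overlay DNS is intended, add `firewall.inbound = [ { port = 53; proto = "udp"; host = "any"; } ];` to the network and `networking.firewall.interfaces."nebula.sefidel-internal".allowedUDPPorts = [ 53 ];` (the module derives the tun device name from the network name — confirm the actual interface name on the host). Also state in a comment that `100.64.0.1` is this host's overlay address from its certificate rather than a host-side address, since that is what keeps the responder off the public listen address. The enclosing module attribute set starts outside the hunk.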
@@ -1,4 +1,7 @@
 root-password: ENC[AES256_GCM,data:un7dq8JK2/dzapuT4Ke1zIP6eT32iquZWwp00vrUtP44vwTEKRuaAl7lI2gyvbBu4fIFL0kzn855Umy9xXXrbg5EBHJPFr6J5Q==,iv:mLvwFdtnVyQsrmOK5IKv1VgTHfNr2Lu7I3fWVDaM0i4=,tag:rktJjITTn6CjjlcOxOixrQ==,type:str]
+nebula-sefidel-internal-ca: ENC[AES256_GCM,data:99Sk+4eJovl53/haBe+QHpKz1rii2EvMNqQyP6mtQcNjm90n0hNhxjzsS6n9V52fruDyIftaz2ahAoY/Xfj6Ab8+qcSXPjo2Sw6vbmsL6QAtjeE24+vvFfEckzqaF3MgUjN6chyKxht6QB4cAsW42xz68XwAeDYXzMQPGYdZ3LNkd3tDacniQv3Mwo+Fa6+KUW5uHn5OX5aZ7o8ZCrMXAIgLEb3vAtftjOQL6PyzPx1Fx8fKIcIWvHTivkmyr8AhyulSFQMKCVdXFsolDvbqnOr/F5Q9m7ZyBHHv0a+8wejRb1N5HPrx3xWt+uL/1Y5DdC6PyuNlIm2gyq1dCfwOQpSs+Q==,iv:68YvDFuQOUfFzzEiV8tEeUx/J1zAbS8/PP7e0jtyfgg=,tag:9nlOEAfitd9tzIvx53Euyg==,type:str]
+nebula-sefidel-internal-cert: ENC[AES256_GCM,data:1oMYBWjrXGAm2tAETQQAUvcsxDjQEaXrTqqvyFmRDOnki06ueh5jvXapBPoYxmyVJGti5QAwURAabbYVL5jJTRUhPduugug3obPLIXMrBFx3P1RAmiWqam0XQw+cArZtzWcyGRXI6iTg8vEbO42Uo8m3OrHjUcMMT8fLm8nqB6mM4EMJZWQV+n2++OkzsI+q+T6emKi+Vo98IfKwCuJOC4S8+hrp2HonZbyW3N72hz/8dLY6BKvXLugWpkmlhYBNRwruboPgmCJWHU+WWDY2xshhSJPAPoCnmxE2aYot16ZKLolZupEZAEUx4JQEBxXgpc9wxQLoSnNB6/a6Qp2g1SdjasUIvjyKbAKkX708f/jdqBYyrXAf8aplDHsiQm7O0OJ8Z9ZUd8S6pwDeCwU/uklng1b6wO2YX8L42tHp0KDKDGA1LJ3eSA==,iv:+VHSqObrNN02Z5SMmvxSVYR+nNX74UYuLtfylghYR10=,tag:bTUdnkrz0TEPldvQVIn/Og==,type:str]
+nebula-sefidel-internal-key: ENC[AES256_GCM,data:sfgixmxkURUBlURSb2k/AAHcPp9vECZrd7cSwS6Vtgr5Wxsl/gi+F8T/4Lx6K6rin8FDZyQUI/e4yeF1vWDXmtEKl7khttI7saIZ1Zh678Cd5SOzyNTCfLALPhrZgShvrWsRUCb+YOZ5t3hVagUc5BZXFFfKJyxLRcriZSTr5w==,iv:GiDD+JrdQTLgakeVzvSThN/YvkwYUPTFs8wy8HJLmqc=,tag:WAJul+MPfSZ4qm7MmgRB6w==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -23,8 +26,8 @@ sops:
 T3drWEw2c0x4ZXJYNlQ5UTVReitTekkKn4JF/VB1qbB/up+a5yiohMxPyW+o+F76
 zC/cBgJoI3g7gdYLLPBoWxX4uRCv03/D1g3JDJVcsRo/MuUdv7iOyg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-01-09T17:17:21Z"
- mac: ENC[AES256_GCM,data:M9PQJI7xFzFBf21T8FRQ6ui7aji0Ln987/KRkOEDI8tEKER16TCAY4qVVrZ0mltLpjYMBZajbtgipwh3yAz/6INEWHuS0Ao4hN8XALLhVK9PbYLLk+9YxKQ2n/8navv6dZdKt8vBDqX8Rc+BZmWbU9l8ogNbdA0YgpvTjaNyaaE=,iv:v8GJjZQfgdjx9tJFSkfsIytt55lYxmTwaRcg9MTgSWg=,tag:NVrdbkvT+5RGRskteB8iDA==,type:str]
+ lastmodified: "2024-01-11T09:58:29Z"
+ mac: ENC[AES256_GCM,data:nOOmRDIhi/l87kY0hGO4x/sjqBVAGlZSjwrJkjQtCLuMdGLpyyeJACUCqzNYdrlYcryNockGDG7FQPbHV0PszHFfWLTFxBpuTfHdOJyYjLBwM1S6bmkaq0cb/BGd55JLbuqBk3dMcessE0aqLcFZZ3fOJM/WxJ/JXOs1LsWXL7Y=,iv:4LTPRk8wCAU1eppHGmAOwWOeFv9uczweSEZNCUJT8Xk=,tag:Xv78dxnD1G8UxYJ7UkXfFQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
-- cgit 1.4.1