neb

2026-03-23 16:37:34 -05:00
parent 23f29b6ca1
commit 0b9a301a92
6 changed files with 586 additions and 355 deletions
--- a/packages/system/nebula-sign-cert/default.nix
+++ b/packages/system/nebula-sign-cert/default.nix
@@ -0,0 +1,187 @@
+{
+  lib,
+  writeShellApplication,
+  nebula,
+  sops,
+  coreutils,
+  jq,
+  ...
+}:
+
+writeShellApplication {
+  name = "nebula-sign-cert";
+
+  runtimeInputs = [
+    nebula
+    sops
+    coreutils
+    jq
+  ];
+
+  text = ''
+    # ---------------------------------------------------------------------------
+    # nebula-sign-cert
+    #
+    # Signs a new Nebula host certificate using the CA stored in a SOPS secrets
+    # file and writes the resulting cert+key back into a (possibly different)
+    # SOPS secrets file.
+    #
+    # The CA is read from:
+    #   <ca-sops-file>  at YAML path  <ca-prefix>/ca-cert  and  <ca-prefix>/ca-key
+    #
+    # The new cert+key are written to:
+    #   <host-sops-file>  at YAML paths
+    #     <host-prefix>/<host-secret-name>-cert
+    #     <host-prefix>/<host-secret-name>-key
+    #
+    # Usage:
+    #   nebula-sign-cert \
+    #     --name         <node-name>           # e.g. "nas" — used in the cert
+    #     --ip           <overlay-ip/mask>     # e.g. "10.1.1.2/24"
+    #     --ca-file      <path/to/ca-secrets.yaml>
+    #     --ca-prefix    <sops-key-prefix>     # e.g. "pi5/nebula"
+    #     --host-file    <path/to/host-secrets.yaml>
+    #     --host-prefix  <sops-key-prefix>     # e.g. "jallen-nas/nebula"
+    #     --host-secret-name <name>            # e.g. "nas" (cert stored as nas-cert/nas-key)
+    #     [--groups  <group1,group2>]          # optional Nebula groups
+    #     [--duration <duration>]              # e.g. "8760h0m0s" (1 year), default: CA lifetime
+    #
+    # All temp files are written to a private tmpdir and shredded on exit.
+    # ---------------------------------------------------------------------------
+
+    set -euo pipefail
+
+    # ── argument parsing ────────────────────────────────────────────────────────
+    NAME=""
+    IP=""
+    CA_FILE=""
+    CA_PREFIX=""
+    HOST_FILE=""
+    HOST_PREFIX=""
+    HOST_SECRET_NAME=""
+    NEBULA_GROUPS=""
+    DURATION=""
+
+    usage() {
+      echo "Usage: nebula-sign-cert \\"
+      echo "         --name          <node-name> \\"
+      echo "         --ip            <overlay-ip/mask> \\"
+      echo "         --ca-file       <path/to/ca-sops-file.yaml> \\"
+      echo "         --ca-prefix     <sops-key-prefix>  (e.g. pi5/nebula) \\"
+      echo "         --host-file     <path/to/host-sops-file.yaml> \\"
+      echo "         --host-prefix   <sops-key-prefix>  (e.g. jallen-nas/nebula) \\"
+      echo "         --host-secret-name <name>          (e.g. nas) \\"
+      echo "         [--groups       <group1,group2>] \\"
+      echo "         [--duration     <8760h0m0s>]"
+      exit 1
+    }
+
+    while [[ $# -gt 0 ]]; do
+      case "$1" in
+        --name)           NAME="$2";            shift 2 ;;
+        --ip)             IP="$2";              shift 2 ;;
+        --ca-file)        CA_FILE="$2";         shift 2 ;;
+        --ca-prefix)      CA_PREFIX="$2";       shift 2 ;;
+        --host-file)      HOST_FILE="$2";       shift 2 ;;
+        --host-prefix)    HOST_PREFIX="$2";     shift 2 ;;
+        --host-secret-name) HOST_SECRET_NAME="$2"; shift 2 ;;
+        --groups)         NEBULA_GROUPS="$2";    shift 2 ;;
+        --duration)       DURATION="$2";        shift 2 ;;
+        -h|--help)        usage ;;
+        *) echo "Unknown argument: $1"; usage ;;
+      esac
+    done
+
+    # ── validate required args ──────────────────────────────────────────────────
+    missing=()
+    [[ -z "$NAME"             ]] && missing+=(--name)
+    [[ -z "$IP"               ]] && missing+=(--ip)
+    [[ -z "$CA_FILE"          ]] && missing+=(--ca-file)
+    [[ -z "$CA_PREFIX"        ]] && missing+=(--ca-prefix)
+    [[ -z "$HOST_FILE"        ]] && missing+=(--host-file)
+    [[ -z "$HOST_PREFIX"      ]] && missing+=(--host-prefix)
+    [[ -z "$HOST_SECRET_NAME" ]] && missing+=(--host-secret-name)
+    if [[ ''${#missing[@]} -gt 0 ]]; then
+      echo "error: missing required arguments: ''${missing[*]}"
+      usage
+    fi
+
+    [[ -f "$CA_FILE"   ]] || { echo "error: CA secrets file not found: $CA_FILE";   exit 1; }
+    [[ -f "$HOST_FILE" ]] || { echo "error: host secrets file not found: $HOST_FILE"; exit 1; }
+
+    # Convert "a/b/c" prefix → sops extract path ["a"]["b"]["c"]
+    prefix_to_sops_path() {
+      local prefix="$1"
+      local IFS='/'
+      local result=""
+      for segment in $prefix; do
+        result+="[\"$segment\"]"
+      done
+      echo "$result"
+    }
+
+    CA_SOPS_PATH=$(prefix_to_sops_path "$CA_PREFIX")
+    HOST_SOPS_PATH=$(prefix_to_sops_path "$HOST_PREFIX")
+
+    # ── setup temp directory (cleaned up on exit) ───────────────────────────────
+    TMPDIR=$(mktemp -d)
+    cleanup() {
+      # Shred all temp files before removing the directory
+      find "$TMPDIR" -type f -exec shred -u {} \;
+      rm -rf "$TMPDIR"
+    }
+    trap cleanup EXIT
+
+    CA_CRT="$TMPDIR/ca.crt"
+    CA_KEY="$TMPDIR/ca.key"
+    HOST_CRT="$TMPDIR/host.crt"
+    HOST_KEY="$TMPDIR/host.key"
+
+    # ── extract CA cert and key from SOPS ──────────────────────────────────────
+    echo "» Extracting CA from $CA_FILE ($CA_PREFIX)..."
+    sops decrypt --extract "''${CA_SOPS_PATH}[\"ca-cert\"]" "$CA_FILE" > "$CA_CRT"
+    sops decrypt --extract "''${CA_SOPS_PATH}[\"ca-key\"]"  "$CA_FILE" > "$CA_KEY"
+
+    # ── build nebula-cert sign args ─────────────────────────────────────────────
+    SIGN_ARGS=(
+      sign
+      -name     "$NAME"
+      -ip       "$IP"
+      -ca-crt   "$CA_CRT"
+      -ca-key   "$CA_KEY"
+      -out-crt  "$HOST_CRT"
+      -out-key  "$HOST_KEY"
+    )
+    [[ -n "$NEBULA_GROUPS" ]] && SIGN_ARGS+=(-groups "$NEBULA_GROUPS")
+    [[ -n "$DURATION" ]] && SIGN_ARGS+=(-duration "$DURATION")
+
+    # ── sign the certificate ────────────────────────────────────────────────────
+    echo "» Signing certificate for $NAME ($IP)..."
+    nebula-cert "''${SIGN_ARGS[@]}"
+
+    echo "» Certificate details:"
+    nebula-cert print -path "$HOST_CRT"
+
+    # ── write cert and key back into the host SOPS file ────────────────────────
+    # sops set requires a JSON-encoded string value; use jq -Rs . to encode the
+    # file contents and pipe via --value-stdin to avoid leaking secrets in ps.
+    echo "» Writing ''${HOST_SECRET_NAME}-cert into $HOST_FILE ($HOST_PREFIX)..."
+    jq -Rs . "$HOST_CRT" | sops set --value-stdin \
+      "$HOST_FILE" \
+      "''${HOST_SOPS_PATH}[\"''${HOST_SECRET_NAME}-cert\"]"
+
+    echo "» Writing ''${HOST_SECRET_NAME}-key into $HOST_FILE ($HOST_PREFIX)..."
+    jq -Rs . "$HOST_KEY" | sops set --value-stdin \
+      "$HOST_FILE" \
+      "''${HOST_SOPS_PATH}[\"''${HOST_SECRET_NAME}-key\"]"
+
+    echo ""
+    echo "✓ Done. Certificate for '$NAME' written to $HOST_FILE"
+    echo "  Rebuild the host to apply: sudo nixos-rebuild switch --flake .#<hostname>"
+  '';
+
+  meta = {
+    description = "Sign a Nebula host certificate using a CA stored in SOPS";
+    mainProgram = "nebula-sign-cert";
+  };
+}
--- a/secrets/desktop-secrets.yaml
+++ b/secrets/desktop-secrets.yaml
@@ -9,6 +9,11 @@ desktop:
    system-ed25519-priv: ENC[AES256_GCM,data:neR7rxQic+JxfkupQh9hIFOSF+QEahIWhFaP4Vk7bDBims9nimy1WRF4jwwoY8+rco+mfrQZT+/F5URpC0uCf0UeL+RCnGcVPMS+NS1+T9/Wygh1ZfsdQNv3G9+H2r59n4kGmaPfaLxfeftNf2M2YkTD5VEt4oZuHg8gcivoeQ8evtezjicIZGLrMxJLXn+SxDq6+glKKk4xOel9AdYsXTw6fCZ/y8uXCjhpMp0FvV6DZbeBawm8O+R/m0KUIEBpfDLXWXnpjZ71XhYCNYRyIwiDBhW5S0o0X+0iX4vSQfxBcwd1oLPYWJjYlMcUSTmaiKH2x5JaQJRiXCd6t3vQchRNQ81wNbL1Q/xERO8RsUMu7u0EW5qeBiGAuW7z/sx3yV8c8SNBwr1GfT+d3g77EShXn48XaGIYvNKW1ANdxkgSc6h66acWeI1kY6/Dk9IpVxvuAQgV3Ukwv8HDCnSHsKJVfm7KYw/jqVZGKTE/msVkCm7KGig1OfinZCs5VvBO7YSWrSyeb580kiiKf32xxBJtmELWueVVov1c,iv:m2Eqw9OAWf1UO38r5i4DVdh9zqLdrbggUOcxqu2339w=,tag:+yq0MDE3dofu8XbDdcTbPQ==,type:str]
    system-rsa-pub: ENC[AES256_GCM,data:uqiKfnAPDXEo0UF0kITdSaGeYaG5Je8jLx2S0tYEyz2jGlTYGvervjQvpbSogHot0A2qgJUc+E2o161fJFNDH599MnI7n3WGJpNQekfUZh/kGM3tBOigzMl6d0UdDjWnJh7IQo06dD35rCE79ZLg5HQEuJz602HG36Be/XfJ2nWAVDqd+/F8+06jrc7RKvecp4ubbrrz9u/wj9BZRLN3GcG8QV4MCRY5neX7MrLWNtB9wcuRS/kt7jLtM2aIDd7a+DZvcUM+4fbWLqpwMQq4N/pf6AYLs/GuemjaZ4iE8evBvHoP82TaCLUhd4jgWp0g8KamK+DHwZAn2nkNGVNOFTSy4p3hA2tkugDIubDhY4ahKAbf9Z0IgY+2iW/ICtvSGxcjT7zIgynnOHTZn0wdVUJEWomTwWdmjCdWo5WSQnCvSEXngNDvEhDVkyA51nBaKVKnshHwOEFiV/0RvO+WnjRjR1jnPz4sksp58OzChd5J4YrA8Y2RbhHFxFV/W3Sn9HFUbGUWo2xHWqhWTBhVmmJSHlwkuG1hzZi1q18aHLgaJBbJzlaDcWLrn8XMm7CPMQzf4+iMJliaANHwGKv52+NEyRMcsgAHUyfsW2qU2uZtCkziPMzxQpJZrNibZrAdwII50hT2B4BQBPVzK1VBC+BLrYmRl+Qvie9C5yzzllQMhLEcA0ChI5+MJ6Rul8UjVpBxsWteLWkc4KHkOabjDLGbF6UAjpnj8xpGCZteLfno6UxJFavXaqm2IsX1IgW80ptPKuJmxiwnkQg7yue19/lsB9/5pWfgHfpThj7Rt25TUIAdl0VtC0yer7UuIKdyl6t58TZHZ78ncTWWRqgnEPABjsN3oUpuhCUbtaq0u1jbJt6CUfIXhaO9Y/YlMPwMyfacAZKQBlg2BxBbtycsWG/ktMUKAbNIdxr+g2kKCEGBgpuMJXmhsE4QmLzZJ1J+y9TOkBrimpJPY+awYkAL0q86HVQ=,iv:tD8LK0+Ksb+3Ahhx2td//ktIgeyFykdrFjN1HURZwno=,tag:XeRgt9DQhWUynhBRZF+rcA==,type:str]
    system-rsa-priv: ENC[AES256_GCM,data:Xu8hN6CtBWZwaY/l0H0iJKIzWBjT3G0YLKqsSSzr914x1ux+790B3H2Tj0aF5tLgHhpqlBD0jzq5Jo4snIxAdBbvttmuJU+VIWRAxqa5YYZVs7G2cumKYvCyY9SoNKRydyBlNqZlWazpx1/TmFwYkj5monyDUm1ShzJ3YqYm/eX9p6sUalJR0atB8YdaXSh0R3b+GM4kMj2OhVOezJmWwpcVXahr/lqwke2j+A27886LyLX9a/vjz9H3B/yIPwSKccAIc4okru+CvQ+IinKas9QZ0PF/rfh4Slv7SqxzyoI5OaxK5ODPu5KfZpNXYv5h/3frueICsfsP4iRb/KPNK5sQtXuvDAOMVXfY3/LkoqcwNjjRKXK6LRiL2AZSgE94qkQgybTNCrKgRLThdK5ckgFAnS/AC16Qy5YpErV8qOprNeh9/9m9mqXK2DfhnXR26z/grb7IFmI3oDTvjBpFppqcQqO42XFhQY18rpGMqXZNiIp544lBHk0zXZkyQAVDSHjHpjQInCxFtFgISUjOrzvnFwewxAN7s0wv6WzEMBiTTz6aigwZ1fn3mM5M197scBsffnM8aT204fyRkPLSfS8hhvL3PlZegBjlW+GIpmFDe7kyXOGLU37TIEVE9k1N9/JrEWSSNqfLEhtKxAhI8dU0Vq03IgM30RvNEmAWXkl0vYRrsj1ciNQ8IX1/YaP+WhcRNre8pZ8iQKP6RyTQrwCYvy1pP8NhwmCbZnuN+57vO8PEwt8r6cL18OlxTZNfMPRtDgeXDRMV3XIlBtIPHSFbzslvXxsIYw+v0iIGEU4amukonrEzxU4pXOq8VN/lL/Y+v0Pi8X5QSG4kGzABwQPZec4zf0PUh+jZWtiVtNNkSAwSX2ENY85MaT1x2YXuTsUhG4uQslPWUXgDnR4RRf2tfsFOC7CpK0VB1QJkjHbV8v7y75PyK7Gk4+q9+qd3vTxatPFaaTzH1UlFlc6GajKjhyifSa2tBB50+DB3c5brOrVRktBWjIVP4ynx0Pxv7XYdUowNsqYQ6DC7ussAlVDuzxXO0TAuiQ0M3sBBGxTZ7j2n4UAXR27dKTGpvyEGrBpaVVSy1v3Ae3CXn0ZSFsY8MNAObnkaNrV7KXU2kcVTPHzxBFAg29ykfg2qkbFp5TP6UlWPl/JF9YPoWSoL9C1WzC5D3cwrXKxgKY6TS3OSDqXaHFK8CZhjiHJitXNWOPr3lKkN3sePRh/8pEw0cbKMn90HWuAuWdzzT8S70nYpBJCeLzFTpkJ4lqLFf3e6z1haojHuKpF463W6FyeZl/a0N4W/ceG1ZgYRBlMm8bXkcq7t2lbSfPg8AqLYDIf+5DXOpr0puhe1/0kpUm6xc/V+B8r4Z8Q15+g2DGIL0DzSyD/SvxADLfsakdUbZkVTDxJ8pjs/jksgeR67VHSKGCwd3BYfzfw2SN/pJ14nIQ9loVe5HLWYcMuCXkNzVBfPINQzA2LC1K/hPQ1BbT0AxU0MvNV1omybgwro1kFPzwkeycT2JJxNz31esHGQsOONh9R6bw4HGgKkOR2UMkTQExg/XRDtBM1g2Sx+t//nNh0bHixSqArtEqNnXyhGQRSYQd1BLHro40wG6GnwRLy2FPdSVPQKo5Uo2OWRl2jKh51yCzBEHRtC2uWR6i1SyqLmr6wxwwxuePEAnE38kQOsfDjWsErEhHtjtEN2GxuLCb016tD6BVkzXWhA2jvKBnQL0NjMB7GEjGHSVXjOWasLJ1EVmNel/AJ8Ic65jdKlINAajVuuPhl/vXVXdnyYBHlLSSgsrFaWWo7uwvlnq5DxDLfFBgRisj3dEv+rN25ZYyFNkCeRPzTFfPmloSmoT/hzlz9jWNwlgM84yspuiBAgBw0ci+eqbWA/1dQiqB36W+SmMdtmZhCTjD3QZ3u216S+Zyc/HvtOlc2UdUn6P2JCq+x2hQgI/4X0aalwUo15q3rSlJaOK48SEjFOgqOUlxrdSXPE6YfMECqgTtLsj7Ym/gxidIoT0/QFIbuu43WEGzk8bnVKRHvthuv0EwhM5cWCfWvF0EsC9GGacP4NKpRfKDxOV+gSG6s4FvKwiRiHqy9ATSv2ZSxwUDN+pjBAkZBELbkMBC8D//M5kXQh+PQHD09JoFqOnfRfSDF5WACiVx27kRBxbV/LlVIL90u62Wzd5eFMGCnihd1efEyX3ulP2qBK8WTr/OP2cGHjEXdXT7RdZvINNSLjwRUQtUKzFHNM/LxnegTufOrxGJ9zcIzMfyFVHmBra6Yg1Fyp7LEP5ITQpc6b44sHF7lTZuSyw4xyqPvfoBHuki2f+d3Z7oqvnjGSEJFy1uclORr+IDlutCImcjw/VOH/Er4ivwLXzxtbG8pf45XgJUcpPHSliFL8cV84jRSqIHToPVttHjLbpPcKm8efc9SYcpGNZeK1a3AdiFhB3o/X3duZmZuxuRHvjh55AKsJBinM4MH6I43XvIljmncQY7CKHz7S3E56fmDEOOsPv+IDnLiu0F7xOLytMM3JJUrb7VDYMvPuTPbsGb7kBYeozJJLl5GACc0Xp+1pk2DVxnq5EdVBqxhV81m5WPY/rMUsAAHnZyvYeZoxC8sKtTlromE2U6WI/N4znAfl0xGtjxosJkmgx7HrrhJnehGWNDwad5sHNyIc7T2NpP22PILG4OLUg5fm5NNTs4u+3ebsY3awQG73xRWqWM78NJbIClhiRih/qttaEip0557ymBwpBvYi4ZLH+t40sd7wSuuiAhTSCx/XD5H3aEaDTGohloUJ7BfyyVDQA56T5i45WdxEd3Dm4W2GE2rcRmxasMA6ayqxaAD3rpucLaY5LO/K+KDJYlMY3R6En/nLM8V0losMutVPziM8br+6xz5wqSUSilAUqFWWsCotrdwMYu5EFgb6XF63JiwZZC7MZOyDpFCnaj8zw8IOgV1PMlVx6sbi3hyRa/xBlCh0ktts4LWDAHzt3ckZaLs+eIqdYQyehOck7MtK+cc7Dm/9XBR1/lrz2Mk8WC/rLjG6ZOD0Z+OhQwTneQLYHCd8oNMpXrjlu2YfjW8mMyK1sl2YoyFfP1P1XdDt0Ln563WOJNuv9jaiuHUvkf4mbW98K3RUlwvp/Gb0dIVjn+8Ei8oLnw1Xoc78SFwqvid77RG7+cqxDSsU2PPmMM+K3WlLV9LvoYswSTmYEkmBFscDFANaqrM9+nMYWwsaoT9JQb+ADBSkMwO/Ha8uGaGxVYdcZT53pfXjSQ46AyYkTFDuDGszEP+RhwX4bwRJMubq0sxHz1igRh/8apl0AA5TRgECuM2wFPJH8Md1Nvp8IRoeJLk81smFgjJ4l2al8G+TPAxCgNR64iwIXWZH9SwYnPaQECmPaNFtihAIPrZ6wcTrF2WjmlrTj11Gj34wj6cmoKJSELUm0cWl4zJ5SLyqPV00UFuRIWHyLz8Rc1Tcz11L6B9CZL0FYRTfZYvu/6PT4k5nZQSp3QlBm/XRYiWbYy2HT27cnBn4qVreYtipru6wwB6Px/dNvV6YZb+rAZ2gsHEi6kG1dgQY9qEsN52hDh2ggQ7FHKJpgX98ir35qgufTQ5eLdN8zmcfSs0ZCwPrm+Yj/VuGzEGAuqcaIPvmiez+9O9tbs7Bl8iF6f5Em7hpgyXem4/b0EiI1Y0cKyJNp2sXgh6cOiAe5emw8Oxpmkuu8mkqqo8Crl4GcDYLKg5kj9HjYD8SeE5mYNi63PUshSG1+ikgxpS3ZEtv6P1xIOhM8dIGu/Y0DlgfYHp2pGcQNQAWfEIsTGrvXlY94cQaCc0Q1ZqDHCLdebgGe3wfSL4wsBDxhIljFujbbXzHPov4AkYXcH4wi7NYUs7+BoGu8em0dQZBpLgW3BHsxyeRX5HNec6TrvWI+norIgtDwQnZ6gbVnERiOCjudrEyROXjwr3GRpcy+33ec2Ou6nhAYMx9Wf03MlkSG7VjSnrsU44R0+okyfUm0DlGTGxpUEtDz0kprkBqmx/XknZZt9LHOhsKlWTDwVzlgSt/JVGN8pRFnNxy16mjWwFPFXeTeseSyX8XtGbPyH7bpf8XvOkcMs82kkeemFhdDyoqC40JPzUBObrNoHRF3vd+UJyS+79Kl3DijeIPS5gtdRlVQW53XL9J9xFpDsVUI6n50Ha5CT/QjsOmoh6vCi6hVWPEB0RjmD4v7K/eLw3IPI3CNi5/VDY+we5eLb7p6fPLmi6x2uXjFvJsfNG7S4hCzHonoOrmkGg1RaL9eYdMJAaMwvC7Kq8rgmSWvW0iahZviOEtvc8sKs1t8lS0mlWlM3Gh5q6DDoe1aiI9Nu3IzmI7QGpmKpD0po3JzbJ+HLwqpPfMEju56RWmaXMv3iHd0vpQHaPfcXqXmuI67q1ilVwmx4lwcGzPGk4THJdvrVB3bsVZzAjT/hz/FJ8yWeNzJqwvtC+mGqB8kdlmQwQpeYBsCtlKHK5e6gJUW+F2z6XfqX7MBVZiDrk/VPaNw6gZhf8p3RCXYGYkgcO0R7IcXmQ=,iv:1buceQb4i5BsZDLh7bY22+mZvnSrJLLpdPOoewXgvU4=,tag:Y7N0bwnIHrvPAPzhTiROig==,type:str]
+matt-nixos:
+    nebula:
+        matt-nixos-cert: ENC[AES256_GCM,data:ycSIZdRnUjpErv8AlogulCj6rqOddyEuvxMsm19FNbEblsG7CIUTXywoQlmx6cZthy83sbFj7RRVSPIkIRL37Zq0zJ4ZBI7kD2o58pfEmS5z6COrhiRVv7pirjlS0kJAlI7ELy6+qwbHWFVwvTWh+d9zpWf7aiEdAQjNvnFU1Oopc9ginN7qQU1UVtl0R5SsSYaGsAmayCb+2ooQOo8CwfBEzNXbxCkFgDnjDCxFjZUqxwO2kwe5z20dORVmB0rOhOwF1IOFfPwuXiFRxK1NaGRoaqH7ILJ+4ULQY2+kwMxpXxJkoP8IvvjXgNntGAy/OAR77jQ12EA6dDFbkSLxPwGB4gp3Q78yjAeqZmnK0ZIEaNsl5nu5L4O4k0QWmReufpXInxBYmBLa1lQLWXlBfNw1jsN9eA==,iv:xKwEFFzdI8pC6EaxKJuZLExb8CsOAuZjBcMen4O78VY=,tag:5WwJwUrtopo0Dwyi7H6GAA==,type:str]
+        matt-nixos-key: ENC[AES256_GCM,data:lwcpFV/HqrVOglxNxnbcnNYGdSFVXLLa0wdvqNO2DUAwWgaM/fZMdOVJgEt05xCeuB3liI8YkjQ5JxGv4CFE+YxsgetA4X81d7MZEybneg4ajuWQFWTdfgCZPOOqqpW7N7eHOc8VxdOGMJmVNeT1ZWUyTja4hhQ3yJF/5i2evQ==,iv:ueuRlJ+86LkM9Uz74ROX0pBvAgujquGXsC9gtzacs4o=,tag:6goq8LY31G7Bj8WpsoRUsw==,type:str]
+        ca-cert: ENC[AES256_GCM,data:n+mwKUzg3Ic8l21JzkLbOCWVg0dksXoqmuwnEVb3tPS1DEAMUih1OunwRV857nylKV1VUf2P4EL0O5CJSCHoaFYOJXnNfL0weWWoLjSU+sYJMOjWMJTPymsu86H0D5p0+cVlZo2jBEGXlVTW05GFMOt25gtVq5assNjRbRkpLxbMJo5WHW5j/qhRF8ec/IcN/NOXMCvIar/ZbRjXbw0JxVFCtdvX3Z/mcAeXOQuLiX/o0H1vTxLUGjAnggfLMTZbFKTQqt6e+aMlbQ3+XAp6GYrGoY6JtM+83r2XWBCTX3n9oZKcx3cTYIZRM1cQz7wYeMAOPcPycfU+4MDumA==,iv:v2V9uLeRrobKREzVIEMg6WPQDh3K1yg5kCqQNAenZ38=,tag:RjwbL+OiM+92QiUo3FHXpg==,type:str]
 sops:
    shamir_threshold: 1
    age:
@@ -156,8 +161,8 @@ sops:
            STU1bkRXNVRsYkJac0RPOVpZTmJCaW8KS9zUt1QpP0k38LQ6OMCkL7Ee3r/fZsWp
            hfISSv9uO1uEmgRHtXSRaElQmOmGgcZB7oqSJvY3SJHxENPiCK4cDw==
            -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2026-02-24T20:19:24Z"
-  mac: ENC[AES256_GCM,data:HInBMtc8M02FH+rwH9Xp1YPsNlMEu5b2m7S49E3Gu1sja2SnA4W62MII92UYPJXqKXDrddkkQjLbOnAX4C9mp8krQ/DaNZtd0nor+tgrSu90DUHQq3pT7tEs4MlTYTI6sGZ0Lhl+9Styr831lH/rC4uqB+nZhHmN/WRnPsDM3Ds=,iv:qkoQLi3IvgJqfdAiSpAxndCSy964fVahXSEHNDKBiUc=,tag:Qr4Ahk0nChcv0itzObxN8g==,type:str]
+    lastmodified: "2026-03-23T21:04:05Z"
+    mac: ENC[AES256_GCM,data:RzOE3TI/cz2OD/cfyuR4aUTm2idclRiBEMzex8HAdg9MiHbxrBST7UF1D0hkG8tRxJZccKerwjJLj+cY+zfMGI59299AC8PEdHQFnyK8JJH3Nk93Bl5Ctsd0eSRV5UHo+XerZbEh0/5o2YlXLQcar++08GhDf0bRjiacjBt6TRc=,iv:79JFaUW4ro35VS9NFlSdG57y6NJ10KglRQOLfhiiQHY=,tag:7CpnuBT5kdcMqEsKcGtimA==,type:str]
    pgp:
        - created_at: "2026-02-06T15:34:29Z"
          enc: |-
--- a/secrets/mac-secrets.yaml
+++ b/secrets/mac-secrets.yaml
@@ -2,6 +2,11 @@ macbook-pro:
    mac-password: ENC[AES256_GCM,data:pGnlpi1EMIq6yyW/Wuv3N/60rk6mXA5wlkkwTTVHpFKIRx9IEQK5nXGJa/bbxIoexpIGySbswRBzrG+skx0tQtdg1ae6VR8TEg==,iv:7v3OQmd3oj4WquCBu35AuozTdpAk2ehYMZbjhcQOGGY=,tag:DW96+jPxQzGsjylRfchwRA==,type:str]
    sys-public-key: ENC[AES256_GCM,data:Haq1gnVd2MwbvG8UCC+hOVAz65dMgfq+kIqEJ3jvDL95HKYS9zBScMR2m/qhk0q1cwhRkrb52NuWsEq2BTW1Bdd/MFwtUInd0hpdncnP0KMYxtBs2q8CX7s3ZWeDkaVjdCkVk3hCNA==,iv:lM4csf/RzLIUYCLpcQPHwqj2XDIPRY6H93m6XIp13Oo=,tag:Vj3cYh5SQe3mkv5XbMp3/w==,type:str]
    sys-priv-key: ENC[AES256_GCM,data:iiFuaUmmbQl1pU41fy1vJGWoOwEslR3oLdXvrKxrmTLS4tgWjd6LYMIay2aZssvDRI0v4qbUQI1ZMJlavk7wbnala63Qp2gO6MJqiJnHAzIYTd0632W0iEJDTsgT0OTMMJDg12UhQJgvsuS0xx/cRkNOSuq0V8G6t1dQNUMks3isF9Rx3AIFoG0Obz6LabdyKXE7Ha2m7qa23XmenvjyvNjsM2+BygI0hc+hMsMox1mDsSqLBUPJ7tw6uQHi0hrATmP1a7ChD/YE+aR9brS7zepwAqzz7FeorkEJ7/lE0eBGUaAC+0KHPpzWUOP9SRNmsjbLxDmPKLe4GxeBaGoPpNr/Ad23Bh3b49aecg4B7ZEkNeHokHBmxEvEaaLRYNa1ySLB1vqAE6KH993H9JaI/1jilTtuI8kZRxxBrmUH7u8HoamQ4jM5UcPanEBkxChgTy5wNeG4PDSxLNHvRHvITq1yNCNrFQYF1+cRARrighmi2tveKHmxOh3XOzIFTxqkrikm8YNANZqsIhdeGaKSBje+u4R5GfwJZeGWdRoQnOh+uA==,iv:Qbw4VraVAi1OCzqsSGdiLCgHvpBxae6m+R0ypLsAC/4=,tag:lXxveQCPgxRY9mwS4Z0a3A==,type:str]
+macbook-pro-nixos:
+    nebula:
+        macbook-pro-nixos-cert: ENC[AES256_GCM,data:Y5/NkBKhilxU1zbA9/tP2uPMqdLquVboEADROJ4HvHqN3EDY1BqfdqBapW/Ka4kH/m005qWEMsZTwM+/WPDRz2wujWZ/55NrOEK/wXwNEAA9rlXwIS9BWuSGInRSb8Z1jfH8EIBuCoKlckAhEpgu31wC2M5I6xG+Jq6kmI+nlhNhHVyAeizzYUrY5PlNUZBP/COWpFs9ukvgvZxAtYWNCr6tlNumEQP2D4rVo5llqxFobGwAXLqvm2rVb8akZlg+UTlp7lZQfZGpOGTZRf3MEcmjXUEsT/aL4f6LtiVTKwEB76bvtYF5SxIx+SAgaUkqsaxJeTGc8c8ZNtw9TqynMdBHSfB0fIxXf6cCHZaztHe5eWUhSnxW0VvLd60btdA7jUHGcvx8LkOpsR0e+WMcXjrw9zO4mEs+JOQ1OQL1,iv:T85Qz/1H6ojbq0ZlqfBpeyznNigoCA8czMMqLBIUwjI=,tag:jEznUzK9V+QMfho/f+3TIQ==,type:str]
+        macbook-pro-nixos-key: ENC[AES256_GCM,data:zemLrMzg+IuIIA3dbIONVzKzBJFjdR6LMIPKGSnP23O/ZhoiflRPI1xZX3dKBcws51XtVhxKdfv/9UIiJwo2YRkW3xd2twJSld91ccN9xpwlnTciL4SS1lw4Tvrls4jmvpEZ6H0I2vwSOUyRrtx2/9cFGiJ/UfmnkxfbPtaBdA==,iv:5RMzQN3Pra2XnS+XZ/NKyOm+EvKY0d/76tQbczTjEAg=,tag:qyZviaLehXBZpjJ2VxXYDg==,type:str]
+        ca-cert: ENC[AES256_GCM,data:lHROT0PA2cMxrNr9DOYF87oJwyclpiWmuHSKLqBojtLFBUovJH1uQQPIRKEuJ2+3PiAg+4Oca9RRuDfmdik7NJcjNW6WCOdIhkxiHtZsQnP5jR+oY5xvQ100nrxa4ucwK6M8da3P0o/5AiniFulxlqRC3x4o+Ntxh8pqEGbN5AgCKgqds3qqv9LdVtIIQD5BB9IBlKwMEixHGoYreIoMxDEbjCuqc3/uwigE/xzxs1LqfmbBu1sSX3tnLpZvmt3BpZ6e/nhJahVzA8ni2GNcorNb6UXX9wXpuI1rkNC/7q5bXtZqBqe0ewR/qf/Mc306sZp/omvI/1/MWnwq2Q==,iv:kIohsCxkydUC0gaK5DAERdVR+wlNpMlTZzAZf2G6tGk=,tag:Tko/c8L6iy5zEqL+/qRPUw==,type:str]
 sops:
    shamir_threshold: 1
    age:
@@ -149,8 +154,8 @@ sops:
            SlVQcGorK3l3UU1WbTlLV3RvUVoyQlEKdR12pS1USSx70fvyNRLcHRD1IUOK+OkD
            J9XppV46eyGY5GLTDO7y7tmTu1Bw94inB0QA3PEw+6TZ0PEUTAqZVw==
            -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2026-02-09T22:45:04Z"
-  mac: ENC[AES256_GCM,data:nvi+6VK6S7TpYVbFZHXkPU3LObc7i0N1bjp5rzEjUZUDjcPuI3IOM47Rs51T3uRi3AUyGy9sNR2ndkfD6qtT3QXJz6v/eyk01tJ9F7nEMYe+eoa8eC9GgaaJrrqgN1yPonMCLlUGUkQ9bslo/4opVMpQC2GM4EktsCvamHcAfSM=,iv:wljbtstRruCI69HUYqu/3WfUbPMAj+W1UFrz/+keQOU=,tag:uEAvNG9K3+qUJ8P3c/46ew==,type:str]
+    lastmodified: "2026-03-23T21:06:15Z"
+    mac: ENC[AES256_GCM,data:02pvRfBy1zjwj62YNtmYqeXwQic6zOQqAIeYASszItFQUeFKDZvM+gONNzKgONCS0Zp2V3CuRY5xofsaPLpk8pef6ZoUxQJGhYCIN410R59aJia6KBVnCMHeky5knWGNqTcErGym90GVQMwvQTLpbcTZLtlESAXpZzdk5ESDv9U=,iv:6COWTXKpxzBb/3h3ueln9Dgr0Zc+ElZg0HIn+57WveA=,tag:7hNizplCE2LJGpvTSmzmRQ==,type:str]
    pgp:
        - created_at: "2026-02-06T15:34:34Z"
          enc: |-
--- a/systems/aarch64-linux/macbook-pro-nixos/default.nix
+++ b/systems/aarch64-linux/macbook-pro-nixos/default.nix
@@ -2,7 +2,12 @@
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).

-{ pkgs, namespace, ... }:
+{
+  lib,
+  pkgs,
+  namespace,
+  ...
+}:
 {
  imports = [
    ./boot.nix
@@ -93,6 +98,19 @@
        iptables -I INPUT -p udp -m udp --match multiport --dports 1990,2021 -j ACCEPT
      '';
    };
+    services = {
+      nebula = {
+        enable = true;
+        port = 4242;
+        lighthouses = [ "10.1.1.1" ];
+        staticHostMap = {
+          "10.1.1.1" = [ "mjallen.dev:4242" ];
+        };
+        secretsPrefix = "macbook-pro-nixos/nebula";
+        secretsFile = lib.snowfall.fs.get-file "secrets/mac-secrets.yaml";
+        hostSecretName = "macbook-pro-nixos";
+      };
+    };
  };

  nixpkgs.config.allowUnsupportedSystem = true;
--- a/systems/x86_64-linux/jallen-nas/default.nix
+++ b/systems/x86_64-linux/jallen-nas/default.nix
@@ -326,7 +326,9 @@ in
      tigervnc
      tpm2-tools
      tpm2-tss
-    ];
+    ] ++ (with pkgs.${namespace}; [
+      nebula-sign-cert
+    ]);
    persistence."/media/nas/main/persist" = {
      hideMounts = true;
      directories = [
--- a/systems/x86_64-linux/matt-nixos/default.nix
+++ b/systems/x86_64-linux/matt-nixos/default.nix
@@ -72,6 +72,20 @@
    network = {
      hostName = "matt-nixos";
    };
+
+    services = {
+      nebula = {
+        enable = true;
+        port = 4242;
+        lighthouses = [ "10.1.1.1" ];
+        staticHostMap = {
+          "10.1.1.1" = [ "mjallen.dev:4242" ];
+        };
+        secretsPrefix = "matt-nixos/nebula";
+        secretsFile = lib.snowfall.fs.get-file "secrets/desktop-secrets.yaml";
+        hostSecretName = "matt-nixos";
+      };
+    };
  };

  programs.coolercontrol.enable = true;