fixes and docs

This commit is contained in:
mjallen18
2026-03-23 15:17:10 -05:00
parent 2c0b26ced0
commit 23f29b6ca1
25 changed files with 1590 additions and 795 deletions


@@ -1,6 +1,7 @@
{
config,
lib,
pkgs,
namespace,
...
}:
@@ -16,6 +17,16 @@ let
enable = true;
port = cfg.port;
openFirewall = cfg.openFirewall;
allowed-origins = [
"https://10.0.1.3:${toString cfg.port}"
"https://jallen-nas:${toString cfg.port}"
"https://jallen-nas.local:${toString cfg.port}"
];
plugins = with pkgs.${namespace}; [
# cockpit-benchmark
cockpit-podman
cockpit-machines
];
};
};
};
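Review bot: The `allowed-origins` list hard-codes `10.0.1.3`, `jallen-nas` and `jallen-nas.local` while the port beside them comes from `cfg.port`, so a change of address or hostname silently breaks browser logins (Cockpit uses this list as its Origin allowlist) until this module is edited. Hoisting the hosts into an option alongside `port`/`openFirewall`, e.g. `allowedOrigins = lib.${namespace}.mkOpt (types.listOf types.str) [ "https://10.0.1.3" "https://jallen-nas" "https://jallen-nas.local" ] "Origins Cockpit accepts (port is appended)";` and then `allowed-origins = map (o: "${o}:${toString cfg.port}") cfg.allowedOrigins;`, would keep the hunk consistent with how the rest of the block is parameterized (assuming `mkOpt` and `types` are in scope here as they are in the nebula module). A comment above the list such as `# Cockpit rejects requests whose Origin is not listed here; keep in sync with this host's addresses.` would explain why these three entries exist. The `services.cockpit` attribute set this hunk edits starts above the hunk.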


@@ -1,74 +0,0 @@
{
config,
lib,
pkgs,
namespace,
...
}:
with lib;
let
name = "nebula-lighthouse";
cfg = config.${namespace}.services.${name};
ca = config.sops.secrets."pi5/nebula/ca-cert".path;
cert = config.sops.secrets."pi5/nebula/lighthouse-cert".path;
key = config.sops.secrets."pi5/nebula/lighthouse-key".path;
nebulaConfig = lib.${namespace}.mkModule {
inherit config name;
description = "nebula";
options = { };
moduleConfig = {
environment.systemPackages = with pkgs; [ nebula ];
services.nebula.networks = {
jallen-nebula = {
enable = true;
enableReload = true;
isLighthouse = true;
ca = ca;
cert = cert;
key = key;
lighthouse = {
dns = {
enable = false;
host = "localhost";
port = 53;
};
};
listen = {
host = cfg.listenAddress;
port = cfg.port;
};
# lighthouses = [
# "10.1.1.1"
# ];
settings = {
firewall = {
outbound = [
{
# Allow all outbound traffic from this node
port = "any";
proto = "any";
host = "any";
}
];
inbound = [
{
# Allow all outbound traffic from this node
port = "any";
proto = "any";
host = "any";
}
];
};
};
};
};
};
};
in
{
imports = [
nebulaConfig
./sops.nix
];
}


@@ -1,45 +0,0 @@
{
config,
lib,
namespace,
...
}:
with lib;
let
cfg = config.${namespace}.services.nebula-lighthouse;
in
{
config = mkIf cfg.enable {
sops = {
secrets = {
"pi5/nebula/ca-cert" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/pi5-secrets.yaml");
owner = "nebula-jallen-nebula";
group = "nebula-jallen-nebula";
restartUnits = [ "nebula@jallen-nebula.service" ];
};
"pi5/nebula/ca-key" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/pi5-secrets.yaml");
owner = "nebula-jallen-nebula";
group = "nebula-jallen-nebula";
restartUnits = [ "nebula@jallen-nebula.service" ];
};
"pi5/nebula/lighthouse-cert" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/pi5-secrets.yaml");
owner = "nebula-jallen-nebula";
group = "nebula-jallen-nebula";
restartUnits = [ "nebula@jallen-nebula.service" ];
};
"pi5/nebula/lighthouse-key" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/pi5-secrets.yaml");
owner = "nebula-jallen-nebula";
group = "nebula-jallen-nebula";
restartUnits = [ "nebula@jallen-nebula.service" ];
};
};
};
};
}


@@ -8,54 +8,105 @@
with lib;
let
name = "nebula";
cfg = config.${namespace}.services.${name};
ca = config.sops.secrets."jallen-nas/nebula/ca-cert".path;
cert = config.sops.secrets."jallen-nas/nebula/nas-cert".path;
key = config.sops.secrets."jallen-nas/nebula/nas-key".path;
ca = config.sops.secrets."${cfg.secretsPrefix}/ca-cert".path;
cert = config.sops.secrets."${cfg.secretsPrefix}/${cfg.hostSecretName}-cert".path;
key = config.sops.secrets."${cfg.secretsPrefix}/${cfg.hostSecretName}-key".path;
nebulaConfig = lib.${namespace}.mkModule {
inherit config name;
description = "nebula";
options = { };
description = "nebula overlay network node";
options = {
# -----------------------------------------------------------------------
# Role
# -----------------------------------------------------------------------
isLighthouse = lib.${namespace}.mkBoolOpt false "Act as a Nebula lighthouse";
isRelay = lib.${namespace}.mkBoolOpt false "Act as a Nebula relay node";
# -----------------------------------------------------------------------
# Network identity
# -----------------------------------------------------------------------
networkName =
lib.${namespace}.mkOpt types.str "jallen-nebula"
"Nebula network name (used as the systemd service suffix and interface name)";
# -----------------------------------------------------------------------
# SOPS secret location
#
# secretsPrefix — key path prefix inside the SOPS file, e.g. "pi5/nebula"
# The module expects three secrets under this prefix:
# <secretsPrefix>/ca-cert
# <secretsPrefix>/host-cert
# <secretsPrefix>/host-key
#
# secretsFile — path to the SOPS-encrypted YAML that holds the secrets
# -----------------------------------------------------------------------
secretsPrefix = lib.${namespace}.mkOpt types.str "" "SOPS secret key prefix, e.g. \"pi5/nebula\"";
secretsFile =
lib.${namespace}.mkOpt types.str ""
"Path to the SOPS secrets YAML file for this host";
# hostSecretName — the middle segment of the cert/key secret names.
# Secrets are looked up as <secretsPrefix>/<hostSecretName>-cert and
# <secretsPrefix>/<hostSecretName>-key. Defaults to "host"; set to
# e.g. "nas", "lighthouse", or the machine hostname to match existing
# SOPS YAML keys without renaming them.
hostSecretName =
lib.${namespace}.mkOpt types.str "host"
"Secret name segment for cert/key (e.g. \"nas\" looks for nas-cert / nas-key)";
# -----------------------------------------------------------------------
# Peer addressing (ignored on lighthouse nodes)
# -----------------------------------------------------------------------
lighthouses =
lib.${namespace}.mkOpt (types.listOf types.str) [ ]
"Nebula overlay IPs of lighthouse nodes (leave empty on lighthouses)";
staticHostMap = lib.${namespace}.mkOpt (types.attrsOf (
types.listOf types.str
)) { } "Static host map: overlay IP list of public addr:port strings";
# -----------------------------------------------------------------------
# Firewall rules inside the overlay
# -----------------------------------------------------------------------
inboundRules = lib.${namespace}.mkOpt (types.listOf types.attrs) [
{
port = "any";
proto = "any";
host = "any";
}
] "Nebula inbound firewall rules";
outboundRules = lib.${namespace}.mkOpt (types.listOf types.attrs) [
{
port = "any";
proto = "any";
host = "any";
}
] "Nebula outbound firewall rules";
};
moduleConfig = {
environment.systemPackages = with pkgs; [ nebula ];
services.nebula.networks = {
jallen-nebula = {
enable = true;
enableReload = true;
isLighthouse = false;
isRelay = false;
ca = ca;
cert = cert;
key = key;
lighthouses = [
"10.1.1.1"
];
staticHostMap = {
"10.1.1.1" = [
"mjallen.dev:4242"
];
};
settings = {
firewall = {
outbound = [
{
# Allow all outbound traffic from this node
port = "any";
proto = "any";
host = "any";
}
];
inbound = [
{
# Allow all outbound traffic from this node
port = "any";
proto = "any";
host = "any";
}
];
};
};
services.nebula.networks.${cfg.networkName} = {
enable = true;
enableReload = true;
isLighthouse = cfg.isLighthouse;
isRelay = cfg.isRelay;
inherit ca cert key;
lighthouses = cfg.lighthouses;
staticHostMap = cfg.staticHostMap;
listen = {
host = cfg.listenAddress;
port = cfg.port;
};
settings.firewall = {
inbound = cfg.inboundRules;
outbound = cfg.outboundRules;
};
};
};
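Review bot: The default for `inboundRules` (the `inboundRules = lib.${namespace}.mkOpt` option) is an allow-all rule (`port = "any"; proto = "any"; host = "any"`), so any host that enables this module without overriding it accepts every kind of overlay traffic from every peer; a module default should be deny-by-default and allow-all should be opted into per host. I would change the default to `[ ]` with the description `"Nebula inbound firewall rules (empty = deny all inbound; add rules explicitly)"`, keeping allow-all only for `outboundRules` if that is the intended posture — Nebula treats no matching inbound rule as deny, but confirm that against the nebula version in use. The comment block above `secretsPrefix` still says the secrets are `<secretsPrefix>/host-cert` and `<secretsPrefix>/host-key`, which is only true for the default `hostSecretName`; rewording it to `<secretsPrefix>/<hostSecretName>-cert` and `-key` stops it contradicting the `hostSecretName` comment below it. `cfg.listenAddress` and `cfg.port` are consumed in the `listen` block but not declared in this `options` set, so they presumably come from `mkModule` — worth a one-line comment there. The `nebulaConfig` let-binding this hunk sits in closes outside the hunk.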


@@ -7,39 +7,34 @@
with lib;
let
cfg = config.${namespace}.services.nebula;
sopsFile = cfg.secretsFile;
nebulaUser = "nebula-${cfg.networkName}";
nebulaUnit = "nebula@${cfg.networkName}.service";
mkSecret = _key: {
inherit sopsFile;
owner = nebulaUser;
group = nebulaUser;
restartUnits = [ nebulaUnit ];
};
in
{
config = mkIf cfg.enable {
sops = {
secrets = {
"jallen-nas/nebula/ca-cert" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = "nebula-jallen-nebula";
group = "nebula-jallen-nebula";
restartUnits = [ "nebula@jallen-nebula.service" ];
};
assertions = [
{
assertion = cfg.secretsPrefix != "";
message = "mjallen.services.nebula.secretsPrefix must be set (e.g. \"pi5/nebula\")";
}
{
assertion = cfg.secretsFile != "";
message = "mjallen.services.nebula.secretsFile must be set to the path of the SOPS secrets YAML";
}
];
"jallen-nas/nebula/ca-key" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = "nebula-jallen-nebula";
group = "nebula-jallen-nebula";
restartUnits = [ "nebula@jallen-nebula.service" ];
};
"jallen-nas/nebula/nas-cert" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = "nebula-jallen-nebula";
group = "nebula-jallen-nebula";
restartUnits = [ "nebula@jallen-nebula.service" ];
};
"jallen-nas/nebula/nas-key" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = "nebula-jallen-nebula";
group = "nebula-jallen-nebula";
restartUnits = [ "nebula@jallen-nebula.service" ];
};
};
sops.secrets = {
"${cfg.secretsPrefix}/ca-cert" = mkSecret "ca-cert";
"${cfg.secretsPrefix}/${cfg.hostSecretName}-cert" = mkSecret "host-cert";
"${cfg.secretsPrefix}/${cfg.hostSecretName}-key" = mkSecret "host-key";
};
};
}
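Review bot: Both assertion messages hard-code the option path as `mjallen.services.nebula.…` while the module reads its options through `${namespace}` (`cfg = config.${namespace}.services.nebula`), so the message points at the wrong path for any other namespace value; use `message = "${namespace}.services.nebula.secretsPrefix must be set (e.g. \"pi5/nebula\")";` and the same for `secretsFile`. `mkSecret` declares a `_key` parameter it never uses, so the `"ca-cert"`/`"host-cert"`/`"host-key"` labels passed at the call sites have no effect — either drop the parameter or use it. Dropping the per-host `ca-key` secret is the right move, since the CA signing key should never be deployed to overlay nodes; a comment above `sops.secrets` such as `# Only the CA certificate is deployed to nodes; the CA signing key stays offline.` would keep it from being re-added. `nebulaUser` and `nebulaUnit` assume the NixOS nebula module creates a `nebula-<networkName>` user and a `nebula@<networkName>.service` unit — presumably true, but nothing here checks it, so a comment noting that dependency would help.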