mjallen18
2026-02-13 15:11:57 -06:00
parent 3b3ec68a3c
commit ae9075e795
5 changed files with 255 additions and 186 deletions


@@ -10,9 +10,9 @@ let
name = "nebula-lighthouse";
cfg = config.${namespace}.services.${name};
rootUrl = "https://lighthouse.${namespace}.dev/";
ca = config.sops.secrets."pi4/nebula/ca-cert".path;
cert = config.sops.secrets."pi4/nebula/lighthouse-cert".path;
key = config.sops.secrets."pi4/nebula/lighthouse-key".path;
ca = config.sops.secrets."pi5/nebula/ca-cert".path;
cert = config.sops.secrets."pi5/nebula/lighthouse-cert".path;
key = config.sops.secrets."pi5/nebula/lighthouse-key".path;
nebulaConfig = lib.${namespace}.mkModule {
inherit config name;


@@ -13,28 +13,28 @@ in
config = mkIf cfg.enable {
sops = {
secrets = {
"pi4/nebula/ca-cert" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/pi4-secrets.yaml");
"pi5/nebula/ca-cert" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/pi5-secrets.yaml");
owner = "nebula-jallen-nebula";
group = "nebula-jallen-nebula";
restartUnits = [ "nebula@jallen-nebula.service" ];
};
"pi4/nebula/ca-key" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/pi4-secrets.yaml");
"pi5/nebula/ca-key" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/pi5-secrets.yaml");
owner = "nebula-jallen-nebula";
group = "nebula-jallen-nebula";
restartUnits = [ "nebula@jallen-nebula.service" ];
};
"pi4/nebula/lighthouse-cert" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/pi4-secrets.yaml");
"pi5/nebula/lighthouse-cert" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/pi5-secrets.yaml");
owner = "nebula-jallen-nebula";
group = "nebula-jallen-nebula";
restartUnits = [ "nebula@jallen-nebula.service" ];
};
"pi4/nebula/lighthouse-key" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/pi4-secrets.yaml");
"pi5/nebula/lighthouse-key" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/pi5-secrets.yaml");
owner = "nebula-jallen-nebula";
group = "nebula-jallen-nebula";
restartUnits = [ "nebula@v-nebula.service" ];
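Review bot: The `"pi5/nebula/ca-key"` entry decrypts the Nebula CA private key onto the lighthouse host and gives it to the `nebula-jallen-nebula` service user, yet the module bindings visible on this page read only `ca-cert`, `lighthouse-cert` and `lighthouse-key`. Whoever holds the CA key can sign certificates for any identity on the overlay, so it is better kept off a network-facing node and used only on the machine where certificates are issued. If nothing outside this hunk consumes it, drop the `"pi5/nebula/ca-key"` block here and the matching `ca-key` entry in `secrets/pi5-secrets.yaml`. Separately, the last `restartUnits` line names `nebula@v-nebula.service` while the other three name `nebula@jallen-nebula.service`; if that is a typo, a changed lighthouse key will not restart the service, and the line should read `restartUnits = [ "nebula@jallen-nebula.service" ];`. The attribute set continues past the end of the hunk.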


@@ -2,6 +2,11 @@ pi5:
matt-password: ENC[AES256_GCM,data:Cvy8kBR5U/LsiIzSe2elpY8O85hZ2FlQaSI+bp2usuUZjO6hyPsd92DF+YwUICBSRe20jTUZtYHER55CmPraoB4e9vLfeHhltg==,iv:jl2kzly0+ocf8hQInQAXdie4bxfvTR5cJvEUGlw9vUY=,tag:18918GNxaX2D1dXGqKszMw==,type:str]
sys-public-key: ENC[AES256_GCM,data:1e40s/H1W28bNhIIi1Dxl1MILSY/nzre2FTPtFsrMzFXBQBNVFLgfrOhkU7HobM5xkc2p2UC0VmlbhV4zWMmfGHO42dMpqs7QrGh43pDcfxQ8cV8LYoBJ+4=,iv:EkyZNizuMT0KGdqIucCmDTtHNYXQhj1fYsVR/Y3K5wU=,tag:z80I/jRUxKveiy6sRUqkqg==,type:str]
sys-priv-key: ENC[AES256_GCM,data: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,iv:IlRpeEcJf0zueXknbWVi56TbVYCAhnZqvMekNfUe5eo=,tag:MST88zgTgvj36FQk9NX1eQ==,type:str]
nebula:
ca-cert: ENC[AES256_GCM,data:cm5MaIeBh4U3OLSCTE1U3pR2isRXDFR2MLdPOOsBvD9S7lUWPGenbm7KIHBfgfepZo2lh7VzB16eqxjr2HtA+tNDbHenruOJU0XyG5Nalvt919Z1jU4YEGhymUWTmovThisNYQOLQpoqDTrJkfM09r1bKwVteRlap+bOblSbHT9+QAUvbRPamCYP+8GGvfjy4TQQYsnbSv37slccIjuzWVqyLoyC8qIjpRkHviH/GF3JPRu2iNg000CKAqQiYczXp3e8yOyrYahhAPBO7Y77Z6q7vTrLC51TNm7AmNpmF0/jpHTWg5ULbScv4/MbwEzEZNZiYDomHrNqEu231g==,iv:OMWLUOQpv2XyFZleD1pL4h9RxUY1jvDNyTZ4MaHm790=,tag:TzPRZo8q1eEEmPfOT73J7A==,type:str]
ca-key: ENC[AES256_GCM,data:emaObWSaApcNPuRzVRkHMRIz+6zcQ6BZ4hJI4tPCtZzqgNQtg8HNJAT8owdGm44FFDmzlLHuStXZbsY+T/24PViNnvRPOaxJpm/OI1TQEkSYn6JeDGvzbexVifYhzGBOzevEcAe9qTd10AyboY06G7BmvU49OKrXbJdPTk028IL9BKP7g294ujOuq8VEuWQyFKWrtd7rlQbmmPk+OC2Rkb9Kx/MjZqdNRFYcvQic,iv:LN58z6+s+qoJrRFC8v09M1NLrJQYWOlDb7aBlolBcpY=,tag:elzDFxE3NwcbBeXEHXw+sA==,type:str]
lighthouse-cert: ENC[AES256_GCM,data:iFfQzcVNMVStXKPXP9xNeQYM0GCNZMKueLOsJTSO8GdQaxMUtnRqzTgnxxSBfYjRwtlkLm4C2356X+gGMXQ5Oo6TdkshEvJPsvqmMFMwfGwrNnn2eTWnByQZzmppiJwjCQrl8cFjJKtqP2k1YE/s93rKvTTG47yH6vgo9T56R6CLmpCxG8+YY6dDK5X4U6jyQibD9v1uPo9cn53ITbYzgd08KcbKuTG07cv+cNTxRoHvCyAcrDbD3KcEewspM+wKMYTwIVIfZFJC/kcNiNSi3HjBRctMnlGnHx5PxNOsbGKS+wLYWs2TAAXATnpzt7kTvj5fZ3+00qAVlpP8A9MThRRlX1UU7zU73qpzxb+CMFUp/BGWKSOHt/3XiquQ7jq1zvnFzgr088fetHtUg59A+K4tGGuhU/N8ojQ=,iv:sVJIxo7EKIhCAwqtb+jk908H0G9Tra0i9lv04FASI8c=,tag:szr1mCf3eRUfrpVgz73xDQ==,type:str]
lighthouse-key: ENC[AES256_GCM,data:A8ithNl+S4jm94yDeq7ZMsi0+gygWR5wcE7tQWQaxqSgLSGxzH7yVHP/BKlpzOxvIdrCG2orsWLBOqwOAjc8nYX2NqWHJBYod27FZ3eWBcw3jsRigZDzMjLScYosmw3qXLVUBQISSDf2/dhIttelFdOot4z6KANV2ybG4KOiEg==,iv:+TrvHMgF3Q/pPAGlDMLzsiFOG3PzJ4W4J1QQJ7vcYFk=,tag:zP//ogSoNB9gjv57f+hwug==,type:str]
sops:
shamir_threshold: 1
age:
@@ -149,8 +154,8 @@ sops:
NVBTU05NOWg3SERoTnIrWXAxRWphVHMKKDbI2ijKIZq2wSXkOFILxWzeWCHgm84d
UjKMORr0FZRSNNrj3l+jsvIG3SWeAaHq2ds3Mov9MvI/u5eV2rzRRA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-29T02:27:06Z"
mac: ENC[AES256_GCM,data:BBDriz26Gg0UqBq7yKpwJr8CswSDeNNLtVgnRHN4delwG8Yzf3T3Vd/fpeHHAFyvJHf2iX/sS0zMSzbPjVjWSPVdkR0hrnBK7Z1DsLDJhB/E0np5Pt42MaIxXHTqXzoi6M+8S/owQ3c3fJH9hQPbf1AP2UMjx0Udm/dnVwX6Bpk=,iv:7ib65GkpgI4FwLrK6hThsbWjRxePPEPOylQsqObGXsA=,tag:YAVITy8WwHgrSVOg8Yn0zg==,type:str]
lastmodified: "2026-02-13T21:11:50Z"
mac: ENC[AES256_GCM,data:ww1TS4WkOQc7nPOJkqCvJAOo4z4dTXF7UeIxiXILbgwOxuAH3p40m2Uuut9zRpmqgFEL1WslHr4N7eRg+ITe/A1WmaGM3xOr4oaVUQzjbC+O5rcK3R1EeIMCIIKp1Af/FciqaMDelcdKPZitlKUHTTxJMf4Oz21ffFkQ2iZeXW0=,iv:69m9NqE3CjBC/l/ntQwV8hJao4krsaqQbDYRS+Cdp9U=,tag:mY7p+NHVbI3JcXaXair+pA==,type:str]
pgp:
- created_at: "2026-02-06T15:34:32Z"
enc: |-
@@ -173,4 +178,4 @@ sops:
-----END PGP MESSAGE-----
fp: CBCB9B18A6B8930B0B6ABFD1CCB8CBEB30633684
unencrypted_suffix: _unencrypted
version: 3.10.2
version: 3.11.0


@@ -0,0 +1,58 @@
{ lib, ... }:
{
services.resolved.enable = lib.mkForce false;
services.adguardhome = {
enable = true;
openFirewall = true;
allowDHCP = true;
mutableSettings = true;
settings = {
http.address = "0.0.0.0:0";
users = [
{
name = "mjallen";
password = "$2a$10$G07P7V1EnBQxWtMNGyfgTOTpAgr4d.uqYoG.cGSFCv9jQdiYWCsfq";
}
];
dns = {
upstream_dns = [
"https://dns10.quad9.net/dns-query"
"1.1.1.1"
"8.8.8.8"
];
bootstrap_dns = [
"9.9.9.10"
"149.112.112.10"
"2620:fe::10"
"2620:fe::fe:10"
];
upstream_mode = "load_balance";
trusted_proxies = [
"127.0.0.0/8"
"::1/128"
"10.0.1.3"
];
cache_optimistic = true;
};
dhcp = {
enabled = false;
interface_name = "end0";
local_domain_name = "lan";
dhcpv4 = {
gateway_ip = "10.0.1.1";
subnet_mask = "255.255.255.0";
range_start = "10.0.1.100";
range_end = "10.0.1.254";
lease_duration = 86400;
icmp_timeout_msec = 1000;
};
dhcpv6 = {
range_start = "2001::1";
lease_duration = 86400;
ra_slaac_only = false;
ra_allow_slaac = false;
};
};
};
};
}
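Review bot: The `users` entry commits the admin account's bcrypt hash in clear text, so it is readable from the repository history and, once built, from the world-readable Nix store, where it can be attacked offline. The other pi5 credentials in this commit go through sops. I would keep the hash out of the Nix expression, for example by injecting it from a sops secret at activation, and rotate the password since this hash is now published. Also, `http.address = "0.0.0.0:0"` together with `openFirewall = true` puts the admin UI on every interface, and port 0 looks unintended. Whether the module overrides that value from its own `host`/`port` options is not visible here, so setting those explicitly would make the intended bind address and port clear.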


@@ -8,6 +8,7 @@
}:
{
imports = [
./adguard.nix
./boot.nix
./sops.nix
];
@@ -99,7 +100,12 @@
# # Services # #
# ###################################################
services.home-assistant.enable = false;
services = {
nebula-lighthouse = {
enable = true;
port = 4242;
};
};
# ###################################################
# # Network # #
@@ -109,7 +115,7 @@
hostName = "pi5";
ipv4 = {
method = "manual";
address = "10.0.1.5/24";
address = "10.0.1.2/24";
gateway = "10.0.1.1";
dns = "1.1.1.1";
interface = "end0";