mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Files
23f29b6ca15f10ef0cd6ac041973d3585f113aad
nix-config/modules/nixos/services/nebula/default.nix
mjallen18 23f29b6ca1 fixes and docs
2026-03-23 15:17:10 -05:00

121 lines
4.2 KiB
Nix
Raw Blame History

{
config,
lib,
namespace,
pkgs,
...
}:
with lib;
let
name = "nebula";
cfg = config.${namespace}.services.${name};
ca = config.sops.secrets."${cfg.secretsPrefix}/ca-cert".path;
cert = config.sops.secrets."${cfg.secretsPrefix}/${cfg.hostSecretName}-cert".path;
key = config.sops.secrets."${cfg.secretsPrefix}/${cfg.hostSecretName}-key".path;
nebulaConfig = lib.${namespace}.mkModule {
inherit config name;
description = "nebula overlay network node";
options = {
# -----------------------------------------------------------------------
# Role
# -----------------------------------------------------------------------
isLighthouse = lib.${namespace}.mkBoolOpt false "Act as a Nebula lighthouse";
isRelay = lib.${namespace}.mkBoolOpt false "Act as a Nebula relay node";
# -----------------------------------------------------------------------
# Network identity
# -----------------------------------------------------------------------
networkName =
lib.${namespace}.mkOpt types.str "jallen-nebula"
"Nebula network name (used as the systemd service suffix and interface name)";
# -----------------------------------------------------------------------
# SOPS secret location
#
# secretsPrefix — key path prefix inside the SOPS file, e.g. "pi5/nebula"
# The module expects three secrets under this prefix:
# <secretsPrefix>/ca-cert
# <secretsPrefix>/host-cert
# <secretsPrefix>/host-key
#
# secretsFile — path to the SOPS-encrypted YAML that holds the secrets
# -----------------------------------------------------------------------
secretsPrefix = lib.${namespace}.mkOpt types.str "" "SOPS secret key prefix, e.g. \"pi5/nebula\"";
secretsFile =
lib.${namespace}.mkOpt types.str ""
"Path to the SOPS secrets YAML file for this host";
# hostSecretName — the middle segment of the cert/key secret names.
# Secrets are looked up as <secretsPrefix>/<hostSecretName>-cert and
# <secretsPrefix>/<hostSecretName>-key. Defaults to "host"; set to
# e.g. "nas", "lighthouse", or the machine hostname to match existing
# SOPS YAML keys without renaming them.
hostSecretName =
lib.${namespace}.mkOpt types.str "host"
"Secret name segment for cert/key (e.g. \"nas\" looks for nas-cert / nas-key)";
# -----------------------------------------------------------------------
# Peer addressing (ignored on lighthouse nodes)
# -----------------------------------------------------------------------
lighthouses =
lib.${namespace}.mkOpt (types.listOf types.str) [ ]
"Nebula overlay IPs of lighthouse nodes (leave empty on lighthouses)";
staticHostMap = lib.${namespace}.mkOpt (types.attrsOf (
types.listOf types.str
)) { } "Static host map: overlay IP list of public addr:port strings";
# -----------------------------------------------------------------------
# Firewall rules inside the overlay
# -----------------------------------------------------------------------
inboundRules = lib.${namespace}.mkOpt (types.listOf types.attrs) [
{
port = "any";
proto = "any";
host = "any";
}
] "Nebula inbound firewall rules";
outboundRules = lib.${namespace}.mkOpt (types.listOf types.attrs) [
{
port = "any";
proto = "any";
host = "any";
}
] "Nebula outbound firewall rules";
};
moduleConfig = {
environment.systemPackages = with pkgs; [ nebula ];
services.nebula.networks.${cfg.networkName} = {
enable = true;
enableReload = true;
isLighthouse = cfg.isLighthouse;
isRelay = cfg.isRelay;
inherit ca cert key;
lighthouses = cfg.lighthouses;
staticHostMap = cfg.staticHostMap;
listen = {
host = cfg.listenAddress;
port = cfg.port;
};
settings.firewall = {
inbound = cfg.inboundRules;
outbound = cfg.outboundRules;
};
};
};
};
in
{
imports = [
nebulaConfig
./sops.nix
];
}
Reference in New Issue View Git Blame Copy Permalink