From 73315828f9ab9c1908b293ca18f8bc4b0c748463 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?=
Date: Thu, 1 Jan 2026 22:10:14 -0300
Subject: [PATCH] stonehenge: update config
---
hosts/stonehenge/default.nix | 7 ++++
hosts/stonehenge/nebula-vpn.nix | 61 +++++++++++++++++++++++++++++++++
hosts/stonehenge/vagrant.nix | 57 ++++++++++++++++++++++++++++++
secrets/stonehenge/default.yaml | 8 +++--
switch-stonehenge | 1 +
5 files changed, 132 insertions(+), 2 deletions(-)
create mode 100644 hosts/stonehenge/nebula-vpn.nix
create mode 100644 hosts/stonehenge/vagrant.nix
create mode 100755 switch-stonehenge
diff --git a/hosts/stonehenge/default.nix b/hosts/stonehenge/default.nix
index 3c80bd4..4f0ff32 100644
--- a/hosts/stonehenge/default.nix
+++ b/hosts/stonehenge/default.nix
@@ -9,6 +9,11 @@ # Include the results of the hardware scan. ./hardware-configuration.nix ./gitlab-runner.nix + ./nebula-vpn.nix + ./vagrant.nix + + ../../system/sops.nix + ../../system/nix.nix ]; # Bootloader.
@@ -95,6 +100,8 @@ security.sudo.wheelNeedsPassword = false; + virtualisation.virtualbox.host.enable = true; + # Install firefox. programs.firefox.enable = true;
diff --git a/hosts/stonehenge/nebula-vpn.nix b/hosts/stonehenge/nebula-vpn.nix
new file mode 100644
index 0000000..6666fc4
--- /dev/null
+++ b/hosts/stonehenge/nebula-vpn.nix
@@ -0,0 +1,61 @@
+{ pkgs, config, ... }:
+let
+ s = config.sops.secrets;
+
+ secretConfig = {
+ owner = "nebula-wopus";
+ group = "nebula-wopus";
+ restartUnits = [ "nebula@wopus.service" ];
+ sopsFile = ../../secrets/stonehenge/default.yaml;
+ };
+in
+{
+ environment.systemPackages = with pkgs; [ nebula ];
+
+ services.nebula.networks.wopus = {
+ enable = true;
+ isLighthouse = false;
+ lighthouses = [
+ "192.168.88.1"
+ "192.168.88.2"
+ "192.168.88.3"
+ ];
+ settings = {
+ cipher = "aes";
+ };
+ cert = s."nebula-wopus-vpn/stonehenge-crt".path;
+ key = s."nebula-wopus-vpn/stonehenge-key".path;
+ ca = s."nebula-wopus-vpn/ca-crt".path;
+ staticHostMap = {
+ "192.168.88.1" = [
+ "neubla-vpn.wopus.dev:4242"
+ ];
+ "192.168.88.2" = [
+ "82.25.77.78:4242"
+ ];
+ "192.168.88.3" = [
+ "72.60.60.221:4242"
+ ];
+ };
+ firewall.outbound = [
+ {
+ host = "any";
+ port = "any";
+ proto = "any";
+ }
+ ];
+ firewall.inbound = [
+ {
+ host = "any";
+ port = "any";
+ proto = "any";
+ }
+ ];
+ };
+
+ sops.secrets = {
+ "nebula-wopus-vpn/ca-crt" = secretConfig;
+ "nebula-wopus-vpn/stonehenge-crt" = secretConfig;
+ "nebula-wopus-vpn/stonehenge-key" = secretConfig;
+ };
+}
diff --git a/hosts/stonehenge/vagrant.nix b/hosts/stonehenge/vagrant.nix
new file mode 100644
index 0000000..33ac64b
--- /dev/null
+++ b/hosts/stonehenge/vagrant.nix
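Review bot: `firewall.inbound` is a single `host = "any"; port = "any"; proto = "any"` rule, so every peer holding a certificate from this CA can reach any service listening on stonehenge over the overlay, and Nebula's own firewall is the only per-host filter on that interface unless something else is applied to it; the rule should name only the ports this host actually serves, for example (constructed) `{ port = "22"; proto = "tcp"; group = "admins"; }`, or at least be scoped with `groups`/`cidr`. `"neubla-vpn.wopus.dev:4242"` in staticHostMap for 192.168.88.1 looks like a transposition of "nebula"; if the DNS name is wrong the first lighthouse is unreachable and only the two IP-addressed ones are usable, so please confirm the name. The three `sops.secrets` entries share `secretConfig` with `owner = "nebula-wopus"`, which appears to follow the nebula-<network> user the NixOS nebula module creates for network `wopus`; a comment stating that dependency, e.g. `# owner/group must match the nebula-<network> user created by services.nebula`, would save the next reader a lookup.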
@@ -0,0 +1,57 @@
+{ pkgs, ... }:
+let
+ vagrantScript = pkgs.writeScriptBin "vagrant-vnode-05" ''
+ #!${pkgs.bash}/bin/bash
+ set -euo pipefail
+
+ export PATH="${
+ pkgs.lib.makeBinPath (
+ with pkgs;
+ [
+ vagrant
+ curl
+ openssh
+ virtualbox
+ ]
+ )
+ }:$PATH"
+ export VNODE_NAME=vnode-05
+
+ cd /home/user/kubernetes-cluster/vnodes
+ exec ${pkgs.vagrant}/bin/vagrant up
+ '';
+in
+{
+ environment.systemPackages = with pkgs; [
+ vagrant
+ curl
+ openssh
+ ];
+
+ users.users.user.extraGroups = [ "vboxusers" ];
+
+ systemd.services.vagrant-vnode-05 = {
+ description = "Vagrant vnode-05 service";
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStart = "${vagrantScript}/bin/vagrant-vnode-05";
+ User = "user";
+ WorkingDirectory = "/home/user/kubernetes-cluster/vnodes";
+ Environment = "PATH=${
+ pkgs.lib.makeBinPath (
+ with pkgs;
+ [
+ vagrant
+ curl
+ openssh
+ virtualbox
+ ]
+ )
+ }:$PATH";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+}
diff --git a/secrets/stonehenge/default.yaml b/secrets/stonehenge/default.yaml
index b8310ab..2db1ef6 100644
--- a/secrets/stonehenge/default.yaml
+++ b/secrets/stonehenge/default.yaml
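Review bot: `Environment = "PATH=…:$PATH"` in serviceConfig does not do what the script's `export PATH="…:$PATH"` does: systemd performs no variable expansion in Environment=, so the unit's PATH ends with a literal `$PATH` entry; the line is redundant with the wrapper's own export and should be dropped, and the makeBinPath list that is spelled out twice belongs in one `let` binding. Separately, the unit runs `vagrant up` at every boot as `user` against whatever Vagrantfile sits in /home/user/kubernetes-cluster/vnodes; a Vagrantfile is Ruby executed by vagrant, so write access to that directory by anything running as `user` amounts to boot-time code execution — worth a comment on the unit, and worth confirming `user` is not also in wheel given the `security.sudo.wheelNeedsPassword = false` visible in default.nix. `after`/`wants` on network-online.target only delays the start if a wait-online service is enabled on this host; that is not visible here, so please confirm.
```nix
let
  # Computed once; the wrapper script and the unit previously each spelled this out.
  vagrantBinPath = pkgs.lib.makeBinPath (with pkgs; [ vagrant curl openssh virtualbox ]);

  vagrantScript = pkgs.writeScriptBin "vagrant-vnode-05" ''
    #!${pkgs.bash}/bin/bash
    set -euo pipefail
    export PATH="${vagrantBinPath}:$PATH"
    # … unchanged: VNODE_NAME, cd, exec vagrant up …
  '';
in
{
  # … unchanged: environment.systemPackages, users.users.user.extraGroups …
  systemd.services.vagrant-vnode-05 = {
    # … unchanged: description, after, wants, wantedBy …
    serviceConfig = {
      # … unchanged: Type, RemainAfterExit, ExecStart, User, WorkingDirectory …
      # Environment = "PATH=…:$PATH" removed: systemd does not expand $PATH in
      # Environment=, and the wrapper script already exports PATH itself.
    };
  };
}
```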
@@ -2,6 +2,10 @@ gitlab-runners: wopus-gitlab-nix: ENC[AES256_GCM,data:u+FYWx3yluA+zFk8VV7RB4TW1AP81K8Ntgd7QDHwb2w0bzQH7URmfF1PrQgZGu/r5Q4zOFgmyUkL6EML9KFFu+3QpilIOTXitiEoi/McOn0DnAOTLhW1Fbg42jKd3gTU9OyLDijlQs3ktyRRSg+1TIEsYNc=,iv:LjRyav0YVKtG79roC8KRS99cVVfu8IJRpAQ9w79PFa0=,tag:K2rjIn823sER+zHezFyAZw==,type:str] wopus-ssh-nix-cache-pk: ENC[AES256_GCM,data:hAAMdGvTduLQe+e6g0BVrvDATsVuRX5LxLQA2LqFPrdeNVPNzlWt5dNY4PjDuGKKeOyIjfTP2a4R2tLhjzQzSmoUZZVCEijohIsoDLbTfXgDDSOwXiTTr2nj3Hw4+TiuMH/VRgpIzZVjJSweuDK2UmwhbJ3wtahE7iNYD0gZet9Ibnu3iHVW4NdZs0K9joVxJoAaY8ZQi95QC0NYV/8RZ3GQFm2sQK/I1XKEAZGZ9GK5TbRUxGh3HihX68xsxBv5avpXwURp4K/CXW6VCyhAiU21+kpTPxV1x6ZiUfmPqDUmqqV57HL6+z1g6bLb+XGBNU15L0xqItmGpc3ENV2MpTP79MXA8C2eXgkBr0ylnsoFjlrkff+oJbDtHUkWaRHEQvkQtD3JKPgi97PtuBt0qWlpXRsCXnKwH565pfgKu6SGZHZ+VHpAGI3fjtroLhnoCeV6tBpibHk/ADr826IicVJWAVzxTSRfiMA7o4wji7MJxLYf2p3PRixSpQ9oXCsUPykQ1a2jfDs+J0ov+p0u,iv:AXNYaZS6fGz/Jr2zNhvmKOYKj010wtwcatItB8hRs+c=,tag:DixvP6ZaqX9l8Z8KegkvUw==,type:str] wopus-ssh-nix-cache-pub: ENC[AES256_GCM,data:5G+qIs/J8mwZxGyWkK0nts9E+iqbCe8Or4C4+HHuSr3dyJTmKxmA3a+DpxmbyQ0IKjKQgiz+uJbbRGR7ptzmJr7JvpNhaJO2/CR3MKvsoCpmgynenO2QIqsEidU1h1gqMV6OEDI3pDY3OE6K2M8D2jdYLqMXo5RRa7emEQhXhdQZ98OFgVrLFtrB72Fi/rTJE/tP,iv:JAopM5dwItYl68GDAQublg+C1S0Md3S3G/7GJ11azxQ=,tag:WAqEju2azXgerpIBrk+krw==,type:str] +nebula-wopus-vpn: + ca-crt: ENC[AES256_GCM,data:hV4V9wqOVUhkx6EtNOz1Dd+JzOuWFwwVwFAqkZIOdF4zIAOUvJHN2iUq1bMVLJOWpMcaxTTuXKXTKPbujs8K8TDzpRQzM22SD5o8aZAyPfif/GDUFFaLBygZropM7lUD9WDbjOucCRBKoj9cbazLsabixF1gVR/lZxyPBaquoIlBWvUiFbF5P3CLQGZ5ENprHvHRuFPciiw0JqJJNme/gaz2CBXRbEYxjVFCjwFEYQrxcMxhRw+p/eHCVzUmnOBo+09HFYpBZvIY5Q8F+MPxstWIaeEzn3Spfiw9lRGw7/r6V+Vd8ppKcKWQfgVYynY=,iv:CQjMsZc4oFP4ZDifvynVrh0w1zvXX+g93HOOsdEV2WE=,tag:gRSKJbgkzyLJyHhRqVBL9A==,type:str] + stonehenge-crt: 
ENC[AES256_GCM,data:y1FQvKI3AOvp8K04qghseuhvaL/yYfjl1lTX2z0f1u61VfLMOPj7R0jR48D5bHXfrTD6exxny6wEy3wuWP105rkLD8oxehzNuT2jgUu85OB3w3yZHdPmW+8lftZcd21BwO0uPTab8EOB19wOCMYuGnO7JL/IRwPTFXVOmKx99+jD5mh5370yB05VVMflSlmA4iCbCvvhTmB1eHFc9a5g687Rwi5PlPEhaaEUDnjyZByO7Uu1nrBBtd5koQIDshIhuQKsVeB4AIOF6EER8dYlLSu9G6GS1cVKuaNoMiUfXLn0Y9kdDDRqetuCteGEd8euwUWGq5XVFIhlOfU6cZOR/wUskrUYWQ+3MApk6TJQQd9HBSU9SoARJZXPXX/RgCIFczeW/dIc1oPRfagnKECS4g==,iv:HSIcmYJib6SsuTbDV4zFePBryCIy0nzV8O5NSAjwuQs=,tag:bonhzMDsyvC/Gn5HLHrJkQ==,type:str] + stonehenge-key: ENC[AES256_GCM,data:HstlV1VXX6edP5XrPUanUfO8yK20imHXwYsV/q/W4IyA+yEH9inYt4oiw3cIvGawx7gfvOpsqU4IUxLsNr4EE83qg3YqkMrnGjYuHTe1LfGsktGhibbCqw4+kcqb12bywuXmPLb9EI4KBCzUi7EQTh4sLEGsqiujS0aUC4qutQ==,iv:RKT2ZM1NeA4MmfbyVvIQ96lNvErSydF8668oHyo4LHg=,tag:EhZlHF7PdAQ0whu/JxIbWw==,type:str] sops: age: - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h @@ -22,8 +26,8 @@ sops: dC9MaDUvcG96djVFU1Fpb1NKZThNaUEKkxPikf5+veTmrXHU4sxtJO/LsQ3YB4j+ vkIWWw4qV8zRrh+XxFXrFUURhDp11m/nlpzPERxjNzRs13VS2tXTrw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-01-01T21:41:02Z" - mac: ENC[AES256_GCM,data:VItjDJ1zVRc8qGty9651o1ZlHjPne98JrKeUT/2WAElK+A29IY+UVIlUtooOwwvSPC7kphoGfFSYK5+4emd4EyVbWovPyeYp04tV5/JGdj/3cVaSiXCD3HPM/v2BeiDy3aDAkaqeIg54PueddiSVU0snobCWB2/+DXU8Xly/+sM=,iv:x/3nXue1HkeZt9hKqk2Y9ciU2GK0Bbcp5zcJQdAiO58=,tag:OCKaxQQfTgfVvzYgqaqvsA==,type:str] + lastmodified: "2026-01-01T22:54:16Z" + mac: ENC[AES256_GCM,data:OF2RLQTbuiW3ba9VBhmJCq3UUlVACe/lxhY9RAjctaZBXTutjH84JuYG9idXiJkZkkG5l9OIez3WueLsU44RG1UgkbHAM5d6RrXsvsleVux0hViH0CIAB4K7NaeA+urgM3TQbXlBVgY2w18bA/BpcbxH3HiMC+9/iOWWJMBZ0RM=,iv:MtRBqhc71fzjLXE8S54woNnCL+0iqFhQ28N+Zz9RSyM=,tag:Aa+wJcyaTjamZ0fA2P9oQg==,type:str] pgp: - created_at: "2026-01-01T21:36:47Z" enc: |- diff --git a/switch-stonehenge b/switch-stonehenge new file mode 100755 index 0000000..066d2a7 --- /dev/null +++ b/switch-stonehenge 
@@ -0,0 +1 @@
+nixos-rebuild switch --flake .#stonehenge -L --target-host stonehenge-lan --build-host stonehenge-lan --sudo
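Review bot: The file is created mode 100755 but has no interpreter line, so how it runs depends on the caller's shell, and `.#stonehenge` resolves against the caller's current directory rather than the repository; prepend `#!/usr/bin/env bash`, `set -euo pipefail` and `cd "$(dirname "$0")"` so the flake reference is stable from any working directory. `--target-host stonehenge-lan --build-host stonehenge-lan --sudo` makes the remote side both build and activate with elevated rights over SSH; a short comment naming what `stonehenge-lan` is (presumably an SSH host alias) and that the remote account needs sudo for activation would help the next person running this.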