stonehenge: update config

2026-01-01 22:10:14 -03:00 · 2026-01-01 22:10:14 -03:00 · 73315828f9
commit 73315828f9
parent c36c1f618b
5 changed files with 132 additions and 2 deletions
--- a/hosts/stonehenge/default.nix
+++ b/hosts/stonehenge/default.nix
@ -9,6 +9,11 @@
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./gitlab-runner.nix
+    ./nebula-vpn.nix
+    ./vagrant.nix
+
+    ../../system/sops.nix
+    ../../system/nix.nix
  ];

  # Bootloader.
@ -95,6 +100,8 @@

  security.sudo.wheelNeedsPassword = false;

+  virtualisation.virtualbox.host.enable = true;
+
  # Install firefox.
  programs.firefox.enable = true;

--- a/hosts/stonehenge/nebula-vpn.nix
+++ b/hosts/stonehenge/nebula-vpn.nix
@ -0,0 +1,61 @@
+{ pkgs, config, ... }:
+let
+  s = config.sops.secrets;
+
+  secretConfig = {
+    owner = "nebula-wopus";
+    group = "nebula-wopus";
+    restartUnits = [ "nebula@wopus.service" ];
+    sopsFile = ../../secrets/stonehenge/default.yaml;
+  };
+in
+{
+  environment.systemPackages = with pkgs; [ nebula ];
+
+  services.nebula.networks.wopus = {
+    enable = true;
+    isLighthouse = false;
+    lighthouses = [
+      "192.168.88.1"
+      "192.168.88.2"
+      "192.168.88.3"
+    ];
+    settings = {
+      cipher = "aes";
+    };
+    cert = s."nebula-wopus-vpn/stonehenge-crt".path;
+    key = s."nebula-wopus-vpn/stonehenge-key".path;
+    ca = s."nebula-wopus-vpn/ca-crt".path;
+    staticHostMap = {
+      "192.168.88.1" = [
+        "neubla-vpn.wopus.dev:4242"
+      ];
+      "192.168.88.2" = [
+        "82.25.77.78:4242"
+      ];
+      "192.168.88.3" = [
+        "72.60.60.221:4242"
+      ];
+    };
+    firewall.outbound = [
+      {
+        host = "any";
+        port = "any";
+        proto = "any";
+      }
+    ];
+    firewall.inbound = [
+      {
+        host = "any";
+        port = "any";
+        proto = "any";
+      }
+    ];
+  };
+
+  sops.secrets = {
+    "nebula-wopus-vpn/ca-crt" = secretConfig;
+    "nebula-wopus-vpn/stonehenge-crt" = secretConfig;
+    "nebula-wopus-vpn/stonehenge-key" = secretConfig;
+  };
+}
--- a/hosts/stonehenge/vagrant.nix
+++ b/hosts/stonehenge/vagrant.nix
@ -0,0 +1,57 @@
+{ pkgs, ... }:
+let
+  vagrantScript = pkgs.writeScriptBin "vagrant-vnode-05" ''
+    #!${pkgs.bash}/bin/bash
+    set -euo pipefail
+
+    export PATH="${
+      pkgs.lib.makeBinPath (
+        with pkgs;
+        [
+          vagrant
+          curl
+          openssh
+          virtualbox
+        ]
+      )
+    }:$PATH"
+    export VNODE_NAME=vnode-05
+
+    cd /home/user/kubernetes-cluster/vnodes
+    exec ${pkgs.vagrant}/bin/vagrant up
+  '';
+in
+{
+  environment.systemPackages = with pkgs; [
+    vagrant
+    curl
+    openssh
+  ];
+
+  users.users.user.extraGroups = [ "vboxusers" ];
+
+  systemd.services.vagrant-vnode-05 = {
+    description = "Vagrant vnode-05 service";
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = "${vagrantScript}/bin/vagrant-vnode-05";
+      User = "user";
+      WorkingDirectory = "/home/user/kubernetes-cluster/vnodes";
+      Environment = "PATH=${
+        pkgs.lib.makeBinPath (
+          with pkgs;
+          [
+            vagrant
+            curl
+            openssh
+            virtualbox
+          ]
+        )
+      }:$PATH";
+    };
+    wantedBy = [ "multi-user.target" ];
+  };
+}