stonehenge: update config

2026-01-01 22:10:14 -03:00 · 2026-01-01 22:10:14 -03:00 · 73315828f9
commit 73315828f9
parent c36c1f618b
5 changed files with 132 additions and 2 deletions
--- a/hosts/stonehenge/nebula-vpn.nix
+++ b/hosts/stonehenge/nebula-vpn.nix
@ -0,0 +1,61 @@
+{ pkgs, config, ... }:
+let
+  s = config.sops.secrets;
+
+  secretConfig = {
+    owner = "nebula-wopus";
+    group = "nebula-wopus";
+    restartUnits = [ "nebula@wopus.service" ];
+    sopsFile = ../../secrets/stonehenge/default.yaml;
+  };
+in
+{
+  environment.systemPackages = with pkgs; [ nebula ];
+
+  services.nebula.networks.wopus = {
+    enable = true;
+    isLighthouse = false;
+    lighthouses = [
+      "192.168.88.1"
+      "192.168.88.2"
+      "192.168.88.3"
+    ];
+    settings = {
+      cipher = "aes";
+    };
+    cert = s."nebula-wopus-vpn/stonehenge-crt".path;
+    key = s."nebula-wopus-vpn/stonehenge-key".path;
+    ca = s."nebula-wopus-vpn/ca-crt".path;
+    staticHostMap = {
+      "192.168.88.1" = [
+        "neubla-vpn.wopus.dev:4242"
+      ];
+      "192.168.88.2" = [
+        "82.25.77.78:4242"
+      ];
+      "192.168.88.3" = [
+        "72.60.60.221:4242"
+      ];
+    };
+    firewall.outbound = [
+      {
+        host = "any";
+        port = "any";
+        proto = "any";
+      }
+    ];
+    firewall.inbound = [
+      {
+        host = "any";
+        port = "any";
+        proto = "any";
+      }
+    ];
+  };
+
+  sops.secrets = {
+    "nebula-wopus-vpn/ca-crt" = secretConfig;
+    "nebula-wopus-vpn/stonehenge-crt" = secretConfig;
+    "nebula-wopus-vpn/stonehenge-key" = secretConfig;
+  };
+}