stonehenge: update config

hosts/stonehenge/default.nix

@@ -9,6 +9,11 @@
     # Include the results of the hardware scan.
     ./hardware-configuration.nix
     ./gitlab-runner.nix
+    ./nebula-vpn.nix
+    ./vagrant.nix
+
+    ../../system/sops.nix
+    ../../system/nix.nix
   ];
 
   # Bootloader.
@@ -95,6 +100,8 @@
 
   security.sudo.wheelNeedsPassword = false;
 
+  virtualisation.virtualbox.host.enable = true;
+
   # Install firefox.
   programs.firefox.enable = true;
 

hosts/stonehenge/nebula-vpn.nix

@@ -0,0 +1,61 @@
+{ pkgs, config, ... }:
+let
+  s = config.sops.secrets;
+
+  secretConfig = {
+    owner = "nebula-wopus";
+    group = "nebula-wopus";
+    restartUnits = [ "nebula@wopus.service" ];
+    sopsFile = ../../secrets/stonehenge/default.yaml;
+  };
+in
+{
+  environment.systemPackages = with pkgs; [ nebula ];
+
+  services.nebula.networks.wopus = {
+    enable = true;
+    isLighthouse = false;
+    lighthouses = [
+      "192.168.88.1"
+      "192.168.88.2"
+      "192.168.88.3"
+    ];
+    settings = {
+      cipher = "aes";
+    };
+    cert = s."nebula-wopus-vpn/stonehenge-crt".path;
+    key = s."nebula-wopus-vpn/stonehenge-key".path;
+    ca = s."nebula-wopus-vpn/ca-crt".path;
+    staticHostMap = {
+      "192.168.88.1" = [
+        "neubla-vpn.wopus.dev:4242"
+      ];
+      "192.168.88.2" = [
+        "82.25.77.78:4242"
+      ];
+      "192.168.88.3" = [
+        "72.60.60.221:4242"
+      ];
+    };
+    firewall.outbound = [
+      {
+        host = "any";
+        port = "any";
+        proto = "any";
+      }
+    ];
+    firewall.inbound = [
+      {
+        host = "any";
+        port = "any";
+        proto = "any";
+      }
+    ];
+  };
+
+  sops.secrets = {
+    "nebula-wopus-vpn/ca-crt" = secretConfig;
+    "nebula-wopus-vpn/stonehenge-crt" = secretConfig;
+    "nebula-wopus-vpn/stonehenge-key" = secretConfig;
+  };
+}

hosts/stonehenge/vagrant.nix

@@ -0,0 +1,57 @@
+{ pkgs, ... }:
+let
+  vagrantScript = pkgs.writeScriptBin "vagrant-vnode-05" ''
+    #!${pkgs.bash}/bin/bash
+    set -euo pipefail
+
+    export PATH="${
+      pkgs.lib.makeBinPath (
+        with pkgs;
+        [
+          vagrant
+          curl
+          openssh
+          virtualbox
+        ]
+      )
+    }:$PATH"
+    export VNODE_NAME=vnode-05
+
+    cd /home/user/kubernetes-cluster/vnodes
+    exec ${pkgs.vagrant}/bin/vagrant up
+  '';
+in
+{
+  environment.systemPackages = with pkgs; [
+    vagrant
+    curl
+    openssh
+  ];
+
+  users.users.user.extraGroups = [ "vboxusers" ];
+
+  systemd.services.vagrant-vnode-05 = {
+    description = "Vagrant vnode-05 service";
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = "${vagrantScript}/bin/vagrant-vnode-05";
+      User = "user";
+      WorkingDirectory = "/home/user/kubernetes-cluster/vnodes";
+      Environment = "PATH=${
+        pkgs.lib.makeBinPath (
+          with pkgs;
+          [
+            vagrant
+            curl
+            openssh
+            virtualbox
+          ]
+        )
+      }:$PATH";
+    };
+    wantedBy = [ "multi-user.target" ];
+  };
+}

secrets/stonehenge/default.yaml

@@ -2,6 +2,10 @@ gitlab-runners:
     wopus-gitlab-nix: ENC[AES256_GCM,data:u+FYWx3yluA+zFk8VV7RB4TW1AP81K8Ntgd7QDHwb2w0bzQH7URmfF1PrQgZGu/r5Q4zOFgmyUkL6EML9KFFu+3QpilIOTXitiEoi/McOn0DnAOTLhW1Fbg42jKd3gTU9OyLDijlQs3ktyRRSg+1TIEsYNc=,iv:LjRyav0YVKtG79roC8KRS99cVVfu8IJRpAQ9w79PFa0=,tag:K2rjIn823sER+zHezFyAZw==,type:str]
     wopus-ssh-nix-cache-pk: ENC[AES256_GCM,data:hAAMdGvTduLQe+e6g0BVrvDATsVuRX5LxLQA2LqFPrdeNVPNzlWt5dNY4PjDuGKKeOyIjfTP2a4R2tLhjzQzSmoUZZVCEijohIsoDLbTfXgDDSOwXiTTr2nj3Hw4+TiuMH/VRgpIzZVjJSweuDK2UmwhbJ3wtahE7iNYD0gZet9Ibnu3iHVW4NdZs0K9joVxJoAaY8ZQi95QC0NYV/8RZ3GQFm2sQK/I1XKEAZGZ9GK5TbRUxGh3HihX68xsxBv5avpXwURp4K/CXW6VCyhAiU21+kpTPxV1x6ZiUfmPqDUmqqV57HL6+z1g6bLb+XGBNU15L0xqItmGpc3ENV2MpTP79MXA8C2eXgkBr0ylnsoFjlrkff+oJbDtHUkWaRHEQvkQtD3JKPgi97PtuBt0qWlpXRsCXnKwH565pfgKu6SGZHZ+VHpAGI3fjtroLhnoCeV6tBpibHk/ADr826IicVJWAVzxTSRfiMA7o4wji7MJxLYf2p3PRixSpQ9oXCsUPykQ1a2jfDs+J0ov+p0u,iv:AXNYaZS6fGz/Jr2zNhvmKOYKj010wtwcatItB8hRs+c=,tag:DixvP6ZaqX9l8Z8KegkvUw==,type:str]
     wopus-ssh-nix-cache-pub: ENC[AES256_GCM,data:5G+qIs/J8mwZxGyWkK0nts9E+iqbCe8Or4C4+HHuSr3dyJTmKxmA3a+DpxmbyQ0IKjKQgiz+uJbbRGR7ptzmJr7JvpNhaJO2/CR3MKvsoCpmgynenO2QIqsEidU1h1gqMV6OEDI3pDY3OE6K2M8D2jdYLqMXo5RRa7emEQhXhdQZ98OFgVrLFtrB72Fi/rTJE/tP,iv:JAopM5dwItYl68GDAQublg+C1S0Md3S3G/7GJ11azxQ=,tag:WAqEju2azXgerpIBrk+krw==,type:str]
+nebula-wopus-vpn:
+    ca-crt: ENC[AES256_GCM,data:hV4V9wqOVUhkx6EtNOz1Dd+JzOuWFwwVwFAqkZIOdF4zIAOUvJHN2iUq1bMVLJOWpMcaxTTuXKXTKPbujs8K8TDzpRQzM22SD5o8aZAyPfif/GDUFFaLBygZropM7lUD9WDbjOucCRBKoj9cbazLsabixF1gVR/lZxyPBaquoIlBWvUiFbF5P3CLQGZ5ENprHvHRuFPciiw0JqJJNme/gaz2CBXRbEYxjVFCjwFEYQrxcMxhRw+p/eHCVzUmnOBo+09HFYpBZvIY5Q8F+MPxstWIaeEzn3Spfiw9lRGw7/r6V+Vd8ppKcKWQfgVYynY=,iv:CQjMsZc4oFP4ZDifvynVrh0w1zvXX+g93HOOsdEV2WE=,tag:gRSKJbgkzyLJyHhRqVBL9A==,type:str]
+    stonehenge-crt: ENC[AES256_GCM,data:y1FQvKI3AOvp8K04qghseuhvaL/yYfjl1lTX2z0f1u61VfLMOPj7R0jR48D5bHXfrTD6exxny6wEy3wuWP105rkLD8oxehzNuT2jgUu85OB3w3yZHdPmW+8lftZcd21BwO0uPTab8EOB19wOCMYuGnO7JL/IRwPTFXVOmKx99+jD5mh5370yB05VVMflSlmA4iCbCvvhTmB1eHFc9a5g687Rwi5PlPEhaaEUDnjyZByO7Uu1nrBBtd5koQIDshIhuQKsVeB4AIOF6EER8dYlLSu9G6GS1cVKuaNoMiUfXLn0Y9kdDDRqetuCteGEd8euwUWGq5XVFIhlOfU6cZOR/wUskrUYWQ+3MApk6TJQQd9HBSU9SoARJZXPXX/RgCIFczeW/dIc1oPRfagnKECS4g==,iv:HSIcmYJib6SsuTbDV4zFePBryCIy0nzV8O5NSAjwuQs=,tag:bonhzMDsyvC/Gn5HLHrJkQ==,type:str]
+    stonehenge-key: ENC[AES256_GCM,data:HstlV1VXX6edP5XrPUanUfO8yK20imHXwYsV/q/W4IyA+yEH9inYt4oiw3cIvGawx7gfvOpsqU4IUxLsNr4EE83qg3YqkMrnGjYuHTe1LfGsktGhibbCqw4+kcqb12bywuXmPLb9EI4KBCzUi7EQTh4sLEGsqiujS0aUC4qutQ==,iv:RKT2ZM1NeA4MmfbyVvIQ96lNvErSydF8668oHyo4LHg=,tag:EhZlHF7PdAQ0whu/JxIbWw==,type:str]
 sops:
     age:
         - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h
@@ -22,8 +26,8 @@ sops:
             dC9MaDUvcG96djVFU1Fpb1NKZThNaUEKkxPikf5+veTmrXHU4sxtJO/LsQ3YB4j+
             vkIWWw4qV8zRrh+XxFXrFUURhDp11m/nlpzPERxjNzRs13VS2tXTrw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-01T21:41:02Z"
+    lastmodified: "2026-01-01T22:54:16Z"
-    mac: ENC[AES256_GCM,data:VItjDJ1zVRc8qGty9651o1ZlHjPne98JrKeUT/2WAElK+A29IY+UVIlUtooOwwvSPC7kphoGfFSYK5+4emd4EyVbWovPyeYp04tV5/JGdj/3cVaSiXCD3HPM/v2BeiDy3aDAkaqeIg54PueddiSVU0snobCWB2/+DXU8Xly/+sM=,iv:x/3nXue1HkeZt9hKqk2Y9ciU2GK0Bbcp5zcJQdAiO58=,tag:OCKaxQQfTgfVvzYgqaqvsA==,type:str]
+    mac: ENC[AES256_GCM,data:OF2RLQTbuiW3ba9VBhmJCq3UUlVACe/lxhY9RAjctaZBXTutjH84JuYG9idXiJkZkkG5l9OIez3WueLsU44RG1UgkbHAM5d6RrXsvsleVux0hViH0CIAB4K7NaeA+urgM3TQbXlBVgY2w18bA/BpcbxH3HiMC+9/iOWWJMBZ0RM=,iv:MtRBqhc71fzjLXE8S54woNnCL+0iqFhQ28N+Zz9RSyM=,tag:Aa+wJcyaTjamZ0fA2P9oQg==,type:str]
     pgp:
         - created_at: "2026-01-01T21:36:47Z"
           enc: |-

switch-stonehenge

@@ -0,0 +1 @@
+nixos-rebuild switch --flake .#stonehenge -L --target-host stonehenge-lan --build-host stonehenge-lan --sudo