monolith: add wopus nebula vpn

2025-11-10 00:09:52 -03:00 · 2025-11-10 00:09:52 -03:00 · b8e05ad8a2
commit b8e05ad8a2
parent 67b82351a6
3 changed files with 59 additions and 3 deletions
--- a/hosts/monolith/default.nix
+++ b/hosts/monolith/default.nix
@ -25,6 +25,7 @@ in
    ./partition.nix
    ./amdgpu.nix
    ./factorio-server.nix
+    ./nebula-vpn.nix
  ];
  boot.initrd.availableKernelModules = [
    "nvme"
--- a/hosts/monolith/nebula-vpn.nix
+++ b/hosts/monolith/nebula-vpn.nix
@ -0,0 +1,51 @@
+{ pkgs, config, ... }:
+let
+  s = config.sops.secrets;
+
+  secretConfig = {
+    owner = "nebula-wopus";
+    group = "nebula-wopus";
+    restartUnits = [ "nebula@wopus.service" ];
+    sopsFile = ../../secrets/monolith/default.yaml;
+  };
+in
+{
+  environment.systemPackages = with pkgs; [ nebula ];
+
+  services.nebula.networks.wopus = {
+    enable = true;
+    isLighthouse = false;
+    lighthouses = [ "192.168.88.1" ];
+    settings = {
+      cipher = "aes";
+    };
+    cert = s."nebula-wopus-vpn/monolith-crt".path;
+    key = s."nebula-wopus-vpn/monolith-key".path;
+    ca = s."nebula-wopus-vpn/ca-crt".path;
+    staticHostMap = {
+      "192.168.88.1" = [
+        "neubla-vpn.wopus.dev:4242"
+      ];
+    };
+    firewall.outbound = [
+      {
+        host = "any";
+        port = "any";
+        proto = "any";
+      }
+    ];
+    firewall.inbound = [
+      {
+        host = "any";
+        port = "any";
+        proto = "any";
+      }
+    ];
+  };
+
+  sops.secrets = {
+    "nebula-wopus-vpn/ca-crt" = secretConfig;
+    "nebula-wopus-vpn/monolith-crt" = secretConfig;
+    "nebula-wopus-vpn/monolith-key" = secretConfig;
+  };
+}