diff --git a/hosts/double-rainbow/default.nix b/hosts/double-rainbow/default.nix index fe58c97..efdacc0 100644 --- a/hosts/double-rainbow/default.nix +++ b/hosts/double-rainbow/default.nix @@ -20,6 +20,7 @@ in imports = [ (modulesPath + "/installer/scan/not-detected.nix") ./gitlab-runner.nix + ./nebula-vpn.nix ]; my.nix-ld.enable = true; diff --git a/hosts/double-rainbow/nebula-vpn.nix b/hosts/double-rainbow/nebula-vpn.nix new file mode 100644 index 0000000..7ad6268 --- /dev/null +++ b/hosts/double-rainbow/nebula-vpn.nix @@ -0,0 +1,51 @@ +{ pkgs, config, ... }: +let + s = config.sops.secrets; + + secretConfig = { + owner = "nebula-wopus"; + group = "nebula-wopus"; + restartUnits = [ "nebula@wopus.service" ]; + sopsFile = ../../secrets/double-rainbow/default.yaml; + }; +in +{ + environment.systemPackages = with pkgs; [ nebula ]; + + services.nebula.networks.wopus = { + enable = true; + isLighthouse = false; + lighthouses = [ "192.168.88.1" ]; + settings = { + cipher = "aes"; + }; + cert = s."nebula-wopus-vpn/double-rainbow-crt".path; + key = s."nebula-wopus-vpn/double-rainbow-key".path; + ca = s."nebula-wopus-vpn/ca-crt".path; + staticHostMap = { + "192.168.88.1" = [ + "neubla-vpn.wopus.dev:4242" + ]; + }; + firewall.outbound = [ + { + host = "any"; + port = "any"; + proto = "any"; + } + ]; + firewall.inbound = [ + { + host = "any"; + port = "any"; + proto = "any"; + } + ]; + }; + + sops.secrets = { + "nebula-wopus-vpn/ca-crt" = secretConfig; + "nebula-wopus-vpn/double-rainbow-crt" = secretConfig; + "nebula-wopus-vpn/double-rainbow-key" = secretConfig; + }; +} diff --git a/secrets/double-rainbow/default.yaml b/secrets/double-rainbow/default.yaml index cf28a34..12785ff 100644 --- a/secrets/double-rainbow/default.yaml +++ b/secrets/double-rainbow/default.yaml @@ -2,6 +2,10 @@ gitlab-runners: wopus-gitlab-nix: ENC[AES256_GCM,data:n/bm5W5Q/h7MxMZX7yz4qeUBpfZDrI7A7/PlnLncMto5V5itVTXRvfd3+D/d2r9PVuJSogfMgMAh0cwuvPspjlm9ToPxrmgGdYbnAkhnFeTHdCfcF1x2DG2JkHe54wUhcQa9QEJkWZ5jJM//2jU=,iv:63lrYCCBMSr5toulba7Rni+iun0Bl2vMFbIsTVvOWQs=,tag:Z1GHj91q09sOWCaLPIKJ4Q==,type:str] wopus-ssh-nix-cache-pk: ENC[AES256_GCM,data:+5I7INvMNfegjjC0xPNOSj+vFakXe6V4N/S5wvL64DOxfPXhSQAjVtdMslp/LlJXH4XWbkQ8ErLbySB3WMDMRDnDRY+6+UKXsP6MFpvEtho0lN+8ZeAGC25ehadYDSFTX43wz6cLRuoAqRQdhPKM96wcYif7nF40cStgaAQhkNemK7AenSA9LQ4J72dWovFuwfTZml8qH6W/O+YEqfOgZsyJ/LobcM1fiuN1S4NnCOJSWB2Ahsu0tiMOSRxKWeUS9+ewh+x1xnZL3y4vax5GgtS2KojtXq0U4qgNi4Gwnmef7HmH1tVgeMO2ykCsuCCZ9iJR0IOqTHU2l+U6hTzf5vehpgK5/tsthkXRsLUmVRnjUaQwaEq9JYltGpEdk6U0UnD+Mf0f5BsDw23lHgannLeduhrSFrPFj+BVodnPxjyYJTPXwXfbWrKIQ8s5kWfIq9x0VePsteIgEH4xLL0yFtyZzrYeCq9WF3j5xTvJsOlG0ehQzX22orrM4RzrFVmeLYOIc/V4bQeyIf1lWemr,iv:UNaUnlVayrzF7qpgIVi9gxPFGCzIP24jNUpO295JPog=,tag:a5OlD+AJH3u6y+Lo3lOQWw==,type:str] wopus-ssh-nix-cache-pub: ENC[AES256_GCM,data:aknblYwAAGaso/Vhr9f1RX64tA3uOh3qxc1dBI7DQmk4TUlQn/AYrKF7wanIhhydrasRulDEam3CBiiyeW/ejcXG07wKIUyZ94TOYfcyRd1yo+PGkmb1yycU6PdjaP5/zwUPAnjMhR2quW+8iwADaUMYKXIJkdQaqUW9a845vBKIxgNgBskWMGMzldb+aUnr2eCb,iv:MQdEUrNugzv+QL6f/MNUqh9M+nFVsWI4VHlMrgQOTEg=,tag:olNTQyCSOhv3sgSjuIXKBA==,type:str] +nebula-wopus-vpn: + ca-crt: ENC[AES256_GCM,data:zNESDEqeRPBsaY53cDKx6DMYdHIdEjxAsX7rLMrGkd0+aw2zOEJDJ5jb/zIeatf7xBj5DkJa+CDWmWsu5v9p0QUu0LEEvdin3utuGa5GQEYR+1LCCrlB52klTvKEK6ck5cYewVR5bmq0NTvw4aVxZJoMKMXICYhNEs20ZMCIrbX8UOddXKt6OxeOzVZ/9uFg1gY9qkHe3Wn5mmNLwvXoHvzwtr+Oc9xT+SRMPYkGUkbyxQ5zRjJUKS79aPQ8R6ZgZVJqUmr9wS58D2To1Sfk4Ykrd4Q2lIlbTXdswp1im3LSTy0YosHu5P6mmBq9u3M=,iv:hnCrHDkQiUsoaFTImtWlvM+tuSplU5p4s6kkm/ysLZ0=,tag:5vH6oEWwUOA/QsiW0XvBag==,type:str] + double-rainbow-crt: ENC[AES256_GCM,data:gdR79bE2RdE8cc9HdIxoiTCbyzsaTrSRg8uouVLmq6IRnb8B7tltIitli0SRXzMWqfg1IUIQbXHbIvPgeQ+puCHqr1ghYK1GzrDLz6GIGTn8g+9MnDbRTghdlWKKrKVxJnrSecJvV0qEkDr2/WEAsXalstxcDEPNq2Rb+c7bv/P2oFNjKN1eeWsE5TgpFj61RLEWx/wPzQKyNx2ZFu1l4r63II6npvlZ8rwdrJAeZIT8oaU53zQzMMs0tHGYTJeaZcPgdBKfVSCmzGxrE2kuwR0bxSSB2knqdBmtl1aVxs3bF2Fkm1+wovCadCze+Ta6Vgtk4v8d3Ta+wE5qzek8shb2m7lXTixki356wOG0r3B+180Kzk5B7q4tIycrk9ggKPKAA+2XNHVFM9L8PojflK3BY+U=,iv:wNoELN2y8QrFGPJYQdrAVsaLrhMzD8ep313o/jpT9fM=,tag:8sRBtkfd1TVMK7R64sMXqw==,type:str] + double-rainbow-key: ENC[AES256_GCM,data:I0LGhV9biErwZw4PzOX6mbqyh+8n2XbpikwOqLe70g9+pfO72e8qdXvzYko8zLGIL0x8ZUYn6XCP63ZYzP866cLHCgglZ0+PQeBbqzp3lgfYDd7zBHDJE0NQobPtV6n1enbpzRtBe+ROeYQxCV5sZmEoxbzUyR0aSJ3JaGgZNw==,iv:Y5Iy32zHnQgqIH3d9U81FlsW+Mg8u06fk+AMnTcGejk=,tag:1ojEKwVALA9grJRzyNc+9g==,type:str] sops: age: - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h @@ -31,8 +35,8 @@ sops: WUZrTkg0cklJSUg5MndsN0ZPcVk4U0kKPsj787kDFDMxsBt5qk4Bp121AMTE++99 m2X4lL6ona9fUe8e8wGhdgxZmqvJL2RCaVWJJy5SAbJ/skP3y7i2mw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-09-09T20:29:01Z" - mac: ENC[AES256_GCM,data:forfO9i1DJvf38Q2B6ETUuOmGB3XVNQEURlUH4h6+6qEZqpZb/c7yUlMpXTUk9kgXn+IcfUhymFN3lrS7KVhSG5SxOTqwpOLF39+XFXcam3X4jf1/H4uBVqmntWAFG2+SvPxvL5jUKw9j8O0xBPWlbnx6BOQU4ifjcoPMOWanBQ=,iv:wj6F/5AV4oieoASZXb6oBtDYA0cA+1ujPWkziMTAhQ0=,tag:29lR7wsFT3vhp2ztMHBlsA==,type:str] + lastmodified: "2025-11-12T16:38:27Z" + mac: ENC[AES256_GCM,data:XMsrBwV2G1jRA2c/T3y4015p6bJdggfrbI62bHZ1PQtbOImQUpxChVI9JhZqOIzWpyYB32HavRHwCe5nfam+L2tWNlVMRSogKBpDuanxyf3o2EHHStQqZYUuJrYtOL5cdeYMIXKRWS6LmHdHkcI2ixHsL+NXIG5o3XIYMaEBufo=,iv:G20hevYygnonf5l4qGZqs+b9f1FC+cfnYIKZcs+mUP4=,tag:p5rITlVoOwqdrG8Kcmjieg==,type:str] pgp: - created_at: "2025-09-09T20:27:32Z" enc: |-