double-rainbow: add wopus nebula vpn connection
This commit is contained in:
parent
b8e05ad8a2
commit
cf9059013c
3 changed files with 58 additions and 2 deletions
|
|
@ -20,6 +20,7 @@ in
|
||||||
imports = [
|
imports = [
|
||||||
(modulesPath + "/installer/scan/not-detected.nix")
|
(modulesPath + "/installer/scan/not-detected.nix")
|
||||||
./gitlab-runner.nix
|
./gitlab-runner.nix
|
||||||
|
./nebula-vpn.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
my.nix-ld.enable = true;
|
my.nix-ld.enable = true;
|
||||||
|
|
|
||||||
51
hosts/double-rainbow/nebula-vpn.nix
Normal file
51
hosts/double-rainbow/nebula-vpn.nix
Normal file
|
|
@ -0,0 +1,51 @@
|
||||||
|
{ pkgs, config, ... }:
|
||||||
|
let
|
||||||
|
s = config.sops.secrets;
|
||||||
|
|
||||||
|
secretConfig = {
|
||||||
|
owner = "nebula-wopus";
|
||||||
|
group = "nebula-wopus";
|
||||||
|
restartUnits = [ "nebula@wopus.service" ];
|
||||||
|
sopsFile = ../../secrets/double-rainbow/default.yaml;
|
||||||
|
};
|
||||||
|
in
|
||||||
|
{
|
||||||
|
environment.systemPackages = with pkgs; [ nebula ];
|
||||||
|
|
||||||
|
services.nebula.networks.wopus = {
|
||||||
|
enable = true;
|
||||||
|
isLighthouse = false;
|
||||||
|
lighthouses = [ "192.168.88.1" ];
|
||||||
|
settings = {
|
||||||
|
cipher = "aes";
|
||||||
|
};
|
||||||
|
cert = s."nebula-wopus-vpn/double-rainbow-crt".path;
|
||||||
|
key = s."nebula-wopus-vpn/double-rainbow-key".path;
|
||||||
|
ca = s."nebula-wopus-vpn/ca-crt".path;
|
||||||
|
staticHostMap = {
|
||||||
|
"192.168.88.1" = [
|
||||||
|
"neubla-vpn.wopus.dev:4242"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
firewall.outbound = [
|
||||||
|
{
|
||||||
|
host = "any";
|
||||||
|
port = "any";
|
||||||
|
proto = "any";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
firewall.inbound = [
|
||||||
|
{
|
||||||
|
host = "any";
|
||||||
|
port = "any";
|
||||||
|
proto = "any";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
sops.secrets = {
|
||||||
|
"nebula-wopus-vpn/ca-crt" = secretConfig;
|
||||||
|
"nebula-wopus-vpn/double-rainbow-crt" = secretConfig;
|
||||||
|
"nebula-wopus-vpn/double-rainbow-key" = secretConfig;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
@ -2,6 +2,10 @@ gitlab-runners:
|
||||||
wopus-gitlab-nix: ENC[AES256_GCM,data:n/bm5W5Q/h7MxMZX7yz4qeUBpfZDrI7A7/PlnLncMto5V5itVTXRvfd3+D/d2r9PVuJSogfMgMAh0cwuvPspjlm9ToPxrmgGdYbnAkhnFeTHdCfcF1x2DG2JkHe54wUhcQa9QEJkWZ5jJM//2jU=,iv:63lrYCCBMSr5toulba7Rni+iun0Bl2vMFbIsTVvOWQs=,tag:Z1GHj91q09sOWCaLPIKJ4Q==,type:str]
|
wopus-gitlab-nix: ENC[AES256_GCM,data:n/bm5W5Q/h7MxMZX7yz4qeUBpfZDrI7A7/PlnLncMto5V5itVTXRvfd3+D/d2r9PVuJSogfMgMAh0cwuvPspjlm9ToPxrmgGdYbnAkhnFeTHdCfcF1x2DG2JkHe54wUhcQa9QEJkWZ5jJM//2jU=,iv:63lrYCCBMSr5toulba7Rni+iun0Bl2vMFbIsTVvOWQs=,tag:Z1GHj91q09sOWCaLPIKJ4Q==,type:str]
|
||||||
wopus-ssh-nix-cache-pk: ENC[AES256_GCM,data:+5I7INvMNfegjjC0xPNOSj+vFakXe6V4N/S5wvL64DOxfPXhSQAjVtdMslp/LlJXH4XWbkQ8ErLbySB3WMDMRDnDRY+6+UKXsP6MFpvEtho0lN+8ZeAGC25ehadYDSFTX43wz6cLRuoAqRQdhPKM96wcYif7nF40cStgaAQhkNemK7AenSA9LQ4J72dWovFuwfTZml8qH6W/O+YEqfOgZsyJ/LobcM1fiuN1S4NnCOJSWB2Ahsu0tiMOSRxKWeUS9+ewh+x1xnZL3y4vax5GgtS2KojtXq0U4qgNi4Gwnmef7HmH1tVgeMO2ykCsuCCZ9iJR0IOqTHU2l+U6hTzf5vehpgK5/tsthkXRsLUmVRnjUaQwaEq9JYltGpEdk6U0UnD+Mf0f5BsDw23lHgannLeduhrSFrPFj+BVodnPxjyYJTPXwXfbWrKIQ8s5kWfIq9x0VePsteIgEH4xLL0yFtyZzrYeCq9WF3j5xTvJsOlG0ehQzX22orrM4RzrFVmeLYOIc/V4bQeyIf1lWemr,iv:UNaUnlVayrzF7qpgIVi9gxPFGCzIP24jNUpO295JPog=,tag:a5OlD+AJH3u6y+Lo3lOQWw==,type:str]
|
wopus-ssh-nix-cache-pk: ENC[AES256_GCM,data:+5I7INvMNfegjjC0xPNOSj+vFakXe6V4N/S5wvL64DOxfPXhSQAjVtdMslp/LlJXH4XWbkQ8ErLbySB3WMDMRDnDRY+6+UKXsP6MFpvEtho0lN+8ZeAGC25ehadYDSFTX43wz6cLRuoAqRQdhPKM96wcYif7nF40cStgaAQhkNemK7AenSA9LQ4J72dWovFuwfTZml8qH6W/O+YEqfOgZsyJ/LobcM1fiuN1S4NnCOJSWB2Ahsu0tiMOSRxKWeUS9+ewh+x1xnZL3y4vax5GgtS2KojtXq0U4qgNi4Gwnmef7HmH1tVgeMO2ykCsuCCZ9iJR0IOqTHU2l+U6hTzf5vehpgK5/tsthkXRsLUmVRnjUaQwaEq9JYltGpEdk6U0UnD+Mf0f5BsDw23lHgannLeduhrSFrPFj+BVodnPxjyYJTPXwXfbWrKIQ8s5kWfIq9x0VePsteIgEH4xLL0yFtyZzrYeCq9WF3j5xTvJsOlG0ehQzX22orrM4RzrFVmeLYOIc/V4bQeyIf1lWemr,iv:UNaUnlVayrzF7qpgIVi9gxPFGCzIP24jNUpO295JPog=,tag:a5OlD+AJH3u6y+Lo3lOQWw==,type:str]
|
||||||
wopus-ssh-nix-cache-pub: ENC[AES256_GCM,data:aknblYwAAGaso/Vhr9f1RX64tA3uOh3qxc1dBI7DQmk4TUlQn/AYrKF7wanIhhydrasRulDEam3CBiiyeW/ejcXG07wKIUyZ94TOYfcyRd1yo+PGkmb1yycU6PdjaP5/zwUPAnjMhR2quW+8iwADaUMYKXIJkdQaqUW9a845vBKIxgNgBskWMGMzldb+aUnr2eCb,iv:MQdEUrNugzv+QL6f/MNUqh9M+nFVsWI4VHlMrgQOTEg=,tag:olNTQyCSOhv3sgSjuIXKBA==,type:str]
|
wopus-ssh-nix-cache-pub: ENC[AES256_GCM,data:aknblYwAAGaso/Vhr9f1RX64tA3uOh3qxc1dBI7DQmk4TUlQn/AYrKF7wanIhhydrasRulDEam3CBiiyeW/ejcXG07wKIUyZ94TOYfcyRd1yo+PGkmb1yycU6PdjaP5/zwUPAnjMhR2quW+8iwADaUMYKXIJkdQaqUW9a845vBKIxgNgBskWMGMzldb+aUnr2eCb,iv:MQdEUrNugzv+QL6f/MNUqh9M+nFVsWI4VHlMrgQOTEg=,tag:olNTQyCSOhv3sgSjuIXKBA==,type:str]
|
||||||
|
nebula-wopus-vpn:
|
||||||
|
ca-crt: ENC[AES256_GCM,data:zNESDEqeRPBsaY53cDKx6DMYdHIdEjxAsX7rLMrGkd0+aw2zOEJDJ5jb/zIeatf7xBj5DkJa+CDWmWsu5v9p0QUu0LEEvdin3utuGa5GQEYR+1LCCrlB52klTvKEK6ck5cYewVR5bmq0NTvw4aVxZJoMKMXICYhNEs20ZMCIrbX8UOddXKt6OxeOzVZ/9uFg1gY9qkHe3Wn5mmNLwvXoHvzwtr+Oc9xT+SRMPYkGUkbyxQ5zRjJUKS79aPQ8R6ZgZVJqUmr9wS58D2To1Sfk4Ykrd4Q2lIlbTXdswp1im3LSTy0YosHu5P6mmBq9u3M=,iv:hnCrHDkQiUsoaFTImtWlvM+tuSplU5p4s6kkm/ysLZ0=,tag:5vH6oEWwUOA/QsiW0XvBag==,type:str]
|
||||||
|
double-rainbow-crt: ENC[AES256_GCM,data:gdR79bE2RdE8cc9HdIxoiTCbyzsaTrSRg8uouVLmq6IRnb8B7tltIitli0SRXzMWqfg1IUIQbXHbIvPgeQ+puCHqr1ghYK1GzrDLz6GIGTn8g+9MnDbRTghdlWKKrKVxJnrSecJvV0qEkDr2/WEAsXalstxcDEPNq2Rb+c7bv/P2oFNjKN1eeWsE5TgpFj61RLEWx/wPzQKyNx2ZFu1l4r63II6npvlZ8rwdrJAeZIT8oaU53zQzMMs0tHGYTJeaZcPgdBKfVSCmzGxrE2kuwR0bxSSB2knqdBmtl1aVxs3bF2Fkm1+wovCadCze+Ta6Vgtk4v8d3Ta+wE5qzek8shb2m7lXTixki356wOG0r3B+180Kzk5B7q4tIycrk9ggKPKAA+2XNHVFM9L8PojflK3BY+U=,iv:wNoELN2y8QrFGPJYQdrAVsaLrhMzD8ep313o/jpT9fM=,tag:8sRBtkfd1TVMK7R64sMXqw==,type:str]
|
||||||
|
double-rainbow-key: ENC[AES256_GCM,data:I0LGhV9biErwZw4PzOX6mbqyh+8n2XbpikwOqLe70g9+pfO72e8qdXvzYko8zLGIL0x8ZUYn6XCP63ZYzP866cLHCgglZ0+PQeBbqzp3lgfYDd7zBHDJE0NQobPtV6n1enbpzRtBe+ROeYQxCV5sZmEoxbzUyR0aSJ3JaGgZNw==,iv:Y5Iy32zHnQgqIH3d9U81FlsW+Mg8u06fk+AMnTcGejk=,tag:1ojEKwVALA9grJRzyNc+9g==,type:str]
|
||||||
sops:
|
sops:
|
||||||
age:
|
age:
|
||||||
- recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h
|
- recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h
|
||||||
|
|
@ -31,8 +35,8 @@ sops:
|
||||||
WUZrTkg0cklJSUg5MndsN0ZPcVk4U0kKPsj787kDFDMxsBt5qk4Bp121AMTE++99
|
WUZrTkg0cklJSUg5MndsN0ZPcVk4U0kKPsj787kDFDMxsBt5qk4Bp121AMTE++99
|
||||||
m2X4lL6ona9fUe8e8wGhdgxZmqvJL2RCaVWJJy5SAbJ/skP3y7i2mw==
|
m2X4lL6ona9fUe8e8wGhdgxZmqvJL2RCaVWJJy5SAbJ/skP3y7i2mw==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2025-09-09T20:29:01Z"
|
lastmodified: "2025-11-12T16:38:27Z"
|
||||||
mac: ENC[AES256_GCM,data:forfO9i1DJvf38Q2B6ETUuOmGB3XVNQEURlUH4h6+6qEZqpZb/c7yUlMpXTUk9kgXn+IcfUhymFN3lrS7KVhSG5SxOTqwpOLF39+XFXcam3X4jf1/H4uBVqmntWAFG2+SvPxvL5jUKw9j8O0xBPWlbnx6BOQU4ifjcoPMOWanBQ=,iv:wj6F/5AV4oieoASZXb6oBtDYA0cA+1ujPWkziMTAhQ0=,tag:29lR7wsFT3vhp2ztMHBlsA==,type:str]
|
mac: ENC[AES256_GCM,data:XMsrBwV2G1jRA2c/T3y4015p6bJdggfrbI62bHZ1PQtbOImQUpxChVI9JhZqOIzWpyYB32HavRHwCe5nfam+L2tWNlVMRSogKBpDuanxyf3o2EHHStQqZYUuJrYtOL5cdeYMIXKRWS6LmHdHkcI2ixHsL+NXIG5o3XIYMaEBufo=,iv:G20hevYygnonf5l4qGZqs+b9f1FC+cfnYIKZcs+mUP4=,tag:p5rITlVoOwqdrG8Kcmjieg==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2025-09-09T20:27:32Z"
|
- created_at: "2025-09-09T20:27:32Z"
|
||||||
enc: |-
|
enc: |-
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue