diff --git a/machine/backyard/default.nix b/machine/backyard/default.nix
index 4f1b3ea..45f0104 100644
--- a/machine/backyard/default.nix
+++ b/machine/backyard/default.nix
@@ -24,32 +24,6 @@
 ];
 };
- services.nebula.networks.beatific = {
- enable = true;
-
- ca = "/etc/nebula/beatific/beatific.crt";
- cert = "/etc/nebula/beatific/backyard.crt";
- key = "/etc/nebula/beatific/backyard.key";
-
- listen.port = 4242;
-
- # Connect to the lighthouse at empyrean
- # This should be a VPN address in the static host map
- lighthouses = [ "10.22.20.1" ];
-
- # Map the lighthouse address to its public address
- staticHostMap = { "10.22.20.1" = [ "vpn.alogoulogoi.com:4242" ]; };
-
- # Don't filter at the VPN level
- firewall.outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
- firewall.inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
-
- settings = {
- # Enable UDP holepunching both ways, which allows nodes to establish more direct connections with each other
- punchy = { punch = true; response = true; };
- };
- };
- - # This value governs how some stateful data, like databases, are handled
 # across different versions of NixOS. This should not be changed to a new
 # release unless the sysadmin has determined that no services would be
diff --git a/modules/beatific.nix b/modules/beatific.nix
index f3ef28a..206ee27 100644
--- a/modules/beatific.nix
+++ b/modules/beatific.nix
@@ -20,6 +20,12 @@ in {
 description = "Hostname";
 };
+ isLighthouse = mkOption {
+ type = types.bool;
+ description = "Whether this host is a Nebula lighthouse";
+ default = false;
+ };
+ # Groups of related defaults can be disabled by flipping off the switches here:
 # beatific.defaults.${category} = false;
 # They default to true because the point is to do these things by default.
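Review bot: The new `isLighthouse` option's description only says that the host is a lighthouse, while the same commit makes it change the listen address, the `lighthouses` list and Nebula's own `isLighthouse` setting in modules/beatific.nix. Something like `description = "Whether this host is a Nebula lighthouse; when true the node binds its listener to the public DNS name, sets isLighthouse in Nebula and advertises no lighthouses of its own";` would tell a reader what flipping it does, and the default of `false` could be mentioned as the expected value for ordinary nodes. The attribute set this option is added to starts and ends outside the hunk.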
@@ -27,7 +33,8 @@ in {
 time = mkFlag "Default time zone and NTP";
 i18n = mkFlag "Default locale settings";
 programs = mkFlag "Default installed programs";
- ssh = mkFlag "Enable openssh";
+ ssh = mkFlag "Default sshd settings";
+ nebula = mkFlag "Default beatific nebula settings";
 tvb = mkFlag "Default tvb account";
 };
 };
@@ -92,6 +99,42 @@ in {
 networking.firewall.allowedTCPPorts = [ 22 ];
 })
+ (mkIf cfg.defaults.nebula {
+ services.nebula.networks.beatific = let
+ empyreanExternalDns = "vpn.alogoulogoi.com";
+ empyreanInternalIp = "10.22.20.1";
+ nebulaPort = 4242;
+ in {
+ enable = true;
+
+ # The lighthouse only listens on the designated subdomain
+ listen.host = if cfg.isLighthouse then empyreanExternalDns else "0.0.0.0";
+ listen.port = nebulaPort;
+
+ # Standard certificate paths
+ ca = "/etc/nebula/beatific/beatific.crt";
+ cert = "/etc/nebula/beatific/${cfg.hostName}.crt";
+ key = "/etc/nebula/beatific/${cfg.hostName}.key";
+
+ isLighthouse = cfg.isLighthouse;
+ # Non-lighthouses connect to the lighthouse at empyrean
+ # This should be a VPN address in the static host map
+ lighthouses = mkIf (! cfg.isLighthouse) [ empyreanInternalIp ];
+
+ # Currently there is no VPN-level traffic filtering
+ firewall.outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
+ firewall.inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
+
+ # Map the lighthouse address to its public address
+ staticHostMap = { ${empyreanInternalIp} = [ "${empyreanExternalDns}:${toString nebulaPort}" ]; };
+
+ settings = {
+ # Enable UDP holepunching both ways, which allows nodes to establish more direct connections with each other
+ punchy = { punch = true; response = true; };
+ };
+ };
+ })
+ (mkIf cfg.defaults.tvb {
 users.groups.tvb = {};
 users.users.tvb = {
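Review bot: The allow-all `firewall.inbound` and `firewall.outbound` rules are now applied to every host that keeps `defaults.nebula` on, including the lighthouse, whereas before this commit they were a per-host choice in machine/backyard/default.nix; the comment `# Currently there is no VPN-level traffic filtering` states the fact but not whether that is intended as the fleet-wide default. Since the Nebula firewall is the only place overlay traffic is filtered by certificate identity, consider scoping the inbound rule to a certificate group (`firewall.inbound = [ { port = "any"; proto = "any"; group = "<cert-group>"; } ];`, group name to be chosen) or putting the any/any rules behind their own `mkFlag` so a host opts into them explicitly. Separately, `listen.host = if cfg.isLighthouse then empyreanExternalDns else "0.0.0.0"` binds the lighthouse to a DNS name rather than an address, so service startup presumably depends on resolving `vpn.alogoulogoi.com` and the bound interface is whatever that name resolves to at that moment; a comment stating this, or binding to the literal public address, would make the dependency visible. Nothing in the hunk manages the owner or mode of `/etc/nebula/beatific/${cfg.hostName}.key`, so a comment such as `# Key must be readable only by the nebula service user; provisioned outside this module` would document the expectation. The list of `mkIf` entries this block is appended to starts and ends outside the hunk.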