commit 90581c977ff1dc2442a79fd9d173ae1e307f6e53 · pyrox.dev/nixpkgs

+22

nixos/doc/manual/from_md/release-notes/rl-2305.section.xml

···

       414
       414
        
             </listitem>

     

       415
       415
        
             <listitem>

     

       416
       416
        
               <para>

     

       417
       417
       +
                 Nebula now runs as a system user and group created for each

     

       418
       418
       +
                 nebula network, using the <literal>CAP_NET_ADMIN</literal>

     

       419
       419
       +
                 ambient capability on launch rather than starting as root.

     

       420
       420
       +
                 Ensure that any files each Nebula instance needs to access are

     

       421
       421
       +
                 owned by the correct user and group, by default

     

       422
       422
       +
                 <literal>nebula-${networkName}</literal>.

     

       423
       423
       +
               </para>

     

       424
       424
       +
             </listitem>

     

       425
       425
       +
             <listitem>

     

       426
       426
       +
               <para>

     

       417
       427
        
                 In <literal>mastodon</literal> it is now necessary to specify

     

       418
       428
        
                 location of file with <literal>PostgreSQL</literal> database

     

       419
       429
        
                 password. In

     
···

       792
       802
        
                 <link xlink:href="options.html#opt-services.garage.package">services.garage.package</link>

     

       793
       803
        
                 or upgrade accordingly

     

       794
       804
        
                 <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>.

     

       805
       805
       +
               </para>

     

       806
       806
       +
             </listitem>

     

       807
       807
       +
             <listitem>

     

       808
       808
       +
               <para>

     

       809
       809
       +
                 Nebula now supports the

     

       810
       810
       +
                 <literal>services.nebula.networks.&lt;name&gt;.isRelay</literal>

     

       811
       811
       +
                 and

     

       812
       812
       +
                 <literal>services.nebula.networks.&lt;name&gt;.relays</literal>

     

       813
       813
       +
                 configuration options for setting up or allowing traffic

     

       814
       814
       +
                 relaying. See the

     

       815
       815
       +
                 <link xlink:href="https://www.defined.net/blog/announcing-relay-support-in-nebula/">announcement</link>

     

       816
       816
       +
                 for more details about relays.

     

       795
       817
        
               </para>

     

       796
       818
        
             </listitem>

     

       797
       819
        
             <listitem>

nixos/doc/manual/release-notes/rl-2305.section.md

···

       99
       99
        
       

     

       100
       100
        
       - The [services.wordpress.sites.&lt;name&gt;.plugins](#opt-services.wordpress.sites._name_.plugins) and [services.wordpress.sites.&lt;name&gt;.themes](#opt-services.wordpress.sites._name_.themes) options have been converted from sets to attribute sets to allow for consumers to specify explicit install paths via attribute name.

     

       101
       101
        
       

     

       102
       102
       +
       - Nebula now runs as a system user and group created for each nebula network, using the `CAP_NET_ADMIN` ambient capability on launch rather than starting as root. Ensure that any files each Nebula instance needs to access are owned by the correct user and group, by default `nebula-${networkName}`.

     

       103
       103
       +
       

     

       102
       104
        
       - In `mastodon` it is now necessary to specify location of file with `PostgreSQL` database password. In `services.mastodon.database.passwordFile` parameter default value `/var/lib/mastodon/secrets/db-password` has been changed to `null`.

     

       103
       105
        
       

     

       104
       106
        
       - The `--target-host` and `--build-host` options of `nixos-rebuild` no longer treat the `localhost` value specially – to build on/deploy to local machine, omit the relevant flag.

     
···

       196
       198
        
         - Increased the minimum length of a response that will be gzipped.

     

       197
       199
        
       

     

       198
       200
        
       - [Garage](https://garagehq.deuxfleurs.fr/) version is based on [system.stateVersion](options.html#opt-system.stateVersion), existing installations will keep using version 0.7. New installations will use version 0.8. In order to upgrade a Garage cluster, please follow [upstream instructions](https://garagehq.deuxfleurs.fr/documentation/cookbook/upgrading/) and force [services.garage.package](options.html#opt-services.garage.package) or upgrade accordingly [system.stateVersion](options.html#opt-system.stateVersion).

     

       201
       201
       +
       

     

       202
       202
       +
       - Nebula now supports the `services.nebula.networks.<name>.isRelay` and `services.nebula.networks.<name>.relays` configuration options for setting up or allowing traffic relaying. See the [announcement](https://www.defined.net/blog/announcing-relay-support-in-nebula/) for more details about relays.

     

       199
       203
        
       

     

       200
       204
        
       - `hip` has been separated into `hip`, `hip-common` and `hipcc`.

     

       201
       205

+31 -18

nixos/modules/services/networking/nebula.nix

···

       68
       68
        
                     description = lib.mdDoc "Whether this node is a lighthouse.";

     

       69
       69
        
                   };

     

       70
       70
        
       

     

       71
       71
       +
                   isRelay = mkOption {

     

       72
       72
       +
                     type = types.bool;

     

       73
       73
       +
                     default = false;

     

       74
       74
       +
                     description = lib.mdDoc "Whether this node is a relay.";

     

       75
       75
       +
                   };

     

       76
       76
       +
       

     

       71
       77
        
                   lighthouses = mkOption {

     

       72
       78
        
                     type = types.listOf types.str;

     

       73
       79
        
                     default = [];

     

       74
       80
        
                     description = lib.mdDoc ''

     

       75
       81
        
                       List of IPs of lighthouse hosts this node should report to and query from. This should be empty on lighthouse

     

       76
       82
        
                       nodes. The IPs should be the lighthouse's Nebula IPs, not their external IPs.

     

       83
       83
       +
                     '';

     

       84
       84
       +
                     example = [ "192.168.100.1" ];

     

       85
       85
       +
                   };

     

       86
       86
       +
       

     

       87
       87
       +
                   relays = mkOption {

     

       88
       88
       +
                     type = types.listOf types.str;

     

       89
       89
       +
                     default = [];

     

       90
       90
       +
                     description = lib.mdDoc ''

     

       91
       91
       +
                       List of IPs of relays that this node should allow traffic from.

     

       77
       92
        
                     '';

     

       78
       93
        
                     example = [ "192.168.100.1" ];

     

       79
       94
        
                   };

     
···

       157
       172
        
                   am_lighthouse = netCfg.isLighthouse;

     

       158
       173
        
                   hosts = netCfg.lighthouses;

     

       159
       174
        
                 };

     

       175
       175
       +
                 relay = {

     

       176
       176
       +
                   am_relay = netCfg.isRelay;

     

       177
       177
       +
                   relays = netCfg.relays;

     

       178
       178
       +
                 };

     

       160
       179
        
                 listen = {

     

       161
       180
        
                   host = netCfg.listen.host;

     

       162
       181
        
                   port = netCfg.listen.port;

     
···

       173
       192
        
               configFile = format.generate "nebula-config-${netName}.yml" settings;

     

       174
       193
        
               in

     

       175
       194
        
               {

     

       176
       176
       -
                 # Create systemd service for Nebula.

     

       195
       195
       +
                 # Create the systemd service for Nebula.

     

       177
       196
        
                 "nebula@${netName}" = {

     

       178
       197
        
                   description = "Nebula VPN service for ${netName}";

     

       179
       198
        
                   wants = [ "basic.target" ];

     

       180
       199
        
                   after = [ "basic.target" "network.target" ];

     

       181
       200
        
                   before = [ "sshd.service" ];

     

       182
       201
        
                   wantedBy = [ "multi-user.target" ];

     

       183
       183
       -
                   serviceConfig = mkMerge [

     

       184
       184
       -
                     {

     

       185
       185
       -
                       Type = "simple";

     

       186
       186
       -
                       Restart = "always";

     

       187
       187
       -
                       ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}";

     

       188
       188
       -
                     }

     

       189
       189
       -
                     # The service needs to launch as root to access the tun device, if it's enabled.

     

       190
       190
       -
                     (mkIf netCfg.tun.disable {

     

       191
       191
       -
                       User = networkId;

     

       192
       192
       -
                       Group = networkId;

     

       193
       193
       -
                     })

     

       194
       194
       -
                   ];

     

       202
       202
       +
                   serviceConfig = {

     

       203
       203
       +
                     Type = "simple";

     

       204
       204
       +
                     Restart = "always";

     

       205
       205
       +
                     ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}";

     

       206
       206
       +
                     CapabilityBoundingSet = "CAP_NET_ADMIN";

     

       207
       207
       +
                     AmbientCapabilities = "CAP_NET_ADMIN";

     

       208
       208
       +
                     User = networkId;

     

       209
       209
       +
                     Group = networkId;

     

       210
       210
       +
                   };

     

       195
       211
        
                   unitConfig.StartLimitIntervalSec = 0; # ensure Restart=always is always honoured (networks can go down for arbitrarily long)

     

       196
       212
        
                 };

     

       197
       213
        
               }) enabledNetworks);

     
···

       202
       218
        
       

     

       203
       219
        
           # Create the service users and groups.

     

       204
       220
        
           users.users = mkMerge (mapAttrsToList (netName: netCfg:

     

       205
       205
       -
             mkIf netCfg.tun.disable {

     

       221
       221
       +
             {

     

       206
       222
        
               ${nameToId netName} = {

     

       207
       223
        
                 group = nameToId netName;

     

       208
       224
        
                 description = "Nebula service user for network ${netName}";

     
···

       210
       226
        
               };

     

       211
       227
        
             }) enabledNetworks);

     

       212
       228
        
       

     

       213
       213
       -
           users.groups = mkMerge (mapAttrsToList (netName: netCfg:

     

       214
       214
       -
             mkIf netCfg.tun.disable {

     

       215
       215
       -
               ${nameToId netName} = {};

     

       216
       216
       -
             }) enabledNetworks);

     

       229
       229
       +
           users.groups = mkMerge (mapAttrsToList (netName: netCfg: { ${nameToId netName} = {}; }) enabledNetworks);

     

       217
       230
        
         };

     

       218
       231
        
       }

+9 -8

nixos/tests/nebula.nix

···

       123
       123
        
         testScript = let

     

       124
       124
        
       

     

       125
       125
        
           setUpPrivateKey = name: ''

     

       126
       126
       -
           ${name}.succeed(

     

       127
       127
       -
               "mkdir -p /root/.ssh",

     

       128
       128
       -
               "chown 700 /root/.ssh",

     

       129
       129
       -
               "cat '${snakeOilPrivateKey}' > /root/.ssh/id_snakeoil",

     

       130
       130
       -
               "chown 600 /root/.ssh/id_snakeoil",

     

       131
       131
       -
           )

     

       126
       126
       +
             ${name}.start()

     

       127
       127
       +
             ${name}.succeed(

     

       128
       128
       +
                 "mkdir -p /root/.ssh",

     

       129
       129
       +
                 "chown 700 /root/.ssh",

     

       130
       130
       +
                 "cat '${snakeOilPrivateKey}' > /root/.ssh/id_snakeoil",

     

       131
       131
       +
                 "chown 600 /root/.ssh/id_snakeoil",

     

       132
       132
       +
             )

     

       132
       133
        
           '';

     

       133
       134
        
       

     

       134
       135
        
           # From what I can tell, StrictHostKeyChecking=no is necessary for ssh to work between machines.

     
···

       154
       155
        
             ${name}.succeed(

     

       155
       156
        
                 "scp ${sshOpts} 192.168.1.1:/tmp/${name}.crt /etc/nebula/${name}.crt",

     

       156
       157
        
                 "scp ${sshOpts} 192.168.1.1:/etc/nebula/ca.crt /etc/nebula/ca.crt",

     

       158
       158
       +
                 '(id nebula-smoke >/dev/null && chown -R nebula-smoke:nebula-smoke /etc/nebula) || true'

     

       157
       159
        
             )

     

       158
       160
        
           '';

     

       159
       161
        
       

     

       160
       162
        
         in ''

     

       161
       161
       -
           start_all()

     

       162
       162
       -
       

     

       163
       163
        
           # Create the certificate and sign the lighthouse's keys.

     

       164
       164
        
           ${setUpPrivateKey "lighthouse"}

     

       165
       165
        
           lighthouse.succeed(

     

       166
       166
        
               "mkdir -p /etc/nebula",

     

       167
       167
        
               'nebula-cert ca -name "Smoke Test" -out-crt /etc/nebula/ca.crt -out-key /etc/nebula/ca.key',

     

       168
       168
        
               'nebula-cert sign -ca-crt /etc/nebula/ca.crt -ca-key /etc/nebula/ca.key -name "lighthouse" -groups "lighthouse" -ip "10.0.100.1/24" -out-crt /etc/nebula/lighthouse.crt -out-key /etc/nebula/lighthouse.key',

     

       169
       169
       +
               'chown -R nebula-smoke:nebula-smoke /etc/nebula'

     

       169
       170
        
           )

     

       170
       171
        
       

     

       171
       172
        
           # Reboot the lighthouse and verify that the nebula service comes up on boot.