gador/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/nebula: enable reloadable configuration

Browse Source 
optional support for reloading instead of restarting. This also moves
the config into /etc/nebula/${netName}.yml, if stateVersion >= 25.11,
regardless of enableReload.
This commit is contained in:
Cobalt
2025-07-28 03:19:17 +02:00
committed by Tim Van Baak
parent f82db1be9f
commit 364ef3c59b
2 changed files with 83 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
nixos/doc/manual/release-notes/rl-2511.section.md
View File

@@ -446,6 +446,8 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).
- `linux_libre` & `linux_latest_libre` have been removed due to a lack of maintenance.
- `services.nebula.networks.<name>` will now store configuration files in `/etc/nebula/<name>.yml` and supports config reloading.
- `services.pds` has been renamed to `services.bluesky-pds`.
- `services.xserver.desktopManager.deepin` and associated packages have been removed due to being unmaintained. See issue [#422090](https://github.com/NixOS/nixpkgs/issues/422090) for more details.

122
nixos/modules/services/networking/nebula.nix
View File

@@ -9,8 +9,54 @@ let
cfg = config.services.nebula;
enabledNetworks = lib.filterAttrs (n: v: v.enable) cfg.networks;
genSettings =
netName: netCfg:
lib.recursiveUpdate {
pki = {
ca = netCfg.ca;
cert = netCfg.cert;
key = netCfg.key;
};
static_host_map = netCfg.staticHostMap;
lighthouse = {
am_lighthouse = netCfg.isLighthouse;
hosts = netCfg.lighthouses;
serve_dns = netCfg.lighthouse.dns.enable;
dns.host = netCfg.lighthouse.dns.host;
dns.port = netCfg.lighthouse.dns.port;
};
relay = {
am_relay = netCfg.isRelay;
relays = netCfg.relays;
use_relays = true;
};
listen = {
host = netCfg.listen.host;
port = resolveFinalPort netCfg;
};
tun = {
disabled = netCfg.tun.disable;
dev = if (netCfg.tun.device != null) then netCfg.tun.device else "nebula.${netName}";
};
firewall = {
inbound = netCfg.firewall.inbound;
outbound = netCfg.firewall.outbound;
};
} netCfg.settings;
format = pkgs.formats.yaml { };
genConfigFile =
netName: settings:
format.generate "nebula-config-${netName}.yml" (
lib.warnIf
((settings.lighthouse.am_lighthouse || settings.relay.am_relay) && settings.listen.port == 0)
''
Nebula network '${netName}' is configured as a lighthouse or relay, and its port is ${builtins.toString settings.listen.port}.
You will likely experience connectivity issues: https://nebula.defined.net/docs/config/listen/#listenport
''
settings
);
nameToId = netName: "nebula-${netName}";
resolveFinalPort =
@@ -60,6 +106,16 @@ in
example = "/etc/nebula/host.key";
};
enableReload = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Enable automatic config reload on config change.
This setting is not enabled by default as nix cannot determine if the config change is reloadable.
Please refer to the [config reference](https://nebula.defined.net/docs/config/) for documentation on reloadable changes.
'';
};
staticHostMap = lib.mkOption {
type = lib.types.attrsOf (lib.types.listOf (lib.types.str));
default = { };
@@ -212,47 +268,13 @@ in
netName: netCfg:
let
networkId = nameToId netName;
settings = lib.recursiveUpdate {
pki = {
ca = netCfg.ca;
cert = netCfg.cert;
key = netCfg.key;
};
static_host_map = netCfg.staticHostMap;
lighthouse = {
am_lighthouse = netCfg.isLighthouse;
hosts = netCfg.lighthouses;
serve_dns = netCfg.lighthouse.dns.enable;
dns.host = netCfg.lighthouse.dns.host;
dns.port = netCfg.lighthouse.dns.port;
};
relay = {
am_relay = netCfg.isRelay;
relays = netCfg.relays;
use_relays = true;
};
listen = {
host = netCfg.listen.host;
port = resolveFinalPort netCfg;
};
tun = {
disabled = netCfg.tun.disable;
dev = if (netCfg.tun.device != null) then netCfg.tun.device else "nebula.${netName}";
};
firewall = {
inbound = netCfg.firewall.inbound;
outbound = netCfg.firewall.outbound;
};
} netCfg.settings;
configFile = format.generate "nebula-config-${netName}.yml" (
lib.warnIf
((settings.lighthouse.am_lighthouse || settings.relay.am_relay) && settings.listen.port == 0)
''
Nebula network '${netName}' is configured as a lighthouse or relay, and its port is ${builtins.toString settings.listen.port}.
You will likely experience connectivity issues: https://nebula.defined.net/docs/config/listen/#listenport
''
settings
);
settings = genSettings netName netCfg;
generatedConfigFile = genConfigFile netName settings;
configFile =
if ((lib.versionAtLeast config.system.stateVersion "25.11") || netCfg.enableReload) then
"/etc/nebula/${netName}.yml"
else
generatedConfigFile;
capabilities =
let
nebulaPort = if !settings.tun.disabled then settings.listen.port else 0;
@@ -278,6 +300,8 @@ in
];
before = [ "sshd.service" ];
wantedBy = [ "multi-user.target" ];
restartTriggers = lib.optional (!netCfg.enableReload) generatedConfigFile;
reloadTriggers = lib.optional netCfg.enableReload generatedConfigFile;
serviceConfig = {
Type = "notify";
Restart = "always";
@@ -313,6 +337,22 @@ in
) enabledNetworks
);
environment.etc = lib.mkMerge (
lib.mapAttrsToList
(netName: netCfg: {
"nebula/${netName}.yml" = {
source = genConfigFile netName (genSettings netName netCfg);
mode = "0440";
user = nameToId netName;
};
})
(
lib.filterAttrs (
_: netCfg: netCfg.enableReload || (lib.versionAtLeast config.system.stateVersion "25.11")
) enabledNetworks
)
);
# Open the chosen ports for UDP.
networking.firewall.allowedUDPPorts = lib.unique (
lib.filter (port: port > 0) (