nixos/nebula: enable reloadable configuration (364ef3c5) · Commits · nix / nixpkgs

nixos/doc/manual/release-notes/rl-2511.section.md

+2 −0

Original line number	Diff line number	Diff line
		@@ -446,6 +446,8 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).

		- `linux_libre` & `linux_latest_libre` have been removed due to a lack of maintenance.

		- `services.nebula.networks.<name>` will now store configuration files in `/etc/nebula/<name>.yml` and supports config reloading.

		- `services.pds` has been renamed to `services.bluesky-pds`.

		- `services.xserver.desktopManager.deepin` and associated packages have been removed due to being unmaintained. See issue [#422090](https://github.com/NixOS/nixpkgs/issues/422090) for more details.

nixos/modules/services/networking/nebula.nix

+81 −41

Original line number	Diff line number	Diff line
		@@ -9,8 +9,54 @@ let
		cfg = config.services.nebula;
		enabledNetworks = lib.filterAttrs (n: v: v.enable) cfg.networks;

		genSettings =
		netName: netCfg:
		lib.recursiveUpdate {
		pki = {
		ca = netCfg.ca;
		cert = netCfg.cert;
		key = netCfg.key;
		};
		static_host_map = netCfg.staticHostMap;
		lighthouse = {
		am_lighthouse = netCfg.isLighthouse;
		hosts = netCfg.lighthouses;
		serve_dns = netCfg.lighthouse.dns.enable;
		dns.host = netCfg.lighthouse.dns.host;
		dns.port = netCfg.lighthouse.dns.port;
		};
		relay = {
		am_relay = netCfg.isRelay;
		relays = netCfg.relays;
		use_relays = true;
		};
		listen = {
		host = netCfg.listen.host;
		port = resolveFinalPort netCfg;
		};
		tun = {
		disabled = netCfg.tun.disable;
		dev = if (netCfg.tun.device != null) then netCfg.tun.device else "nebula.${netName}";
		};
		firewall = {
		inbound = netCfg.firewall.inbound;
		outbound = netCfg.firewall.outbound;
		};
		} netCfg.settings;
		format = pkgs.formats.yaml { };

		genConfigFile =
		netName: settings:
		format.generate "nebula-config-${netName}.yml" (
		lib.warnIf
		((settings.lighthouse.am_lighthouse \|\| settings.relay.am_relay) && settings.listen.port == 0)
		''
		Nebula network '${netName}' is configured as a lighthouse or relay, and its port is ${builtins.toString settings.listen.port}.
		You will likely experience connectivity issues: https://nebula.defined.net/docs/config/listen/#listenport
		''
		settings
		);

		nameToId = netName: "nebula-${netName}";

		resolveFinalPort =
		@@ -60,6 +106,16 @@ in
		example = "/etc/nebula/host.key";
		};

		enableReload = lib.mkOption {
		type = lib.types.bool;
		default = false;
		description = ''
		Enable automatic config reload on config change.
		This setting is not enabled by default as nix cannot determine if the config change is reloadable.
		Please refer to the [config reference](https://nebula.defined.net/docs/config/) for documentation on reloadable changes.
		'';
		};

		staticHostMap = lib.mkOption {
		type = lib.types.attrsOf (lib.types.listOf (lib.types.str));
		default = { };
		@@ -212,47 +268,13 @@ in
		netName: netCfg:
		let
		networkId = nameToId netName;
		settings = lib.recursiveUpdate {
		pki = {
		ca = netCfg.ca;
		cert = netCfg.cert;
		key = netCfg.key;
		};
		static_host_map = netCfg.staticHostMap;
		lighthouse = {
		am_lighthouse = netCfg.isLighthouse;
		hosts = netCfg.lighthouses;
		serve_dns = netCfg.lighthouse.dns.enable;
		dns.host = netCfg.lighthouse.dns.host;
		dns.port = netCfg.lighthouse.dns.port;
		};
		relay = {
		am_relay = netCfg.isRelay;
		relays = netCfg.relays;
		use_relays = true;
		};
		listen = {
		host = netCfg.listen.host;
		port = resolveFinalPort netCfg;
		};
		tun = {
		disabled = netCfg.tun.disable;
		dev = if (netCfg.tun.device != null) then netCfg.tun.device else "nebula.${netName}";
		};
		firewall = {
		inbound = netCfg.firewall.inbound;
		outbound = netCfg.firewall.outbound;
		};
		} netCfg.settings;
		configFile = format.generate "nebula-config-${netName}.yml" (
		lib.warnIf
		((settings.lighthouse.am_lighthouse \|\| settings.relay.am_relay) && settings.listen.port == 0)
		''
		Nebula network '${netName}' is configured as a lighthouse or relay, and its port is ${builtins.toString settings.listen.port}.
		You will likely experience connectivity issues: https://nebula.defined.net/docs/config/listen/#listenport
		''
		settings
		);
		settings = genSettings netName netCfg;
		generatedConfigFile = genConfigFile netName settings;
		configFile =
		if ((lib.versionAtLeast config.system.stateVersion "25.11") \|\| netCfg.enableReload) then
		"/etc/nebula/${netName}.yml"
		else
		generatedConfigFile;
		capabilities =
		let
		nebulaPort = if !settings.tun.disabled then settings.listen.port else 0;
		@@ -278,6 +300,8 @@ in
		];
		before = [ "sshd.service" ];
		wantedBy = [ "multi-user.target" ];
		restartTriggers = lib.optional (!netCfg.enableReload) generatedConfigFile;
		reloadTriggers = lib.optional netCfg.enableReload generatedConfigFile;
		serviceConfig = {
		Type = "notify";
		Restart = "always";
		@@ -313,6 +337,22 @@ in
		) enabledNetworks
		);

		environment.etc = lib.mkMerge (
		lib.mapAttrsToList
		(netName: netCfg: {
		"nebula/${netName}.yml" = {
		source = genConfigFile netName (genSettings netName netCfg);
		mode = "0440";
		user = nameToId netName;
		};
		})
		(
		lib.filterAttrs (
		_: netCfg: netCfg.enableReload \|\| (lib.versionAtLeast config.system.stateVersion "25.11")
		) enabledNetworks
		)
		);

		# Open the chosen ports for UDP.
		networking.firewall.allowedUDPPorts = lib.unique (
		lib.filter (port: port > 0) (

Admin message