Nebula: Difference between revisions
imported>C4lliope No edit summary |
|||
(2 intermediate revisions by 2 users not shown) | |||
Line 7: | Line 7: | ||
In Nebula, a "lighthouse" is a signaling node accessible through a public IP address, using UDP port 4242. | In Nebula, a "lighthouse" is a signaling node accessible through a public IP address, using UDP port 4242. | ||
Because you're likely using a cloud server option for your lighthouse, there is a chance you'll be unable to use NixOS on that node. Double check [ | Because you're likely using a cloud server option for your lighthouse, there is a chance you'll be unable to use NixOS on that node. Double check the [[NixOS_friendly_hosters| NixOS friendly hosters article]] your options for running NixOS in the cloud], or choose a secondary distribution and look for the <code>nebula</code> package, and go through [https://nebula.defined.net/docs/guides/quick-start/ the Quick Start guide]. | ||
Line 15: | Line 15: | ||
environment.systemPackages = with pkgs; [ nebula ]; | environment.systemPackages = with pkgs; [ nebula ]; | ||
services.nebula.networks.mesh = { | services.nebula.networks.mesh = { | ||
enable = | enable = true; | ||
isLighthouse = true; | isLighthouse = true; | ||
cert = "/etc/ | cert = "/etc/nebula/beacon.crt"; # The name of this lighthouse is beacon. | ||
key = "/etc/nebula/ | key = "/etc/nebula/beacon.key"; | ||
ca = "/etc/nebula/ca.crt"; | ca = "/etc/nebula/ca.crt"; | ||
}; | }; | ||
</syntaxhighlight> | |||
The configuration files in `/etc/nebula` need to be readable by the Nebula service: | |||
<syntaxhighlight lang="bash"> | |||
sudo chmod --reference /etc/nix /etc/nebula | |||
sudo chmod --reference /etc/nix/nix.conf /etc/nebula/* | |||
</syntaxhighlight> | </syntaxhighlight> | ||
Line 36: | Line 44: | ||
Of these four files produced, you should do as much as you can to keep <code>ca.key</code> secure. | Of these four files produced, you should do as much as you can to keep <code>ca.key</code> secure. | ||
[[Category:Networking]] |
Latest revision as of 22:30, 30 October 2024
Nebula is a meshing overlay network made as an open-source program by Slack. You can seamlessly mesh hundreds, thousands, or more machines across the globe, using minimal changes to your process.
Nebula runs by assigning a number of nodes the role of "lighthouse". These nodes should be assigned a public global IP address - any kind of NAT or port forwarding is likely to render your lighthouses useless. A minimal $5/mo cloud machine is good enough to run as a lighthouse node, and luckily no traffic passes through those nodes; they only broker the peer-to-peer connections of the other nodes in your mesh.
Lighthouse Node
In Nebula, a "lighthouse" is a signaling node accessible through a public IP address, using UDP port 4242.
Because you're likely using a cloud server option for your lighthouse, there is a chance you'll be unable to use NixOS on that node. Double check the NixOS friendly hosters article your options for running NixOS in the cloud], or choose a secondary distribution and look for the nebula
package, and go through the Quick Start guide.
A simple configuration may look like:
environment.systemPackages = with pkgs; [ nebula ];
services.nebula.networks.mesh = {
enable = true;
isLighthouse = true;
cert = "/etc/nebula/beacon.crt"; # The name of this lighthouse is beacon.
key = "/etc/nebula/beacon.key";
ca = "/etc/nebula/ca.crt";
};
The configuration files in `/etc/nebula` need to be readable by the Nebula service:
sudo chmod --reference /etc/nix /etc/nebula
sudo chmod --reference /etc/nix/nix.conf /etc/nebula/*
Here is a quick process for making a certificate authority (ca
) and a certificate for a lighthouse node, called "beacon
".
> mkdir ~/mesh && cd ~/mesh
> nebula-cert ca -name mesh
> nebula-cert sign -ca-crt ./ca.crt -ca-key ./ca.key -name beacon -ip 10.0.0.1
> ls
ca.crt ca.key node.crt node.key
Of these four files produced, you should do as much as you can to keep ca.key
secure.