Nebula: Difference between revisions

(5 intermediate revisions by 3 users not shown)

Line 1:

[https://github.com/slackhq/nebula Nebula] is a meshing overlay network made as an open-source program by Slack. You can seamlessly mesh hundreds, thousands, or more machines across the globe, using minimal changes to your process.

~~This guide assumes there are~~ a ~~couple~~ of ~~Nix machines you'd like to connect, though you can go through~~ the "~~Lighthouse Node~~" ~~section on~~ a ~~single~~ machine as a ~~sample~~.

Nebula runs by assigning a number of nodes the role of "lighthouse". These nodes should be assigned a public global IP address - any kind of NAT or port forwarding is likely to render your lighthouses useless. A minimal $5/mo cloud machine is good enough to run as a lighthouse node, and luckily no traffic passes through those nodes; they only broker the peer-to-peer connections of the other nodes in your mesh.

== Lighthouse Node ==

In Nebula, a "lighthouse" is a signaling node accessible through a public IP address, using UDP port 4242. A simple configuration may look like:

In Nebula, a "lighthouse" is a signaling node accessible through a public IP address, using UDP port 4242.

Because you're likely using a cloud server option for your lighthouse, there is a chance you'll be unable to use NixOS on that node. Double check the [[NixOS_friendly_hosters| NixOS friendly hosters article]] your options for running NixOS in the cloud], or choose a secondary distribution and look for the <code>nebula</code> package, and go through [https://nebula.defined.net/docs/guides/quick-start/ the Quick Start guide].

A simple lighthouse configuration may look like:

environment.systemPackages = with pkgs; [ nebula ];

services.nebula.networks.mesh = {

enable = ~~false~~;

enable = true;

isLighthouse = true;

cert = "/~~home~~/~~user~~/~~mesh/node~~.crt";

cert = "/etc/nebula/beacon.crt"; # The name of this lighthouse is beacon.

key = "/~~home/user~~/~~mesh~~/~~node~~.key";

key = "/etc/nebula/beacon.key";

ca = "/~~home/user~~/~~mesh~~/ca.crt";

ca = "/etc/nebula/ca.crt";

};

</syntaxhighlight>

~~Please use your normal login username, or choose some other place on your disk as you~~ like.

A node configuration may look like:

~~Before enabling the service, do you see those certificates referenced under~~ <~~code~~>cert</~~code>, <code>~~key</~~code>, and <code>~~ca</~~code~~>~~? They're easy enough to make.~~

environment.systemPackages = with pkgs; [ nebula ];

services.nebula.networks.mesh = {

enable = true;

isLighthouse = false;

lighthouses = [ "192.168.100.1" ];

settings = {

cipher= "aes";

};

cert = "/etc/nebula/host.crt";

key = "/etc/nebula/host.key";

ca = "/etc/nebula/ca.crt";

staticHostMap = {

"192.168.100.1" = [

"PUBLICLIGHTHOUSEIPHERE:4242"

];

};

firewall.outbound = [

{

host = "any";

port = "any";

proto = "any";

}

];

firewall.inbound = [

{

host = "any";

port = "any";

proto = "any";

}

];

};

</syntaxhighlight>

~~Be sure you make~~ the ~~certs on the filepath used in your~~ nix ~~config,~~ and ~~use the IP you'd like your~~ lighthouse node ~~to be assigned~~.

The configuration files in `/etc/nebula` need to be readable by the Nebula service:

sudo chmod --reference /etc/nix /etc/nebula

sudo chmod --reference /etc/nix/nix.conf /etc/nebula/*

</syntaxhighlight>

Here is a quick process for making a certificate authority (<code>ca</code>) and a certificate for a lighthouse node, called "<code>beacon</code>".

> mkdir ~/mesh && cd ~/mesh

> nebula-cert ca -name mesh

> nebula-cert sign -ca-crt ./ca.crt -ca-key ./ca.key -name ~~node~~ -ip 10.0.0.~~180~~

> nebula-cert sign -ca-crt ./ca.crt -ca-key ./ca.key -name beacon -ip 10.0.0.1

> ls

ca.crt ca.key node.crt node.key

</syntaxhighlight>

Of these four, you should do as much as you can to keep <code>ca.key</code> secure.

Of these four files produced, you should do as much as you can to keep <code>ca.key</code> secure.

~~(...more coming soon...)~~

[[Category:Networking]]

~~<syntaxhighlight lang="nix">~~

~~</syntaxhighlight>~~

~~<syntaxhighlight lang="nix">~~

~~</syntaxhighlight>~~

~~<syntaxhighlight lang="nix">~~

~~</syntaxhighlight>~~

@@ Line 1: / Line 1: @@
 [https://github.com/slackhq/nebula Nebula] is a meshing overlay network made as an open-source program by Slack. You can seamlessly mesh hundreds, thousands, or more machines across the globe, using minimal changes to your process.
-This guide assumes there are a couple of Nix machines you'd like to connect, though you can go through the "Lighthouse Node" section on a single machine as a sample.
+Nebula runs by assigning a number of nodes the role of "lighthouse". These nodes should be assigned a public global IP address - any kind of NAT or port forwarding is likely to render your lighthouses useless. A minimal $5/mo cloud machine is good enough to run as a lighthouse node, and luckily no traffic passes through those nodes; they only broker the peer-to-peer connections of the other nodes in your mesh.
 == Lighthouse Node ==
-In Nebula, a "lighthouse" is a signaling node accessible through a public IP address, using UDP port 4242. A simple configuration may look like:
+In Nebula, a "lighthouse" is a signaling node accessible through a public IP address, using UDP port 4242.
+Because you're likely using a cloud server option for your lighthouse, there is a chance you'll be unable to use NixOS on that node. Double check the [[NixOS_friendly_hosters| NixOS friendly hosters article]] your options for running NixOS in the cloud], or choose a secondary distribution and look for the <code>nebula</code> package, and go through [https://nebula.defined.net/docs/guides/quick-start/ the Quick Start guide].
+A simple lighthouse configuration may look like:
 <syntaxhighlight lang="nix">
    environment.systemPackages = with pkgs; [ nebula ];
    services.nebula.networks.mesh = {
-     enable = false;
+     enable = true;
      isLighthouse = true;
-     cert = "/home/user/mesh/node.crt";
+     cert = "/etc/nebula/beacon.crt"; # The name of this lighthouse is beacon.
-     key = "/home/user/mesh/node.key";
+     key = "/etc/nebula/beacon.key";
-     ca = "/home/user/mesh/ca.crt";
+     ca = "/etc/nebula/ca.crt";
    };
 </syntaxhighlight>
-Please use your normal login username, or choose some other place on your disk as you like.
+A node configuration may look like:
-Before enabling the service, do you see those certificates referenced under <code>cert</code>, <code>key</code>, and <code>ca</code>? They're easy enough to make.
+<syntaxhighlight lang="nix">
+  environment.systemPackages = with pkgs; [ nebula ];
+  services.nebula.networks.mesh = {
+    enable = true;
+    isLighthouse = false;
+    lighthouses = [ "192.168.100.1" ];
+    settings = {
+        cipher= "aes";
+        };
+    cert = "/etc/nebula/host.crt";
+    key = "/etc/nebula/host.key";
+    ca = "/etc/nebula/ca.crt";
+    staticHostMap = {
+        "192.168.100.1" = [
+                "PUBLICLIGHTHOUSEIPHERE:4242"
+                ];
+        };
+    firewall.outbound = [
+  {
+    host = "any";
+    port = "any";
+    proto = "any";
+  }
+];
+    firewall.inbound = [
+  {
+    host = "any";
+    port = "any";
+    proto = "any";
+  }
+];
+  };
+</syntaxhighlight>
-Be sure you make the certs on the filepath used in your nix config, and use the IP you'd like your lighthouse node to be assigned.
+The configuration files in `/etc/nebula` need to be readable by the Nebula service:
+<syntaxhighlight lang="bash">
+sudo chmod --reference /etc/nix /etc/nebula
+sudo chmod --reference /etc/nix/nix.conf /etc/nebula/*
+</syntaxhighlight>
+Here is a quick process for making a certificate authority (<code>ca</code>) and a certificate for a lighthouse node, called "<code>beacon</code>".
 <syntaxhighlight lang="bash">
 > mkdir ~/mesh && cd ~/mesh
 > nebula-cert ca -name mesh
-> nebula-cert sign -ca-crt ./ca.crt -ca-key ./ca.key -name node -ip 10.0.0.180
+> nebula-cert sign -ca-crt ./ca.crt -ca-key ./ca.key -name beacon -ip 10.0.0.1
 > ls
 ca.crt  ca.key  node.crt  node.key
 </syntaxhighlight>
-Of these four, you should do as much as you can to keep <code>ca.key</code> secure.
+Of these four files produced, you should do as much as you can to keep <code>ca.key</code> secure.
-(...more coming soon...)
+[[Category:Networking]]
-<syntaxhighlight lang="nix">
-</syntaxhighlight>
-<syntaxhighlight lang="nix">
-</syntaxhighlight>
-<syntaxhighlight lang="nix">
-</syntaxhighlight>