
From NixOS Wiki
Revision as of 21:31, 30 December 2024 by Yesaslrocks (talk | contribs) (added node/client config for nebula mesh network.)

Nebula is an open-source overlay mesh network originally developed at Slack. It can mesh hundreds or thousands of machines across the globe with few changes to how those hosts are already run.

Nebula assigns some nodes the role of "lighthouse". A lighthouse should have a public IP address that is directly reachable from the internet; placing one behind NAT or port forwarding is likely to leave it unreachable and therefore useless. A minimal $5/mo cloud machine is enough, because no mesh traffic passes through a lighthouse unless you deliberately configure it as a relay: it only tells the other nodes how to reach each other so they can connect peer-to-peer.

Lighthouse Node

In Nebula, a "lighthouse" is a signaling node reachable on a public IP address, by default on UDP port 4242. Because NixOS enables its host firewall by default, that port has to be opened on the lighthouse as well (`networking.firewall.allowedUDPPorts = [ 4242 ];`).

Because you are likely using a cloud server for your lighthouse, there is a chance you will be unable to run NixOS on that node. Check the NixOS friendly hosters article for your options for running NixOS in the cloud, or choose another distribution, install its nebula package, and go through the upstream Quick Start guide.

A simple lighthouse configuration may look like:

  environment.systemPackages = with pkgs; [ nebula ];
  services.nebula.networks.mesh = {
    enable = true;
    isLighthouse = true;
    # Listens on UDP 4242 by default; the files below are created with nebula-cert.
    cert = "/etc/nebula/beacon.crt"; # The name of this lighthouse is beacon.
    key = "/etc/nebula/beacon.key";
    ca = "/etc/nebula/ca.crt";
  };

A node configuration may look like the following. The inbound firewall rule shown here admits every mesh member to every local port and protocol; it is convenient for a first test, but tighten it before relying on the mesh.

  environment.systemPackages = with pkgs; [ nebula ];
  services.nebula.networks.mesh = {
    enable = true;
    isLighthouse = false;
    lighthouses = [ "" ]; # Nebula (overlay) IP of the lighthouse, as given to nebula-cert sign -ip
    settings = {
      cipher = "aes";
    };
    cert = "/etc/nebula/host.crt";
    key = "/etc/nebula/host.key";
    ca = "/etc/nebula/ca.crt";
    staticHostMap = {
      "" = [ "" ]; # lighthouse overlay IP -> list of its public "IP:4242" addresses
    };
    firewall.outbound = [
      { host = "any"; port = "any"; proto = "any"; }
    ];
    firewall.inbound = [
      { host = "any"; port = "any"; proto = "any"; }
    ];
  };
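The inbound rule above is the weak setting: `host = "any"` on every port and protocol lets any host holding a certificate from your CA reach every service on this node. Nebula's firewall is default-deny and can match on the groups embedded in each peer's signed certificate (assigned at signing time with `nebula-cert sign -groups ...`), so a peer cannot claim a group it was never issued. The following is an added example, not configuration from the wiki page or from the Nebula project; it is a drop-in replacement for the `firewall` attributes of the node configuration above, and the group names `admins` and `monitoring` as well as the port numbers are assumptions chosen for illustration.

```nix
  # Added example (not from the NixOS wiki page or the Nebula project):
  # group-scoped inbound rules in place of the permissive host = "any" rule.
  # Assumed group names "admins" and "monitoring" must match what was passed
  # to `nebula-cert sign -groups ...` when the peers' certificates were issued.
  services.nebula.networks.mesh = {
    # Weak setting from the page, kept here only for comparison:
    # firewall.inbound = [ { host = "any"; port = "any"; proto = "any"; } ];

    # This node may still initiate any connection into the mesh; narrow this
    # too if the host has no reason to talk to other members.
    firewall.outbound = [
      { host = "any"; port = "any"; proto = "any"; }
    ];

    firewall.inbound = [
      # ICMP from any mesh member, so reachability can be checked with ping.
      { host = "any"; port = "any"; proto = "icmp"; }
      # SSH only from peers whose certificate carries the "admins" group.
      { port = "22"; proto = "tcp"; group = "admins"; }
      # Metrics endpoint (illustrative port) only for the "monitoring" group.
      { port = "9100"; proto = "tcp"; group = "monitoring"; }
      # A port range, reachable only by peers that hold BOTH groups at once.
      { port = "8000-8010"; proto = "tcp"; groups = [ "admins" "monitoring" ]; }
    ];
  };
```

Each rule needs exactly one selector (`host`, `group`, `groups`, `cidr` and so on) plus `port` and `proto`; `groups` requires every listed group to be present in the peer's certificate, whereas `group` matches a single one. Because the groups live in the certificate signed by your CA, changing a node's access means re-issuing its certificate, not editing the node.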

The files in `/etc/nebula` need to be readable by the Nebula service, which the NixOS module runs as a dedicated system user (`nebula-mesh` for the network named `mesh` above; confirm with `systemctl show -p User nebula@mesh`). Certificates are public and can keep normal read permissions, but the private key should be readable only by that user. Do not simply copy the world-readable modes of `/etc/nix` onto the key:

sudo chown -R nebula-mesh:nebula-mesh /etc/nebula
sudo chmod 750 /etc/nebula
sudo chmod 644 /etc/nebula/*.crt
sudo chmod 600 /etc/nebula/*.key

Here is a quick process for making a certificate authority (CA) and a certificate for a lighthouse node called "beacon". The `-ip` argument is the node's address inside the overlay, in CIDR form (the prefix length defines the mesh's address range), and `nebula-cert sign` writes `<name>.crt` and `<name>.key` next to the CA files:

> mkdir ~/mesh && cd ~/mesh
> nebula-cert ca -name mesh
> nebula-cert sign -ca-crt ./ca.crt -ca-key ./ca.key -name beacon -ip <nebula-ip>/<prefix>
> ls
ca.crt  ca.key  beacon.crt  beacon.key

Of these four files, ca.key is the signing key for the entire mesh: anyone holding it can mint certificates that every node will trust, so keep it off the nodes (ideally on an offline machine) and copy only ca.crt to them along with each node's own certificate and key.
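The two steps above, installing the files with the right ownership and keeping ca.key away from nodes, are easy to get wrong by hand. The following script is an added example, not from the wiki page or the Nebula project: it installs a directory of `nebula-cert` output into a node's `/etc/nebula` with least-privilege modes, refuses to copy ca.key, and provides a check that flags any private key readable by group or others. It assumes the NixOS module's convention of a service user and group named `nebula-<network>` (pass them as the third and fourth arguments); when run unprivileged, as in the dry run shown in the usage comment, owner and group default to the current user so the logic can be exercised without root.

```shell
#!/usr/bin/env sh
# Added example (not from the NixOS wiki page or the Nebula project).
# Installs nebula-cert output with least-privilege permissions instead of
# copying /etc/nix's world-readable modes. Assumes the NixOS service user is
# nebula-<network> (e.g. nebula-mesh); override via $3/$4 if yours differs.
set -eu

# mode_of FILE -> octal permission bits (GNU stat, BSD stat as fallback)
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_nebula_creds SRC DST [OWNER] [GROUP]
# Copies ca.crt and every <host>.crt / <host>.key from SRC into DST.
# Certificates are public and get 0644; private keys get 0600 owned by the
# service user. ca.key is never installed on a node: it belongs offline.
install_nebula_creds() {
  src=$1; dst=$2; owner=${3:-$(id -un)}; group=${4:-$(id -gn)}
  install -d -m 0750 -o "$owner" -g "$group" "$dst"
  for f in "$src"/*.crt; do
    [ -e "$f" ] || continue
    install -m 0644 -o "$owner" -g "$group" "$f" "$dst/$(basename "$f")"
  done
  for f in "$src"/*.key; do
    [ -e "$f" ] || continue
    case $(basename "$f") in
      ca.key)
        echo "refusing to install ca.key: keep the CA key on an offline machine" >&2
        continue ;;
    esac
    install -m 0600 -o "$owner" -g "$group" "$f" "$dst/$(basename "$f")"
  done
}

# check_nebula_perms DST -> non-zero if a key is group/world readable or
# if ca.key is present on the node at all.
check_nebula_perms() {
  dst=$1; rc=0
  for f in "$dst"/*.key; do
    [ -e "$f" ] || continue
    m=$(mode_of "$f")
    if [ "$m" != "600" ] && [ "$m" != "400" ]; then
      echo "$f has mode $m; private keys must be 0600 or 0400" >&2
      rc=1
    fi
  done
  if [ -e "$dst/ca.key" ]; then
    echo "$dst/ca.key is present on a node; remove it" >&2
    rc=1
  fi
  return $rc
}

# Usage on a real node (as root), after copying the files from the signing machine:
#   install_nebula_creds /root/mesh-out /etc/nebula nebula-mesh nebula-mesh
#   check_nebula_perms /etc/nebula
# Dry run without root: omit the owner/group arguments and use a scratch directory.
```

`install -m` applies the mode regardless of the caller's umask, and the check function is meant to be re-run after any manual edit in `/etc/nebula`; a single `chmod --reference /etc/nix/nix.conf` on the key would have made it 0644 and failed that check.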