From d43a6891884ca785ab9ddcf44d0705cf73a46a8e Mon Sep 17 00:00:00 2001
From: bloominstrong
Date: Wed, 22 Oct 2025 13:20:19 +0000
Subject: [PATCH] nixos/nebula-lighthouse-service: init module
---
 .../manual/release-notes/rl-2511.section.md | 2 +
 nixos/modules/module-list.nix | 1 +
 .../networking/nebula-lighthouse-service.nix | 59 +++++++++++++++++++
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/nebula-lighthouse-service.nix | 33 +++++++++++
 .../ne/nebula-lighthouse-service/package.nix | 5 ++
 6 files changed, 101 insertions(+)
 create mode 100644 nixos/modules/services/networking/nebula-lighthouse-service.nix
 create mode 100644 nixos/tests/nebula-lighthouse-service.nix
diff --git a/nixos/doc/manual/release-notes/rl-2511.section.md b/nixos/doc/manual/release-notes/rl-2511.section.md
index 724c84fe3811..9bfbf1ea13b1 100644
--- a/nixos/doc/manual/release-notes/rl-2511.section.md
+++ b/nixos/doc/manual/release-notes/rl-2511.section.md
@@ -128,6 +128,8 @@
 - [dwl](https://codeberg.org/dwl/dwl), a compact, hackable compositor for Wayland based on wlroots. Available as [programs.dwl](#opt-programs.dwl.enable).
+- [nebula-lighthouse-service](https://github.com/manuels/nebula-lighthouse-service), a public nebula lighthouse service. Avaliable as [services.nebula-lighthouse-service](#opt-services.nebula-lighthouse-service.enable).
+
 - [angrr](https://github.com/linyinfeng/angrr), a service that automatically cleans up old auto GC roots. Available as [services.angrr](#opt-services.angrr.enable).
 - [Sharkey](https://joinsharkey.org), a Sharkish microblogging platform. Available as [services.sharkey](#opt-services.sharkey.enable).
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index ab964994d908..79fb9e5885b2 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1267,6 +1267,7 @@
 ./services/networking/ncdns.nix
 ./services/networking/ncps.nix
 ./services/networking/ndppd.nix
+ ./services/networking/nebula-lighthouse-service.nix
 ./services/networking/nebula.nix
 ./services/networking/netbird.nix
 ./services/networking/netbird/server.nix
diff --git a/nixos/modules/services/networking/nebula-lighthouse-service.nix b/nixos/modules/services/networking/nebula-lighthouse-service.nix
new file mode 100644
index 000000000000..758c2112e6f1
--- /dev/null
+++ b/nixos/modules/services/networking/nebula-lighthouse-service.nix
@@ -0,0 +1,59 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+let
+ cfg = config.services.nebula-lighthouse-service;
+ settingsFormat = pkgs.formats.yaml { };
+in
+{
+
+ options.services.nebula-lighthouse-service = {
+ enable = lib.mkEnableOption ''If enabled, NixOS will enable a systemd unit for nebula-lighthouse-service'';
+ settings = lib.mkOption {
+ type = settingsFormat.type;
+ default = { };
+ description = ''
+ Configuration for nebula-lighthouse-service.
+ '';
+ example = ''
+ max-port = 65535;
+ min-port = 49152;
+ "webserver.ip" = "127.0.0.1";
+ "webserver.port" = 8080;
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.nebula-lighthouse-service.settings = {
+ min-port = lib.mkDefault 49152;
+ max-port = lib.mkDefault 65535;
+ "webserver.port" = lib.mkDefault 8080;
+ "webserver.ip" = lib.mkDefault "127.0.0.1";
+ };
+ environment.etc."nebula-lighthouse-service/config.yaml".source =
+ settingsFormat.generate "nebula-lighthouse-service-config.yaml" cfg.settings;
+ systemd.services.nebula-lighthouse-service = {
+ description = "Run nebula-lighthouse-service";
+ wants = [ "basic.target" ];
+ after = [
+ "basic.target"
+ "network.target"
+ ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "exec";
+ Restart = "always";
+ ExecStart = "${pkgs.nebula-lighthouse-service}/bin/nebula-lighthouse-service";
+ StateDirectory = "nebula-lighthouse-service";
+ };
+ };
+ };
+ meta.maintainers = with lib.maintainers; [
+ bloominstrong
+ ];
+}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index f37373c70cee..0c5f6b9fbc16 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -1013,6 +1013,7 @@ in
 ndppd = runTest ./ndppd.nix;
 nebula.connectivity = runTest ./nebula/connectivity.nix;
 nebula.reload = runTest ./nebula/reload.nix;
+ nebula-lighthouse-service = runTest ./nebula-lighthouse-service.nix;
 neo4j = runTest ./neo4j.nix;
 netbird = runTest ./netbird.nix;
 netbox-upgrade = runTest ./web-apps/netbox-upgrade.nix;
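Review bot: The `serviceConfig` of the new unit in nixos/modules/services/networking/nebula-lighthouse-service.nix sets neither `User`/`DynamicUser` nor any sandboxing option, so the daemon runs as root with an unrestricted view of the system. Per the accompanying NixOS test it takes uploaded CA certificates, host certificates and host private keys over HTTP and then starts `nebula` processes, which is a lot to leave unconfined for a service the release note describes as public. A hardened starting point is sketched below; the capability and device entries assume the spawned `nebula` needs a tun device and should be confirmed by running the test. Separately, `lib.mkEnableOption` already prepends "Whether to enable", so its argument should be just `"nebula-lighthouse-service"`.

```nix
      serviceConfig = {
        # … unchanged: Type, Restart, ExecStart, StateDirectory …
        DynamicUser = true;
        AmbientCapabilities = [ "CAP_NET_ADMIN" ];
        CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
        DeviceAllow = [ "/dev/net/tun rw" ];
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectHome = true;
        ProtectSystem = "strict";
```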
diff --git a/nixos/tests/nebula-lighthouse-service.nix b/nixos/tests/nebula-lighthouse-service.nix
new file mode 100644
index 000000000000..c88f73d6c070
--- /dev/null
+++ b/nixos/tests/nebula-lighthouse-service.nix
@@ -0,0 +1,33 @@
+{ pkgs, lib, ... }:
+{
+ name = "nebula-lighthouse-service";
+
+ meta.maintainers = with lib.maintainers; [
+ bloominstrong
+ ];
+
+ nodes.machine =
+ { ... }:
+ {
+ environment.systemPackages = with pkgs; [
+ nebula
+ ];
+ services.nebula-lighthouse-service.enable = true;
+
+ };
+
+ testScript = ''
+ start_all()
+ machine.succeed(
+ 'nebula-cert ca -duration $((10*365*24*60))m -name "NLS Test" -out-crt ca.crt -out-key ca.key',
+ 'nebula-cert sign -duration $((365*24*60))m -ca-crt ca.crt -ca-key ca.key -name "lighthouse" -groups "lighthouse" -ip "10.0.100.1/24" -out-crt lighthouse.crt -out-key lighthouse.key'
+ )
+ machine.wait_for_unit("nebula-lighthouse-service.service")
+ machine.wait_for_open_port(8080)
+ machine.succeed(
+ 'curl -X POST "http://127.0.0.1:8080/lighthouse/" -F ca_crt=@./ca.crt -F host_crt=@./lighthouse.crt -F host_key=@./lighthouse.key',
+ 'curl -X GET "http://127.0.0.1:8080/lighthouse/" -F ca_crt=@./ca.crt -F host_crt=@./lighthouse.crt -F host_key=@./lighthouse.key',
+ 'pgrep -x nebula'
+ )
+ '';
+}
diff --git a/pkgs/by-name/ne/nebula-lighthouse-service/package.nix b/pkgs/by-name/ne/nebula-lighthouse-service/package.nix
index e08fd3b8e385..c1a2bfc49a7b 100644
--- a/pkgs/by-name/ne/nebula-lighthouse-service/package.nix
+++ b/pkgs/by-name/ne/nebula-lighthouse-service/package.nix
@@ -3,6 +3,7 @@
 fetchFromGitHub,
 python3Packages,
 nebula,
+ nixosTests,
 }:
 python3Packages.buildPythonApplication rec {
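Review bot: Both `curl` calls in the `testScript` of nixos/tests/nebula-lighthouse-service.nix run without `--fail`, so curl exits 0 even when the service answers with an HTTP error status and `machine.succeed` cannot tell a rejected upload from an accepted one. As written, only the trailing `pgrep -x nebula` would notice a failure, and the response bodies are never inspected. Adding the flag to each request, as in `'curl --fail -X POST "http://127.0.0.1:8080/lighthouse/" -F ca_crt=@./ca.crt -F host_crt=@./lighthouse.crt -F host_key=@./lighthouse.key'`, turns every request into an assertion on the status code.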
@@ -45,6 +46,10 @@ python3Packages.buildPythonApplication rec {
 "nebula_lighthouse_service"
 ];
+ passthru.tests = {
+ nebula-lighthouse-service = nixosTests.nebula-lighthouse-service;
+ };
+
 meta = {
 description = "Public Nebula VPN Lighthouse Service, you can use it in case you don’t have a publicly accessible server to run your own Nebula Lighthouse";
 homepage = "https://github.com/manuels/nebula-lighthouse-service";