Merge pull request #109 from SleepyLeslie/nebula

Add Nebula sysext
flatcar · Feb 6, 2025 · 37df707 · 37df707
2 parents b031afe + 221736a
commit 37df707
Show file tree

Hide file tree

Showing 3 changed files with 127 additions and 0 deletions.
diff --git a/create_nebula_sysext.sh b/create_nebula_sysext.sh
@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+export ARCH="${ARCH-x86-64}"
+SCRIPTFOLDER="$(dirname "$(readlink -f "$0")")"
+
+if [ $# -lt 2 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+  echo "Usage: $0 VERSION SYSEXTNAME"
+  echo "The script will download nebula release binaries and create a sysext squashfs image with the name SYSEXTNAME.raw in the current folder."
+  echo "A temporary directory named SYSEXTNAME in the current folder will be created and deleted again."
+  echo "All files in the sysext image will be owned by root."
+  echo "To use arm64 pass 'ARCH=arm64' as environment variable (current value is '${ARCH}')."
+  "${SCRIPTFOLDER}"/bake.sh --help
+  exit 1
+fi
+
+VERSION="$1"
+SYSEXTNAME="$2"
+
+if [ "${ARCH}" = "x86_64" ] || [ "${ARCH}" = "x86-64" ]; then
+  ARCH="amd64"
+elif [ "${ARCH}" = "aarch64" ]; then
+  ARCH="arm64"
+fi
+
+VERSION="v${VERSION#v}"
+
+TARBALL="nebula-linux-${ARCH}.tar.gz"
+SHASUM="SHASUM256.txt"
+
+TARBALL_URL="https://github.com/slackhq/nebula/releases/download/${VERSION}/${TARBALL}"
+SHASUM_URL="https://github.com/slackhq/nebula/releases/download/${VERSION}/${SHASUM}"
+
+rm -rf "${SYSEXTNAME}"
+
+TMP_DIR="${SYSEXTNAME}/tmp"
+mkdir -p "${TMP_DIR}"
+
+curl --parallel --fail --silent --show-error --location \
+  --output "${TMP_DIR}/${TARBALL}" "${TARBALL_URL}" \
+  --output "${TMP_DIR}/${SHASUM}" "${SHASUM_URL}"
+
+pushd "${TMP_DIR}" > /dev/null
+grep "${TARBALL}$" "${SHASUM}" | sha256sum -c -
+popd  > /dev/null
+
+mkdir -p "${SYSEXTNAME}/usr/bin"
+
+tar --force-local -xf "${TMP_DIR}/${TARBALL}" -C "${SYSEXTNAME}/usr/bin"
+chmod +x "${SYSEXTNAME}/usr/bin/nebula"
+chmod +x "${SYSEXTNAME}/usr/bin/nebula-cert"
+
+mkdir -p "${SYSEXTNAME}/usr/lib/systemd/system"
+cat > "${SYSEXTNAME}/usr/lib/systemd/system/nebula.service" <<-'EOF'
+[Unit]
+Description=Nebula overlay networking tool
+Wants=basic.target network-online.target nss-lookup.target time-sync.target
+After=basic.target network.target network-online.target
+
+[Service]
+Type=notify
+NotifyAccess=main
+SyslogIdentifier=nebula
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/bin/nebula -config /etc/nebula/config.yaml
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+mkdir -p "${SYSEXTNAME}"/usr/lib/systemd/system/multi-user.target.d
+{ echo "[Unit]"; echo "Upholds=nebula.service"; } > "${SYSEXTNAME}"/usr/lib/systemd/system/multi-user.target.d/10-nebula.conf
+
+rm -rf "${TMP_DIR}"
+
+RELOAD=1 "${SCRIPTFOLDER}"/bake.sh "${SYSEXTNAME}"
+rm -rf "${SYSEXTNAME}"
diff --git a/docs/nebula.md b/docs/nebula.md
@@ -0,0 +1,47 @@
+# Nebula sysext
+
+This sysext ships [Nebula](https://github.com/slackhq/nebula).
+
+## Usage
+
+Refer to the following Butane snippet that enables Nebula v1.9.5 for an x86-64 machine with automated updates using `systemd-sysupdate`.
+
+Note that you will also need to supply a [Nebula config file](https://github.com/slackhq/nebula/blob/master/examples/config.yml) at `/etc/nebula/config.yaml`, as well as necessary key files. You can embed them into the `files` section of your Butane configuration.
+
+```yaml
+variant: flatcar
+version: 1.0.0
+
+storage:
+  files:
+    - path: /opt/extensions/nebula/nebula-v1.9.5-x86-64.raw
+      mode: 0644
+      contents:
+        source: https://github.com/flatcar/sysext-bakery/releases/download/latest/nebula-v1.9.5-x86-64.raw
+    - path: /etc/sysupdate.nebula.d/nebula.conf
+      contents:
+        source: https://github.com/flatcar/sysext-bakery/releases/download/latest/nebula.conf
+    - path: /etc/sysupdate.d/noop.conf
+      contents:
+        source: https://github.com/flatcar/sysext-bakery/releases/download/latest/noop.conf
+  links:
+    - path: /etc/systemd/system/multi-user.target.wants/nebula.service
+      target: /usr/lib/systemd/system/nebula.service
+      overwrite: true
+    - target: /opt/extensions/nebula/nebula-v1.9.5-x86-64.raw
+      path: /etc/extensions/nebula.raw
+      hard: false
+systemd:
+  units:
+    - name: systemd-sysupdate.timer
+      enabled: true
+    - name: systemd-sysupdate.service
+      dropins:
+        - name: nebula.conf
+          contents: |
+            [Service]
+            ExecStartPre=/usr/bin/sh -c "readlink --canonicalize /etc/extensions/nebula.raw > /tmp/nebula"
+            ExecStartPre=/usr/lib/systemd/systemd-sysupdate -C nebula update
+            ExecStartPost=/usr/bin/sh -c "readlink --canonicalize /etc/extensions/nebula.raw > /tmp/nebula-new"
+            ExecStartPost=/usr/bin/sh -c "if ! cmp --silent /tmp/nebula /tmp/nebula-new; then touch /run/reboot-required; fi"
+```
diff --git a/release_build_versions.txt b/release_build_versions.txt
@@ -26,6 +26,8 @@ wasmcloud-1.2.1
 
 tailscale-1.76.6
 
+nebula-1.9.5
+
 nvidia_runtime-v1.16.2
 
 ollama-0.3.9