add dns/sshd configuration handling for lighthouse nodes

durrendal · durrendal · commit 6234f0c06ae0 · 2026-03-14T22:27:12.000-04:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,11 @@ This project uses [Semantic Versioning](https://semver.org/) - MAJOR.MINOR.PATCH
 
 # Changelog
 
+## 1.0.1 (2026-03-14)
+
+- Added configuration handling for the built in lighthouse DNS server
+- Added configuration handling for the built in lighthouse SSHD server
+
 ## 1.0.0 (2026-03-05)
 
 - Initial release of saltext-nebula
diff --git a/WIP/saltext-nebula-patch.zip b/WIP/saltext-nebula-patch.zip
diff --git a/docs/topics/pillar-configuration.md b/docs/topics/pillar-configuration.md
@@ -174,6 +174,56 @@ base:
     - nebula.databases
 ```
 
+## Lighthouse DNS
+
+Lighthouses can serve DNS for the Nebula network, allowing hosts to resolve
+each other by name. Configure `serve_dns` and the `dns` bind address under
+the host entry:
+
+```yaml
+nebula:
+  hosts:
+    lighthouse01:
+      ip: "10.10.10.1/24"
+      is_lighthouse: true
+      serve_dns: true
+      dns:
+        host: "0.0.0.0"   # bind to all interfaces; use nebula IP to restrict to overlay only
+        port: 53           # use a non-privileged port like 5353 if not running as root
+```
+
+`serve_dns` is silently ignored for non-lighthouse hosts. Remember to open
+the chosen port in the host's inbound firewall rules and in your OS-level
+firewall (iptables, nftables, ufw, etc.).
+
+## Nebula SSH Server
+
+Nebula includes a built-in SSH server for management access that operates
+independently of the OS SSH daemon. It is disabled by default and only emitted
+in the generated config when `enabled: true` is set:
+
+```yaml
+nebula:
+  hosts:
+    myhost:
+      ip: "10.10.10.50/24"
+      sshd:
+        enabled: true
+        listen: "127.0.0.1:22"    # address:port for the nebula sshd to bind
+        host_key: "/etc/nebula/ssh_host_ed25519_key"  # omit to use this default
+        authorized_users:
+          - user: alice
+            keys:
+              - 'ssh-ed25519 AAAA...'
+        # Optional: also accept nebula CA-signed SSH certificates
+        authorized_nebula_certificate_authorities:
+          - 'ssh-ed25519 AAAA...'
+```
+
+When `host_key` is omitted it defaults to `<config_dir>/ssh_host_ed25519_key`.
+The key file must be generated separately (e.g. `ssh-keygen -t ed25519 -f
+/etc/nebula/ssh_host_ed25519_key -N ""`).
+
 ## Advanced Configuration Options
 
 ### Unsafe Routes
diff --git a/src/saltext/nebula/modules/nebula.py b/src/saltext/nebula/modules/nebula.py
@@ -624,6 +624,16 @@ def build_config(minion_id=None):
     if host_config.get("calculated_remotes"):
         lh_config["calculated_remotes"] = host_config["calculated_remotes"]
 
+    # serve_dns / dns: lighthouse-only
+    if is_lighthouse and host_config.get("serve_dns"):
+        lh_config["serve_dns"] = True
+        dns_cfg = host_config.get("dns", {})
+        if dns_cfg:
+            lh_config["dns"] = {
+                "host": dns_cfg.get("host", "0.0.0.0"),
+                "port": dns_cfg.get("port", 53),
+            }
+
     config["lighthouse"] = lh_config
 
     # --- Listen ---
@@ -658,6 +668,25 @@ def build_config(minion_id=None):
         "timestamp_format": "2006-01-02T15:04:05Z07:00",
     }
 
+    # --- SSHD (optional, host-level) ---
+    sshd_cfg = host_config.get("sshd", {})
+    if sshd_cfg.get("enabled"):
+        sshd = {
+            "enabled": True,
+            "listen": sshd_cfg.get("listen", "127.0.0.1:22"),
+            "host_key": sshd_cfg.get(
+                "host_key",
+                f"{paths['config_dir']}{_sep()}ssh_host_ed25519_key",
+            ),
+        }
+        if sshd_cfg.get("authorized_users"):
+            sshd["authorized_users"] = sshd_cfg["authorized_users"]
+        if sshd_cfg.get("authorized_nebula_certificate_authorities"):
+            sshd["authorized_nebula_certificate_authorities"] = sshd_cfg[
+                "authorized_nebula_certificate_authorities"
+            ]
+        config["sshd"] = sshd
+
     # --- Firewall ---
     # Common defaults
     common_fw = nebula_pillar.get("firewall", {})
diff --git a/tests/unit/test_modules_nebula.py b/tests/unit/test_modules_nebula.py
@@ -413,6 +413,110 @@ def test_static_host_map(self):
         assert "172.25.0.1" in config["static_host_map"]
         assert config["static_host_map"]["172.25.0.1"] == ["1.2.3.4:4242"]
 
+    def test_lighthouse_serve_dns(self):
+        """Lighthouse with serve_dns emits serve_dns and dns block inside lighthouse config."""
+        nebula_mod.__pillar__["nebula"]["hosts"]["testhost"]["is_lighthouse"] = True
+        nebula_mod.__pillar__["nebula"]["hosts"]["testhost"]["serve_dns"] = True
+        nebula_mod.__pillar__["nebula"]["hosts"]["testhost"]["dns"] = {
+            "host": "172.25.0.2",
+            "port": 5353,
+        }
+        with patch.object(
+            nebula_mod,
+            "detect_paths",
+            return_value={
+                "ca_file": "/etc/nebula/ca.crt",
+                "cert_file": "/etc/nebula/testhost.crt",
+                "key_file": "/etc/nebula/testhost.key",
+                "config_dir": "/etc/nebula",
+            },
+        ):
+            config = nebula_mod.build_config()
+
+        assert config["lighthouse"]["serve_dns"] is True
+        assert config["lighthouse"]["dns"]["host"] == "172.25.0.2"
+        assert config["lighthouse"]["dns"]["port"] == 5353
+
+    def test_serve_dns_omitted_on_non_lighthouse(self):
+        """serve_dns is not emitted for regular nodes even if set in pillar."""
+        nebula_mod.__pillar__["nebula"]["hosts"]["testhost"]["serve_dns"] = True
+        with patch.object(
+            nebula_mod,
+            "detect_paths",
+            return_value={
+                "ca_file": "/etc/nebula/ca.crt",
+                "cert_file": "/etc/nebula/testhost.crt",
+                "key_file": "/etc/nebula/testhost.key",
+                "config_dir": "/etc/nebula",
+            },
+        ):
+            config = nebula_mod.build_config()
+
+        assert "serve_dns" not in config["lighthouse"]
+        assert "dns" not in config["lighthouse"]
+
+    def test_sshd_enabled(self):
+        """sshd block is built correctly from pillar."""
+        nebula_mod.__pillar__["nebula"]["hosts"]["testhost"]["sshd"] = {
+            "enabled": True,
+            "listen": "127.0.0.1:20022",
+            "host_key": "/etc/nebula/testhost_host",
+            "authorized_users": [{"user": "alice", "keys": ["ssh-ed25519 AAAA..."]}],
+        }
+        with patch.object(
+            nebula_mod,
+            "detect_paths",
+            return_value={
+                "ca_file": "/etc/nebula/ca.crt",
+                "cert_file": "/etc/nebula/testhost.crt",
+                "key_file": "/etc/nebula/testhost.key",
+                "config_dir": "/etc/nebula",
+            },
+        ):
+            config = nebula_mod.build_config()
+
+        assert "sshd" in config
+        assert config["sshd"]["enabled"] is True
+        assert config["sshd"]["listen"] == "127.0.0.1:20022"
+        assert config["sshd"]["host_key"] == "/etc/nebula/testhost_host"
+        assert config["sshd"]["authorized_users"][0]["user"] == "alice"
+
+    def test_sshd_default_host_key(self):
+        """sshd host_key defaults to config_dir/ssh_host_ed25519_key."""
+        nebula_mod.__pillar__["nebula"]["hosts"]["testhost"]["sshd"] = {
+            "enabled": True,
+            "listen": "127.0.0.1:22",
+        }
+        with patch.object(
+            nebula_mod,
+            "detect_paths",
+            return_value={
+                "ca_file": "/etc/nebula/ca.crt",
+                "cert_file": "/etc/nebula/testhost.crt",
+                "key_file": "/etc/nebula/testhost.key",
+                "config_dir": "/etc/nebula",
+            },
+        ):
+            config = nebula_mod.build_config()
+
+        assert config["sshd"]["host_key"] == "/etc/nebula/ssh_host_ed25519_key"
+
+    def test_sshd_absent_when_not_configured(self):
+        """sshd key is not emitted when not in pillar."""
+        with patch.object(
+            nebula_mod,
+            "detect_paths",
+            return_value={
+                "ca_file": "/etc/nebula/ca.crt",
+                "cert_file": "/etc/nebula/testhost.crt",
+                "key_file": "/etc/nebula/testhost.key",
+                "config_dir": "/etc/nebula",
+            },
+        ):
+            config = nebula_mod.build_config()
+
+        assert "sshd" not in config
+
 
 # ---------------------------------------------------------------------------
 # backup_config / rollback_config
