# Nebula overlay network "sourcephile.fr" for this host: the NixOS Nebula
# service (certificate, key, lighthouses, Nebula-level firewall), the matching
# host-level nftables rules, and a few related host settings.
{ pkgs, lib, config, inputs, hostName, ... }:
let
  domain = "sourcephile.fr";
  # Read the *resolved* listen port and tun device back from the module, so the
  # nftables rules below stay in sync with any per-host override of the defaults.
  port = toString config.services.nebula.networks.${domain}.listen.port;
  iface = config.services.nebula.networks.${domain}.tun.device;
  # First three octets of the overlay addresses (10.0.0.X).
  IPv4Prefix = "10.0.0";
in
{
  environment.systemPackages = with pkgs; [ nebula ];
  systemd.services."nebula@${domain}" = {
    # NOTE(review): presumably so that `nixos-rebuild switch` does not bounce the
    # tunnel on every configuration change — confirm.
    reloadIfChanged = false;
    stopIfChanged = false;
    # The host's Nebula private key is shipped as a systemd encrypted credential
    # (<hostName>.key.cred, kept in the flake) and is decrypted by systemd when
    # the service starts; `key` below points at that decrypted copy under
    # /run/credentials/.
    serviceConfig.LoadCredentialEncrypted = [
      "${hostName}.key:${builtins.path { path = inputs.self + "/hosts/${hostName}/nebula/${domain}/${hostName}.key.cred"; }}"
    ];
  };
  # NOTE(review): `install.target` is not a nixpkgs option; it looks like a
  # repo-local deployment option defaulting to root@<hostName>.sp — confirm.
  install.target = lib.mkDefault "\"\${NIXOS_TARGET:-root@${config.networking.hostName}.sp}\"";
  # Static name resolution for the overlay: <host>.sp -> 10.0.0.X.
  networking.hosts = {
    "${IPv4Prefix}.1" = [ "mermet.sp" ];
    "${IPv4Prefix}.2" = [ "losurdo.sp" ];
    "${IPv4Prefix}.3" = [ "oignon.sp" ];
    "${IPv4Prefix}.4" = [ "patate.sp" ];
    "${IPv4Prefix}.5" = [ "carotte.sp" ];
    "${IPv4Prefix}.6" = [ "aubergine.sp" ];
    "${IPv4Prefix}.7" = [ "courge.sp" ];
    "${IPv4Prefix}.8" = [ "blackberry.sp" ];
    "${IPv4Prefix}.9" = [ "pumpkin.sp" ];
  };
  services.nebula.networks.${domain} = {
    enable = true;
    # CA and host certificate are taken from the flake; mkDefault lets a host
    # module point at different files.
    ca = lib.mkDefault (builtins.path { path = inputs.self + "/domains/${domain}/nebula/ca.crt"; });
    cert = lib.mkDefault (builtins.path { path = inputs.self + "/hosts/${hostName}/nebula/${domain}/${hostName}.crt"; });
    # Decrypted copy of the encrypted credential loaded by the systemd unit above.
    key = "/run/credentials/nebula@${domain}.service/${hostName}.key";
    # Listen on every IPv4 address; the nftables rules below open `port` (UDP)
    # on both the lan and net chains.
    listen.host = lib.mkDefault "0.0.0.0";
    tun.device = lib.mkDefault "neb-sourcephile";
    # Underlay endpoints of the two lighthouses; other peers are learned from them.
    staticHostMap = {
      "${IPv4Prefix}.1" = [ "mermet.${domain}:10001" ];
      "${IPv4Prefix}.2" = [ "losurdo.${domain}:10002" ];
    };
    lighthouses = [
      "${IPv4Prefix}.1"
      "${IPv4Prefix}.2"
    ];
    # mermet also relays traffic for peers that cannot reach each other directly.
    relays = [
      "${IPv4Prefix}.1"
    ];
    # Nebula-level (certificate/group based) firewall: by default only ICMP is
    # allowed in either direction, and only from/to peers whose certificate
    # carries the "sourcephile" or "intra" group.
    # NOTE(review): NixOS merges list options, so other modules presumably extend
    # these lists for the services they expose (the SSH/Mosh accepted by the
    # nftables chains below would otherwise never reach the host) — confirm.
    firewall = {
      inbound = [
        { port = "any"; proto = "icmp"; groups = [ "sourcephile" "intra" ]; }
      ];
      outbound = [
        { port = "any"; proto = "icmp"; groups = [ "sourcephile" "intra" ]; }
      ];
    };
    settings = {
      # Tracked-flow timeouts of the Nebula firewall.
      firewall = {
        conntrack = {
          tcp_timeout = "12m";
          udp_timeout = "3m";
          default_timeout = "10m";
        };
      };
      logging = {
        level = lib.mkDefault "info";
      };
      # Tear down tunnels to peers whose certificate has become invalid.
      pki.disconnect_invalid = true;
      # Prefer underlay addresses in this range when a peer advertises several.
      preferred_ranges = [
        "192.168.0.0/16"
      ];
      # Cipher is left at Nebula's default (AES); uncomment for ChaCha20-Poly1305.
      #cipher = "chachapoly";
      # Prometheus stats exporter, currently disabled.
      /*
      stats = {
        type = "prometheus";
        listen = "127.0.0.1:8080";
        path = "/metrics";
        namespace = "prometheusns";
        subsystem = "nebula";
        interval = "10s";
        message_metrics = false;
        lighthouse_metrics = false;
      };
      */
    };
  };
  # Host-level nftables rules layered on top of the Nebula firewall:
  #  - input-lan/output-lan and input-net/output-net (defined elsewhere — these
  #    rules only add to them) accept the Nebula UDP transport port;
  #  - input-<iface>/output-<iface> accept SSH and Mosh on the overlay device
  #    and everything else arriving on or leaving via that device is logged at
  #    level warn and dropped;
  #  - the two optional tables add egress for IPP (printing) and SANE (scanners)
  #    over the overlay when those services are enabled.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-lan {
        udp dport ${port} counter accept comment "Nebula ${domain}"
      }
      chain output-lan {
        udp sport ${port} counter accept comment "Nebula ${domain}"
      }
      chain input-net {
        udp dport ${port} counter accept comment "Nebula ${domain}"
      }
      chain output-net {
        udp sport ${port} counter accept comment "Nebula ${domain}"
      }
      chain input-${iface} {
        tcp dport ssh counter accept comment "SSH"
        udp dport 60000-60100 counter accept comment "Mosh"
      }
      chain output-${iface} {
        tcp dport ssh counter accept comment "SSH"
        udp dport 60000-60100 counter accept comment "Mosh"
      }
      chain input {
        iifname ${iface} jump input-${iface} comment "MUST be before the address-based jumps to input-lan"
        iifname ${iface} log level warn prefix "input-${iface}: " counter drop
      }
      chain output {
        oifname ${iface} jump output-${iface}
        oifname ${iface} log level warn prefix "output-${iface}: " counter drop
      }
    }
  '' + lib.optionalString config.services.printing.enable ''
    table inet filter {
      chain output-${iface} {
        tcp dport { ipp, ipps } counter accept comment "printing: IPP"
      }
    }
  '' + lib.optionalString config.hardware.sane.enable ''
    table inet filter {
      chain output-${iface} {
        tcp dport sane-port counter accept comment "sane-net: SANE"
      }
    }
  '';
  # Keep NetworkManager from trying to configure the Nebula tun device.
  networking.networkmanager.unmanaged = [ iface ];
  # Overlay peers exempted from fail2ban: failed logins coming from these
  # addresses never trigger a ban, so this relies on those hosts being trusted.
  services.fail2ban.ignoreIP = [
    "${IPv4Prefix}.1" # mermet.sp
    "${IPv4Prefix}.2" # losurdo.sp
    "${IPv4Prefix}.3" # oignon.sp
    "${IPv4Prefix}.9" # pumpkin.sp
  ];
}