domains/sourcephile.fr/nebula.nix

   1 {
   2   pkgs,
   3   lib,
   4   config,
   5   inputs,
   6   hostName,
   7   ...
   8 }:
   9 let
  10   domain = "sourcephile.fr";
  11   port = toString config.services.nebula.networks.${domain}.listen.port;
  12   iface = config.services.nebula.networks.${domain}.tun.device;
  13   IPv4Prefix = "10.0.0";
  14 in
  15 {
  16   environment.systemPackages = with pkgs; [ nebula ];
  17   systemd.services."nebula@${domain}" = {
  18     reloadIfChanged = false;
  19     stopIfChanged = false;
  20     after = [ "chronyd.service" ];
  21     serviceConfig.LoadCredentialEncrypted = [
  22       "${hostName}.key:${
  23         builtins.path { path = inputs.self + "/hosts/${hostName}/nebula/${domain}/${hostName}.key.cred"; }
  24       }"
  25     ];
  26   };
  27   install.target = lib.mkDefault "root@${config.networking.hostName}.sp";
  28   networking.hosts = {
  29     "${IPv4Prefix}.1" = [ "mermet.sp" ];
  30     "${IPv4Prefix}.2" = [ "losurdo.sp" ];
  31     "${IPv4Prefix}.3" = [ "oignon.sp" ];
  32     "${IPv4Prefix}.4" = [ "patate.sp" ];
  33     "${IPv4Prefix}.5" = [ "carotte.sp" ];
  34     "${IPv4Prefix}.6" = [ "aubergine.sp" ];
  35     "${IPv4Prefix}.7" = [ "courge.sp" ];
  36     "${IPv4Prefix}.8" = [ "blackberry.sp" ];
  37     "${IPv4Prefix}.9" = [ "pumpkin.sp" ];
  38     "${IPv4Prefix}.10" = [ "nan2gua1.sp" ];
  39   };
  40   services.nebula.networks.${domain} = {
  41     enable = true;
  42     ca = lib.mkDefault (builtins.path { path = inputs.self + "/domains/${domain}/nebula/ca.crt"; });
  43     cert = lib.mkDefault (
  44       builtins.path { path = inputs.self + "/hosts/${hostName}/nebula/${domain}/${hostName}.crt"; }
  45     );
  46     key = "/run/credentials/nebula@${domain}.service/${hostName}.key";
  47     listen.host = lib.mkDefault "0.0.0.0";
  48     tun.device = lib.mkDefault "neb-sourcephile";
  49     staticHostMap = {
  50       "${IPv4Prefix}.1" = [
  51         "mermet.${domain}:10001"
  52         "80.67.180.129:10001"
  53         "88.140.48.201:10001"
  54       ];
  55       "${IPv4Prefix}.2" = [
  56         "losurdo.${domain}:10002"
  57         "88.140.48.201:10002"
  58       ];
  59     };
  60     lighthouses = [
  61       "${IPv4Prefix}.1"
  62       "${IPv4Prefix}.2"
  63     ];
  64     relays = [
  65       "${IPv4Prefix}.1"
  66     ];
  67     firewall = {
  68       inbound = [
  69         {
  70           port = "any";
  71           proto = "icmp";
  72           groups = [
  73             "sourcephile"
  74             "intra"
  75           ];
  76         }
  77       ];
  78       outbound = [
  79         {
  80           port = "any";
  81           proto = "icmp";
  82           groups = [
  83             "sourcephile"
  84             "intra"
  85           ];
  86         }
  87       ];
  88     };
  89     settings = {
  90       firewall = {
  91         conntrack = {
  92           tcp_timeout = "12m";
  93           udp_timeout = "3m";
  94           default_timeout = "10m";
  95         };
  96       };
  97       logging = {
  98         level = lib.mkDefault "info";
  99       };
 100       pki.disconnect_invalid = true;
 101       preferred_ranges = [
 102         "192.168.0.0/16"
 103       ];
 104       #cipher = "chachapoly";
 105       /*
 106         stats = {
 107           type = "prometheus";
 108           listen = "127.0.0.1:8080";
 109           path = "/metrics";
 110           namespace = "prometheusns";
 111           subsystem = "nebula";
 112           interval = "10s";
 113           message_metrics = false;
 114           lighthouse_metrics = false;
 115         };
 116       */
 117     };
 118   };
 119   networking.nftables.ruleset = ''
 120     table inet filter {
 121       chain input-lan {
 122         udp dport ${port} counter accept comment "Nebula ${domain}"
 123       }
 124       chain output-lan {
 125         udp sport ${port} counter accept comment "Nebula ${domain}"
 126       }
 127       chain input-net {
 128         udp dport ${port} counter accept comment "Nebula ${domain}"
 129       }
 130       chain output-net {
 131         udp sport ${port} counter accept comment "Nebula ${domain}"
 132       }
 133       chain input-${iface} {
 134         tcp dport ssh counter accept comment "SSH"
 135         udp dport 60000-60100 counter accept comment "Mosh"
 136       }
 137       chain output-${iface} {
 138         tcp dport ssh counter accept comment "SSH"
 139         tcp dport {http,https} counter accept comment "HTTP"
 140         udp dport 60000-60100 counter accept comment "Mosh"
 141       }
 142       chain input {
 143         iifname ${iface} jump input-${iface} comment "MUST be before the address-based jumps to input-lan"
 144         iifname ${iface} log level warn prefix "input-${iface}: " counter drop
 145       }
 146       chain output {
 147         oifname ${iface} jump output-${iface}
 148         oifname ${iface} log level warn prefix "output-${iface}: " counter drop
 149       }
 150     }
 151   ''
 152   + lib.optionalString config.services.printing.enable ''
 153     table inet filter {
 154       chain output-${iface} {
 155         tcp dport { ipp, ipps } counter accept comment "printing: IPP"
 156       }
 157     }
 158   ''
 159   + lib.optionalString config.hardware.sane.enable ''
 160     table inet filter {
 161       chain output-${iface} {
 162         tcp dport sane-port counter accept comment "sane-net: SANE"
 163       }
 164     }
 165   '';
 166   networking.networkmanager.unmanaged = [ iface ];
 167   services.fail2ban.ignoreIP = [
 168     "${IPv4Prefix}.1" # mermet.sp
 169     "${IPv4Prefix}.2" # losurdo.sp
 170     "${IPv4Prefix}.3" # oignon.sp
 171     "${IPv4Prefix}.9" # pumpkin.sp
 172     "${IPv4Prefix}.10" # nan2gua1.sp
 173   ];
 174 }