# NixOS module for the "sourcephile.fr" Nebula overlay network.
#
# It hands the per-host Nebula private key to the service as an encrypted
# systemd credential, names the overlay members, declares lighthouses/relays,
# and adds kernel-level (nftables) policy for the overlay interface on top of
# Nebula's own certificate-group firewall.
{ pkgs, lib, config, inputs, hostName, ... }:
let
  domain = "sourcephile.fr";
  # Read back through `config` (not from the literals below) so the nftables
  # rules follow the final, possibly overridden, listen port and tun device.
  port = toString config.services.nebula.networks.${domain}.listen.port;
  iface = config.services.nebula.networks.${domain}.tun.device;
in
{
  environment.systemPackages = with pkgs; [ nebula ];
  # Private key delivery: only the encrypted `.cred` blob lives in the flake
  # (and therefore in the Nix store). systemd decrypts it when the
  # nebula@<domain> unit starts and exposes it under /run/credentials/, which
  # is where `key` below points.
  systemd.services."nebula@${domain}".serviceConfig.LoadCredentialEncrypted = [
    "${hostName}.key:${inputs.self + "/hosts/${hostName}/nebula/${hostName}.key.cred"}"
  ];
  # Project-specific option declared elsewhere; presumably the default SSH
  # deploy target for this host, overridable via $NIXOS_TARGET — confirm
  # against the module that defines `install.target`.
  install.target = lib.mkDefault "\"\${NIXOS_TARGET:-root@${config.networking.hostName}.sp}\"";
  # Overlay (10.0.0.0/24) addresses of the members under the private `.sp`
  # suffix, resolved through /etc/hosts so no DNS is needed for peer names.
  networking.hosts = {
    "10.0.0.1" = [ "mermet.sp" ];
    "10.0.0.2" = [ "losurdo.sp" ];
    "10.0.0.3" = [ "oignon.sp" ];
    "10.0.0.4" = [ "patate.sp" ];
    "10.0.0.5" = [ "carotte.sp" ];
    "10.0.0.6" = [ "aubergine.sp" ];
    "10.0.0.7" = [ "courge.sp" ];
  };
  services.nebula.networks.${domain} = {
    enable = true;
    # CA and per-host certificate are public material kept in the repository:
    # share/nebula/<domain>/ca.crt next to this file and
    # share/nebula/<domain>/<hostName>.crt from the flake root.
    ca = lib.mkDefault (./. + "/${domain}/ca.crt");
    cert = lib.mkDefault (inputs.self + "/share/nebula/${domain}/${hostName}.crt");
    # Decrypted copy of the credential loaded above; intentionally not a store path.
    key = "/run/credentials/nebula@${domain}.service/${hostName}.key";
    listen.host = lib.mkDefault "0.0.0.0";
    tun.device = lib.mkDefault "neb-sourcephile";
    # The two lighthouses are the only peers with a fixed underlay address;
    # their public names are resolved through the real `sourcephile.fr` zone.
    staticHostMap = {
      "10.0.0.1" = [ "mermet.${domain}:10001" ];
      "10.0.0.2" = [ "losurdo.${domain}:10002" ];
    };
    lighthouses = [
      "10.0.0.1"
      "10.0.0.2"
    ];
    # Peers that cannot establish a direct tunnel are relayed through mermet.
    relays = [
      "10.0.0.1"
    ];
    # Nebula's certificate-group firewall. Only ICMP is opened here, and only
    # for peers whose certificate carries *both* groups (`groups` is an AND).
    # Service-specific rules are expected to be added per host in other modules.
    firewall = {
      inbound = [
        { port = "any"; proto = "icmp"; groups = [ "sourcephile" "intra" ]; }
      ];
      outbound = [
        { port = "any"; proto = "icmp"; groups = [ "sourcephile" "intra" ]; }
      ];
    };
    settings = {
      firewall = {
        # Idle timeouts for Nebula's own connection tracking.
        conntrack = {
          tcp_timeout = "12m";
          udp_timeout = "3m";
          default_timeout = "10m";
        };
      };
      logging = {
        level = lib.mkDefault "info";
      };
      # Tear down established tunnels as soon as a peer's certificate stops
      # being valid (expiry or blocklist) rather than letting them idle out.
      pki.disconnect_invalid = true;
      # Prefer a peer's LAN underlay address over its public one when both
      # are advertised, keeping local traffic off the internet path.
      preferred_ranges = [
        "192.168.0.0/16"
      ];
      # Disabled example of the Prometheus stats exporter (loopback-only bind).
      /*
      stats = {
        type = "prometheus";
        listen = "127.0.0.1:8080";
        path = "/metrics";
        namespace = "prometheusns";
        subsystem = "nebula";
        interval = "10s";
        message_metrics = false;
        lighthouse_metrics = false;
      };
      */
    };
  };
  # Kernel-level policy complementing Nebula's firewall.
  # - The *-lan / *-net chains are presumably declared elsewhere in the merged
  #   ruleset; this file only adds the rule admitting Nebula's UDP underlay
  #   traffic to them.
  # - input-<iface> / output-<iface> are default-deny for the overlay: only SSH
  #   and Mosh are admitted, everything else from or to the tun device is
  #   logged at warn level and dropped. Other interfaces are untouched.
  # NOTE(review): Nebula's firewall above admits ICMP but input-<iface> does
  # not, so overlay pings hit the log+drop rule unless `chain input` accepts
  # ICMP before the jump (possibly in another file) — confirm the intent.
  # NOTE(review): 60000-60100 is narrower than mosh-server's default port range
  # (60000-61000); confirm the server is started with a matching range.
  # NOTE(review): the drop rules log unthrottled; a `limit rate` on the log
  # rules would keep a noisy peer from flooding the journal.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-lan {
        udp dport ${port} counter accept comment "Nebula ${domain}"
      }
      chain output-lan {
        udp sport ${port} counter accept comment "Nebula ${domain}"
      }
      chain input-net {
        udp dport ${port} counter accept comment "Nebula ${domain}"
      }
      chain output-net {
        udp sport ${port} counter accept comment "Nebula ${domain}"
      }
      chain input-${iface} {
        tcp dport ssh counter accept comment "SSH"
        udp dport 60000-60100 counter accept comment "Mosh"
      }
      chain output-${iface} {
        tcp dport ssh counter accept comment "SSH"
        udp dport 60000-60100 counter accept comment "Mosh"
      }
      chain input {
        iifname ${iface} jump input-${iface}
        iifname ${iface} log level warn prefix "input-${iface}: " counter drop
      }
      chain output {
        oifname ${iface} jump output-${iface}
        oifname ${iface} log level warn prefix "output-${iface}: " counter drop
      }
    }
  '';
  # Keep NetworkManager from touching the Nebula tun device.
  networking.networkmanager.unmanaged = [ iface ];
}