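# NixOS module wiring this host into the "sourcephile.fr" Nebula overlay:
# the nebula package, the systemd credential carrying the private key, the
# overlay host names, the Nebula network itself, and the nftables rules that
# admit its traffic on the host firewall.
{
  pkgs,
  lib,
  config,
  inputs,
  hostName,
  ...
}:
let
  domain = "sourcephile.fr";
  # Read back from the option tree (both carry mkDefault below) so the nftables
  # rules stay in step with whatever port / device are finally chosen.
  port = toString config.services.nebula.networks.${domain}.listen.port;
  iface = config.services.nebula.networks.${domain}.tun.device;
  IPv4Prefix = "10.0.0";
  # Single source of truth for overlay addressing: host name -> last IPv4 octet.
  # networking.hosts, staticHostMap, lighthouses/relays and fail2ban.ignoreIP
  # are all derived from it, so a host cannot be renumbered in one list only.
  hostOctets = {
    mermet = 1;
    losurdo = 2;
    oignon = 3;
    patate = 4;
    carotte = 5;
    aubergine = 6;
    courge = 7;
    blackberry = 8;
    pumpkin = 9;
  };
  # Overlay IPv4 address of a host listed in hostOctets.
  ipOf = name: "${IPv4Prefix}.${toString hostOctets.${name}}";
in
{
  environment.systemPackages = with pkgs; [ nebula ];

  systemd.services."nebula@${domain}" = {
    # NOTE(review): presumably keeps the tunnel up across a nixos-rebuild
    # switch that changes this unit — confirm.
    reloadIfChanged = false;
    stopIfChanged = false;
    # The private key travels as a systemd encrypted credential: builtins.path
    # copies only the `${hostName}.key.cred` blob into the Nix store, and systemd
    # decrypts it at service start under /run/credentials/<unit>/, which is
    # exactly where services.nebula.networks.${domain}.key points below.
    serviceConfig.LoadCredentialEncrypted = [
      "${hostName}.key:${
        builtins.path { path = inputs.self + "/hosts/${hostName}/nebula/${domain}/${hostName}.key.cred"; }
      }"
    ];
  };

  # Deploy target for the `install` tooling; overridable through $NIXOS_TARGET
  # at deploy time (the outer quotes are part of the emitted shell word).
  install.target = lib.mkDefault "\"\${NIXOS_TARGET:-root@${config.networking.hostName}.sp}\"";

  # `<host>.sp` resolves to that host's overlay address, for every host in hostOctets.
  networking.hosts = lib.mapAttrs' (
    name: _: lib.nameValuePair (ipOf name) [ "${name}.sp" ]
  ) hostOctets;

  services.nebula.networks.${domain} = {
    enable = true;
    ca = lib.mkDefault (builtins.path { path = inputs.self + "/domains/${domain}/nebula/ca.crt"; });
    cert = lib.mkDefault (
      builtins.path { path = inputs.self + "/hosts/${hostName}/nebula/${domain}/${hostName}.crt"; }
    );
    # Decrypted at runtime from the LoadCredentialEncrypted entry above; never a store path.
    key = "/run/credentials/nebula@${domain}.service/${hostName}.key";
    # Binds every IPv4 interface; which networks may actually reach ${port} is
    # decided by the nftables lan/net chains below.
    listen.host = lib.mkDefault "0.0.0.0";
    tun.device = lib.mkDefault "neb-sourcephile";
    # Public endpoints of the lighthouses; every other peer is located through them.
    staticHostMap = {
      ${ipOf "mermet"} = [ "mermet.${domain}:10001" ];
      ${ipOf "losurdo"} = [ "losurdo.${domain}:10002" ];
    };
    lighthouses = [
      (ipOf "mermet")
      (ipOf "losurdo")
    ];
    # Relay to fall back on when no direct path to a peer can be established.
    relays = [
      (ipOf "mermet")
    ];
    # Nebula's own, certificate-group based firewall: only ICMP between members
    # of the sourcephile/intra groups is admitted here. Rules for other services
    # (e.g. the SSH/Mosh ports accepted by nftables below) are presumably merged
    # in by the modules providing them — verify, since nftables alone cannot
    # admit traffic that the Nebula firewall has already rejected.
    firewall = {
      inbound = [
        {
          port = "any";
          proto = "icmp";
          groups = [
            "sourcephile"
            "intra"
          ];
        }
      ];
      outbound = [
        {
          port = "any";
          proto = "icmp";
          groups = [
            "sourcephile"
            "intra"
          ];
        }
      ];
    };
    settings = {
      # Idle timeouts of the Nebula firewall's connection tracker.
      firewall = {
        conntrack = {
          tcp_timeout = "12m";
          udp_timeout = "3m";
          default_timeout = "10m";
        };
      };
      logging = {
        level = lib.mkDefault "info";
      };
      # Tear down tunnels to peers whose certificate stops being valid.
      pki.disconnect_invalid = true;
      # Hint that peers sharing this LAN range should be reached directly on it.
      preferred_ranges = [
        "192.168.0.0/16"
      ];
      #cipher = "chachapoly";
      /*
      stats = {
        type = "prometheus";
        listen = "127.0.0.1:8080";
        path = "/metrics";
        namespace = "prometheusns";
        subsystem = "nebula";
        interval = "10s";
        message_metrics = false;
        lighthouse_metrics = false;
      };
      */
    };
  };

  # Host firewall: admit Nebula's UDP port on the LAN/Internet chains; on the
  # overlay interface itself admit only SSH and Mosh, and log-and-drop anything
  # else that enters or leaves through it. The ipp/sane accepts are appended
  # only when the corresponding service is enabled on this host.
  networking.nftables.ruleset =
    ''
      table inet filter {
        chain input-lan {
          udp dport ${port} counter accept comment "Nebula ${domain}"
        }
        chain output-lan {
          udp sport ${port} counter accept comment "Nebula ${domain}"
        }
        chain input-net {
          udp dport ${port} counter accept comment "Nebula ${domain}"
        }
        chain output-net {
          udp sport ${port} counter accept comment "Nebula ${domain}"
        }
        chain input-${iface} {
          tcp dport ssh counter accept comment "SSH"
          udp dport 60000-60100 counter accept comment "Mosh"
        }
        chain output-${iface} {
          tcp dport ssh counter accept comment "SSH"
          udp dport 60000-60100 counter accept comment "Mosh"
        }
        chain input {
          iifname ${iface} jump input-${iface} comment "MUST be before the address-based jumps to input-lan"
          iifname ${iface} log level warn prefix "input-${iface}: " counter drop
        }
        chain output {
          oifname ${iface} jump output-${iface}
          oifname ${iface} log level warn prefix "output-${iface}: " counter drop
        }
      }
    ''
    + lib.optionalString config.services.printing.enable ''
      table inet filter {
        chain output-${iface} {
          tcp dport { ipp, ipps } counter accept comment "printing: IPP"
        }
      }
    ''
    + lib.optionalString config.hardware.sane.enable ''
      table inet filter {
        chain output-${iface} {
          tcp dport sane-port counter accept comment "sane-net: SANE"
        }
      }
    '';

  # Keep NetworkManager from configuring the tun device Nebula manages itself.
  networking.networkmanager.unmanaged = [ iface ];

  # Overlay peers that must never be banned by fail2ban.
  services.fail2ban.ignoreIP = map ipOf [
    "mermet"
    "losurdo"
    "oignon"
    "pumpkin"
  ];
}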