10 domain = "sourcephile.fr";
11 port = toString config.services.nebula.networks.${domain}.listen.port;
12 iface = config.services.nebula.networks.${domain}.tun.device;
13 IPv4Prefix = "10.0.0";
16 environment.systemPackages = with pkgs; [ nebula ];
17 systemd.services."nebula@${domain}" = {
18 reloadIfChanged = false;
19 stopIfChanged = false;
20 after = [ "chronyd.service" ];
21 serviceConfig.LoadCredentialEncrypted = [
23 builtins.path { path = inputs.self + "/hosts/${hostName}/nebula/${domain}/${hostName}.key.cred"; }
27 install.target = lib.mkDefault "root@${config.networking.hostName}.sp";
29 "${IPv4Prefix}.1" = [ "mermet.sp" ];
30 "${IPv4Prefix}.2" = [ "losurdo.sp" ];
31 "${IPv4Prefix}.3" = [ "oignon.sp" ];
32 "${IPv4Prefix}.4" = [ "patate.sp" ];
33 "${IPv4Prefix}.5" = [ "carotte.sp" ];
34 "${IPv4Prefix}.6" = [ "aubergine.sp" ];
35 "${IPv4Prefix}.7" = [ "courge.sp" ];
36 "${IPv4Prefix}.8" = [ "blackberry.sp" ];
37 "${IPv4Prefix}.9" = [ "pumpkin.sp" ];
38 "${IPv4Prefix}.10" = [ "nan2gua1.sp" ];
40 services.nebula.networks.${domain} = {
42 ca = lib.mkDefault (builtins.path { path = inputs.self + "/domains/${domain}/nebula/ca.crt"; });
43 cert = lib.mkDefault (
44 builtins.path { path = inputs.self + "/hosts/${hostName}/nebula/${domain}/${hostName}.crt"; }
46 key = "/run/credentials/nebula@${domain}.service/${hostName}.key";
47 listen.host = lib.mkDefault "0.0.0.0";
48 tun.device = lib.mkDefault "neb-sourcephile";
51 "mermet.${domain}:10001"
55 "losurdo.${domain}:10002"
93 default_timeout = "10m";
97 level = lib.mkDefault "info";
99 pki.disconnect_invalid = true;
103 #cipher = "chachapoly";
107 listen = "127.0.0.1:8080";
109 namespace = "prometheusns";
110 subsystem = "nebula";
112 message_metrics = false;
113 lighthouse_metrics = false;
118 networking.nftables.ruleset = ''
121 udp dport ${port} counter accept comment "Nebula ${domain}"
124 udp sport ${port} counter accept comment "Nebula ${domain}"
127 udp dport ${port} counter accept comment "Nebula ${domain}"
130 udp sport ${port} counter accept comment "Nebula ${domain}"
132 chain input-${iface} {
133 tcp dport ssh counter accept comment "SSH"
134 udp dport 60000-60100 counter accept comment "Mosh"
136 chain output-${iface} {
137 tcp dport ssh counter accept comment "SSH"
138 tcp dport {http,https} counter accept comment "HTTP"
139 udp dport 60000-60100 counter accept comment "Mosh"
142 iifname ${iface} jump input-${iface} comment "MUST be before the address-based jumps to input-lan"
143 iifname ${iface} log level warn prefix "input-${iface}: " counter drop
146 oifname ${iface} jump output-${iface}
147 oifname ${iface} log level warn prefix "output-${iface}: " counter drop
151 + lib.optionalString config.services.printing.enable ''
153 chain output-${iface} {
154 tcp dport { ipp, ipps } counter accept comment "printing: IPP"
158 + lib.optionalString config.hardware.sane.enable ''
160 chain output-${iface} {
161 tcp dport sane-port counter accept comment "sane-net: SANE"
165 networking.networkmanager.unmanaged = [ iface ];
166 services.fail2ban.ignoreIP = [
167 "${IPv4Prefix}.1" # mermet.sp
168 "${IPv4Prefix}.2" # losurdo.sp
169 "${IPv4Prefix}.3" # oignon.sp
170 "${IPv4Prefix}.9" # pumpkin.sp
171 "${IPv4Prefix}.10" # nan2gua1.sp
sourcephile / git / julm / julm-nix.git / blob