hosts/aubergine/nebula.nix

   1 { pkgs, lib, config, inputs, hostName, ... }:
   2 let
   3   domain = "sourcephile.fr";
   4   iface = config.services.nebula.networks.${domain}.tun.device;
   5 in
   6 {
   7   imports = [
   8     ../../domains/sourcephile.fr/nebula.nix
   9   ];
  10   services.nebula.networks.${domain} = {
  11     listen.port = 10006;
  12     firewall = {
  13       inbound = [
  14         { port = "any"; proto = "any"; groups = [ "sourcephile" "intra" ]; }
  15       ];
  16       outbound = [
  17         { port = "any"; proto = "any"; host = "any"; }
  18       ];
  19     };
  20     settings = {
  21       punchy = {
  22         #punch = true;
  23         respond = true;
  24       };
  25     };
  26   };
  27   networking.nftables.ruleset = ''
  28     table inet filter {
  29       chain input-${iface} {
  30         tcp dport ipp counter accept comment "cupsd: IPP"
  31         tcp dport sane-port counter accept comment "saned: control port"
  32         # NoticeNote: not actually useful because there is a rule `ct related accept` before
  33         ct helper "sane" counter accept comment "saned: data ports"
  34       }
  35     }
  36   '';
  37 }