domains/sourcephile.fr/nebula.nix

   1 { pkgs, lib, config, inputs, hostName, ... }:
   2 let
   3   domain = "sourcephile.fr";
   4   port = toString config.services.nebula.networks.${domain}.listen.port;
   5   iface = config.services.nebula.networks.${domain}.tun.device;
   6   IPv4Prefix = "10.0.0";
   7 in
   8 {
   9   environment.systemPackages = with pkgs; [ nebula ];
  10   systemd.services."nebula@${domain}" = {
  11     reloadIfChanged = false;
  12     stopIfChanged = false;
  13     serviceConfig.LoadCredentialEncrypted = [
  14       "${hostName}.key:${builtins.path { path = inputs.self + "/hosts/${hostName}/nebula/${domain}/${hostName}.key.cred"; }}"
  15     ];
  16   };
  17   install.target = lib.mkDefault "\"\${NIXOS_TARGET:-root@${config.networking.hostName}.sp}\"";
  18   networking.hosts = {
  19     "${IPv4Prefix}.1" = [ "mermet.sp" ];
  20     "${IPv4Prefix}.2" = [ "losurdo.sp" ];
  21     "${IPv4Prefix}.3" = [ "oignon.sp" ];
  22     "${IPv4Prefix}.4" = [ "patate.sp" ];
  23     "${IPv4Prefix}.5" = [ "carotte.sp" ];
  24     "${IPv4Prefix}.6" = [ "aubergine.sp" ];
  25     "${IPv4Prefix}.7" = [ "courge.sp" ];
  26     "${IPv4Prefix}.8" = [ "blackberry.sp" ];
  27     "${IPv4Prefix}.9" = [ "pumpkin.sp" ];
  28   };
  29   services.nebula.networks.${domain} = {
  30     enable = true;
  31     ca = lib.mkDefault (builtins.path { path = inputs.self + "/domains/${domain}/nebula/ca.crt"; });
  32     cert = lib.mkDefault (builtins.path { path = inputs.self + "/hosts/${hostName}/nebula/${domain}/${hostName}.crt"; });
  33     key = "/run/credentials/nebula@${domain}.service/${hostName}.key";
  34     listen.host = lib.mkDefault "0.0.0.0";
  35     tun.device = lib.mkDefault "neb-sourcephile";
  36     staticHostMap = {
  37       "${IPv4Prefix}.1" = [ "mermet.${domain}:10001" ];
  38       "${IPv4Prefix}.2" = [ "losurdo.${domain}:10002" ];
  39     };
  40     lighthouses = [
  41       "${IPv4Prefix}.1"
  42       "${IPv4Prefix}.2"
  43     ];
  44     relays = [
  45       "${IPv4Prefix}.1"
  46     ];
  47     firewall = {
  48       inbound = [
  49         { port = "any"; proto = "icmp"; groups = [ "sourcephile" "intra" ]; }
  50       ];
  51       outbound = [
  52         { port = "any"; proto = "icmp"; groups = [ "sourcephile" "intra" ]; }
  53       ];
  54     };
  55     settings = {
  56       firewall = {
  57         conntrack = {
  58           tcp_timeout = "12m";
  59           udp_timeout = "3m";
  60           default_timeout = "10m";
  61         };
  62       };
  63       logging = {
  64         level = lib.mkDefault "info";
  65       };
  66       pki.disconnect_invalid = true;
  67       preferred_ranges = [
  68         "192.168.0.0/16"
  69       ];
  70       #cipher = "chachapoly";
  71       /*
  72       stats = {
  73         type = "prometheus";
  74         listen = "127.0.0.1:8080";
  75         path = "/metrics";
  76         namespace = "prometheusns";
  77         subsystem = "nebula";
  78         interval = "10s";
  79         message_metrics = false;
  80         lighthouse_metrics = false;
  81       };
  82       */
  83     };
  84   };
  85   networking.nftables.ruleset = ''
  86     table inet filter {
  87       chain input-lan {
  88         udp dport ${port} counter accept comment "Nebula ${domain}"
  89       }
  90       chain output-lan {
  91         udp sport ${port} counter accept comment "Nebula ${domain}"
  92       }
  93       chain input-net {
  94         udp dport ${port} counter accept comment "Nebula ${domain}"
  95       }
  96       chain output-net {
  97         udp sport ${port} counter accept comment "Nebula ${domain}"
  98       }
  99       chain input-${iface} {
 100         tcp dport ssh counter accept comment "SSH"
 101         udp dport 60000-60100 counter accept comment "Mosh"
 102       }
 103       chain output-${iface} {
 104         tcp dport ssh counter accept comment "SSH"
 105         udp dport 60000-60100 counter accept comment "Mosh"
 106       }
 107       chain input {
 108         iifname ${iface} jump input-${iface} comment "MUST be before the address-based jumps to input-lan"
 109         iifname ${iface} log level warn prefix "input-${iface}: " counter drop
 110       }
 111       chain output {
 112         oifname ${iface} jump output-${iface}
 113         oifname ${iface} log level warn prefix "output-${iface}: " counter drop
 114       }
 115     }
 116   '' + lib.optionalString config.services.printing.enable ''
 117     table inet filter {
 118       chain output-${iface} {
 119         tcp dport { ipp, ipps } counter accept comment "printing: IPP"
 120       }
 121     }
 122   '' + lib.optionalString config.hardware.sane.enable ''
 123     table inet filter {
 124       chain output-${iface} {
 125         tcp dport sane-port counter accept comment "sane-net: SANE"
 126       }
 127     }
 128   '';
 129   networking.networkmanager.unmanaged = [ iface ];
 130   services.fail2ban.ignoreIP = [
 131     "${IPv4Prefix}.1" # mermet.sp
 132     "${IPv4Prefix}.2" # losurdo.sp
 133     "${IPv4Prefix}.3" # oignon.sp
 134     "${IPv4Prefix}.9" # pumpkin.sp
 135   ];
 136 }