# Shared Nebula configuration for the "sourcephile.fr" overlay network.
# It wires the per-host certificate and the systemd-encrypted private key into
# the NixOS nebula service, names the overlay peers, and adds the nftables
# rules that let the UDP transport through and police the tun interface.
{ pkgs, lib, config, inputs, hostName, ... }:
let
  net = "sourcephile.fr";
  netCfg = config.services.nebula.networks.${net};
  netDir = ./. + "/${net}";
  # Read the effective port/device back from the evaluated options so the
  # nftables rules follow any per-host override of listen.port or tun.device.
  udpPort = toString netCfg.listen.port;
  tunDev = netCfg.tun.device;
  # Overlay address -> short name; the ".sp" suffix is appended below.
  peers = [
    { ip = "10.0.0.1"; name = "mermet"; }
    { ip = "10.0.0.2"; name = "losurdo"; }
    { ip = "10.0.0.3"; name = "oignon"; }
    { ip = "10.0.0.4"; name = "patate"; }
    { ip = "10.0.0.5"; name = "carotte"; }
    { ip = "10.0.0.6"; name = "aubergine"; }
    { ip = "10.0.0.7"; name = "courge"; }
  ];
  # mermet and losurdo have fixed underlay endpoints (see staticHostMap) and
  # serve as lighthouses; mermet can additionally relay for peers that cannot
  # reach each other directly.
  lighthouseIPs = [ "10.0.0.1" "10.0.0.2" ];
  relayIPs = [ "10.0.0.1" ];
  # The only traffic this shared module admits through Nebula's own
  # (whitelist) firewall: ICMP between members of the sourcephile/intra
  # groups.  Any TCP/UDP service is presumably opened per host — verify.
  icmpBetweenGroups = {
    port = "any";
    proto = "icmp";
    groups = [ "sourcephile" "intra" ];
  };
in
{
  environment.systemPackages = [ pkgs.nebula ];

  # The private key is never copied into the Nix store: systemd decrypts the
  # per-host .key.cred into the unit's credentials directory at start-up, and
  # `key` below points at that runtime location.
  systemd.services."nebula@${net}".serviceConfig.LoadCredentialEncrypted = [
    "${hostName}.key:${inputs.self + "/hosts/${hostName}/nebula/${hostName}.key.cred"}"
  ];

  networking.hosts = lib.listToAttrs (
    map (p: lib.nameValuePair p.ip [ "${p.name}.sp" ]) peers
  );

  services.nebula.networks.${net} = {
    enable = true;
    ca = netDir + "/ca.crt";
    cert = netDir + "/${hostName}.crt";
    key = "/run/credentials/nebula@${net}.service/${hostName}.key";
    listen.host = lib.mkDefault "0.0.0.0";
    tun.device = lib.mkDefault "neb-sourcephile";
    staticHostMap = {
      "10.0.0.1" = [ "mermet.${net}:10001" ];
      "10.0.0.2" = [ "losurdo.${net}:10002" ];
    };
    lighthouses = lighthouseIPs;
    relays = relayIPs;
    firewall = {
      inbound = [ icmpBetweenGroups ];
      outbound = [ icmpBetweenGroups ];
    };
    settings = {
      firewall.conntrack = {
        tcp_timeout = "12m";
        udp_timeout = "3m";
        default_timeout = "10m";
      };
      logging.level = lib.mkDefault "info";
      # Tear down tunnels whose peer certificate is no longer valid instead of
      # keeping them up until they are next rebuilt.
      pki.disconnect_invalid = true;
      preferred_ranges = [
        "192.168.0.0/16"
      ];
      # Prometheus export is kept here as a reference but stays disabled.
      /*
      stats = {
        type = "prometheus";
        listen = "127.0.0.1:8080";
        path = "/metrics";
        namespace = "prometheusns";
        subsystem = "nebula";
        interval = "10s";
        message_metrics = false;
        lighthouse_metrics = false;
      };
      */
    };
  };

  # Underlay: let the Nebula UDP transport in and out on both the LAN- and
  # WAN-facing chains.  Overlay (the tun device): only SSH and Mosh are
  # accepted; anything else entering or leaving the interface is logged at
  # warn level and dropped.
  # NOTE(review): the input-lan/output-lan/input-net/output-net chains and
  # any established/related conntrack rule are not part of this fragment;
  # confirm the rest of the ruleset provides them, since replies to the
  # accepted SSH/Mosh flows depend on such a rule.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-lan {
        udp dport ${udpPort} counter accept comment "Nebula ${net}"
      }
      chain output-lan {
        udp sport ${udpPort} counter accept comment "Nebula ${net}"
      }
      chain input-net {
        udp dport ${udpPort} counter accept comment "Nebula ${net}"
      }
      chain output-net {
        udp sport ${udpPort} counter accept comment "Nebula ${net}"
      }
      chain input-${tunDev} {
        tcp dport ssh counter accept comment "SSH"
        udp dport 60000-60100 counter accept comment "Mosh"
      }
      chain output-${tunDev} {
        tcp dport ssh counter accept comment "SSH"
        udp dport 60000-60100 counter accept comment "Mosh"
      }
      chain input {
        iifname ${tunDev} jump input-${tunDev}
        iifname ${tunDev} log level warn prefix "input-${tunDev}: " counter drop
      }
      chain output {
        oifname ${tunDev} jump output-${tunDev}
        oifname ${tunDev} log level warn prefix "output-${tunDev}: " counter drop
      }
    }
  '';
}