{
  pkgs,
  lib,
  config,
  inputs,
  hostName,
  ...
}:
# Nebula overlay network for the sourcephile.fr domain.
#
# Each host gets one tun interface on 10.0.0.0/24; the .1 and .2 peers act as
# lighthouses (and .1 as relay).  Host-side, nftables only opens the Nebula
# UDP port towards LAN/NET and admits SSH/Mosh on the overlay interface,
# logging and dropping everything else there in both directions.
let
  domain = "sourcephile.fr";
  net = config.services.nebula.networks.${domain};
  # Nebula's UDP listen port, stringified for the nftables ruleset below.
  port = toString net.listen.port;
  # Overlay tun interface name ("neb-sourcephile" unless a host overrides it).
  iface = net.tun.device;
  IPv4Prefix = "10.0.0";
  # Per-host PKI material lives under hosts/<hostName>/nebula/<domain>/.
  hostFile =
    ext:
    builtins.path { path = inputs.self + "/hosts/${hostName}/nebula/${domain}/${hostName}.${ext}"; };
  # Nebula-level firewall rule used for both directions: ICMP only, and only
  # between hosts carrying one of these certificate groups.
  icmpFromGroups = {
    port = "any";
    proto = "icmp";
    groups = [
      "sourcephile"
      "intra"
    ];
  };
  # Overlay hosts in address order: the i-th name resolves to ${IPv4Prefix}.i
  overlayHosts = [
    "mermet" # .1
    "losurdo" # .2
    "oignon" # .3
    "patate" # .4
    "carotte" # .5
    "aubergine" # .6
    "courge" # .7
    "blackberry" # .8
    "pumpkin" # .9
  ];
in
{
  environment.systemPackages = [ pkgs.nebula ];

  systemd.services."nebula@${domain}" = {
    # Keep established tunnels up across a nixos-rebuild switch:
    # neither reload nor stop the unit when its definition changes.
    reloadIfChanged = false;
    stopIfChanged = false;
    # Presumably so certificate validity is evaluated against a synced clock — confirm.
    after = [ "chronyd.service" ];
    # The host's private key is delivered as a systemd encrypted credential:
    # only the encrypted .cred blob is copied into the (world-readable) Nix
    # store; systemd decrypts it at service start and exposes the plaintext
    # under /run/credentials/ for this unit only (see `key` below).
    serviceConfig.LoadCredentialEncrypted = [ "${hostName}.key:${hostFile "key.cred"}" ];
  };

  install.target = lib.mkDefault "\"\${NIXOS_TARGET:-root@${config.networking.hostName}.sp}\"";

  networking = {
    # Short ".sp" names for every overlay peer.
    hosts = lib.listToAttrs (
      lib.imap1 (i: name: lib.nameValuePair "${IPv4Prefix}.${toString i}" [ "${name}.sp" ]) overlayHosts
    );
    # Leave the Nebula tun interface alone; Nebula manages it itself.
    networkmanager.unmanaged = [ iface ];
    # LAN/NET chains: only the Nebula UDP port is opened (both ways).
    # Overlay chains: SSH/Mosh in, SSH/HTTP(S)/Mosh out; anything else on the
    # overlay interface is logged at level warn and dropped.
    # NOTE(review): the Nebula firewall above only passes ICMP, so SSH over the
    # overlay additionally needs a tcp rule in `firewall.inbound`, presumably
    # merged in from per-host configuration — confirm.
    nftables.ruleset = lib.concatStrings [
      ''
        table inet filter {
          chain input-lan {
            udp dport ${port} counter accept comment "Nebula ${domain}"
          }
          chain output-lan {
            udp sport ${port} counter accept comment "Nebula ${domain}"
          }
          chain input-net {
            udp dport ${port} counter accept comment "Nebula ${domain}"
          }
          chain output-net {
            udp sport ${port} counter accept comment "Nebula ${domain}"
          }
          chain input-${iface} {
            tcp dport ssh counter accept comment "SSH"
            udp dport 60000-60100 counter accept comment "Mosh"
          }
          chain output-${iface} {
            tcp dport ssh counter accept comment "SSH"
            tcp dport {http,https} counter accept comment "HTTP"
            udp dport 60000-60100 counter accept comment "Mosh"
          }
          chain input {
            iifname ${iface} jump input-${iface} comment "MUST be before the address-based jumps to input-lan"
            iifname ${iface} log level warn prefix "input-${iface}: " counter drop
          }
          chain output {
            oifname ${iface} jump output-${iface}
            oifname ${iface} log level warn prefix "output-${iface}: " counter drop
          }
        }
      ''
      # Printing over the overlay, only when CUPS is enabled on this host.
      (lib.optionalString config.services.printing.enable ''
        table inet filter {
          chain output-${iface} {
            tcp dport { ipp, ipps } counter accept comment "printing: IPP"
          }
        }
      '')
      # Network scanners over the overlay, only when SANE is enabled on this host.
      (lib.optionalString config.hardware.sane.enable ''
        table inet filter {
          chain output-${iface} {
            tcp dport sane-port counter accept comment "sane-net: SANE"
          }
        }
      '')
    ];
  };

  services = {
    nebula.networks.${domain} = {
      enable = true;
      # CA and host certificates are public material and may live in the store.
      ca = lib.mkDefault (builtins.path { path = inputs.self + "/domains/${domain}/nebula/ca.crt"; });
      cert = lib.mkDefault (hostFile "crt");
      # Decrypted at runtime by systemd from the LoadCredentialEncrypted entry above.
      key = "/run/credentials/nebula@${domain}.service/${hostName}.key";
      # Bind on all IPv4 addresses unless a host narrows it.
      listen.host = lib.mkDefault "0.0.0.0";
      tun.device = lib.mkDefault "neb-sourcephile";
      # Underlay addresses of the lighthouses.
      staticHostMap = {
        "${IPv4Prefix}.1" = [ "mermet.${domain}:10001" ];
        "${IPv4Prefix}.2" = [ "losurdo.${domain}:10002" ];
      };
      lighthouses = [
        "${IPv4Prefix}.1"
        "${IPv4Prefix}.2"
      ];
      relays = [
        "${IPv4Prefix}.1"
      ];
      firewall = {
        inbound = [ icmpFromGroups ];
        outbound = [ icmpFromGroups ];
      };
      settings = {
        # Nebula's own connection-tracking timeouts.
        firewall.conntrack = {
          tcp_timeout = "12m";
          udp_timeout = "3m";
          default_timeout = "10m";
        };
        logging.level = lib.mkDefault "info";
        # Tear down tunnels whose peer certificate is no longer valid,
        # instead of keeping them until the next handshake.
        pki.disconnect_invalid = true;
        # Prefer underlay addresses in this range when a peer advertises several.
        preferred_ranges = [
          "192.168.0.0/16"
        ];
        #cipher = "chachapoly";
        /*
          stats = {
            type = "prometheus";
            listen = "127.0.0.1:8080";
            path = "/metrics";
            namespace = "prometheusns";
            subsystem = "nebula";
            interval = "10s";
            message_metrics = false;
            lighthouse_metrics = false;
          };
        */
      };
    };

    # Overlay peers never get banned by fail2ban.
    fail2ban.ignoreIP = [
      "${IPv4Prefix}.1" # mermet.sp
      "${IPv4Prefix}.2" # losurdo.sp
      "${IPv4Prefix}.3" # oignon.sp
      "${IPv4Prefix}.9" # pumpkin.sp
    ];
  };
}