]> Git — Sourcephile - julm/julm-nix.git/blob - share/nebula/sourcephile.fr.nix
ldns: move to essential
[julm/julm-nix.git] / share / nebula / sourcephile.fr.nix
1 { pkgs, lib, config, inputs, hostName, ... }:
2 let
3 domain = "sourcephile.fr";
4 port = toString config.services.nebula.networks.${domain}.listen.port;
5 iface = config.services.nebula.networks.${domain}.tun.device;
6 IPv4Prefix = "10.0.0";
7 in
8 {
9 environment.systemPackages = with pkgs; [ nebula ];
10 systemd.services."nebula@${domain}".serviceConfig.LoadCredentialEncrypted = [
11 "${hostName}.key:${inputs.self + "/hosts/${hostName}/nebula/${hostName}.key.cred"}"
12 ];
13 install.target = lib.mkDefault "\"\${NIXOS_TARGET:-root@${config.networking.hostName}.sp}\"";
14 networking.hosts = {
15 "${IPv4Prefix}.1" = [ "mermet.sp" ];
16 "${IPv4Prefix}.2" = [ "losurdo.sp" ];
17 "${IPv4Prefix}.3" = [ "oignon.sp" ];
18 "${IPv4Prefix}.4" = [ "patate.sp" ];
19 "${IPv4Prefix}.5" = [ "carotte.sp" ];
20 "${IPv4Prefix}.6" = [ "aubergine.sp" ];
21 "${IPv4Prefix}.7" = [ "courge.sp" ];
22 };
23 services.nebula.networks.${domain} = {
24 enable = true;
25 ca = lib.mkDefault (./. + "/${domain}/ca.crt");
26 cert = lib.mkDefault (inputs.self + "/share/nebula/${domain}/${hostName}.crt");
27 key = "/run/credentials/nebula@${domain}.service/${hostName}.key";
28 listen.host = lib.mkDefault "0.0.0.0";
29 tun.device = lib.mkDefault "neb-sourcephile";
30 staticHostMap = {
31 "${IPv4Prefix}.1" = [ "mermet.${domain}:10001" ];
32 "${IPv4Prefix}.2" = [ "losurdo.${domain}:10002" ];
33 };
34 lighthouses = [
35 "${IPv4Prefix}.1"
36 "${IPv4Prefix}.2"
37 ];
38 relays = [
39 "${IPv4Prefix}.1"
40 ];
41 firewall = {
42 inbound = [
43 { port = "any"; proto = "icmp"; groups = [ "sourcephile" "intra" ]; }
44 ];
45 outbound = [
46 { port = "any"; proto = "icmp"; groups = [ "sourcephile" "intra" ]; }
47 ];
48 };
49 settings = {
50 firewall = {
51 conntrack = {
52 tcp_timeout = "12m";
53 udp_timeout = "3m";
54 default_timeout = "10m";
55 };
56 };
57 logging = {
58 level = lib.mkDefault "info";
59 };
60 pki.disconnect_invalid = true;
61 preferred_ranges = [
62 "192.168.0.0/16"
63 ];
64 /*
65 stats = {
66 type = "prometheus";
67 listen = "127.0.0.1:8080";
68 path = "/metrics";
69 namespace = "prometheusns";
70 subsystem = "nebula";
71 interval = "10s";
72 message_metrics = false;
73 lighthouse_metrics = false;
74 };
75 */
76 };
77 };
78 networking.nftables.ruleset = ''
79 table inet filter {
80 chain input-lan {
81 udp dport ${port} counter accept comment "Nebula ${domain}"
82 }
83 chain output-lan {
84 udp sport ${port} counter accept comment "Nebula ${domain}"
85 }
86 chain input-net {
87 udp dport ${port} counter accept comment "Nebula ${domain}"
88 }
89 chain output-net {
90 udp sport ${port} counter accept comment "Nebula ${domain}"
91 }
92 chain input-${iface} {
93 tcp dport ssh counter accept comment "SSH"
94 udp dport 60000-60100 counter accept comment "Mosh"
95 }
96 chain output-${iface} {
97 tcp dport ssh counter accept comment "SSH"
98 udp dport 60000-60100 counter accept comment "Mosh"
99 }
100 chain input {
101 iifname ${iface} jump input-${iface}
102 iifname ${iface} log level warn prefix "input-${iface}: " counter drop
103 }
104 chain output {
105 oifname ${iface} jump output-${iface}
106 oifname ${iface} log level warn prefix "output-${iface}: " counter drop
107 }
108 }
109 '';
110 networking.networkmanager.unmanaged = [ iface ];
111 services.fail2ban.ignoreIP = [
112 "${IPv4Prefix}.1" # mermet.sp
113 "${IPv4Prefix}.2" # losurdo.sp
114 "${IPv4Prefix}.3" # oignon.sp
115 ];
116 }