]> Git — Sourcephile - julm/julm-nix.git/blob - share/nebula/sourcephile.fr.nix
sourcephile / git / julm / julm-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
nebula: fix forgotten uses of .wg instead of .sp
[julm/julm-nix.git] / share / nebula / sourcephile.fr.nix
1 { pkgs, lib, config, inputs, hostName, ... }:
2 let
3 domain = "sourcephile.fr";
4 port = toString config.services.nebula.networks.${domain}.listen.port;
5 iface = config.services.nebula.networks.${domain}.tun.device;
6 IPv4Prefix = "10.0.0";
7 in
8 {
9 environment.systemPackages = with pkgs; [ nebula ];
10 systemd.services."nebula@${domain}" = {
11 stopIfChanged = false;
12 serviceConfig.LoadCredentialEncrypted = [
13 "${hostName}.key:${builtins.path { path = inputs.self + "/hosts/${hostName}/nebula/${hostName}.key.cred"; }}"
14 ];
15 };
16 install.target = lib.mkDefault "\"\${NIXOS_TARGET:-root@${config.networking.hostName}.sp}\"";
17 networking.hosts = {
18 "${IPv4Prefix}.1" = [ "mermet.sp" ];
19 "${IPv4Prefix}.2" = [ "losurdo.sp" ];
20 "${IPv4Prefix}.3" = [ "oignon.sp" ];
21 "${IPv4Prefix}.4" = [ "patate.sp" ];
22 "${IPv4Prefix}.5" = [ "carotte.sp" ];
23 "${IPv4Prefix}.6" = [ "aubergine.sp" ];
24 "${IPv4Prefix}.7" = [ "courge.sp" ];
25 "${IPv4Prefix}.8" = [ "blackberry.sp" ];
26 };
27 services.nebula.networks.${domain} = {
28 enable = true;
29 ca = lib.mkDefault (./. + "/${domain}/ca.crt");
30 cert = lib.mkDefault (builtins.path { path = inputs.self + "/share/nebula/${domain}/${hostName}.crt"; });
31 key = "/run/credentials/nebula@${domain}.service/${hostName}.key";
32 listen.host = lib.mkDefault "0.0.0.0";
33 tun.device = lib.mkDefault "neb-sourcephile";
34 staticHostMap = {
35 "${IPv4Prefix}.1" = [ "mermet.${domain}:10001" ];
36 "${IPv4Prefix}.2" = [ "losurdo.${domain}:10002" ];
37 };
38 lighthouses = [
39 "${IPv4Prefix}.1"
40 "${IPv4Prefix}.2"
41 ];
42 relays = [
43 "${IPv4Prefix}.1"
44 ];
45 firewall = {
46 inbound = [
47 { port = "any"; proto = "icmp"; groups = [ "sourcephile" "intra" ]; }
48 ];
49 outbound = [
50 { port = "any"; proto = "icmp"; groups = [ "sourcephile" "intra" ]; }
51 ];
52 };
53 settings = {
54 firewall = {
55 conntrack = {
56 tcp_timeout = "12m";
57 udp_timeout = "3m";
58 default_timeout = "10m";
59 };
60 };
61 logging = {
62 level = lib.mkDefault "info";
63 };
64 pki.disconnect_invalid = true;
65 preferred_ranges = [
66 "192.168.0.0/16"
67 ];
68 #cipher = "chachapoly";
69 /*
70 stats = {
71 type = "prometheus";
72 listen = "127.0.0.1:8080";
73 path = "/metrics";
74 namespace = "prometheusns";
75 subsystem = "nebula";
76 interval = "10s";
77 message_metrics = false;
78 lighthouse_metrics = false;
79 };
80 */
81 };
82 };
83 networking.nftables.ruleset = ''
84 table inet filter {
85 chain input-lan {
86 udp dport ${port} counter accept comment "Nebula ${domain}"
87 }
88 chain output-lan {
89 udp sport ${port} counter accept comment "Nebula ${domain}"
90 }
91 chain input-net {
92 udp dport ${port} counter accept comment "Nebula ${domain}"
93 }
94 chain output-net {
95 udp sport ${port} counter accept comment "Nebula ${domain}"
96 }
97 chain input-${iface} {
98 tcp dport ssh counter accept comment "SSH"
99 udp dport 60000-60100 counter accept comment "Mosh"
100 }
101 chain output-${iface} {
102 tcp dport ssh counter accept comment "SSH"
103 udp dport 60000-60100 counter accept comment "Mosh"
104 }
105 chain input {
106 iifname ${iface} jump input-${iface}
107 iifname ${iface} log level warn prefix "input-${iface}: " counter drop
108 }
109 chain output {
110 oifname ${iface} jump output-${iface}
111 oifname ${iface} log level warn prefix "output-${iface}: " counter drop
112 }
113 }
114 '';
115 networking.networkmanager.unmanaged = [ iface ];
116 services.fail2ban.ignoreIP = [
117 "${IPv4Prefix}.1" # mermet.sp
118 "${IPv4Prefix}.2" # losurdo.sp
119 "${IPv4Prefix}.3" # oignon.sp
120 ];
121 }
julm's NixOS and home-manager configs