hosts/aubergine/nebula.nix

   1 {
   2   pkgs,
   3   lib,
   4   config,
   5   inputs,
   6   hostName,
   7   ...
   8 }:
   9 let
  10   domain = "sourcephile.fr";
  11   iface = config.services.nebula.networks.${domain}.tun.device;
  12 in
  13 {
  14   imports = [
  15     ../../domains/sourcephile.fr/nebula.nix
  16   ];
  17   services.nebula.networks.${domain} = {
  18     listen.port = 10006;
  19     firewall = {
  20       inbound = [
  21         {
  22           port = "any";
  23           proto = "any";
  24           groups = [
  25             "sourcephile"
  26             "intra"
  27           ];
  28         }
  29       ];
  30       outbound = [
  31         {
  32           port = "any";
  33           proto = "any";
  34           host = "any";
  35         }
  36       ];
  37     };
  38     settings = {
  39       punchy = {
  40         #punch = true;
  41         respond = true;
  42       };
  43     };
  44   };
  45   networking.nftables.ruleset = ''
  46     table inet filter {
  47       chain input-${iface} {
  48         tcp dport ipp counter accept comment "cupsd: IPP"
  49         tcp dport sane-port counter accept comment "saned: control port"
  50         # NoticeNote: not actually useful because there is a rule `ct related accept` before
  51         ct helper "sane" counter accept comment "saned: data ports"
  52       }
  53     }
  54   '';
  55 }