# NixOS host module: joins this host to the "sourcephile.fr" Nebula overlay and
# exposes the local print (cupsd) and scan (saned) services to overlay peers.
#
# `pkgs`, `lib`, `inputs` and `hostName` are accepted for uniformity with the
# other host modules but are not referenced here.
{ pkgs, lib, config, inputs, hostName, ... }:
let
  domain = "sourcephile.fr";

  # Name of the tun device Nebula creates for this overlay, read back from the
  # evaluated configuration so the nftables chain below follows whatever
  # ../../domains/sourcephile.fr/nebula.nix (or the NixOS default) sets.
  # NOTE(review): if `tun.device` evaluates to null this interpolation fails at
  # eval time — confirm the shared module assigns it.
  tunDevice = config.services.nebula.networks.${domain}.tun.device;

  # Nebula's own firewall. It is enforced against the peer *certificate*
  # before a packet ever reaches the kernel, so it is the first trust
  # boundary for overlay traffic.
  nebulaFirewall = {
    # Accept every port/protocol, but only from peers whose certificate carries
    # BOTH groups: `groups` is a conjunction in Nebula (a single `group` would
    # be a plain match). Per-service restriction is deliberately delegated to
    # the host nftables chain below.
    inbound = [
      {
        port = "any";
        proto = "any";
        groups = [ "sourcephile" "intra" ];
      }
    ];
    # Unrestricted egress towards any overlay peer.
    outbound = [
      {
        port = "any";
        proto = "any";
        host = "any";
      }
    ];
  };

  # Host-level filter for traffic arriving on the overlay interface. The
  # `input-<tun>` chain is expected to be declared and hooked by the shared
  # nebula module; only the service-specific accepts live here, so the
  # chain's default policy (presumably drop) is not visible from this file.
  overlayInputRules = ''
    table inet filter {
      chain input-${tunDevice} {
        tcp dport ipp counter accept comment "cupsd: IPP"
        tcp dport sane-port counter accept comment "saned: control port"
        # NoticeNote: not actually useful because there is a rule `ct related accept` before
        ct helper "sane" counter accept comment "saned: data ports"
      }
    }
  '';
in
{
  imports = [ ../../domains/sourcephile.fr/nebula.nix ];

  services.nebula.networks.${domain} = {
    # Port this Nebula node listens on for overlay traffic; peers must reach it
    # directly or via hole punching.
    listen.port = 10006;

    firewall = nebulaFirewall;

    # NAT traversal: this host does not initiate punches itself (`punch` left
    # disabled on purpose) but still answers punch attempts from NATed peers.
    settings.punchy = {
      #punch = true;
      respond = true;
    };
  };

  networking.nftables.ruleset = overlayInputRules;
}