julm: pumpkin: enable music profile
[julm/julm-nix.git] / domains / sourcephile.fr / nebula.nix
index 7c4b5021453f73708f2aa2318298671a2a2c9563..e2f3a9ad4e5a230c5458bf15b9ebc34a3aa93634 100644 (file)
@@ -1,4 +1,11 @@
-{ pkgs, lib, config, inputs, hostName, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  inputs,
+  hostName,
+  ...
+}:
 let
   domain = "sourcephile.fr";
   port = toString config.services.nebula.networks.${domain}.listen.port;
@@ -11,7 +18,9 @@ in
     reloadIfChanged = false;
     stopIfChanged = false;
     serviceConfig.LoadCredentialEncrypted = [
-      "${hostName}.key:${builtins.path { path = inputs.self + "/hosts/${hostName}/nebula/${domain}/${hostName}.key.cred"; }}"
+      "${hostName}.key:${
+        builtins.path { path = inputs.self + "/hosts/${hostName}/nebula/${domain}/${hostName}.key.cred"; }
+      }"
     ];
   };
   install.target = lib.mkDefault "\"\${NIXOS_TARGET:-root@${config.networking.hostName}.sp}\"";
@@ -29,7 +38,9 @@ in
   services.nebula.networks.${domain} = {
     enable = true;
     ca = lib.mkDefault (builtins.path { path = inputs.self + "/domains/${domain}/nebula/ca.crt"; });
-    cert = lib.mkDefault (builtins.path { path = inputs.self + "/hosts/${hostName}/nebula/${domain}/${hostName}.crt"; });
+    cert = lib.mkDefault (
+      builtins.path { path = inputs.self + "/hosts/${hostName}/nebula/${domain}/${hostName}.crt"; }
+    );
     key = "/run/credentials/nebula@${domain}.service/${hostName}.key";
     listen.host = lib.mkDefault "0.0.0.0";
     tun.device = lib.mkDefault "neb-sourcephile";
@@ -46,10 +57,24 @@ in
     ];
     firewall = {
       inbound = [
-        { port = "any"; proto = "icmp"; groups = [ "sourcephile" "intra" ]; }
+        {
+          port = "any";
+          proto = "icmp";
+          groups = [
+            "sourcephile"
+            "intra"
+          ];
+        }
       ];
       outbound = [
-        { port = "any"; proto = "icmp"; groups = [ "sourcephile" "intra" ]; }
+        {
+          port = "any";
+          proto = "icmp";
+          groups = [
+            "sourcephile"
+            "intra"
+          ];
+        }
       ];
     };
     settings = {
@@ -69,51 +94,66 @@ in
       ];
       #cipher = "chachapoly";
       /*
-      stats = {
-        type = "prometheus";
-        listen = "127.0.0.1:8080";
-        path = "/metrics";
-        namespace = "prometheusns";
-        subsystem = "nebula";
-        interval = "10s";
-        message_metrics = false;
-        lighthouse_metrics = false;
-      };
+        stats = {
+          type = "prometheus";
+          listen = "127.0.0.1:8080";
+          path = "/metrics";
+          namespace = "prometheusns";
+          subsystem = "nebula";
+          interval = "10s";
+          message_metrics = false;
+          lighthouse_metrics = false;
+        };
       */
     };
   };
-  networking.nftables.ruleset = ''
-    table inet filter {
-      chain input-lan {
-        udp dport ${port} counter accept comment "Nebula ${domain}"
-      }
-      chain output-lan {
-        udp sport ${port} counter accept comment "Nebula ${domain}"
-      }
-      chain input-net {
-        udp dport ${port} counter accept comment "Nebula ${domain}"
-      }
-      chain output-net {
-        udp sport ${port} counter accept comment "Nebula ${domain}"
-      }
-      chain input-${iface} {
-        tcp dport ssh counter accept comment "SSH"
-        udp dport 60000-60100 counter accept comment "Mosh"
-      }
-      chain output-${iface} {
-        tcp dport ssh counter accept comment "SSH"
-        udp dport 60000-60100 counter accept comment "Mosh"
+  networking.nftables.ruleset =
+    ''
+      table inet filter {
+        chain input-lan {
+          udp dport ${port} counter accept comment "Nebula ${domain}"
+        }
+        chain output-lan {
+          udp sport ${port} counter accept comment "Nebula ${domain}"
+        }
+        chain input-net {
+          udp dport ${port} counter accept comment "Nebula ${domain}"
+        }
+        chain output-net {
+          udp sport ${port} counter accept comment "Nebula ${domain}"
+        }
+        chain input-${iface} {
+          tcp dport ssh counter accept comment "SSH"
+          udp dport 60000-60100 counter accept comment "Mosh"
+        }
+        chain output-${iface} {
+          tcp dport ssh counter accept comment "SSH"
+          udp dport 60000-60100 counter accept comment "Mosh"
+        }
+        chain input {
+          iifname ${iface} jump input-${iface} comment "MUST be before the address-based jumps to input-lan"
+          iifname ${iface} log level warn prefix "input-${iface}: " counter drop
+        }
+        chain output {
+          oifname ${iface} jump output-${iface}
+          oifname ${iface} log level warn prefix "output-${iface}: " counter drop
+        }
       }
-      chain input {
-        iifname ${iface} jump input-${iface} comment "MUST be before the address-based jumps to input-lan"
-        iifname ${iface} log level warn prefix "input-${iface}: " counter drop
+    ''
+    + lib.optionalString config.services.printing.enable ''
+      table inet filter {
+        chain output-${iface} {
+          tcp dport { ipp, ipps } counter accept comment "printing: IPP"
+        }
       }
-      chain output {
-        oifname ${iface} jump output-${iface}
-        oifname ${iface} log level warn prefix "output-${iface}: " counter drop
+    ''
+    + lib.optionalString config.hardware.sane.enable ''
+      table inet filter {
+        chain output-${iface} {
+          tcp dport sane-port counter accept comment "sane-net: SANE"
+        }
       }
-    }
-  '';
+    '';
   networking.networkmanager.unmanaged = [ iface ];
   services.fail2ban.ignoreIP = [
     "${IPv4Prefix}.1" # mermet.sp
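Review bot: The two new `optionalString` blocks appended to `networking.nftables.ruleset` open outbound TCP to `ipp`/`ipps` and `sane-port` on `oifname ${iface}` toward any destination, and nothing in the hunk records why these are keyed on `config.services.printing.enable` and `config.hardware.sane.enable`; since `services.printing.enable` turns on the local CUPS server rather than a client, it is worth a comment confirming that the intent is this host reaching printers/scanners exposed by other peers over the tunnel, e.g. `# printing/sane: client access to peers' IPP/SANE services over ${iface}; no inbound rule is added`. If the set of peers offering those services is known, consider narrowing the rules with an `ip daddr` match instead of accepting to the whole interface, so that an unexpected peer cannot receive that traffic. Both appended fragments also rely on nft merging a re-declared `table inet filter` / `chain output-${iface}` into the one defined above; a short comment noting that this is the append semantics of `nft -f` would save the next reader from assuming the chain is being replaced. The enclosing module attribute set (`services.fail2ban.ignoreIP = [`) continues past the end of the hunk.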