nix: update nixpkgs
[julm/julm-nix.git] / share / nebula / sourcephile.fr.nix
index af7c84fc76ab28363aababff3693b10cf387e4b3..e3c692b55a684f6a6826f026869337b35dbc1a95 100644 (file)
@@ -3,39 +3,43 @@ let
   domain = "sourcephile.fr";
   port = toString config.services.nebula.networks.${domain}.listen.port;
   iface = config.services.nebula.networks.${domain}.tun.device;
+  IPv4Prefix = "10.0.0";
 in
 {
   environment.systemPackages = with pkgs; [ nebula ];
-  systemd.services."nebula@${domain}".serviceConfig.LoadCredentialEncrypted = [
-    "${hostName}.key:${inputs.self + "/hosts/${hostName}/nebula/${hostName}.key.cred"}"
-  ];
+  systemd.services."nebula@${domain}" = {
+    stopIfChanged = false;
+    serviceConfig.LoadCredentialEncrypted = [
+      "${hostName}.key:${builtins.path { path = inputs.self + "/hosts/${hostName}/nebula/${hostName}.key.cred"; }}"
+    ];
+  };
   install.target = lib.mkDefault "\"\${NIXOS_TARGET:-root@${config.networking.hostName}.sp}\"";
   networking.hosts = {
-    "10.0.0.1" = [ "mermet.sp" ];
-    "10.0.0.2" = [ "losurdo.sp" ];
-    "10.0.0.3" = [ "oignon.sp" ];
-    "10.0.0.4" = [ "patate.sp" ];
-    "10.0.0.5" = [ "carotte.sp" ];
-    "10.0.0.6" = [ "aubergine.sp" ];
-    "10.0.0.7" = [ "courge.sp" ];
+    "${IPv4Prefix}.1" = [ "mermet.sp" ];
+    "${IPv4Prefix}.2" = [ "losurdo.sp" ];
+    "${IPv4Prefix}.3" = [ "oignon.sp" ];
+    "${IPv4Prefix}.4" = [ "patate.sp" ];
+    "${IPv4Prefix}.5" = [ "carotte.sp" ];
+    "${IPv4Prefix}.6" = [ "aubergine.sp" ];
+    "${IPv4Prefix}.7" = [ "courge.sp" ];
   };
   services.nebula.networks.${domain} = {
     enable = true;
     ca = lib.mkDefault (./. + "/${domain}/ca.crt");
-    cert = lib.mkDefault (inputs.self + "/share/nebula/${domain}/${hostName}.crt");
+    cert = lib.mkDefault (builtins.path { path = inputs.self + "/share/nebula/${domain}/${hostName}.crt"; });
     key = "/run/credentials/nebula@${domain}.service/${hostName}.key";
     listen.host = lib.mkDefault "0.0.0.0";
     tun.device = lib.mkDefault "neb-sourcephile";
     staticHostMap = {
-      "10.0.0.1" = [ "mermet.${domain}:10001" ];
-      "10.0.0.2" = [ "losurdo.${domain}:10002" ];
+      "${IPv4Prefix}.1" = [ "mermet.${domain}:10001" ];
+      "${IPv4Prefix}.2" = [ "losurdo.${domain}:10002" ];
     };
     lighthouses = [
-      "10.0.0.1"
-      "10.0.0.2"
+      "${IPv4Prefix}.1"
+      "${IPv4Prefix}.2"
     ];
     relays = [
-      "10.0.0.1"
+      "${IPv4Prefix}.1"
     ];
     firewall = {
       inbound = [
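Review bot: Wrapping the `.key.cred` path in `builtins.path` (new line after `serviceConfig.LoadCredentialEncrypted`) copies the credential file into the Nix store, which is world-readable on the host, so the secrecy of the Nebula private key now rests entirely on the systemd-creds encryption of that file (host credential key and/or TPM2) rather than on file permissions; that is the intended model for `LoadCredentialEncrypted`, but it deserves a comment next to the entry, e.g. `# .cred is systemd-creds encrypted and host-bound; the plaintext only exists under /run/credentials/ for this unit`. The same holds for the `cert` path, though a Nebula certificate is public and this is harmless. `stopIfChanged = false` is undocumented: presumably it exists so the tunnel is not torn down mid-switch while a deployment is arriving over it (`install.target` points at a `.sp` overlay name), so a one-line `# keep the overlay up during a switch: deployments come in over it` would save the next reader from re-deriving that. The enclosing module attrset starts before this hunk and continues past it.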
@@ -60,6 +64,7 @@ in
       preferred_ranges = [
         "192.168.0.0/16"
       ];
+      #cipher = "chachapoly";
       /*
       stats = {
         type = "prometheus";
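Review bot: The commented-out `#cipher = "chachapoly";` gives no hint that this setting, if ever enabled, must match on every node of the network at once (Nebula peers with mismatched ciphers cannot complete a handshake), so a later reader may flip it on one host and lose connectivity; a short comment such as `# must be identical on all nodes; default is aes` next to it would make the constraint explicit. The surrounding `settings` block starts before this hunk and continues past it.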
@@ -107,4 +112,9 @@ in
     }
   '';
   networking.networkmanager.unmanaged = [ iface ];
+  services.fail2ban.ignoreIP = [
+    "${IPv4Prefix}.1" # mermet.sp
+    "${IPv4Prefix}.2" # losurdo.sp
+    "${IPv4Prefix}.3" # oignon.sp
+  ];
 }
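Review bot: The new `services.fail2ban.ignoreIP` list duplicates the address-to-host mapping already written out in `networking.hosts` above, and it does so for only three of the seven overlay hosts with nothing saying why these three are trusted and the others are not; exempting a peer from fail2ban means a compromise of that peer gets unlimited auth attempts against this host, so the selection should be deliberate and documented (e.g. `# peers allowed to bypass fail2ban: these are the hosts deployments are run from`, if that is the reason). Keeping a single peers attrset (name → last octet) in the `let` block and deriving both `networking.hosts` and this list from it would stop the two from drifting apart. The overlay addresses are reachable only via the Nebula tun and are bound to certificates, so spoofing from the underlay is not the concern here; the trust decision itself is. The enclosing module attrset starts before this hunk.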