carotte: apply git-crypt
{ pkgs, lib, inputs, hostName, ... }:
let
  # Nebula overlay this host joins; also the instance name of the nebula@<domain> unit.
  domain = "sourcephile.fr";
  # UDP port the Nebula daemon listens on; the same value is opened in nftables below.
  port = 10001;
  # Name of the TUN device Nebula creates; reused to name the per-interface nftables chains.
  iface = "neb-sourcephile";
  # Public certificate material (CA and per-host cert) shipped inside the flake itself.
  shareDir = inputs.self + "/share/nebula/${domain}";
  # Where systemd exposes the decrypted private key to the nebula@<domain> unit.
  keyPath = "/run/credentials/nebula@${domain}.service/${hostName}.key";
  # The systemd-creds encrypted private key, kept in the nebula/ directory next to this file.
  encryptedKey = nebula/. + "/${hostName}.key.cred";
  # Nebula-level firewall rule matching every port, protocol and peer.
  allowAll = { port = "any"; proto = "any"; host = "any"; };
in
{
  services.nebula.networks.${domain} = {
    enable = true;
    ca = shareDir + "/ca.crt";
    cert = shareDir + "/${hostName}.crt";
    key = keyPath;
    # "0.0.0.0" binds every IPv4 address of the host; no IPv6 listener is configured here.
    listen = { host = "0.0.0.0"; inherit port; };
    isLighthouse = true;
    isRelay = true;
    tun.device = iface;
    staticHostMap = {
      #"10.0.0.1" = [ "mermet.${domain}:10001" ];
      "10.0.0.2" = [ "losurdo.${domain}:10002" ];
    };
    # NOTE(review): this node is itself a lighthouse (isLighthouse above) yet lists another
    # node here; Nebula's documentation says lighthouse.hosts should be empty on lighthouse
    # nodes — confirm this is intended.
    lighthouses = [
      "10.0.0.2"
    ];
    relays = [
      #"10.0.0.2"
    ];
    # The Nebula firewall is fully open in both directions. The only filtering applied to
    # overlay traffic is the nftables input-/output-<iface> chains below, so there is a
    # single layer of enforcement for what peers may reach on this host.
    firewall = {
      outbound = [ allowAll ];
      inbound = [ allowAll ];
    };
  };

  # Interpolating the path copies the .key.cred file into the Nix store; this is
  # acceptable only because it is the encrypted form, which systemd decrypts at unit
  # start into the /run/credentials path used as `key` above.
  systemd.services."nebula@${domain}".serviceConfig.LoadCredentialEncrypted = [
    "${hostName}.key:${encryptedKey}"
  ];

  environment.systemPackages = with pkgs; [ nebula ];

  # Underlay: input-net/output-net accept Nebula's UDP port (the chains that jump to them
  # are defined elsewhere). Overlay: traffic arriving on <iface> is limited to SSH and Mosh
  # and everything else is logged and dropped, whereas output-<iface> ends in an
  # unconditional accept, so the log/drop line in the output chain never fires for <iface>.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        udp dport ${toString port} counter accept comment "Nebula ${domain}"
      }
      chain output-net {
        udp sport ${toString port} counter accept comment "Nebula ${domain}"
      }
      chain input-${iface} {
        tcp dport ssh counter accept comment "SSH"
        udp dport 60000-60100 counter accept comment "Mosh"
      }
      chain output-${iface} {
        tcp dport ssh counter accept comment "SSH"
        udp dport 60000-60100 counter accept comment "Mosh"
        counter accept
      }
      chain input {
        iifname ${iface} jump input-${iface}
        iifname ${iface} log level warn prefix "input-${iface}: " counter drop
      }
      chain output {
        oifname ${iface} jump output-${iface}
        oifname ${iface} log level warn prefix "output-${iface}: " counter drop
      }
    }
  '';

  /*
  services.fail2ban.ignoreIP = lib.concatMap
    (host: host.peer.allowedIPs)
    (lib.attrValues peers);
  networking.networkmanager.unmanaged = [ wgIface ];
  */
}