hosts/mermet/nebula.nix

   1 { pkgs, lib, inputs, hostName, ... }:
   2 let
   3   domain = "sourcephile.fr";
   4   port = 10001;
   5   iface = "neb-sourcephile";
   6 in
   7 {
   8   environment.systemPackages = with pkgs; [ nebula ];
   9   systemd.services."nebula@${domain}".serviceConfig.LoadCredentialEncrypted = [
  10     "${hostName}.key:${nebula/. + "/${hostName}.key.cred"}"
  11   ];
  12   services.nebula.networks.${domain} = {
  13     enable = true;
  14     ca = inputs.self + "/share/nebula/${domain}/ca.crt";
  15     cert = inputs.self + "/share/nebula/${domain}/${hostName}.crt";
  16     key = "/run/credentials/nebula@${domain}.service/${hostName}.key";
  17     listen = { host = "0.0.0.0"; port = port; };
  18     isLighthouse = true;
  19     isRelay = true;
  20     tun.device = iface;
  21     staticHostMap = {
  22       #"10.0.0.1" = [ "mermet.${domain}:10001" ];
  23       "10.0.0.2" = [ "losurdo.${domain}:10002" ];
  24     };
  25     lighthouses = [
  26       "10.0.0.2"
  27     ];
  28     relays = [
  29       #"10.0.0.2"
  30     ];
  31     firewall = {
  32       outbound = [{ port = "any"; proto = "any"; host = "any"; }];
  33       inbound = [{ port = "any"; proto = "any"; host = "any"; }];
  34     };
  35   };
  36   networking.nftables.ruleset = ''
  37     table inet filter {
  38       chain input-net {
  39         udp dport ${toString port} counter accept comment "Nebula ${domain}"
  40       }
  41       chain output-net {
  42         udp sport ${toString port} counter accept comment "Nebula ${domain}"
  43       }
  44       chain input-${iface} {
  45         tcp dport ssh counter accept comment "SSH"
  46         udp dport 60000-60100 counter accept comment "Mosh"
  47       }
  48       chain output-${iface} {
  49         tcp dport ssh counter accept comment "SSH"
  50         udp dport 60000-60100 counter accept comment "Mosh"
  51         counter accept
  52       }
  53       chain input {
  54         iifname ${iface} jump input-${iface}
  55         iifname ${iface} log level warn prefix "input-${iface}: " counter drop
  56       }
  57       chain output {
  58         oifname ${iface} jump output-${iface}
  59         oifname ${iface} log level warn prefix "output-${iface}: " counter drop
  60       }
  61     }
  62   '';
  63   /*
  64     services.fail2ban.ignoreIP = lib.concatMap
  65     (host: host.peer.allowedIPs)
  66     (lib.attrValues peers);
  67     networking.networkmanager.unmanaged = [ wgIface ];
  68   */
  69 }