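{ pkgs, lib, inputs, hostName, ... }:
let
  # Name of the Nebula overlay network; it doubles as the systemd template instance name.
  domain = "sourcephile.fr";
  # UDP port Nebula listens on. The nftables rules and the UPnP redirection below derive from it.
  port = 10002;
  # Name of the Nebula TUN device; the per-interface nftables chains below are keyed on it.
  iface = "neb-sourcephile";
in
{
  environment.systemPackages = with pkgs; [ nebula ];

  systemd.services."nebula@${domain}" = {
    serviceConfig = {
      # The host's Nebula private key lives next to this file as a systemd-creds encrypted
      # blob (nebula/<hostName>.key.cred). Interpolating the path copies that *encrypted*
      # blob into the world-readable Nix store; systemd decrypts it at service start and
      # exposes it under /run/credentials/nebula@<domain>.service/, which `key` below uses.
      LoadCredentialEncrypted = [
        "${hostName}.key:${nebula/. + "/${hostName}.key.cred"}"
      ];
    };
    unitConfig = {
      # Keep the UPnP port mapping unit running for as long as Nebula itself runs.
      Upholds = [ "upnpc-${toString port}.service" ];
    };
  };

  services.nebula.networks.${domain} = {
    enable = true;
    # CA and host certificates are public material kept inside the flake itself.
    ca = inputs.self + "/share/nebula/${domain}/ca.crt";
    cert = inputs.self + "/share/nebula/${domain}/${hostName}.crt";
    # Decrypted at runtime from the LoadCredentialEncrypted entry above; never stored in clear.
    key = "/run/credentials/nebula@${domain}.service/${hostName}.key";
    # Bind all IPv4 addresses on the Nebula UDP port.
    listen = { host = "0.0.0.0"; port = port; };
    # NOTE(review): this node is declared a lighthouse while also listing 10.0.0.1 as an
    # upstream lighthouse below; recent Nebula releases refuse am_lighthouse together with
    # a non-empty lighthouse.hosts list — confirm which role losurdo is meant to have.
    isLighthouse = true;
    isRelay = false;
    tun.device = iface;
    # Underlay addresses of peers that cannot be learnt from a lighthouse.
    staticHostMap = {
      "10.0.0.1" = [ "mermet.${domain}:10001" ];
      #"10.0.0.2" = [ "losurdo.${domain}:10002" ];
    };
    lighthouses = [
      "10.0.0.1"
    ];
    relays = [
      "10.0.0.1"
    ];
    # The overlay-level firewall is fully open in both directions; what actually restricts
    # traffic on the Nebula interface is the host nftables ruleset below (SSH and Mosh inbound).
    firewall = {
      outbound = [{ port = "any"; proto = "any"; host = "any"; }];
      inbound = [{ port = "any"; proto = "any"; host = "any"; }];
    };
  };

  # Host firewall. input-net/output-net admit the Nebula UDP transport (presumably jumped to
  # for the physical uplinks elsewhere in the ruleset); the per-interface chains restrict what
  # may cross the overlay device. Drops on the overlay are logged, but each log rule is
  # rate-limited (constructed defaults, tune as needed) so a misbehaving peer cannot flood the
  # journal; the unconditional drop that follows keeps the policy unchanged for packets that
  # exceed the limit, because `log` only annotates and never decides the verdict.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        udp dport ${toString port} counter accept comment "Nebula ${domain}"
      }
      chain output-net {
        udp sport ${toString port} counter accept comment "Nebula ${domain}"
      }
      chain input-${iface} {
        tcp dport ssh counter accept comment "SSH"
        udp dport 60000-60100 counter accept comment "Mosh"
      }
      chain output-${iface} {
        tcp dport ssh counter accept comment "SSH"
        udp dport 60000-60100 counter accept comment "Mosh"
        counter accept
      }
      chain input {
        iifname ${iface} jump input-${iface}
        iifname ${iface} limit rate 5/minute burst 10 packets log level warn prefix "input-${iface}: "
        iifname ${iface} counter drop
      }
      chain output {
        oifname ${iface} jump output-${iface}
        oifname ${iface} limit rate 5/minute burst 10 packets log level warn prefix "output-${iface}: "
        oifname ${iface} counter drop
      }
    }
  '';

  /*
  Looks like a leftover from an earlier configuration: `peers` and `wgIface` are not
  defined in this file, so this block cannot simply be re-enabled as is.
  services.fail2ban.ignoreIP = lib.concatMap
    (host: host.peer.allowedIPs)
    (lib.attrValues peers);
  networking.networkmanager.unmanaged = [ wgIface ];
  */

  # Apparently required to get NAT reflection.
  # Maps the Nebula UDP port on the upstream router to this host, with a 30-minute lease
  # (duration is presumably in seconds — confirm against the upnpc module); the mapping unit
  # is ordered before, and required by, the Nebula service.
  services.upnpc.enable = true;
  services.upnpc.redirections = [
    {
      description = "Nebula ${domain}";
      externalPort = port;
      protocol = "UDP";
      duration = 30 * 60;
      service.requiredBy = [ "nebula@${domain}.service" ];
      service.before = [ "nebula@${domain}.service" ];
    }
  ];
  #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
}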