1 { pkgs, lib, inputs, hostName, ... }:
3 domain = "sourcephile.fr";
5 iface = "neb-sourcephile";
8 environment.systemPackages = with pkgs; [ nebula ];
9 systemd.services."nebula@${domain}" = {
11 LoadCredentialEncrypted = [
12 "${hostName}.key:${nebula/. + "/${hostName}.key.cred"}"
16 Upholds = [ "upnpc-${toString port}.service" ];
19 services.nebula.networks.${domain} = {
21 ca = inputs.self + "/share/nebula/${domain}/ca.crt";
22 cert = inputs.self + "/share/nebula/${domain}/${hostName}.crt";
23 key = "/run/credentials/nebula@${domain}.service/${hostName}.key";
24 listen = { host = "0.0.0.0"; port = port; };
29 "10.0.0.1" = [ "mermet.${domain}:10001" ];
30 #"10.0.0.2" = [ "losurdo.${domain}:10002" ];
39 outbound = [{ port = "any"; proto = "any"; host = "any"; }];
40 inbound = [{ port = "any"; proto = "any"; host = "any"; }];
43 networking.nftables.ruleset = ''
46 udp dport ${toString port} counter accept comment "Nebula ${domain}"
49 udp sport ${toString port} counter accept comment "Nebula ${domain}"
51 chain input-${iface} {
52 tcp dport ssh counter accept comment "SSH"
53 udp dport 60000-60100 counter accept comment "Mosh"
55 chain output-${iface} {
56 tcp dport ssh counter accept comment "SSH"
57 udp dport 60000-60100 counter accept comment "Mosh"
61 iifname ${iface} jump input-${iface}
62 iifname ${iface} log level warn prefix "input-${iface}: " counter drop
65 oifname ${iface} jump output-${iface}
66 oifname ${iface} log level warn prefix "output-${iface}: " counter drop
71 services.fail2ban.ignoreIP = lib.concatMap
72 (host: host.peer.allowedIPs)
73 (lib.attrValues peers);
74 networking.networkmanager.unmanaged = [ wgIface ];
76 # Apparently required to get NAT reflection (hairpinning) for the Nebula port redirection below.
77 services.upnpc.enable = true;
78 services.upnpc.redirections = [
80 description = "Nebula ${domain}";
84 service.requiredBy = [ "nebula@${domain}.service" ];
85 service.before = [ "nebula@${domain}.service" ];
88 #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;