1 {
2 pkgs,
3 lib,
4 config,
5 inputs,
6 ...
7 }:
8 let
9 domain = "sourcephile.fr";
10 port = 10002;
11 ipv4Prefix = "10.0.0";
12 in
13 {
14 imports = [
15 (inputs.julm-nix + "/domains/sourcephile.fr/nebula.nix")
16 ];
17 services.nebula.networks.${domain} = {
18 enable = true;
19 listen.port = port;
20 isLighthouse = true;
21 isRelay = false;
22 firewall = {
23 outbound = [
24 {
25 port = "any";
26 proto = "any";
27 host = "any";
28 }
29 ];
30 inbound = [
31 {
32 port = "any";
33 proto = "any";
34 host = "any";
35 }
36 ];
37 };
38 };
39 networking.nftables.ruleset = '''';
40 services.fail2ban.ignoreIP = [
41 "${ipv4Prefix}.1/24"
42 ];
43 networking.networkmanager.unmanaged = [ config.services.nebula.networks.${domain}.tun.device ];
44 # Apparently required to get NAT reflection.
45 services.upnpc.enable = true;
46 services.upnpc.redirections = [
47 {
48 description = "Nebula ${domain}";
49 externalPort = port;
50 protocol = "UDP";
51 duration = 30 * 60;
52 service.requiredBy = [ "nebula@${domain}.service" ];
53 service.before = [ "nebula@${domain}.service" ];
54 }
55 ];
56 systemd.services."nebula@${domain}" = {
57 unitConfig = {
58 Upholds = [ "upnpc-${toString port}.service" ];
59 };
60 };
61 #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
62 }