# NixOS module enrolling this host in the "sourcephile.fr" Nebula overlay network.
#
# Module arguments:
#   pkgs     - provides the `nebula` package.
#   lib      - only referenced from the commented-out block near the bottom;
#              unused by the live configuration.
#   inputs   - flake inputs; `inputs.self` is used to locate the CA and host
#              certificates shipped under share/nebula/<domain>/.
#   hostName - selects this host's certificate and encrypted private key.
{ pkgs, lib, inputs, hostName, ... }:
let
  # Nebula network name; also the systemd template instance (nebula@<domain>).
  domain = "sourcephile.fr";
  # UDP port Nebula listens on. Reused for the nftables underlay rules and
  # for the UPnP redirection below, so the three stay in sync.
  port = 10002;
  # Name of the TUN device Nebula creates; the per-interface nftables chains
  # below are keyed on it.
  iface = "neb-sourcephile";
in
{
  environment.systemPackages = with pkgs; [ nebula ];

  systemd.services."nebula@${domain}" = {
    serviceConfig = {
      # The host private key lives in the repository only in encrypted form
      # (./nebula/<hostName>.key.cred, relative to this file). systemd decrypts
      # it at unit start and exposes it solely to this unit under
      # /run/credentials/, which is the path `key` refers to further down.
      LoadCredentialEncrypted = [ "${hostName}.key:${nebula/. + "/${hostName}.key.cred"}" ];
    };
    unitConfig = {
      # Keep the UPnP port mapping unit running for as long as Nebula runs.
      Upholds = [ "upnpc-${toString port}.service" ];
    };
  };

  services.nebula.networks.${domain} = {
    enable = true;
    # CA and host certificates are public material carried in the flake.
    ca = inputs.self + "/share/nebula/${domain}/ca.crt";
    cert = inputs.self + "/share/nebula/${domain}/${hostName}.crt";
    # Decrypted key placed by LoadCredentialEncrypted above.
    key = "/run/credentials/nebula@${domain}.service/${hostName}.key";
    # IPv4-only listener on all underlay addresses.
    listen = { host = "0.0.0.0"; port = port; };
    # This node acts as a lighthouse itself while still pointing at 10.0.0.1
    # (mermet) as lighthouse and relay; it does not relay for other peers.
    isLighthouse = true;
    isRelay = false;
    tun.device = iface;
    staticHostMap = {
      "10.0.0.1" = [ "mermet.${domain}:10001" ];
      #"10.0.0.2" = [ "losurdo.${domain}:10002" ];
    };
    lighthouses = [ "10.0.0.1" ];
    relays = [ "10.0.0.1" ];
    # Nebula's built-in firewall is fully open in both directions. Every
    # restriction on overlay traffic therefore comes from the nftables chains
    # on `iface` below; that ruleset is the only thing limiting what peers can
    # reach on this host.
    firewall = {
      outbound = [{ port = "any"; proto = "any"; host = "any"; }];
      inbound = [{ port = "any"; proto = "any"; host = "any"; }];
    };
  };

  # Host firewall for the overlay:
  #  - input-net / output-net: admit Nebula's UDP transport on the underlay.
  #    These chains, and the hooks for `input` / `output`, are assumed to be
  #    declared by the host's base ruleset and merged with this fragment.
  #  - input-<iface>: only SSH and Mosh are reachable from overlay peers;
  #    anything else arriving on the TUN device is logged (prefix
  #    "input-<iface>: ") and dropped.
  #  - output-<iface>: ends with an unconditional `counter accept`, so all
  #    egress towards the overlay is admitted; the SSH/Mosh rules before it
  #    only count traffic and the log+drop rule for `oifname <iface>` in
  #    `output` is never reached for this interface. If egress on the overlay
  #    is meant to be restricted, that trailing accept is the line to revisit.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        udp dport ${toString port} counter accept comment "Nebula ${domain}"
      }
      chain output-net {
        udp sport ${toString port} counter accept comment "Nebula ${domain}"
      }
      chain input-${iface} {
        tcp dport ssh counter accept comment "SSH"
        udp dport 60000-60100 counter accept comment "Mosh"
      }
      chain output-${iface} {
        tcp dport ssh counter accept comment "SSH"
        udp dport 60000-60100 counter accept comment "Mosh"
        counter accept
      }
      chain input {
        iifname ${iface} jump input-${iface}
        iifname ${iface} log level warn prefix "input-${iface}: " counter drop
      }
      chain output {
        oifname ${iface} jump output-${iface}
        oifname ${iface} log level warn prefix "output-${iface}: " counter drop
      }
    }
  '';

  # NOTE(review): leftover from an earlier (WireGuard-style) configuration;
  # neither `peers` nor `wgIface` is defined anywhere in this module, so this
  # block cannot be re-enabled as-is.
  /*
  services.fail2ban.ignoreIP = lib.concatMap (host: host.peer.allowedIPs) (lib.attrValues peers);
  networking.networkmanager.unmanaged = [ wgIface ];
  */

  # Apparently required to get NAT reflection.
  services.upnpc.enable = true;
  # Ask the upstream router to forward UDP <port> to this host so remote peers
  # can reach the Nebula listener. The mapping is created before, and is a
  # requirement of, the nebula@<domain> unit. The lease is 30 minutes; renewal
  # is presumably handled by the upnpc unit upheld above — confirm.
  services.upnpc.redirections = [
    {
      description = "Nebula ${domain}";
      externalPort = port;
      protocol = "UDP";
      duration = 30 * 60;
      service.requiredBy = [ "nebula@${domain}.service" ];
      service.before = [ "nebula@${domain}.service" ];
    }
  ];

  #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
}