# NixOS module: this host's membership in the "sourcephile.fr" Nebula overlay.
# The node acts as lighthouse and relay, receives its Nebula host key as an
# encrypted systemd credential, and carries the nftables rules for the underlay
# UDP port and for traffic crossing the overlay TUN device.
{ pkgs, lib, inputs, hostName, ... }:
let
  domain = "sourcephile.fr";
  # Underlay UDP port this node listens on. staticHostMap below records the
  # other nodes' ports (losurdo on 10002; the commented mermet entry on 10001,
  # which matches this value — presumably this module is the mermet side).
  port = 10001;
  # TUN device Nebula creates; the nftables chains below key on this name.
  iface = "neb-sourcephile";
  # Directory next to this file holding the systemd-creds-encrypted host keys.
  credDir = ./nebula;
  # Where systemd exposes the decrypted credential to the Nebula unit only.
  credRuntimeDir = "/run/credentials/nebula@${domain}.service";
  # Nebula's own firewall passes everything in both directions; the host
  # nftables chains on `iface` are the effective filter for overlay traffic.
  allowAll = { port = "any"; proto = "any"; host = "any"; };
in
{
  environment.systemPackages = [ pkgs.nebula ];

  # The *.key.cred path is interpolated into a string, so the file is copied
  # into the world-readable Nix store: only the encrypted form may ever be
  # placed here. systemd decrypts it at unit start into credRuntimeDir, which
  # is where `key` below points.
  systemd.services."nebula@${domain}".serviceConfig.LoadCredentialEncrypted = [
    "${hostName}.key:${credDir + "/${hostName}.key.cred"}"
  ];

  services.nebula.networks.${domain} = {
    enable = true;
    # CA and per-host certificate are public material shipped in the flake.
    ca = inputs.self + "/share/nebula/${domain}/ca.crt";
    cert = inputs.self + "/share/nebula/${domain}/${hostName}.crt";
    key = "${credRuntimeDir}/${hostName}.key";
    # Bind on every underlay address; chain input-net below admits the port.
    listen = {
      host = "0.0.0.0";
      inherit port;
    };
    isLighthouse = true;
    isRelay = true;
    tun.device = iface;
    staticHostMap = {
      #"10.0.0.1" = [ "mermet.${domain}:10001" ];
      "10.0.0.2" = [ "losurdo.${domain}:10002" ];
    };
    # NOTE(review): this node is itself a lighthouse yet lists 10.0.0.2 as an
    # upstream lighthouse; Nebula's reference config asks for this list to be
    # empty on lighthouse nodes — confirm this is intended.
    lighthouses = [ "10.0.0.2" ];
    relays = [
      #"10.0.0.2"
    ];
    firewall = {
      outbound = [ allowAll ];
      inbound = [ allowAll ];
    };
  };

  # Underlay: input-net/output-net admit Nebula's UDP port (nothing in this
  # fragment jumps to them; presumably another module's ruleset dispatches).
  # Overlay: on `iface` only SSH and Mosh (UDP 60000-60100) are accepted
  # inbound; everything else is logged at warn level and dropped. Outbound on
  # `iface` ends in an unconditional accept, so the log/drop line in chain
  # output never fires for this device.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        udp dport ${toString port} counter accept comment "Nebula ${domain}"
      }
      chain output-net {
        udp sport ${toString port} counter accept comment "Nebula ${domain}"
      }
      chain input-${iface} {
        tcp dport ssh counter accept comment "SSH"
        udp dport 60000-60100 counter accept comment "Mosh"
      }
      chain output-${iface} {
        tcp dport ssh counter accept comment "SSH"
        udp dport 60000-60100 counter accept comment "Mosh"
        counter accept
      }
      chain input {
        iifname ${iface} jump input-${iface}
        iifname ${iface} log level warn prefix "input-${iface}: " counter drop
      }
      chain output {
        oifname ${iface} jump output-${iface}
        oifname ${iface} log level warn prefix "output-${iface}: " counter drop
      }
    }
  '';

  /* Leftover, disabled: `peers` and `wgIface` are not defined in this module.
  services.fail2ban.ignoreIP = lib.concatMap (host: host.peer.allowedIPs) (lib.attrValues peers);
  networking.networkmanager.unmanaged = [ wgIface ];
  */
}