knot: sourcephile.fr: setup lebureau as a secondary NS
[sourcephile-nix.git] / hosts / losurdo / nebula.nix
index 31591c9a9c31a03eb858a7d11322f16861eba421..6ad5e229d5fa2e0736e9fd522d86e929547b36ec 100644 (file)
@@ -1,78 +1,29 @@
-{ pkgs, lib, inputs, hostName, ... }:
+{ pkgs, lib, config, inputs, ... }:
 let
   domain = "sourcephile.fr";
   port = 10002;
-  iface = "neb-sourcephile";
+  ipv4Prefix = "10.0.0";
 in
 {
-  environment.systemPackages = with pkgs; [ nebula ];
-  systemd.services."nebula@${domain}" = {
-    serviceConfig = {
-      LoadCredentialEncrypted = [
-        "${hostName}.key:${nebula/. + "/${hostName}.key.cred"}"
-      ];
-    };
-    unitConfig = {
-      Upholds = [ "upnpc-${toString port}.service" ];
-    };
-  };
+  imports = [
+    (inputs.julm-nix + "/share/nebula/sourcephile.fr.nix")
+  ];
   services.nebula.networks.${domain} = {
     enable = true;
-    ca = inputs.self + "/share/nebula/${domain}/ca.crt";
-    cert = inputs.self + "/share/nebula/${domain}/${hostName}.crt";
-    key = "/run/credentials/nebula@${domain}.service/${hostName}.key";
-    listen = { host = "0.0.0.0"; port = port; };
+    listen.port = port;
     isLighthouse = true;
     isRelay = false;
-    tun.device = iface;
-    staticHostMap = {
-      "10.0.0.1" = [ "mermet.${domain}:10001" ];
-      #"10.0.0.2" = [ "losurdo.${domain}:10002" ];
-    };
-    lighthouses = [
-      "10.0.0.1"
-    ];
-    relays = [
-      "10.0.0.1"
-    ];
     firewall = {
       outbound = [{ port = "any"; proto = "any"; host = "any"; }];
       inbound = [{ port = "any"; proto = "any"; host = "any"; }];
     };
   };
   networking.nftables.ruleset = ''
-    table inet filter {
-      chain input-net {
-        udp dport ${toString port} counter accept comment "Nebula ${domain}"
-      }
-      chain output-net {
-        udp sport ${toString port} counter accept comment "Nebula ${domain}"
-      }
-      chain input-${iface} {
-        tcp dport ssh counter accept comment "SSH"
-        udp dport 60000-60100 counter accept comment "Mosh"
-      }
-      chain output-${iface} {
-        tcp dport ssh counter accept comment "SSH"
-        udp dport 60000-60100 counter accept comment "Mosh"
-        counter accept
-      }
-      chain input {
-        iifname ${iface} jump input-${iface}
-        iifname ${iface} log level warn prefix "input-${iface}: " counter drop
-      }
-      chain output {
-        oifname ${iface} jump output-${iface}
-        oifname ${iface} log level warn prefix "output-${iface}: " counter drop
-      }
-    }
   '';
-  /*
-    services.fail2ban.ignoreIP = lib.concatMap
-    (host: host.peer.allowedIPs)
-    (lib.attrValues peers);
-    networking.networkmanager.unmanaged = [ wgIface ];
-  */
+  services.fail2ban.ignoreIP = [
+    "${ipv4Prefix}.1/24"
+  ];
+  networking.networkmanager.unmanaged = [ config.services.nebula.networks.${domain}.tun.device ];
   # Apparently required to get NAT reflection.
   services.upnpc.enable = true;
   services.upnpc.redirections = [
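Review bot: `networking.nftables.ruleset` is now assigned an empty string, so the accept for `udp dport ${toString port}` and the per-interface chains that restricted the nebula tun device to SSH and Mosh and logged-and-dropped everything else no longer exist in this file, while the nebula-level `firewall.inbound`/`outbound` rules remain any/any/any. If the imported `share/nebula/sourcephile.fr.nix` from julm-nix reinstates those rules (not visible here), the empty assignment is dead and should be removed; if it does not, the tun interface is left unfiltered and the lighthouse port may not be reachable, which is worth confirming before merging. A comment such as `# nftables rules for the nebula port and tun device are provided by the imported julm-nix module` would record where the filtering went. Separately, `"${ipv4Prefix}.1/24"` combines a host address with a /24 prefix; if the whole overlay is meant to be ignored by fail2ban, `"${ipv4Prefix}.0/24"` states that directly, and if only the lighthouse host is meant, drop the prefix length.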
@@ -85,5 +36,10 @@ in
       service.before = [ "nebula@${domain}.service" ];
     }
   ];
+  systemd.services."nebula@${domain}" = {
+    unitConfig = {
+      Upholds = [ "upnpc-${toString port}.service" ];
+    };
+  };
   #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
 }