-{ pkgs, lib, inputs, hostName, ... }:
+{ pkgs, lib, config, inputs, ... }:
let
domain = "sourcephile.fr";
port = 10002;
- iface = "neb-sourcephile";
+ ipv4Prefix = "10.0.0";
in
{
- environment.systemPackages = with pkgs; [ nebula ];
- systemd.services."nebula@${domain}" = {
- serviceConfig = {
- LoadCredentialEncrypted = [
- "${hostName}.key:${nebula/. + "/${hostName}.key.cred"}"
- ];
- };
- unitConfig = {
- Upholds = [ "upnpc-${toString port}.service" ];
- };
- };
+ imports = [
+ (inputs.julm-nix + "/share/nebula/sourcephile.fr.nix")
+ ];
services.nebula.networks.${domain} = {
enable = true;
- ca = inputs.self + "/share/nebula/${domain}/ca.crt";
- cert = inputs.self + "/share/nebula/${domain}/${hostName}.crt";
- key = "/run/credentials/nebula@${domain}.service/${hostName}.key";
- listen = { host = "0.0.0.0"; port = port; };
+ listen.port = port;
isLighthouse = true;
isRelay = false;
- tun.device = iface;
- staticHostMap = {
- "10.0.0.1" = [ "mermet.${domain}:10001" ];
- #"10.0.0.2" = [ "losurdo.${domain}:10002" ];
- };
- lighthouses = [
- "10.0.0.1"
- ];
- relays = [
- "10.0.0.1"
- ];
firewall = {
outbound = [{ port = "any"; proto = "any"; host = "any"; }];
inbound = [{ port = "any"; proto = "any"; host = "any"; }];
};
};
networking.nftables.ruleset = ''
- table inet filter {
- chain input-net {
- udp dport ${toString port} counter accept comment "Nebula ${domain}"
- }
- chain output-net {
- udp sport ${toString port} counter accept comment "Nebula ${domain}"
- }
- chain input-${iface} {
- tcp dport ssh counter accept comment "SSH"
- udp dport 60000-60100 counter accept comment "Mosh"
- }
- chain output-${iface} {
- tcp dport ssh counter accept comment "SSH"
- udp dport 60000-60100 counter accept comment "Mosh"
- counter accept
- }
- chain input {
- iifname ${iface} jump input-${iface}
- iifname ${iface} log level warn prefix "input-${iface}: " counter drop
- }
- chain output {
- oifname ${iface} jump output-${iface}
- oifname ${iface} log level warn prefix "output-${iface}: " counter drop
- }
- }
'';
- /*
- services.fail2ban.ignoreIP = lib.concatMap
- (host: host.peer.allowedIPs)
- (lib.attrValues peers);
- networking.networkmanager.unmanaged = [ wgIface ];
- */
+ services.fail2ban.ignoreIP = [
+ "${ipv4Prefix}.1/24"
+ ];
+ networking.networkmanager.unmanaged = [ config.services.nebula.networks.${domain}.tun.device ];
# Apparently required to get NAT reflection.
services.upnpc.enable = true;
services.upnpc.redirections = [
service.before = [ "nebula@${domain}.service" ];
}
];
+ systemd.services."nebula@${domain}" = {
+ unitConfig = {
+ Upholds = [ "upnpc-${toString port}.service" ];
+ };
+ };
#boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
}
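Review bot: Deleting the whole `table inet filter` body (L50–L74) removes the only visible rules that restricted traffic on the Nebula tun interface to SSH and Mosh and log-dropped everything else, while the Nebula-level firewall at L46 still admits `inbound = [{ port = "any"; proto = "any"; host = "any"; }]`; if the imported `share/nebula/sourcephile.fr.nix` now supplies equivalent per-interface nftables rules, a comment on the `imports` line saying so would let a reader confirm that, otherwise this is a net loosening of the overlay-side policy. The change also leaves `networking.nftables.ruleset = '' '';` as an empty heredoc; either drop the attribute or state what is expected to fill it. The new `services.fail2ban.ignoreIP = [ "${ipv4Prefix}.1/24" ]` exempts every overlay peer from brute-force protection, and the host bits in `10.0.0.1/24` read as if a single address were meant; `"${ipv4Prefix}.0/24"` states the intent unambiguously, and a comment such as `# Whole Nebula overlay; peers are authenticated by their Nebula certificates` would justify the exemption. The `listen.host = "0.0.0.0"` removal at L29/L30 presumably relies on the module's default bind address; worth confirming it is not narrower than before.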