nix: update input julm-nix

[sourcephile-nix.git] / hosts / mermet / nebula.nix

diff --git a/hosts/mermet/nebula.nix b/hosts/mermet/nebula.nix
index 20bd0bd1292485edd218438a1bd540b34bd454ed..0e0be8a683d92cf3ea3fbb2ea50f84c413fac40a 100644 (file)
--- a/hosts/mermet/nebula.nix
+++ b/hosts/mermet/nebula.nix
@@ -1,69 +1,26 @@
-{ pkgs, lib, inputs, hostName, ... }:
+{ pkgs, lib, config, inputs, ... }:
 let
   domain = "sourcephile.fr";
   port = 10001;
-  iface = "neb-sourcephile";
+  ipv4Prefix = "10.0.0";
 in
 {
-  environment.systemPackages = with pkgs; [ nebula ];
-  systemd.services."nebula@${domain}".serviceConfig.LoadCredentialEncrypted = [
-    "${hostName}.key:${nebula/. + "/${hostName}.key.cred"}"
+  imports = [
+    (inputs.julm-nix + "/share/nebula/sourcephile.fr.nix")
   ];
   services.nebula.networks.${domain} = {
     enable = true;
-    ca = inputs.self + "/share/nebula/${domain}/ca.crt";
-    cert = inputs.self + "/share/nebula/${domain}/${hostName}.crt";
-    key = "/run/credentials/nebula@${domain}.service/${hostName}.key";
-    listen = { host = "0.0.0.0"; port = port; };
+    listen.port = port;
     isLighthouse = true;
     isRelay = true;
-    tun.device = iface;
-    staticHostMap = {
-      #"10.0.0.1" = [ "mermet.${domain}:10001" ];
-      "10.0.0.2" = [ "losurdo.${domain}:10002" ];
-    };
-    lighthouses = [
-      "10.0.0.2"
-    ];
-    relays = [
-      #"10.0.0.2"
-    ];
     firewall = {
       outbound = [{ port = "any"; proto = "any"; host = "any"; }];
       inbound = [{ port = "any"; proto = "any"; host = "any"; }];
     };
   };
   networking.nftables.ruleset = ''
-    table inet filter {
-      chain input-net {
-        udp dport ${toString port} counter accept comment "Nebula ${domain}"
-      }
-      chain output-net {
-        udp sport ${toString port} counter accept comment "Nebula ${domain}"
-      }
-      chain input-${iface} {
-        tcp dport ssh counter accept comment "SSH"
-        udp dport 60000-60100 counter accept comment "Mosh"
-      }
-      chain output-${iface} {
-        tcp dport ssh counter accept comment "SSH"
-        udp dport 60000-60100 counter accept comment "Mosh"
-        counter accept
-      }
-      chain input {
-        iifname ${iface} jump input-${iface}
-        iifname ${iface} log level warn prefix "input-${iface}: " counter drop
-      }
-      chain output {
-        oifname ${iface} jump output-${iface}
-        oifname ${iface} log level warn prefix "output-${iface}: " counter drop
-      }
-    }
   '';
-  /*
-    services.fail2ban.ignoreIP = lib.concatMap
-    (host: host.peer.allowedIPs)
-    (lib.attrValues peers);
-    networking.networkmanager.unmanaged = [ wgIface ];
-  */
+  services.fail2ban.ignoreIP = [
+    "${ipv4Prefix}.1/24"
+  ];
 }