{config, ...}: let
  # Name of the Nebula network; it also selects the service user/group and the
  # tun interface that the nixpkgs nebula module derives from it.
  netName = "m-infra";

  # The nixpkgs module runs each network as user/group "nebula-<netName>"; see
  # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12
  userGroup = "nebula-${netName}";

  # Tun interface the module creates for this network.
  interface = "nebula.${netName}";

  # Lighthouses keyed by overlay address, each mapped to the public endpoints
  # it can be reached at (this is Nebula's static_host_map shape).
  lighthouseMap = {"10.13.0.1" = ["min.rip:4242"];}; # TODO: hardcoding

  # Overlay addresses of the lighthouses, taken from the map's keys.
  lighthouseAddrs = builtins.attrNames lighthouseMap;
in {
  # The private key is delivered by sops at activation rather than being
  # committed to the repo; 0440 plus owner/group limits it to the service user.
  sops.secrets."nebula-key" = {
    mode = "0440";
    owner = userGroup;
    group = userGroup;
  };

  # The host firewall accepts everything arriving on the overlay interface, so
  # the Nebula firewall rules below are the only filter for overlay traffic.
  networking.firewall.trustedInterfaces = [interface];

  services.nebula.networks.${netName} = {
    # ca/cert are public PEMs and may live in the repo (relative paths are
    # copied into the world-readable Nix store); the private key must not be,
    # so it is read from the sops-managed path instead.
    ca = ../../keys/ca.crt;
    cert = ../../keys/n-srv-eidola.crt;
    key = config.sops.secrets."nebula-key".path;

    lighthouses = lighthouseAddrs;
    relays = lighthouseAddrs;
    staticHostMap = lighthouseMap;

    # Keep sending punch packets at an interval so NAT mappings do not expire.
    settings = {
      punchy = {
        punch = true;
      };
    };

    firewall = {
      # Unrestricted egress toward any peer on the overlay.
      outbound = [
        {
          port = "any";
          proto = "any";
          host = "any";
        }
      ];

      # Ingress over the overlay. host = "any" matches any peer presenting a
      # certificate signed by the CA above; group rules match the groups
      # embedded in the peer's certificate.
      inbound = [
        # Allow pings from anyone
        {
          port = "any";
          proto = "icmp";
          host = "any";
        }
        # Allow anything from `internal` group
        {
          port = "any";
          proto = "any";
          groups = ["internal"];
        }
        # Allow SSH from anyone
        {
          port = 22;
          proto = "tcp";
          host = "any";
        }
        # Allow `kube-apiserver` from anyone
        {
          port = 6443;
          proto = "tcp";
          host = "any";
        }
      ];
    };
  };
}