infra/nixos/hosts/silver/services/nebula.nix

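{config, ...}: let
  netName = "m-infra"; # TODO: hardcoding

  # The nixpkgs nebula module runs each network as a dedicated user/group named
  # after the network; the key secret below is owned by that identity so no
  # other service account can read it.
  # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12
  userGroup = "nebula-${netName}";
  interface = "nebula.${netName}";

  # Single source of truth for the UDP port nebula listens on. It is used both
  # for the listener and for the host-firewall opening so the two cannot drift
  # apart (previously the literal 4242 was repeated in both places).
  listenPort = 4242;
in {
  # Private key for this node's nebula certificate, provisioned via sops.
  # Read-only for the nebula user/group (0440); not world-readable.
  sops.secrets."svc-nebula-key" = {
    mode = "0440";
    owner = userGroup;
    group = userGroup;
  };

  networking.firewall = {
    # Traffic arriving on the overlay interface bypasses the host firewall
    # entirely, so inbound policy for overlay traffic is enforced solely by
    # the nebula firewall rules in `firewall.inbound` below.
    trustedInterfaces = [interface];
    # Underlay: other nodes reach this lighthouse/relay over UDP on listenPort.
    allowedUDPPorts = [listenPort];
  };

  services.nebula.networks.${netName} = {
    ca = ../../../keys/ca.crt;
    cert = ../../../keys/lh-silver.crt;
    key = config.sops.secrets."svc-nebula-key".path;
    # This node is a lighthouse (peer discovery) and a relay (forwards traffic
    # for peers that cannot reach each other directly).
    isLighthouse = true;
    isRelay = true;
    listen = {
      host = "0.0.0.0"; # IPv4 wildcard; binds on every underlay address.
      port = listenPort;
    };
    # Overlay firewall. "any" in these rules means any peer presenting a
    # certificate signed by the CA above -- not any host on the internet.
    # `groups` are taken from the peer's certificate, so membership is
    # controlled by the CA, not by the peer.
    firewall.outbound = [
      {
        port = "any";
        proto = "any";
        host = "any";
      }
    ];
    firewall.inbound = [
      # Allow pings from anyone
      {
        port = "any";
        proto = "icmp";
        host = "any";
      }
      # Allow anything from `internal` group
      {
        port = "any";
        proto = "any";
        groups = ["internal"];
      }
      # Allow SSH from anyone
      {
        port = 22;
        proto = "tcp";
        host = "any";
      }
    ];
  };
}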