51 lines
1.0 KiB
Nix
51 lines
1.0 KiB
Nix
|
{config, ...}: let
|
||
|
|
netName = "m-infra";
|
||
|
|
# https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12
|
||
|
|
userGroup = "nebula-${netName}";
|
||
|
|
in {
|
||
|
|
sops.secrets."svc-nebula-key" = {
|
||
|
|
mode = "0440";
|
||
|
|
owner = userGroup;
|
||
|
|
group = userGroup;
|
||
|
|
};
|
||
|
|
|
||
|
|
services.nebula.networks.${netName} = {
|
||
|
|
ca = ../../../keys/ca.crt;
|
||
|
|
cert = ../../../keys/lh-silver.crt;
|
||
|
|
key = config.sops.secrets."svc-nebula-key".path;
|
||
|
|
|
||
|
|
isLighthouse = true;
|
||
|
|
isRelay = true;
|
||
|
|
|
||
|
|
listen = {
|
||
|
|
host = "0.0.0.0";
|
||
|
|
port = 4242;
|
||
|
|
};
|
||
|
|
|
||
|
|
firewall.outbound = [
|
||
|
|
{
|
||
|
|
port = "any";
|
||
|
|
proto = "any";
|
||
|
|
host = "any";
|
||
|
|
}
|
||
|
|
];
|
||
|
|
|
||
|
|
firewall.inbound = [
|
||
|
|
# Allow pings from anyone
|
||
|
|
{
|
||
|
|
port = "any";
|
||
|
|
proto = "icmp";
|
||
|
|
host = "any";
|
||
|
|
}
|
||
|
|
# Allow SSH from `internal` group
|
||
|
|
{
|
||
|
|
port = 12208;
|
||
|
|
proto = "tcp";
|
||
|
|
groups = ["internal"];
|
||
|
|
}
|
||
|
|
];
|
||
|
|
};
|
||
|
|
|
||
|
|
networking.firewall.allowedUDPPorts = [4242];
|
||
|
|
}
|