{ config, ... }:
let
  # Name of the nebula network; also keys the service and secret attrsets below.
  netName = "m-infra";

  # TODO: hardcoding
  # The nebula module derives its service user/group as "nebula-<netName>":
  # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12
  userGroup = "nebula-${netName}";

  # sops secret holding this node's nebula private key.
  keySecret = "svc-nebula-key";

  # UDP port the lighthouse listens on; reused for the host firewall rule.
  nebulaPort = 4242;

  # Firewall rule matching every port, protocol and host.
  matchAll = {
    port = "any";
    proto = "any";
    host = "any";
  };
in
{
  # Key file is readable only by the nebula service user/group (0440),
  # never world-readable.
  sops.secrets.${keySecret} = {
    mode = "0440";
    owner = userGroup;
    group = userGroup;
  };

  services.nebula.networks.${netName} = {
    ca = ../../../keys/ca.crt;
    cert = ../../../keys/lh-silver.crt;
    # Path is resolved by sops at activation; do not point this at the repo.
    key = config.sops.secrets.${keySecret}.path;

    # This node acts as both lighthouse and relay for the network.
    isLighthouse = true;
    isRelay = true;

    # Lighthouses must be reachable by every peer, hence all interfaces.
    listen = {
      host = "0.0.0.0";
      port = nebulaPort;
    };

    # Outbound is unrestricted within the overlay.
    firewall.outbound = [ matchAll ];

    firewall.inbound = [
      # Allow pings from anyone
      {
        port = "any";
        proto = "icmp";
        host = "any";
      }
      # Allow SSH from `internal` group
      {
        port = 12208;
        proto = "tcp";
        groups = [ "internal" ];
      }
    ];
  };

  # Open the underlay (host) firewall for the lighthouse's UDP listener.
  networking.firewall.allowedUDPPorts = [ nebulaPort ];
}