{config, ...}: let
  # Nebula overlay network name. The user/group, interface and unit names below
  # follow the scheme the upstream module derives from the network name:
  # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12
  netName = "m-infra";
  userGroup = "nebula-${netName}";
  interface = "nebula.${netName}";
  service = "nebula@${netName}.service";

  # Lighthouse table: overlay address -> underlay endpoint(s).
  # TODO: hardcoding
  lhs = {"10.13.0.1" = ["min.rip:4242"];};
  # Overlay addresses only; used both as lighthouses and as relays.
  lhsInt = builtins.attrNames lhs;

  # Nebula firewall rule open to every peer of the overlay. In Nebula rule terms
  # "any" means any host presenting a certificate signed by `ca` below -- it is
  # not exposure to the public internet, but it is exposure to every enrolled node.
  fromAnyPeer = proto: port: {
    inherit port proto;
    host = "any";
  };
in {
  # Private key is decrypted by sops at activation; readable only by the
  # service's own user/group (0440), never world-readable.
  sops.secrets."nebula-key" = {
    mode = "0440";
    owner = userGroup;
    group = userGroup;
  };

  # SECURITY NOTE: NixOS accepts all traffic arriving on a trusted interface, so
  # the host firewall does not filter overlay traffic at all. Filtering of what
  # overlay peers may reach is delegated entirely to `firewall.inbound` below.
  networking.firewall.trustedInterfaces = [interface];

  # Make sure sshd starts after nebula.
  # NOTE: `after` only orders the two units; it does not make sshd pull nebula
  # in, so sshd still comes up if nebula is disabled or fails.
  systemd.services.sshd.after = [service];

  services.nebula.networks.${netName} = {
    ca = ../../keys/ca.crt;
    cert = ../../keys/n-srv-eidola.crt;
    key = config.sops.secrets."nebula-key".path;
    lighthouses = lhsInt;
    relays = lhsInt;
    staticHostMap = lhs;
    # Hole punching towards the lighthouse for peers behind NAT.
    settings = {
      punchy = {
        punch = true;
      };
    };
    firewall = {
      # Unrestricted egress towards any overlay peer.
      outbound = [
        (fromAnyPeer "any" "any")
      ];
      # Ingress is allow-list only; anything not matched here is dropped by Nebula.
      inbound = [
        # ICMP (pings) from any overlay peer.
        (fromAnyPeer "icmp" "any")
        # Full access for peers whose certificate carries the `internal` group.
        {
          port = "any";
          proto = "any";
          groups = ["internal"];
        }
        # SSH from any overlay peer.
        (fromAnyPeer "tcp" 22)
        # kube-apiserver from any overlay peer.
        (fromAnyPeer "tcp" 6443)
        # Proxmox web UI from any overlay peer.
        (fromAnyPeer "tcp" 8006)
        # iperf3 (tcp and udp) from any overlay peer.
        (fromAnyPeer "any" 5201)
      ];
    };
  };
}