{config, ...}: let
  # Name of the Nebula overlay network; the service user/group and the TUN
  # interface name are both derived from it below.
  # TODO: hardcoding
  # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12
  netName = "m-infra";
  # The nixpkgs nebula module runs each network as "nebula-<netName>", so the
  # key secret must be readable by exactly that identity.
  userGroup = "nebula-${netName}";
  interface = "nebula.${netName}";
  # UDP port the lighthouse listens on; the same value is opened on the host
  # firewall so the two settings cannot drift apart.
  nebulaPort = 4242;
in {
  # Private key is delivered by sops: owner/group-readable only, no world bit,
  # and never written to the Nix store.
  sops.secrets."svc-nebula-key" = {
    mode = "0440";
    owner = userGroup;
    group = userGroup;
  };

  networking.firewall = {
    # Traffic arriving on the overlay interface is accepted unconditionally by
    # the host firewall, so the effective access policy for overlay peers is the
    # services.nebula firewall.inbound list below.
    trustedInterfaces = [interface];
    # Nebula's UDP transport must be reachable from the underlay by peers and
    # other lighthouses.
    allowedUDPPorts = [nebulaPort];
  };

  services.nebula.networks.${netName} = {
    ca = ../../../keys/ca.crt;
    cert = ../../../keys/lh-silver.crt;
    # Path to the decrypted secret on disk, resolved at activation time.
    key = config.sops.secrets."svc-nebula-key".path;
    isLighthouse = true;
    isRelay = true;
    listen = {
      host = "0.0.0.0";
      port = nebulaPort;
    };
    # Note: `host = "any"` is scoped to the overlay, i.e. peers that complete a
    # Nebula handshake with a certificate signed by the CA above; it does not
    # expose these ports to the underlay network.
    firewall = {
      outbound = [
        { port = "any"; proto = "any"; host = "any"; }
      ];
      inbound = [
        # ICMP from every overlay peer
        { port = "any"; proto = "icmp"; host = "any"; }
        # Unrestricted access for peers whose certificate carries the `internal` group
        { port = "any"; proto = "any"; groups = ["internal"]; }
        # SSH from every overlay peer
        { port = 22; proto = "tcp"; host = "any"; }
        # kube-apiserver from every overlay peer
        { port = 6443; proto = "tcp"; host = "any"; }
      ];
    };
  };
}