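# NixOS module: opt-in membership in a Nebula mesh VPN for this host.
# One module serves both roles: a lighthouse (`enableLighthouse = true`)
# or an ordinary node that dials the lighthouse listed in `baseClient`.
{
  config,
  lib,
  ...
}:
with lib; let
  inherit (import ./shared.nix) netName interface;

  # Public CA certificate. A Nix path literal is acceptable here because the
  # CA cert is not secret (path literals are copied into the world-readable
  # Nix store).
  ca = ../../keys/ca.crt;

  # Nebula's own firewall for the overlay. Because the host firewall trusts
  # `interface` unconditionally (see `trustedInterfaces` below), these rules
  # are the only filter applied to traffic arriving over the mesh.
  baseFirewall = {
    outbound = [
      # Allow all outbound traffic
      {
        port = "any";
        proto = "any";
        host = "any";
      }
    ];
    inbound = [
      # Allow pings from anyone
      {
        port = "any";
        proto = "icmp";
        host = "any";
      }
      # Allow anything from `internal` group
      {
        port = "any";
        proto = "any";
        groups = ["internal"];
      }
      # Allow SSH from anyone
      {
        port = 22;
        proto = "tcp";
        host = "any";
      }
    ];
  };

  # Settings applied only to lighthouses: listen on all addresses on
  # Nebula's default port 4242.
  baseServer = {
    isLighthouse = true;

    listen = {
      host = "0.0.0.0";
      port = 4242;
    };
  };

  # Settings applied only to non-lighthouse nodes: the lighthouse's overlay
  # address mapped to its public underlay endpoint, plus NAT hole punching.
  baseClient = let
    lhs = {"10.13.0.1" = ["66.23.198.122:4242"];};
    lhsInternal = attrNames lhs;
  in {
    lighthouses = lhsInternal;
    staticHostMap = lhs;

    settings.punchy = {
      punch = true;
      respond = true;
    };
  };

  cfg = config.gen.nebula;
in {
  options.gen.nebula = {
    enable = mkEnableOption "nebula mesh vpn";
    enableLighthouse = mkEnableOption "lighthouse functionality";

    # NOTE: set `cert` and `key` to string paths of files provisioned at
    # runtime (e.g. by a secrets manager), not to Nix path literals: a path
    # literal is copied into the world-readable /nix/store, which would
    # expose the node's private key.
    cert = mkOption {
      type = types.path;
      description = "nebula node cert path";
    };
    key = mkOption {
      type = types.path;
      description = "nebula node key path";
    };

    extraInbound = mkOption {
      type = types.listOf types.attrs;
      # Default to no extra rules. Without a default, enabling the module
      # without setting this option fails evaluation when `inbound` below
      # reads `cfg.extraInbound`.
      default = [];
      description = "extra inbound firewall rules";
    };
  };

  config = mkIf cfg.enable {
    # The host firewall accepts everything from the Nebula interface, so
    # filtering of mesh traffic is delegated entirely to `baseFirewall`.
    networking.firewall.trustedInterfaces = [interface];

    services.nebula.networks.${netName} = mkMerge [
      {
        inherit ca;
        inherit (cfg) cert key;

        firewall = {
          inherit (baseFirewall) outbound;
          # Host-specific rules are appended after the shared base rules.
          inbound = baseFirewall.inbound ++ cfg.extraInbound;
        };
      }
      (mkIf cfg.enableLighthouse baseServer)
      (mkIf (!cfg.enableLighthouse) baseClient)
    ];
  };
}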