nebula: Enable firewall and restrict ssh access by role

hosts/desktop/default.nix

@@ -33,6 +33,7 @@
       nebula.node = {
         enable = true;
         address = "10.254.250.1";
+        isClient = true;
       };
       syncthing = {
         enable = true;

hosts/laptop/default.nix

@@ -36,6 +36,7 @@
       nebula.node = {
         enable = true;
         address = "10.254.250.3";
+        isClient = true;
       };
       syncthing = {
         enable = true;

hosts/vps-private/default.nix

@@ -34,8 +34,9 @@
         nebula.node = {
           enable = true;
           address = "10.254.250.2";
-          isLighthouse = true;
           routableAddress = "49.13.231.235";
+          isLighthouse = true;
+          isServer = true;
         };
 
         syncthing = {

modules/system/services/nebula/default.nix

@@ -6,32 +6,29 @@
 }:
 let
   cfg = config.custom.services.nebula.node;
+  peers = config.custom.services.nebula.peers;
 
   hostname = config.networking.hostName;
 
-  nodes =
+  lighthouses = peers |> lib.filter (node: node.isLighthouse);
-    self.nixosConfigurations
-    |> lib.filterAttrs (name: _: name != hostname)
-    |> lib.attrValues
-    |> lib.map (value: value.config.custom.services.nebula.node)
-    |> lib.filter (node: node.enable);
 
-  lighthouses = nodes |> lib.filter (node: node.isLighthouse);
+  routablePeers = peers |> lib.filter (node: node.routableAddress != null);
-
-  routableNodes = nodes |> lib.filter (node: node.routableAddress != null);
 in
 {
-  options.custom.services.nebula.node = {
+  options.custom.services.nebula = {
+    node = {
       enable = lib.mkEnableOption "";
       name = lib.mkOption {
         type = lib.types.nonEmptyStr;
-      default = config.networking.hostName;
+        default = hostname;
       };
       address = lib.mkOption {
         type = lib.types.nonEmptyStr;
         default = "";
       };
       isLighthouse = lib.mkEnableOption "";
+      isServer = lib.mkEnableOption "";
+      isClient = lib.mkEnableOption "";
 
       routableAddress = lib.mkOption {
         type = lib.types.nullOr lib.types.nonEmptyStr;
@@ -52,6 +49,18 @@ in
       };
     };
 
+    peers = lib.mkOption {
+      type = lib.types.anything;
+      default =
+        self.nixosConfigurations
+        |> lib.filterAttrs (name: _: name != hostname)
+        |> lib.attrValues
+        |> lib.map (value: value.config.custom.services.nebula.node)
+        |> lib.filter (node: node.enable);
+      readOnly = true;
+    };
+  };
+
   config = lib.mkIf cfg.enable {
     meta.ports.udp = lib.optional (cfg.routablePort != null) cfg.routablePort;
 
@@ -80,7 +89,7 @@ in
       );
 
       staticHostMap =
-        routableNodes
+        routablePeers
         |> lib.map (lighthouse: {
           name = lighthouse.address;
           value = lib.singleton "${lighthouse.routableAddress}:${toString lighthouse.routablePort}";
@@ -89,14 +98,14 @@ in
 
       firewall = {
         outbound = lib.singleton {
-          host = "any";
           port = "any";
           proto = "any";
+          host = "any";
         };
         inbound = lib.singleton {
-          host = "any";
           port = "any";
-          proto = "any";
+          proto = "icmp";
+          host = "any";
         };
       };
 

modules/system/services/nebula/sshd.nix

@@ -16,7 +16,8 @@ in
   config = lib.mkIf (cfg.enable && cfg.sshd.enable) {
     meta.ports.tcp = [ cfg.sshd.port ];
 
-    services.openssh = {
+    services = {
+      openssh = {
         enable = true;
         openFirewall = false;
         ports = [ ];
@@ -26,6 +27,16 @@ in
         };
       };
 
+      nebula.networks.mesh.firewall.inbound =
+        config.custom.services.nebula.peers
+        |> lib.filter (node: node.isClient)
+        |> lib.map (nebula: {
+          port = "22";
+          proto = "tcp";
+          host = nebula.name;
+        });
+    };
+
     systemd.services.sshd = {
       requires = [ "nebula@mesh.service" ];
       after = [ "nebula@mesh.service" ];