nebula: Enable firewall and restrict ssh access by role

This commit is contained in:
SebastianStork 2026-01-03 00:41:13 +01:00
parent 382dae6cbb
commit 61f5c54196
Signed by: SebastianStork
SSH key fingerprint: SHA256:tRrGdjYOwgHxpSc/wTOZQZEjxcb15P0tyXRsbAfd+2Q
5 changed files with 69 additions and 46 deletions


@ -33,6 +33,7 @@
nebula.node = { nebula.node = {
enable = true; enable = true;
address = "10.254.250.1"; address = "10.254.250.1";
isClient = true;
}; };
syncthing = { syncthing = {
enable = true; enable = true;


@ -36,6 +36,7 @@
nebula.node = { nebula.node = {
enable = true; enable = true;
address = "10.254.250.3"; address = "10.254.250.3";
isClient = true;
}; };
syncthing = { syncthing = {
enable = true; enable = true;


@ -34,8 +34,9 @@
nebula.node = { nebula.node = {
enable = true; enable = true;
address = "10.254.250.2"; address = "10.254.250.2";
isLighthouse = true;
routableAddress = "49.13.231.235"; routableAddress = "49.13.231.235";
isLighthouse = true;
isServer = true;
}; };
syncthing = { syncthing = {


@ -6,49 +6,58 @@
}: }:
let let
cfg = config.custom.services.nebula.node; cfg = config.custom.services.nebula.node;
peers = config.custom.services.nebula.peers;
hostname = config.networking.hostName; hostname = config.networking.hostName;
nodes = lighthouses = peers |> lib.filter (node: node.isLighthouse);
self.nixosConfigurations
|> lib.filterAttrs (name: _: name != hostname)
|> lib.attrValues
|> lib.map (value: value.config.custom.services.nebula.node)
|> lib.filter (node: node.enable);
lighthouses = nodes |> lib.filter (node: node.isLighthouse); routablePeers = peers |> lib.filter (node: node.routableAddress != null);
routableNodes = nodes |> lib.filter (node: node.routableAddress != null);
in in
{ {
options.custom.services.nebula.node = { options.custom.services.nebula = {
enable = lib.mkEnableOption ""; node = {
name = lib.mkOption { enable = lib.mkEnableOption "";
type = lib.types.nonEmptyStr; name = lib.mkOption {
default = config.networking.hostName; type = lib.types.nonEmptyStr;
}; default = hostname;
address = lib.mkOption { };
type = lib.types.nonEmptyStr; address = lib.mkOption {
default = ""; type = lib.types.nonEmptyStr;
}; default = "";
isLighthouse = lib.mkEnableOption ""; };
isLighthouse = lib.mkEnableOption "";
isServer = lib.mkEnableOption "";
isClient = lib.mkEnableOption "";
routableAddress = lib.mkOption { routableAddress = lib.mkOption {
type = lib.types.nullOr lib.types.nonEmptyStr; type = lib.types.nullOr lib.types.nonEmptyStr;
default = null; default = null;
}; };
routablePort = lib.mkOption { routablePort = lib.mkOption {
type = lib.types.nullOr lib.types.port; type = lib.types.nullOr lib.types.port;
default = if cfg.routableAddress != null then 47141 else null; default = if cfg.routableAddress != null then 47141 else null;
};
publicKeyPath = lib.mkOption {
type = lib.types.path;
default = "${self}/hosts/${hostname}/keys/nebula.pub";
};
certificatePath = lib.mkOption {
type = lib.types.path;
default = "${self}/hosts/${hostname}/keys/nebula.crt";
};
}; };
publicKeyPath = lib.mkOption { peers = lib.mkOption {
type = lib.types.path; type = lib.types.anything;
default = "${self}/hosts/${hostname}/keys/nebula.pub"; default =
}; self.nixosConfigurations
certificatePath = lib.mkOption { |> lib.filterAttrs (name: _: name != hostname)
type = lib.types.path; |> lib.attrValues
default = "${self}/hosts/${hostname}/keys/nebula.crt"; |> lib.map (value: value.config.custom.services.nebula.node)
|> lib.filter (node: node.enable);
readOnly = true;
}; };
}; };
@ -80,7 +89,7 @@ in
); );
staticHostMap = staticHostMap =
routableNodes routablePeers
|> lib.map (lighthouse: { |> lib.map (lighthouse: {
name = lighthouse.address; name = lighthouse.address;
value = lib.singleton "${lighthouse.routableAddress}:${toString lighthouse.routablePort}"; value = lib.singleton "${lighthouse.routableAddress}:${toString lighthouse.routablePort}";
@ -89,14 +98,14 @@ in
firewall = { firewall = {
outbound = lib.singleton { outbound = lib.singleton {
host = "any";
port = "any"; port = "any";
proto = "any"; proto = "any";
host = "any";
}; };
inbound = lib.singleton { inbound = lib.singleton {
host = "any";
port = "any"; port = "any";
proto = "any"; proto = "icmp";
host = "any";
}; };
}; };
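Review bot: The new role flags `isServer` and `isClient` are declared with empty `mkEnableOption` descriptions, and no use of `isServer` is visible anywhere in this diff (the only consumer shown is the sshd module's `isClient` filter), so a reader of this module cannot tell what either role grants or whether a node may be both. I would give each a description, e.g. `isClient = lib.mkEnableOption "treating this node as a client whose certificate name may be allowed through peer firewalls (e.g. to sshd)";`, and add a comment near the options that `host`-keyed Nebula firewall rules match on the certificate name, so `name` must equal the name in `certificatePath` for any such rule to match (a mismatch fails closed, silently). Separately, `peers` is typed `lib.types.anything`; since it is `readOnly` and always the derived list, `type = lib.types.listOf lib.types.attrs;` would reject a malformed value without changing the default. Minor: the `staticHostMap` lambda still names each `routablePeers` element `lighthouse` although it now iterates every routable peer, not only lighthouses.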


@ -16,14 +16,25 @@ in
config = lib.mkIf (cfg.enable && cfg.sshd.enable) { config = lib.mkIf (cfg.enable && cfg.sshd.enable) {
meta.ports.tcp = [ cfg.sshd.port ]; meta.ports.tcp = [ cfg.sshd.port ];
services.openssh = { services = {
enable = true; openssh = {
openFirewall = false; enable = true;
ports = [ ]; openFirewall = false;
listenAddresses = lib.singleton { ports = [ ];
addr = cfg.address; listenAddresses = lib.singleton {
inherit (cfg.sshd) port; addr = cfg.address;
inherit (cfg.sshd) port;
};
}; };
nebula.networks.mesh.firewall.inbound =
config.custom.services.nebula.peers
|> lib.filter (node: node.isClient)
|> lib.map (nebula: {
port = "22";
proto = "tcp";
host = nebula.name;
});
}; };
systemd.services.sshd = { systemd.services.sshd = {
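Review bot: The added `nebula.networks.mesh.firewall.inbound` rule hard-codes `port = "22"`, while sshd itself listens on `cfg.sshd.port` (both the `listenAddresses` entry and `meta.ports.tcp` above use it), so a host with a non-default `sshd.port` would open 22 to clients on the overlay and still block the port sshd actually uses; use the configured value, `port = toString cfg.sshd.port;`. The rule matches peers by certificate name (`host = nebula.name`), which is only as sound as the `name` option agreeing with the Nebula certificate, so a comment such as `# host matches the peer's Nebula certificate name; it must equal the name in its cert` above the map would save the next maintainer a silent fail-closed. The lambda parameter `nebula` is a peer node, not the nebula config, so `peer` would read better. The `config = lib.mkIf (...)` attribute set begins inside the hunk but its body continues past `systemd.services.sshd` outside it.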