SebastianStork/nixos-config
1
0
Fork 0
mirror of https://github.com/SebastianStork/nixos-config.git synced 2026-03-22 17:49:07 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

overlay, nebula: Add functionality to accommodate port forwarding

Browse source
This commit is contained in:
SebastianStork 2026-03-04 19:14:34 +01:00
parent d9a85536a2
commit 96c4dbe626
Signed by: SebastianStork
SSH key fingerprint: SHA256:tRrGdjYOwgHxpSc/wTOZQZEjxcb15P0tyXRsbAfd+2Q
2 changed files with 28 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

16
modules/nixos/networking/overlay.nix
View file

@ -51,6 +51,22 @@ in
}; };
isLighthouse = lib.mkEnableOption ""; isLighthouse = lib.mkEnableOption "";
advertise = {
address = lib.mkOption {
type = lib.types.nullOr lib.types.nonEmptyStr;
default =
if config.custom.networking.underlay.isPublic then
config.custom.networking.underlay.address
else
null;
};
port = lib.mkOption {
type = lib.types.nullOr lib.types.port;
default = if cfg.advertise.address != null then config.custom.services.nebula.listenPort else null;
};
};
role = lib.mkOption { role = lib.mkOption {
type = lib.types.enum [ type = lib.types.enum [
"client" "client"

21
modules/nixos/services/nebula/default.nix
View file

@ -8,8 +8,6 @@ let
cfg = config.custom.services.nebula; cfg = config.custom.services.nebula;
netCfg = config.custom.networking; netCfg = config.custom.networking;
publicPort = 47141;
lighthouses = lighthouses =
netCfg.peers netCfg.peers
|> lib.filter (peer: peer.overlay.isLighthouse) |> lib.filter (peer: peer.overlay.isLighthouse)
@ -27,6 +25,11 @@ in
++ lib.optional config.custom.services.syncthing.enable "syncthing"; ++ lib.optional config.custom.services.syncthing.enable "syncthing";
}; };
listenPort = lib.mkOption {
type = lib.types.port;
default = if (netCfg.overlay.advertise.address != null) then 47141 else 0;
};
caCertificateFile = lib.mkOption { caCertificateFile = lib.mkOption {
type = self.lib.types.existingPath; type = self.lib.types.existingPath;
default = ./ca.crt; default = ./ca.crt;
@ -47,8 +50,8 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
assertions = lib.singleton { assertions = lib.singleton {
assertion = netCfg.overlay.isLighthouse -> netCfg.underlay.isPublic; assertion = netCfg.overlay.isLighthouse -> netCfg.overlay.advertise.address != null;
message = "`${netCfg.hostName}` is a Nebula lighthouse, but `underlay.isPublic` is not set. Lighthouses must be publicly reachable."; message = "`${netCfg.hostName}` is a Nebula lighthouse, but `underlay.isPublic` or `overlay.advertise.address` are not set. Lighthouses must be publicly reachable.";
}; };
sops.secrets."nebula/host-key" = lib.mkIf (cfg.privateKeyFile == null) { sops.secrets."nebula/host-key" = lib.mkIf (cfg.privateKeyFile == null) {
@ -83,7 +86,7 @@ in
tun.device = netCfg.overlay.interface; tun.device = netCfg.overlay.interface;
listen = { listen = {
host = lib.mkIf (netCfg.underlay.address != null) netCfg.underlay.address; host = lib.mkIf (netCfg.underlay.address != null) netCfg.underlay.address;
port = lib.mkIf netCfg.underlay.isPublic publicPort; port = cfg.listenPort;
}; };
inherit (netCfg.overlay) isLighthouse; inherit (netCfg.overlay) isLighthouse;
@ -94,10 +97,10 @@ in
staticHostMap = staticHostMap =
netCfg.peers netCfg.peers
|> lib.filter (peer: peer.underlay.isPublic) |> lib.filter (peer: peer.overlay.advertise.address != null)
|> lib.map (publicPeer: { |> lib.map (peer: {
name = publicPeer.overlay.address; name = peer.overlay.address;
value = lib.singleton "${publicPeer.underlay.address}:${toString publicPort}"; value = lib.singleton "${peer.overlay.advertise.address}:${toString peer.overlay.advertise.port}";
}) })
|> lib.listToAttrs; |> lib.listToAttrs;