From de16ca49e8f5269f9f3ed75a388173681636aceb Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Thu, 25 Dec 2025 20:00:44 +0100
Subject: [PATCH] nebula: Assert routability of lighthouses

---
 modules/system/services/nebula/default.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/system/services/nebula/default.nix b/modules/system/services/nebula/default.nix
index 130940d..9ae8915 100644
--- a/modules/system/services/nebula/default.nix
+++ b/modules/system/services/nebula/default.nix
@@ -55,6 +55,11 @@ in
   config = lib.mkIf cfg.enable {
     meta.ports.udp = lib.optional (cfg.routablePort != null) cfg.routablePort;
 
+    assertions = lib.singleton {
+      assertion = cfg.isLighthouse -> cfg.routableAddress != null;
+      message = "'${hostname}' is a Nebula lighthouse, but routableAddress is not set. Lighthouses must be publicly reachable.";
+    };
+
     sops.secrets."nebula/host-key" = {
       owner = config.users.users.nebula-main.name;
       restartUnits = [ "nebula@main.service" ];
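Review bot: The new assertion only checks that `cfg.routableAddress` is non-null, while its message claims the lighthouse "must be publicly reachable"; a private or loopback address passes the check unchanged, so the message over-promises what is actually verified. The context line directly above treats `cfg.routablePort` as optional, so if a lighthouse also needs an explicit port for peers to reach it, the assertion should presumably be `cfg.isLighthouse -> (cfg.routableAddress != null && cfg.routablePort != null)` — I cannot tell from this hunk whether a null port falls back to a default. A short comment above the `assertions` line would make the scope of the check explicit for the next reader, e.g. `# Presence check only: the address is not validated as actually routable.` The `${hostname}` interpolation relies on a binding from the `let` block that is outside this hunk, and the enclosing `config = lib.mkIf cfg.enable { … }` attrset continues past the hunk's end.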