From 48ad6c80e91966e2b82670ae81349cf3ca3cc58c Mon Sep 17 00:00:00 2001
From: "RingOfStorms (Josh)"
Date: Mon, 13 May 2024 11:36:47 -0500
Subject: [PATCH] nebula!
---
 flake.lock | 6 ++--
 hosts/_common/components/nebula.nix | 52 ++++++++++++++++++++++++++---
 users/_common/home_manager/ssh.nix | 2 +-
 3 files changed, 52 insertions(+), 8 deletions(-)
diff --git a/flake.lock b/flake.lock
index ccce632..f2fca48 100644
--- a/flake.lock
+++ b/flake.lock
@@ -232,11 +232,11 @@
 "rust-overlay": "rust-overlay_2"
 },
 "locked": {
- "lastModified": 1715576186,
- "narHash": "sha256-taN5/bY6xDXA7+z0GJE0q24Lt/2zEJIetKfvrkpgHAo=",
+ "lastModified": 1715614284,
+ "narHash": "sha256-L62xtqhJiFCcCKRIH+4j83vrgI2AcjQdHYDgEBrqLx8=",
 "owner": "RingOfStorms",
 "repo": "nvim",
- "rev": "20633579746615fa55c6c6b8dfdf45899095aca0",
+ "rev": "9bce2b0d423168b24bc4e855f55a9bd490f6fb79",
 "type": "github"
 },
 "original": {
diff --git a/hosts/_common/components/nebula.nix b/hosts/_common/components/nebula.nix
index 5e00588..684a970 100644
--- a/hosts/_common/components/nebula.nix
+++ b/hosts/_common/components/nebula.nix
@@ -1,6 +1,50 @@
-{ ... }:
+{ pkgs, ... }:
 {
- # services.tailscale = {
- # enable = true;
- # };
+ environment.systemPackages = with pkgs; [
+ nebula
+ ];
+
+ networking.firewall.allowedUDPPorts = [ 4242 ];
+
+ systemd.services."nebula" = {
+ description = "Nebula VPN service";
+ wants = [ "basic.target" ];
+ after = [
+ "basic.target"
+ "network.target"
+ ];
+ before = [ "sshd.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "notify";
+ Restart = "always";
+ RestartSec = 1;
+ ExecStart = "${pkgs.nebula}/bin/nebula -config /etc/nebula";
+ UMask = "0027";
+ CapabilityBoundingSet = "CAP_NET_ADMIN";
+ AmbientCapabilities = "CAP_NET_ADMIN";
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = false; # needs access to /dev/net/tun (below)
+ DeviceAllow = "/dev/net/tun rw";
+ DevicePolicy = "closed";
+ PrivateTmp = true;
+ PrivateUsers = false; # CapabilityBoundingSet needs to apply to the host namespace
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RestrictNamespaces = true;
+ RestrictSUIDSGID = true;
+ };
+ unitConfig = {
+ StartLimitIntervalSec = 5;
+ StartLimitBurst = 3;
+ };
+ };
 }
diff --git a/users/_common/home_manager/ssh.nix b/users/_common/home_manager/ssh.nix
index 60610c4..affa66d 100644
--- a/users/_common/home_manager/ssh.nix
+++ b/users/_common/home_manager/ssh.nix
@@ -18,7 +18,7 @@
 };
 "t" = {
 identityFile = age.secrets.nix2t.path;
- hostname = "10.12.14.103";
+ hostname = "10.20.40.4"; # TODO get these from flake.nix hosts?
 user = "joshua.bell";
 localForwards = [
 {
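Review bot: The `serviceConfig` block sets no `User`/`Group` (or `DynamicUser`), so nebula runs as uid 0 and `CapabilityBoundingSet = "CAP_NET_ADMIN"` is the only privilege reduction; since `AmbientCapabilities = "CAP_NET_ADMIN"` and `DeviceAllow = "/dev/net/tun rw"` are already present, a dedicated unprivileged account (`User = "nebula"; Group = "nebula";` plus matching `users.users` and `users.groups` entries) can still bring up the tun interface. Nothing in the hunk provisions `/etc/nebula` or the CA, host certificate and host key nebula reads from it, so on a fresh host `ExecStart` fails until that directory exists and the unit stops retrying after `StartLimitBurst = 3`; if the key is meant to arrive through the age secrets this repo already uses (see `age.secrets` in the ssh.nix hunk), a comment next to `ExecStart` naming that path would make the dependency explicit. The NixOS `services.nebula.networks.<name>` module emits an equivalently hardened unit with its own service user, so consider whether maintaining this hand-written copy is needed.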