nebula!
This commit is contained in:
RingOfStorms (Josh)
parent
acb556f98f
commit
48ad6c80e9
3 changed files with 52 additions and 8 deletions
6
flake.lock
generated
6
flake.lock
generated
|
|
@ -232,11 +232,11 @@
|
||||||
"rust-overlay": "rust-overlay_2"
|
"rust-overlay": "rust-overlay_2"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1715576186,
|
"lastModified": 1715614284,
|
||||||
"narHash": "sha256-taN5/bY6xDXA7+z0GJE0q24Lt/2zEJIetKfvrkpgHAo=",
|
"narHash": "sha256-L62xtqhJiFCcCKRIH+4j83vrgI2AcjQdHYDgEBrqLx8=",
|
||||||
"owner": "RingOfStorms",
|
"owner": "RingOfStorms",
|
||||||
"repo": "nvim",
|
"repo": "nvim",
|
||||||
"rev": "20633579746615fa55c6c6b8dfdf45899095aca0",
|
"rev": "9bce2b0d423168b24bc4e855f55a9bd490f6fb79",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,50 @@
|
||||||
{ ... }:
|
{ pkgs, ... }:
|
||||||
{
|
{
|
||||||
# services.tailscale = {
|
environment.systemPackages = with pkgs; [
|
||||||
# enable = true;
|
nebula
|
||||||
# };
|
];
|
||||||
|
|
||||||
|
networking.firewall.allowedUDPPorts = [ 4242 ];
|
||||||
|
|
||||||
|
systemd.services."nebula" = {
|
||||||
|
description = "Nebula VPN service";
|
||||||
|
wants = [ "basic.target" ];
|
||||||
|
after = [
|
||||||
|
"basic.target"
|
||||||
|
"network.target"
|
||||||
|
];
|
||||||
|
before = [ "sshd.service" ];
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "notify";
|
||||||
|
Restart = "always";
|
||||||
|
RestartSec = 1;
|
||||||
|
ExecStart = "${pkgs.nebula}/bin/nebula -config /etc/nebula";
|
||||||
|
UMask = "0027";
|
||||||
|
CapabilityBoundingSet = "CAP_NET_ADMIN";
|
||||||
|
AmbientCapabilities = "CAP_NET_ADMIN";
|
||||||
|
LockPersonality = true;
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
PrivateDevices = false; # needs access to /dev/net/tun (below)
|
||||||
|
DeviceAllow = "/dev/net/tun rw";
|
||||||
|
DevicePolicy = "closed";
|
||||||
|
PrivateTmp = true;
|
||||||
|
PrivateUsers = false; # CapabilityBoundingSet needs to apply to the host namespace
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
ProtectHome = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
ProtectProc = "invisible";
|
||||||
|
ProtectSystem = "strict";
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
};
|
||||||
|
unitConfig = {
|
||||||
|
StartLimitIntervalSec = 5;
|
||||||
|
StartLimitBurst = 3;
|
||||||
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -18,7 +18,7 @@
|
||||||
};
|
};
|
||||||
"t" = {
|
"t" = {
|
||||||
identityFile = age.secrets.nix2t.path;
|
identityFile = age.secrets.nix2t.path;
|
||||||
hostname = "10.12.14.103";
|
hostname = "10.20.40.4"; # TODO get these from flake.nix hosts?
|
||||||
user = "joshua.bell";
|
user = "joshua.bell";
|
||||||
localForwards = [
|
localForwards = [
|
||||||
{
|
{
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue