From 2249318fbcff4d262edf34cc636f636fe23b9152 Mon Sep 17 00:00:00 2001
From: Diogo Correia
Date: Fri, 21 Jun 2024 12:43:19 +0100
Subject: [PATCH] fix(nebula): connectivity issues

Enabled NAT punching, IPv6 connectivity and filtered out Docker addresses.
---
 modules/services/nebula.nix | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/modules/services/nebula.nix b/modules/services/nebula.nix
index 64f2e7a..0e3c12d 100644
--- a/modules/services/nebula.nix
+++ b/modules/services/nebula.nix
@@ -76,6 +76,8 @@ in {
 "192.168.100.1"
 "192.168.100.7"
 ];
+ # listen on both ipv4 and ipv6
+ listen.host = "[::]";
 
 firewall.outbound = [
@@ -98,6 +100,29 @@ in {
 "192.168.100.1" = ["zeus.diogotc.com:4242"];
 "192.168.100.7" = ["phobos.diogotc.com:4242"];
 };
+
+ settings = {
+ # punch through firewall NATs
+ punchy = {
+ punch = true;
+ respond = true;
+ };
+
+ static_map = {
+ # fetch both A and AAAA DNS records for lighthouses
+ network = "ip";
+ };
+
+ lighthouse = {
+ local_allow_list = {
+ interfaces = {
+ # don't advertise docker IPs to lighthouse
+ "docker.*" = false;
+ "br-[0-9a-f]{12}" = false;
+ };
+ };
+ };
+ };
 };
 };
 }
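Review bot: `local_allow_list.interfaces` in the second hunk only stops the Docker bridge addresses from being advertised to the lighthouses; it does not change what the node binds, and with `listen.host = "[::]"` from the first hunk the Nebula UDP socket is still reachable on the docker0/br-* gateway addresses from inside containers. Nebula completes a handshake only with a peer presenting a valid certificate, so the exposure is limited to unauthenticated handshake traffic, but if container reachability is unwanted the port should be restricted on those bridges rather than relying on the advertise filter. Nebula's reference config states that `interfaces` patterns must match the whole interface name and that every entry must carry the same boolean, which both entries here satisfy; that constraint is worth recording next to the map, e.g. `# nebula: patterns match the whole name; all entries must share one boolean`. `static_map.network = "ip"` makes the lighthouse lookups resolve AAAA as well as A records, so `zeus.diogotc.com` and `phobos.diogotc.com` need working IPv6 on the lighthouses or the v6 candidates will just time out, which I cannot confirm from the hunk. The network attrset these settings are merged into starts outside the hunk, so I could not check whether `listen.port` or a host firewall rule covers the IPv6 side.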