Skip to content

Commit

Permalink
fix(nebula): connectivity issues
Browse files Browse the repository at this point in the history
Enabled NAT punching, IPv6 connectivity and filtered out Docker
addresses.
  • Loading branch information
diogotcorreia committed Jun 21, 2024
1 parent 6392b6c commit 7cc2e5f
Showing 1 changed file with 38 additions and 7 deletions.
45 changes: 38 additions & 7 deletions modules/services/nebula.nix
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,14 @@
secretsDir,
...
}: let
inherit (builtins) attrNames;
inherit (lib) mkEnableOption mkOption types mkIf;
cfg = config.modules.services.nebula;

lighthouses = {
"192.168.100.1" = ["zeus.diogotc.com:4242"];
"192.168.100.7" = ["phobos.diogotc.com:4242"];
};
in {
options.modules.services.nebula = {
enable = mkEnableOption "nebula";
Expand Down Expand Up @@ -72,10 +78,10 @@ in {
cert = cfg.cert;
key = cfg.key;
isLighthouse = cfg.isLighthouse;
lighthouses = lib.lists.optionals (!cfg.isLighthouse) [
"192.168.100.1"
"192.168.100.7"
];
isRelay = cfg.isLighthouse; # assume all lighthouses are relays as well
lighthouses = lib.lists.optionals (!cfg.isLighthouse) (attrNames lighthouses);
# listen on both ipv4 and ipv6
listen.host = "[::]";

firewall.outbound =
[
Expand All @@ -94,9 +100,34 @@ in {
})
++ cfg.firewall.inbound;

staticHostMap = {
"192.168.100.1" = ["zeus.diogotc.com:4242"];
"192.168.100.7" = ["phobos.diogotc.com:4242"];
staticHostMap = lighthouses;

settings = {
# punch through firewall NATs
punchy = {
punch = true;
respond = true;
};

static_map = {
# fetch both A and AAAA DNS records for lighthouses
network = "ip";
};

lighthouse = {
local_allow_list = {
interfaces = {
# don't advertise docker IPs to lighthouse
"docker.*" = false;
"br-[0-9a-f]{12}" = false;
};
};
};

relay = {
relays = lib.lists.optionals (!cfg.isLighthouse) (builtins.attrNames lighthouses);
use_relays = !cfg.isLighthouse;
};
};
};
};
Expand Down

0 comments on commit 7cc2e5f

Please sign in to comment.