Diffstat (limited to 'nixos/modules/services/networking/nebula.nix')
-rw-r--r-- | nixos/modules/services/networking/nebula.nix | 49 |
1 files changed, 31 insertions, 18 deletions
diff --git a/nixos/modules/services/networking/nebula.nix b/nixos/modules/services/networking/nebula.nix index 2bedafc5d9f..c5d395b3406 100644 --- a/nixos/modules/services/networking/nebula.nix +++ b/nixos/modules/services/networking/nebula.nix @@ -68,6 +68,12 @@ in description = lib.mdDoc "Whether this node is a lighthouse."; }; + isRelay = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Whether this node is a relay."; + }; + lighthouses = mkOption { type = types.listOf types.str; default = []; @@ -78,6 +84,15 @@ in example = [ "192.168.100.1" ]; }; + relays = mkOption { + type = types.listOf types.str; + default = []; + description = lib.mdDoc '' + List of IPs of relays that this node should allow traffic from. + ''; + example = [ "192.168.100.1" ]; + }; + listen.host = mkOption { type = types.str; default = "0.0.0.0"; @@ -157,6 +172,10 @@ in am_lighthouse = netCfg.isLighthouse; hosts = netCfg.lighthouses; }; + relay = { + am_relay = netCfg.isRelay; + relays = netCfg.relays; + }; listen = { host = netCfg.listen.host; port = netCfg.listen.port; 
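Review bot: The `relays` option description added in the @@ -78 hunk, "List of IPs of relays that this node should allow traffic from", reads as an allow-list, but the value is passed straight through as Nebula's `relay.relays` key (see the @@ -157 hunk), which upstream's config reference describes as the Nebula IPs of relay nodes that peers may use to reach this host, not a filter on inbound traffic; a reader who takes it as a filter will expect other relays to be rejected, which this setting does not do. I would reword it to `List of Nebula (overlay) IPs of relay nodes that peers may use to reach this node; each of them must have isRelay = true.` and keep the example as is, since it is an overlay address like the one in `lighthouses`. Upstream's relay section also has a `use_relays` switch that, as far as I recall, defaults to on; if nodes are meant to be able to opt out of being relayed through third parties, exposing it next to `isRelay` would complete the picture.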
@@ -173,25 +192,22 @@ in configFile = format.generate "nebula-config-${netName}.yml" settings; in { - # Create systemd service for Nebula. + # Create the systemd service for Nebula. "nebula@${netName}" = { description = "Nebula VPN service for ${netName}"; wants = [ "basic.target" ]; after = [ "basic.target" "network.target" ]; before = [ "sshd.service" ]; wantedBy = [ "multi-user.target" ]; - serviceConfig = mkMerge [ - { - Type = "simple"; - Restart = "always"; - ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}"; - } - # The service needs to launch as root to access the tun device, if it's enabled. - (mkIf netCfg.tun.disable { - User = networkId; - Group = networkId; - }) - ]; + serviceConfig = { + Type = "simple"; + Restart = "always"; + ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}"; + CapabilityBoundingSet = "CAP_NET_ADMIN"; + AmbientCapabilities = "CAP_NET_ADMIN"; + User = networkId; + Group = networkId; + }; unitConfig.StartLimitIntervalSec = 0; # ensure Restart=always is always honoured (networks can go down for arbitrarily long) }; }) enabledNetworks); @@ -202,7 +218,7 @@ in # Create the service users and groups. users.users = mkMerge (mapAttrsToList (netName: netCfg: - mkIf netCfg.tun.disable { + { ${nameToId netName} = { group = nameToId netName; description = "Nebula service user for network ${netName}"; @@ -210,9 +226,6 @@ in }; }) enabledNetworks); - users.groups = mkMerge (mapAttrsToList (netName: netCfg: - mkIf netCfg.tun.disable { - ${nameToId netName} = {}; - }) enabledNetworks); + users.groups = mkMerge (mapAttrsToList (netName: netCfg: { ${nameToId netName} = {}; }) enabledNetworks); }; } |
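Review bot: `CapabilityBoundingSet = "CAP_NET_ADMIN"` in the new `serviceConfig` removes every other capability, including CAP_NET_BIND_SERVICE, so a network whose `listen.port` (wired into the config in the @@ -157 hunk) is below 1024 can no longer bind now that every network runs as `networkId`, whereas a tun-enabled network used to run as root and worked; I would grant the extra capability only when needed, `CapabilityBoundingSet = [ "CAP_NET_ADMIN" ] ++ lib.optional (netCfg.listen.port < 1024) "CAP_NET_BIND_SERVICE";` and the same for `AmbientCapabilities`, assuming `listen.port` is an integer option, which this hunk does not show. The same root-to-unprivileged move means the certificate and key files the generated config points at (the pki options, outside this hunk) must now be readable by the `networkId` user; that is a breaking change for existing deployments and should be called out in the option docs or release notes, ideally with an assertion or a hint in the failure mode. Since the unit is now unprivileged, this is also the natural place for the usual sandboxing directives (`NoNewPrivileges`, `DevicePolicy`/`DeviceAllow` for `/dev/net/tun`, `ProtectSystem`, `RestrictAddressFamilies`), with the exact address-family set checked against what nebula opens at runtime.
```nix
serviceConfig = {
  Type = "simple";
  Restart = "always";
  ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}";
  # CAP_NET_ADMIN covers creating the tun device and adding routes; binding a
  # privileged listen port additionally needs CAP_NET_BIND_SERVICE.
  CapabilityBoundingSet = [ "CAP_NET_ADMIN" ]
    ++ lib.optional (netCfg.listen.port < 1024) "CAP_NET_BIND_SERVICE";
  AmbientCapabilities = [ "CAP_NET_ADMIN" ]
    ++ lib.optional (netCfg.listen.port < 1024) "CAP_NET_BIND_SERVICE";
  User = networkId;
  Group = networkId;
  # Sandboxing for the unprivileged service; verify RestrictAddressFamilies
  # against the sockets nebula actually opens (UDP listener, netlink for routes).
  NoNewPrivileges = true;
  DevicePolicy = "closed";
  DeviceAllow = "/dev/net/tun rw";
  ProtectSystem = "strict";
  ProtectHome = true;
  PrivateTmp = true;
  RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" ];
};
```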