nixos/nebula: default to port 0 for hosts other than lighthouse/relay

This commit is contained in:
Morgan Jones 2024-01-13 15:27:20 -08:00
parent 28dbc86c49
commit cdd95bd39c
No known key found for this signature in database
GPG key ID: 52BAC54ED447974E
2 changed files with 33 additions and 6 deletions

View file

@ -95,8 +95,15 @@ in
}; };
listen.port = mkOption { listen.port = mkOption {
type = types.port; type = types.nullOr types.port;
default = 4242; default = null;
defaultText = lib.literalExpression ''
if (config.services.nebula.networks.''${name}.isLighthouse ||
config.services.nebula.networks.''${name}.isRelay) then
4242
else
0;
'';
description = lib.mdDoc "Port number to listen on."; description = lib.mdDoc "Port number to listen on.";
}; };
@ -174,7 +181,15 @@ in
}; };
listen = { listen = {
host = netCfg.listen.host; host = netCfg.listen.host;
port = netCfg.listen.port; port = (
if netCfg.listen.port == null then
if (netCfg.isLighthouse || netCfg.isRelay) then
4242
else
0
else
netCfg.listen.port
);
}; };
tun = { tun = {
disabled = netCfg.tun.disable; disabled = netCfg.tun.disable;
@ -185,7 +200,15 @@ in
outbound = netCfg.firewall.outbound; outbound = netCfg.firewall.outbound;
}; };
} netCfg.settings; } netCfg.settings;
configFile = format.generate "nebula-config-${netName}.yml" settings; configFile = format.generate "nebula-config-${netName}.yml" (
warnIf
((settings.lighthouse.am_lighthouse || settings.relay.am_relay) && settings.listen.port < 1)
''
Nebula network '${netName}' is configured as a lighthouse or relay, and its port is ${builtins.toString settings.listen.port}.
You will experience connectivity issues.
''
settings
);
in in
{ {
# Create the systemd service for Nebula. # Create the systemd service for Nebula.
@ -229,7 +252,7 @@ in
# Open the chosen ports for UDP. # Open the chosen ports for UDP.
networking.firewall.allowedUDPPorts = networking.firewall.allowedUDPPorts =
unique (mapAttrsToList (netName: netCfg: netCfg.listen.port) enabledNetworks); unique (filter (port: port != null && port > 0) (mapAttrsToList (netName: netCfg: netCfg.listen.port) enabledNetworks));
# Create the service users and groups. # Create the service users and groups.
users.users = mkMerge (mapAttrsToList (netName: netCfg: users.users = mkMerge (mapAttrsToList (netName: netCfg:

View file

@ -10,6 +10,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: let
environment.systemPackages = [ pkgs.nebula ]; environment.systemPackages = [ pkgs.nebula ];
users.users.root.openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; users.users.root.openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
services.openssh.enable = true; services.openssh.enable = true;
networking.firewall.enable = true; # Implicitly true, but let's make sure.
networking.interfaces.eth1.useDHCP = false; networking.interfaces.eth1.useDHCP = false;
services.nebula.networks.smoke = { services.nebula.networks.smoke = {
@ -17,7 +18,10 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: let
ca = "/etc/nebula/ca.crt"; ca = "/etc/nebula/ca.crt";
cert = "/etc/nebula/${name}.crt"; cert = "/etc/nebula/${name}.crt";
key = "/etc/nebula/${name}.key"; key = "/etc/nebula/${name}.key";
listen = { host = "0.0.0.0"; port = 4242; }; listen = {
host = "0.0.0.0";
port = if (config.services.nebula.networks.smoke.isLighthouse || config.services.nebula.networks.smoke.isRelay) then 4242 else 0;
};
}; };
} }
extraConfig extraConfig