Initial nebula config

modules/nixos/core/default.nix

@@ -8,6 +8,7 @@
 {
   imports = [
     ./users.nix
+    ./nebula.nix
   ];
 
   i18n.defaultLocale = "en_US.UTF-8";
@@ -66,7 +67,7 @@
   environment.systemPackages = with pkgs; [
     nvd nixpkgs-fmt nix-output-monitor
     coreutils mime-types file
-    usbutils pciutils gitFull
+    usbutils pciutils gitFull git-crypt
   ];
 
   nix = let

modules/nixos/core/nebula.nix

@@ -0,0 +1,46 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+
+{
+  services.nebula.networks.bbs = {
+    enable = lib.mkDefault true;
+    ca = "${inputs.self}/secrets/nebula/ca.crt";
+    cert = "${inputs.self}/secrets/nebula/${config.networking.hostName}.bbs.lan.crt";
+    key = "${inputs.self}/secrets/nebula/${config.networking.hostName}.bbs.lan.key";
+    staticHostMap = {
+      "10.7.0.1" = [ "5.161.60.61:4242" ];
+    };
+    lighthouses = [ "10.7.0.1" ];
+    firewall = {
+      outbound = [
+        {
+          port = "any";
+          proto = "any";
+          host = "any";
+        }
+      ];
+      inbound = [
+        {
+          port = "any";
+          proto = "icmp";
+          host = "any";
+        }
+      ] ++ lib.optional config.services.openssh.enable {
+        port = 22;
+        proto = "tcp";
+        group = "any";
+      };
+    };
+    settings = {
+      punchy = {
+        punch = true;
+      };
+    };
+  };
+  networking.networkmanager.insertNameservers =
+    lib.optional config.services.nebula.networks.bbs.enable "10.7.0.1";
+}