services.nix
# SPDX-FileCopyrightText: 2024-2025 sntx <sntx@sntx.space>
# SPDX-License-Identifier: AGPL-3.0-or-later

# Nebula overlay network shared by every host that imports this module.
#
# Overlay firewall posture, as configured below:
#   * only `mars` is a lighthouse; every other node dials it through the
#     static mapping to the lighthouse's public endpoint;
#   * ICMP is accepted from every peer;
#   * the certificate names `iovis` and `apollo` get unrestricted TCP/UDP;
#   * every other peer only reaches the ports this host already allows in
#     networking.firewall.allowed{TCP,UDP}Ports (port *ranges* declared via
#     allowed{TCP,UDP}PortRanges are NOT mirrored);
#   * no egress filtering on the overlay.
{ config, inputs, ... }:
let
  l = inputs.cells.meta.lib.l;

  # `mars` is the sole lighthouse; all other hosts are plain nodes.
  isLighthouse = builtins.elem config.networking.hostName [ "mars" ];

  # Certificate names that may reach any port over either transport.
  # NOTE(review): Nebula's `host` selector matches the certificate *name*,
  # so any certificate the CA signs with one of these names gets full
  # access — keep issuance of such certs restricted to the intended machines.
  trustedHosts = [ "iovis" "apollo" ];

  # Two allow-all rules (udp first, then tcp) for one certificate name.
  fullAccessFrom = host: map (proto: { inherit host proto; port = "any"; }) [ "udp" "tcp" ];

  # Expose `ports` to every overlay peer for the given transport.  These are
  # ports the host firewall already opens, so the overlay is never more
  # permissive than the public interface for anonymous peers.
  mirrorPorts = proto: map (port: { inherit port proto; host = "any"; });
in
{
  nebula.networks."nebula" = {
    inherit isLighthouse;
    enable = true;

    # Paths to the decrypted age secrets holding the CA, host cert and key.
    # NOTE(review): the nebula service user must be able to read these
    # files — confirm owner/mode on the corresponding age secret entries.
    ca = config.age.secrets."ca.crt".path;
    cert = config.age.secrets."host.crt".path;
    key = config.age.secrets."host.key".path;

    # Overlay address of the lighthouse -> public endpoint it listens on.
    staticHostMap = {
      "10.0.3.1" = [ "138.201.244.137:4242" ];
    };
    # A lighthouse must not list itself as a lighthouse.
    lighthouses = l.mkIf (!isLighthouse) [ "10.0.3.1" ];

    # NAT traversal: send hole-punch packets and answer punch requests.
    settings.punchy = {
      punch = true;
      respond = true;
    };

    firewall = {
      inbound =
        [ { host = "any"; port = "any"; proto = "icmp"; } ]
        ++ builtins.concatMap fullAccessFrom trustedHosts
        ++ mirrorPorts "tcp" config.networking.firewall.allowedTCPPorts
        ++ mirrorPorts "udp" config.networking.firewall.allowedUDPPorts;
      # Unrestricted outbound traffic on the overlay.
      outbound = [ { host = "any"; port = "any"; proto = "any"; } ];
    };
  };
}