···
description = "Whether this node is a relay.";
+
lighthouse.dns.enable = lib.mkOption {
+
description = "Whether this lighthouse node should serve DNS.";
+
lighthouse.dns.host = lib.mkOption {
+
IP address on which nebula lighthouse should serve DNS.
+
'localhost' is a good default to ensure the service does not listen on public interfaces;
+
use a Nebula address like 10.0.0.5 to make DNS resolution available to nebula hosts only.
+
lighthouse.dns.port = lib.mkOption {
+
type = lib.types.nullOr lib.types.port;
+
description = "UDP port number for lighthouse DNS server.";
lighthouses = lib.mkOption {
type = lib.types.listOf lib.types.str;
···
example = lib.literalExpression ''
+
lighthouse.interval = 15;
···
am_lighthouse = netCfg.isLighthouse;
hosts = netCfg.lighthouses;
+
serve_dns = netCfg.lighthouse.dns.enable;
+
dns.host = netCfg.lighthouse.dns.host;
+
dns.port = netCfg.lighthouse.dns.port;
am_relay = netCfg.isRelay;
···
+
nebulaPort = if !settings.tun.disabled then settings.listen.port else 0;
+
dnsPort = if settings.lighthouse.serve_dns then settings.lighthouse.dns.port else 0;
+
lib.concatStringsSep " " (
+
# creation of tunnel interfaces
+
lib.optional (!settings.tun.disabled) "CAP_NET_ADMIN"
+
# binding to privileged ports
+
nebulaPort > 0 && nebulaPort < 1024 || dnsPort > 0 && dnsPort < 1024
+
) "CAP_NET_BIND_SERVICE"
# Create the systemd service for Nebula.
···
ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}";
+
CapabilityBoundingSet = capabilities;
+
AmbientCapabilities = capabilities;
PrivateDevices = false; # needs access to /dev/net/tun (below)
···
+
meta.maintainers = with lib.maintainers; [
pyrox.dev