···
description = "Whether this node is a relay.";
87
+
lighthouse.dns.enable = lib.mkOption {
88
+
type = lib.types.bool;
90
+
description = "Whether this lighthouse node should serve DNS.";
93
+
lighthouse.dns.host = lib.mkOption {
94
+
type = lib.types.str;
95
+
default = "localhost";
97
+
IP address on which nebula lighthouse should serve DNS.
98
+
'localhost' is a good default to ensure the service does not listen on public interfaces;
99
+
use a Nebula address like 10.0.0.5 to make DNS resolution available to nebula hosts only.
103
+
lighthouse.dns.port = lib.mkOption {
104
+
type = lib.types.nullOr lib.types.port;
106
+
description = "UDP port number for lighthouse DNS server.";
lighthouses = lib.mkOption {
type = lib.types.listOf lib.types.str;
···
example = lib.literalExpression ''
197
+
lighthouse.interval = 15;
···
am_lighthouse = netCfg.isLighthouse;
hosts = netCfg.lighthouses;
225
+
serve_dns = netCfg.lighthouse.dns.enable;
226
+
dns.host = netCfg.lighthouse.dns.host;
227
+
dns.port = netCfg.lighthouse.dns.port;
am_relay = netCfg.isRelay;
···
258
+
nebulaPort = if !settings.tun.disabled then settings.listen.port else 0;
259
+
dnsPort = if settings.lighthouse.serve_dns then settings.lighthouse.dns.port else 0;
261
+
lib.concatStringsSep " " (
262
+
# creation of tunnel interfaces
263
+
lib.optional (!settings.tun.disabled) "CAP_NET_ADMIN"
264
+
# binding to privileged ports
266
+
nebulaPort > 0 && nebulaPort < 1024 || dnsPort > 0 && dnsPort < 1024
267
+
) "CAP_NET_BIND_SERVICE"
# Create the systemd service for Nebula.
···
ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}";
251
-
CapabilityBoundingSet = "CAP_NET_ADMIN";
252
-
AmbientCapabilities = "CAP_NET_ADMIN";
286
+
CapabilityBoundingSet = capabilities;
287
+
AmbientCapabilities = capabilities;
PrivateDevices = false; # needs access to /dev/net/tun (below)
···
305
-
meta.maintainers = with lib.maintainers; [ numinit ];
340
+
meta.maintainers = with lib.maintainers; [
pyrox.dev