add firewall for non-lighthouse

2026-01-11 09:44:08 -05:00 · 2025-08-07 12:00:29 -04:00 · 2025-08-07 12:00:29 -04:00 · 435d11e9e5
commit 435d11e9e5
parent 403b747449
1 changed files with 16 additions and 0 deletions
--- a/hosts/common/core/nebula.nix
+++ b/hosts/common/core/nebula.nix
@ -20,5 +20,21 @@ in {
    inherit (s.hosts.${config.hostSpec.hostName}) cert isLighthouse;
    key = config.sops.secrets."keys/nebula".path;
    enable = true;
+    firewall = lib.mkIf (!config.services.nebula.networks.wce.isLighthouse) {
+      inbound = [
+        {
+          host = "any";
+          port = "any";
+          proto = "any";
+        }
+      ];
+      outbound = [
+        {
+          host = "any";
+          port = "any";
+          proto = "any";
+        }
+      ];
+    };
  };
 }