networking: Unify underlay config across hosts

2026-03-22 20:09:07 +01:00 · 2026-01-30 20:39:59 +01:00 · 2026-01-30 20:39:59 +01:00 · 27b5c57023
commit 27b5c57023
parent 1d1709e1ba
19 changed files with 240 additions and 258 deletions
--- a/modules/system/networking/underlay.nix
+++ b/modules/system/networking/underlay.nix
@ -0,0 +1,88 @@
+{
+  config,
+  self,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.custom.networking.underlay;
+in
+{
+  options.custom.networking.underlay = {
+    interface = lib.mkOption {
+      type = lib.types.nonEmptyStr;
+      default = "";
+    };
+    useDhcp = lib.mkEnableOption "";
+    isPublic = lib.mkEnableOption "";
+    cidr = lib.mkOption {
+      type = lib.types.nullOr lib.types.nonEmptyStr;
+      default = null;
+    };
+    address = lib.mkOption {
+      type = lib.types.nullOr lib.types.nonEmptyStr;
+      default = if cfg.cidr != null then cfg.cidr |> lib.splitString "/" |> lib.head else null;
+      readOnly = true;
+    };
+    gateway = lib.mkOption {
+      type = lib.types.nullOr lib.types.nonEmptyStr;
+      default = null;
+    };
+    wireless = {
+      enable = lib.mkEnableOption "";
+      networks = lib.mkOption {
+        type = lib.types.listOf lib.types.nonEmptyStr;
+        default = config.custom.sops.secrets.iwd |> lib.attrNames;
+      };
+    };
+  };
+
+  config = lib.mkMerge [
+    {
+      networking.useNetworkd = true;
+      systemd.network = {
+        enable = true;
+        networks."10-${cfg.interface}" = {
+          matchConfig.Name = cfg.interface;
+          linkConfig.RequiredForOnline = "routable";
+          networkConfig.DHCP = lib.mkIf cfg.useDhcp "yes";
+          address = lib.optional (cfg.cidr != null) cfg.cidr;
+          routes = lib.optional (cfg.gateway != null) {
+            Gateway = cfg.gateway;
+            GatewayOnLink = true;
+          };
+        };
+      };
+
+      services.resolved = {
+        enable = true;
+        dnssec = "allow-downgrade";
+        dnsovertls = "opportunistic";
+      };
+    }
+
+    (lib.mkIf cfg.wireless.enable {
+      environment.systemPackages = [ pkgs.iwgtk ];
+
+      networking.wireless.iwd = {
+        enable = true;
+        settings.Settings.AutoConnect = true;
+      };
+
+      systemd.network.networks."10-${cfg.interface}".networkConfig.IgnoreCarrierLoss = "3s";
+
+      sops.secrets =
+        cfg.wireless.networks
+        |> lib.map (name: "iwd/${name}")
+        |> self.lib.genAttrs (_: {
+          restartUnits = [ "iwd.service" ];
+        });
+
+      systemd.services.iwd = {
+        preStart = "install -m 600 /run/secrets/iwd/* /var/lib/iwd";
+        postStop = "rm --force /var/lib/iwd/*.{open,psk,8021x}";
+      };
+    })
+  ];
+}