networking: Unify underlay config across hosts

modules/system/services/dns.nix

@@ -20,7 +20,7 @@ in
           server = {
             interface = [ netCfg.overlay.interface ];
             access-control = [
-              "${netCfg.overlay.networkAddress}/${toString netCfg.overlay.prefixLength} allow"
+              "${toString netCfg.overlay.networkCidr} allow"
             ];
 
             local-zone = "\"${netCfg.overlay.domain}.\" static";

modules/system/services/nebula/default.nix

@@ -26,13 +26,12 @@ in
 
   config = lib.mkIf cfg.enable {
     assertions = lib.singleton {
-      assertion = netCfg.isLighthouse -> netCfg.underlay.isPublic;
+      assertion = netCfg.overlay.isLighthouse -> netCfg.underlay.isPublic;
       message = "'${netCfg.hostName}' is a Nebula lighthouse, but underlay.isPublic is not set. Lighthouses must be publicly reachable.";
     };
 
     custom.networking.overlay = {
-      networkAddress = "10.254.250.0";
-      prefixLength = 24;
+      networkCidr = "10.254.250.0/24";
       domain = "splitleaf.de";
       interface = "nebula";
       systemdUnit = "nebula@mesh.service";
@@ -66,10 +65,10 @@ in
       tun.device = netCfg.overlay.interface;
       listen.port = lib.mkIf netCfg.underlay.isPublic publicPort;
 
-      inherit (netCfg) isLighthouse;
-      lighthouses = lib.mkIf (!netCfg.isLighthouse) (
+      inherit (netCfg.overlay) isLighthouse;
+      lighthouses = lib.mkIf (!netCfg.overlay.isLighthouse) (
         netCfg.peers
-        |> lib.filter (peer: peer.isLighthouse)
+        |> lib.filter (peer: peer.overlay.isLighthouse)
         |> lib.map (lighthouse: lighthouse.overlay.address)
       );
 
@@ -105,7 +104,7 @@ in
 
     systemd.network.networks."40-nebula" = {
       matchConfig.Name = netCfg.overlay.interface;
-      address = [ "${netCfg.overlay.address}/${toString netCfg.overlay.prefixLength}" ];
+      address = [ netCfg.overlay.cidr ];
       dns = netCfg.overlay.dnsServers;
       domains = [ netCfg.overlay.domain ];
     };

modules/system/services/resolved.nix

@@ -1,14 +0,0 @@
-{ config, lib, ... }:
-{
-  options.custom.services.resolved.enable = lib.mkEnableOption "" // {
-    default = config.systemd.network.enable;
-  };
-
-  config = lib.mkIf config.custom.services.resolved.enable {
-    services.resolved = {
-      enable = true;
-      dnssec = "allow-downgrade";
-      dnsovertls = "opportunistic";
-    };
-  };
-}

modules/system/services/sshd.nix

@@ -30,7 +30,7 @@ in
 
       nebula.networks.mesh.firewall.inbound =
         netCfg.peers
-        |> lib.filter (node: node.isClient)
+        |> lib.filter (node: node.overlay.role == "client")
         |> lib.map (client: {
           port = 22;
           proto = "tcp";

modules/system/services/wlan.nix

@@ -1,40 +0,0 @@
-{
-  config,
-  self,
-  pkgs,
-  lib,
-  ...
-}:
-let
-  cfg = config.custom.services.wlan;
-in
-{
-  options.custom.services.wlan = {
-    enable = lib.mkEnableOption "";
-    networks = lib.mkOption {
-      type = lib.types.listOf lib.types.nonEmptyStr;
-      default = config.custom.sops.secrets.iwd |> lib.attrNames;
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    networking.wireless.iwd = {
-      enable = true;
-      settings.General.EnableNetworkConfiguration = true;
-    };
-
-    environment.systemPackages = [ pkgs.iwgtk ];
-
-    sops.secrets =
-      cfg.networks
-      |> lib.map (name: "iwd/${name}")
-      |> self.lib.genAttrs (_: {
-        restartUnits = [ "iwd.service" ];
-      });
-
-    systemd.services.iwd = {
-      preStart = "install -m 600 /run/secrets/iwd/* /var/lib/iwd";
-      postStop = "rm --force /var/lib/iwd/*.{open,psk,8021x}";
-    };
-  };
-}