SebastianStork/nixos-config
1
0
Fork 0
mirror of https://github.com/SebastianStork/nixos-config.git synced 2026-03-22 22:29:06 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

networking: Unify underlay config across hosts

Browse source
This commit is contained in:
SebastianStork 2026-01-30 20:39:59 +01:00
parent 1d1709e1ba
commit 27b5c57023
Signed by: SebastianStork
SSH key fingerprint: SHA256:tRrGdjYOwgHxpSc/wTOZQZEjxcb15P0tyXRsbAfd+2Q
19 changed files with 240 additions and 258 deletions
Download patch file Download diff file Expand all files Collapse all files

11
hosts/desktop/default.nix
View file

@ -24,9 +24,14 @@
de.hyprland.enable = true; de.hyprland.enable = true;
networking = { networking = {
overlay.address = "10.254.250.1"; overlay = {
underlay.interface = "enp6s0"; address = "10.254.250.1";
isClient = true; role = "client";
};
underlay = {
interface = "enp6s0";
useDhcp = true;
};
}; };
services = { services = {

10
hosts/desktop/hardware.nix
View file

@ -33,16 +33,6 @@ _: {
''; '';
}; };
networking.useNetworkd = true;
systemd.network = {
enable = true;
networks."10-enp6s0" = {
matchConfig.Name = "enp6s0";
networkConfig.DHCP = "ipv4";
linkConfig.RequiredForOnline = "routable";
};
};
hardware.fancontrol = { hardware.fancontrol = {
enable = true; enable = true;
config = '' config = ''

14
hosts/laptop/default.nix
View file

@ -24,15 +24,19 @@
de.hyprland.enable = true; de.hyprland.enable = true;
networking = { networking = {
overlay.address = "10.254.250.3"; overlay = {
underlay.interface = "wlan0"; address = "10.254.250.3";
isClient = true; role = "client";
};
underlay = {
interface = "wlan0";
useDhcp = true;
wireless.enable = true;
};
}; };
services = { services = {
resolved.enable = true;
auto-gc.enable = true; auto-gc.enable = true;
wlan.enable = true;
bluetooth.enable = true; bluetooth.enable = true;
sound.enable = true; sound.enable = true;
nebula.enable = true; nebula.enable = true;

13
hosts/laptop/hardware.nix
View file

@ -40,17 +40,4 @@
HibernateDelaySec=2h HibernateDelaySec=2h
HibernateOnACPower=yes HibernateOnACPower=yes
''; '';
networking.useNetworkd = true;
systemd.network = {
enable = true;
networks."10-wlan0" = {
matchConfig.Name = "wlan0";
linkConfig.RequiredForOnline = "routable";
networkConfig = {
DHCP = "yes";
IgnoreCarrierLoss = "3s";
};
};
};
} }

11
hosts/vps-monitor/default.nix
View file

@ -16,14 +16,17 @@
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
networking = { networking = {
overlay.address = "10.254.250.5"; overlay = {
address = "10.254.250.5";
isLighthouse = true;
role = "server";
};
underlay = { underlay = {
interface = "enp1s0"; interface = "enp1s0";
address = "188.245.223.145"; cidr = "188.245.223.145/32";
isPublic = true; isPublic = true;
gateway = "172.31.1.1";
}; };
isLighthouse = true;
isServer = true;
}; };
services = { services = {

20
hosts/vps-monitor/hardware.nix
View file

@ -1,4 +1,4 @@
{ modulesPath, lib, ... }: { modulesPath, ... }:
{ {
imports = [ "${modulesPath}/profiles/qemu-guest.nix" ]; imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
@ -14,22 +14,4 @@
]; ];
zramSwap.enable = true; zramSwap.enable = true;
networking.useDHCP = false;
systemd.network = {
enable = true;
networks."10-enp1s0" = {
matchConfig.Name = "enp1s0";
linkConfig.RequiredForOnline = "routable";
address = [ "188.245.223.145/32" ];
routes = lib.singleton {
Gateway = "172.31.1.1";
GatewayOnLink = true;
};
dns = [
"1.1.1.1"
"8.8.8.8"
];
};
};
} }

11
hosts/vps-private/default.nix
View file

@ -20,14 +20,17 @@
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
networking = { networking = {
overlay.address = "10.254.250.2"; overlay = {
address = "10.254.250.2";
isLighthouse = true;
role = "server";
};
underlay = { underlay = {
interface = "enp1s0"; interface = "enp1s0";
address = "49.13.231.235"; cidr = "49.13.231.235/32";
isPublic = true; isPublic = true;
gateway = "172.31.1.1";
}; };
isLighthouse = true;
isServer = true;
}; };
services = { services = {

20
hosts/vps-private/hardware.nix
View file

@ -1,4 +1,4 @@
{ modulesPath, lib, ... }: { modulesPath, ... }:
{ {
imports = [ "${modulesPath}/profiles/qemu-guest.nix" ]; imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
@ -14,22 +14,4 @@
]; ];
zramSwap.enable = true; zramSwap.enable = true;
networking.useDHCP = false;
systemd.network = {
enable = true;
networks."10-enp1s0" = {
matchConfig.Name = "enp1s0";
linkConfig.RequiredForOnline = "routable";
address = [ "49.13.231.235/32" ];
routes = lib.singleton {
Gateway = "172.31.1.1";
GatewayOnLink = true;
};
dns = [
"1.1.1.1"
"8.8.8.8"
];
};
};
} }

9
hosts/vps-public/default.nix
View file

@ -20,13 +20,16 @@
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
networking = { networking = {
overlay.address = "10.254.250.4"; overlay = {
address = "10.254.250.4";
role = "server";
};
underlay = { underlay = {
interface = "enp1s0"; interface = "enp1s0";
address = "167.235.73.246"; cidr = "167.235.73.246/32";
isPublic = true; isPublic = true;
gateway = "172.31.1.1";
}; };
isServer = true;
}; };
services = { services = {

20
hosts/vps-public/hardware.nix
View file

@ -1,4 +1,4 @@
{ modulesPath, lib, ... }: { modulesPath, ... }:
{ {
imports = [ "${modulesPath}/profiles/qemu-guest.nix" ]; imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
@ -14,22 +14,4 @@
]; ];
zramSwap.enable = true; zramSwap.enable = true;
networking.useDHCP = false;
systemd.network = {
enable = true;
networks."10-enp1s0" = {
matchConfig.Name = "enp1s0";
linkConfig.RequiredForOnline = "routable";
address = [ "167.235.73.246/32" ];
routes = lib.singleton {
Gateway = "172.31.1.1";
GatewayOnLink = true;
};
dns = [
"1.1.1.1"
"8.8.8.8"
];
};
};
} }

96
modules/system/networking.nix
View file

@ -1,96 +0,0 @@
{
config,
self,
lib,
...
}:
let
cfg = config.custom.networking;
in
{
options.custom.networking = {
hostName = lib.mkOption {
type = lib.types.nonEmptyStr;
default = config.networking.hostName;
readOnly = true;
};
isLighthouse = lib.mkEnableOption "";
isServer = lib.mkEnableOption "";
isClient = lib.mkEnableOption "";
overlay = {
networkAddress = lib.mkOption {
type = lib.types.nonEmptyStr;
default = "";
};
prefixLength = lib.mkOption {
type = lib.types.nullOr (lib.types.ints.between 0 32);
default = null;
};
domain = lib.mkOption {
type = lib.types.nonEmptyStr;
default = "";
};
address = lib.mkOption {
type = lib.types.nonEmptyStr;
default = "";
};
interface = lib.mkOption {
type = lib.types.nonEmptyStr;
default = "";
};
systemdUnit = lib.mkOption {
type = lib.types.nonEmptyStr;
default = "";
};
dnsServers = lib.mkOption {
type = lib.types.anything;
default =
self.nixosConfigurations
|> lib.attrValues
|> lib.filter (host: host.config.custom.services.dns.enable)
|> lib.map (host: host.config.custom.networking.overlay.address);
};
};
underlay = {
interface = lib.mkOption {
type = lib.types.nonEmptyStr;
default = "";
};
useDhcp = lib.mkEnableOption "";
isPublic = lib.mkEnableOption "";
address = lib.mkOption {
type = lib.types.nullOr lib.types.nonEmptyStr;
default = null;
};
gateway = lib.mkOption {
type = lib.types.nullOr lib.types.nonEmptyStr;
default = null;
};
};
nodes = lib.mkOption {
type = lib.types.anything;
default =
self.nixosConfigurations
|> lib.attrValues
|> lib.map (host: host.config.custom.networking)
|> lib.map (
node:
lib.removeAttrs node [
"nodes"
"peers"
]
);
readOnly = true;
};
peers = lib.mkOption {
type = lib.types.anything;
default = cfg.nodes |> lib.filter (node: node.hostName != cfg.hostName);
readOnly = true;
};
};
}

39
modules/system/networking/default.nix Normal file
View file

@ -0,0 +1,39 @@
{
config,
self,
lib,
...
}:
let
cfg = config.custom.networking;
in
{
options.custom.networking = {
hostName = lib.mkOption {
type = lib.types.nonEmptyStr;
default = config.networking.hostName;
readOnly = true;
};
nodes = lib.mkOption {
type = lib.types.anything;
default =
self.nixosConfigurations
|> lib.attrValues
|> lib.map (host: host.config.custom.networking)
|> lib.map (
node:
lib.removeAttrs node [
"nodes"
"peers"
]
);
readOnly = true;
};
peers = lib.mkOption {
type = lib.types.anything;
default = cfg.nodes |> lib.filter (node: node.hostName != cfg.hostName);
readOnly = true;
};
};
}

65
modules/system/networking/overlay.nix Normal file
View file

@ -0,0 +1,65 @@
{
config,
self,
lib,
...
}:
let
cfg = config.custom.networking.overlay;
in
{
options.custom.networking.overlay = {
networkCidr = lib.mkOption {
type = lib.types.nonEmptyStr;
default = "";
};
networkAddress = lib.mkOption {
type = lib.types.nonEmptyStr;
default = cfg.networkCidr |> lib.splitString "/" |> lib.head;
readOnly = true;
};
prefixLength = lib.mkOption {
type = lib.types.ints.between 0 32;
default = cfg.networkCidr |> lib.splitString "/" |> lib.last |> lib.toInt;
};
domain = lib.mkOption {
type = lib.types.nonEmptyStr;
default = "";
};
address = lib.mkOption {
type = lib.types.nonEmptyStr;
default = "";
};
cidr = lib.mkOption {
type = lib.types.nonEmptyStr;
default = "${cfg.address}/${toString cfg.prefixLength}";
readOnly = true;
};
interface = lib.mkOption {
type = lib.types.nonEmptyStr;
default = "";
};
systemdUnit = lib.mkOption {
type = lib.types.nonEmptyStr;
default = "";
};
isLighthouse = lib.mkEnableOption "";
role = lib.mkOption {
type = lib.types.enum [
"client"
"server"
];
};
dnsServers = lib.mkOption {
type = lib.types.anything;
default =
self.nixosConfigurations
|> lib.attrValues
|> lib.filter (host: host.config.custom.services.dns.enable)
|> lib.map (host: host.config.custom.networking.overlay.address);
};
};
}

88
modules/system/networking/underlay.nix Normal file
View file

@ -0,0 +1,88 @@
{
config,
self,
pkgs,
lib,
...
}:
let
cfg = config.custom.networking.underlay;
in
{
options.custom.networking.underlay = {
interface = lib.mkOption {
type = lib.types.nonEmptyStr;
default = "";
};
useDhcp = lib.mkEnableOption "";
isPublic = lib.mkEnableOption "";
cidr = lib.mkOption {
type = lib.types.nullOr lib.types.nonEmptyStr;
default = null;
};
address = lib.mkOption {
type = lib.types.nullOr lib.types.nonEmptyStr;
default = if cfg.cidr != null then cfg.cidr |> lib.splitString "/" |> lib.head else null;
readOnly = true;
};
gateway = lib.mkOption {
type = lib.types.nullOr lib.types.nonEmptyStr;
default = null;
};
wireless = {
enable = lib.mkEnableOption "";
networks = lib.mkOption {
type = lib.types.listOf lib.types.nonEmptyStr;
default = config.custom.sops.secrets.iwd |> lib.attrNames;
};
};
};
config = lib.mkMerge [
{
networking.useNetworkd = true;
systemd.network = {
enable = true;
networks."10-${cfg.interface}" = {
matchConfig.Name = cfg.interface;
linkConfig.RequiredForOnline = "routable";
networkConfig.DHCP = lib.mkIf cfg.useDhcp "yes";
address = lib.optional (cfg.cidr != null) cfg.cidr;
routes = lib.optional (cfg.gateway != null) {
Gateway = cfg.gateway;
GatewayOnLink = true;
};
};
};
services.resolved = {
enable = true;
dnssec = "allow-downgrade";
dnsovertls = "opportunistic";
};
}
(lib.mkIf cfg.wireless.enable {
environment.systemPackages = [ pkgs.iwgtk ];
networking.wireless.iwd = {
enable = true;
settings.Settings.AutoConnect = true;
};
systemd.network.networks."10-${cfg.interface}".networkConfig.IgnoreCarrierLoss = "3s";
sops.secrets =
cfg.wireless.networks
|> lib.map (name: "iwd/${name}")
|> self.lib.genAttrs (_: {
restartUnits = [ "iwd.service" ];
});
systemd.services.iwd = {
preStart = "install -m 600 /run/secrets/iwd/* /var/lib/iwd";
postStop = "rm --force /var/lib/iwd/*.{open,psk,8021x}";
};
})
];
}

2
modules/system/services/dns.nix
View file

@ -20,7 +20,7 @@ in
server = { server = {
interface = [ netCfg.overlay.interface ]; interface = [ netCfg.overlay.interface ];
access-control = [ access-control = [
"${netCfg.overlay.networkAddress}/${toString netCfg.overlay.prefixLength} allow" "${toString netCfg.overlay.networkCidr} allow"
]; ];
local-zone = "\"${netCfg.overlay.domain}.\" static"; local-zone = "\"${netCfg.overlay.domain}.\" static";

13
modules/system/services/nebula/default.nix
View file

@ -26,13 +26,12 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
assertions = lib.singleton { assertions = lib.singleton {
assertion = netCfg.isLighthouse -> netCfg.underlay.isPublic; assertion = netCfg.overlay.isLighthouse -> netCfg.underlay.isPublic;
message = "'${netCfg.hostName}' is a Nebula lighthouse, but underlay.isPublic is not set. Lighthouses must be publicly reachable."; message = "'${netCfg.hostName}' is a Nebula lighthouse, but underlay.isPublic is not set. Lighthouses must be publicly reachable.";
}; };
custom.networking.overlay = { custom.networking.overlay = {
networkAddress = "10.254.250.0"; networkCidr = "10.254.250.0/24";
prefixLength = 24;
domain = "splitleaf.de"; domain = "splitleaf.de";
interface = "nebula"; interface = "nebula";
systemdUnit = "nebula@mesh.service"; systemdUnit = "nebula@mesh.service";
@ -66,10 +65,10 @@ in
tun.device = netCfg.overlay.interface; tun.device = netCfg.overlay.interface;
listen.port = lib.mkIf netCfg.underlay.isPublic publicPort; listen.port = lib.mkIf netCfg.underlay.isPublic publicPort;
inherit (netCfg) isLighthouse; inherit (netCfg.overlay) isLighthouse;
lighthouses = lib.mkIf (!netCfg.isLighthouse) ( lighthouses = lib.mkIf (!netCfg.overlay.isLighthouse) (
netCfg.peers netCfg.peers
|> lib.filter (peer: peer.isLighthouse) |> lib.filter (peer: peer.overlay.isLighthouse)
|> lib.map (lighthouse: lighthouse.overlay.address) |> lib.map (lighthouse: lighthouse.overlay.address)
); );
@ -105,7 +104,7 @@ in
systemd.network.networks."40-nebula" = { systemd.network.networks."40-nebula" = {
matchConfig.Name = netCfg.overlay.interface; matchConfig.Name = netCfg.overlay.interface;
address = [ "${netCfg.overlay.address}/${toString netCfg.overlay.prefixLength}" ]; address = [ netCfg.overlay.cidr ];
dns = netCfg.overlay.dnsServers; dns = netCfg.overlay.dnsServers;
domains = [ netCfg.overlay.domain ]; domains = [ netCfg.overlay.domain ];
}; };

14
modules/system/services/resolved.nix
View file

@ -1,14 +0,0 @@
{ config, lib, ... }:
{
options.custom.services.resolved.enable = lib.mkEnableOption "" // {
default = config.systemd.network.enable;
};
config = lib.mkIf config.custom.services.resolved.enable {
services.resolved = {
enable = true;
dnssec = "allow-downgrade";
dnsovertls = "opportunistic";
};
};
}

2
modules/system/services/sshd.nix
View file

@ -30,7 +30,7 @@ in
nebula.networks.mesh.firewall.inbound = nebula.networks.mesh.firewall.inbound =
netCfg.peers netCfg.peers
|> lib.filter (node: node.isClient) |> lib.filter (node: node.overlay.role == "client")
|> lib.map (client: { |> lib.map (client: {
port = 22; port = 22;
proto = "tcp"; proto = "tcp";

40
modules/system/services/wlan.nix
View file

@ -1,40 +0,0 @@
{
config,
self,
pkgs,
lib,
...
}:
let
cfg = config.custom.services.wlan;
in
{
options.custom.services.wlan = {
enable = lib.mkEnableOption "";
networks = lib.mkOption {
type = lib.types.listOf lib.types.nonEmptyStr;
default = config.custom.sops.secrets.iwd |> lib.attrNames;
};
};
config = lib.mkIf cfg.enable {
networking.wireless.iwd = {
enable = true;
settings.General.EnableNetworkConfiguration = true;
};
environment.systemPackages = [ pkgs.iwgtk ];
sops.secrets =
cfg.networks
|> lib.map (name: "iwd/${name}")
|> self.lib.genAttrs (_: {
restartUnits = [ "iwd.service" ];
});
systemd.services.iwd = {
preStart = "install -m 600 /run/secrets/iwd/* /var/lib/iwd";
postStop = "rm --force /var/lib/iwd/*.{open,psk,8021x}";
};
};
}