diff --git a/hosts/desktop/default.nix b/hosts/desktop/default.nix index 9658d34..2627530 100644 --- a/hosts/desktop/default.nix +++ b/hosts/desktop/default.nix @@ -24,14 +24,9 @@ de.hyprland.enable = true; networking = { - overlay = { - address = "10.254.250.1"; - role = "client"; - }; - underlay = { - interface = "enp6s0"; - useDhcp = true; - }; + overlay.address = "10.254.250.1"; + underlay.interface = "enp6s0"; + isClient = true; }; services = { diff --git a/hosts/desktop/hardware.nix b/hosts/desktop/hardware.nix index 2b42c92..fb9e490 100644 --- a/hosts/desktop/hardware.nix +++ b/hosts/desktop/hardware.nix @@ -33,6 +33,16 @@ _: { ''; }; + networking.useNetworkd = true; + systemd.network = { + enable = true; + networks."10-enp6s0" = { + matchConfig.Name = "enp6s0"; + networkConfig.DHCP = "ipv4"; + linkConfig.RequiredForOnline = "routable"; + }; + }; + hardware.fancontrol = { enable = true; config = '' diff --git a/hosts/laptop/default.nix b/hosts/laptop/default.nix index 62c532a..9f50aa0 100644 --- a/hosts/laptop/default.nix +++ b/hosts/laptop/default.nix @@ -24,19 +24,15 @@ de.hyprland.enable = true; networking = { - overlay = { - address = "10.254.250.3"; - role = "client"; - }; - underlay = { - interface = "wlan0"; - useDhcp = true; - wireless.enable = true; - }; + overlay.address = "10.254.250.3"; + underlay.interface = "wlan0"; + isClient = true; }; services = { + resolved.enable = true; auto-gc.enable = true; + wlan.enable = true; bluetooth.enable = true; sound.enable = true; nebula.enable = true; diff --git a/hosts/laptop/hardware.nix b/hosts/laptop/hardware.nix index 211eb00..20515ef 100644 --- a/hosts/laptop/hardware.nix +++ b/hosts/laptop/hardware.nix 
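Review bot: `networks."10-enp6s0"` restates the interface name that `hosts/desktop/default.nix` still sets via `custom.networking.underlay.interface`, and the VPS `hardware.nix` files in this change do the same with the address and gateway that their `default.nix` keeps in `underlay.address`; now that the deleted `modules/system/networking/underlay.nix` no longer generates the networkd unit from those options, nothing in this diff reads `underlay.useDhcp`, `underlay.address` or `underlay.gateway`, so the two copies can drift without any evaluation error (unless a module not shown here consumes them). If the options stay, derive the unit from them instead of repeating the literals, e.g. `networks."10-${cfg.underlay.interface}".matchConfig.Name = cfg.underlay.interface;` with `cfg = config.custom.networking`, which needs `config` in this file's argument set (currently `_:`). The same applies to `hosts/laptop/hardware.nix`, `hosts/vps-monitor/hardware.nix`, `hosts/vps-private/hardware.nix` and `hosts/vps-public/hardware.nix`.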
@@ -40,4 +40,17 @@ HibernateDelaySec=2h HibernateOnACPower=yes ''; + + networking.useNetworkd = true; + systemd.network = { + enable = true; + networks."10-wlan0" = { + matchConfig.Name = "wlan0"; + linkConfig.RequiredForOnline = "routable"; + networkConfig = { + DHCP = "yes"; + IgnoreCarrierLoss = "3s"; + }; + }; + }; } diff --git a/hosts/vps-monitor/default.nix b/hosts/vps-monitor/default.nix index b5d7e20..16993b3 100644 --- a/hosts/vps-monitor/default.nix +++ b/hosts/vps-monitor/default.nix @@ -16,17 +16,14 @@ boot.loader.grub.enable = true; networking = { - overlay = { - address = "10.254.250.5"; - isLighthouse = true; - role = "server"; - }; + overlay.address = "10.254.250.5"; underlay = { interface = "enp1s0"; - cidr = "188.245.223.145/32"; + address = "188.245.223.145"; isPublic = true; - gateway = "172.31.1.1"; }; + isLighthouse = true; + isServer = true; }; services = { diff --git a/hosts/vps-monitor/hardware.nix b/hosts/vps-monitor/hardware.nix index ea58368..29c26de 100644 --- a/hosts/vps-monitor/hardware.nix +++ b/hosts/vps-monitor/hardware.nix @@ -1,4 +1,4 @@ -{ modulesPath, ... }: +{ modulesPath, lib, ... }: { imports = [ "${modulesPath}/profiles/qemu-guest.nix" ]; @@ -14,4 +14,22 @@ ]; zramSwap.enable = true; + + networking.useDHCP = false; + systemd.network = { + enable = true; + networks."10-enp1s0" = { + matchConfig.Name = "enp1s0"; + linkConfig.RequiredForOnline = "routable"; + address = [ "188.245.223.145/32" ]; + routes = lib.singleton { + Gateway = "172.31.1.1"; + GatewayOnLink = true; + }; + dns = [ + "1.1.1.1" + "8.8.8.8" + ]; + }; + }; } diff --git a/hosts/vps-private/default.nix b/hosts/vps-private/default.nix index e28d821..d4ef331 100644 --- a/hosts/vps-private/default.nix +++ b/hosts/vps-private/default.nix 
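Review bot: `networks."10-wlan0"` now runs networkd DHCP (`DHCP = "yes"`) on wlan0, while the new `modules/system/services/wlan.nix` in this same change sets `settings.General.EnableNetworkConfiguration = true`, which makes iwd run its own DHCP client and address configuration on the same interface; if both take effect the interface has two competing DHCP clients. Pick one owner — either drop `EnableNetworkConfiguration` and keep networkd in charge, or reduce this unit to `matchConfig` and `RequiredForOnline` and let iwd configure addresses. Also note the desktop unit uses `DHCP = "ipv4"` whereas this one uses `"yes"` (IPv4 and IPv6); if the difference is deliberate, a short comment on the line would stop someone from "harmonising" it later.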
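Review bot: This unit, and the identical ones in `hosts/vps-private/hardware.nix` and `hosts/vps-public/hardware.nix`, enable `systemd.network` but, unlike the desktop and laptop files, do not set `networking.useNetworkd = true`, which the deleted `modules/system/networking/underlay.nix` used to set unconditionally for every host; if the omission is deliberate a comment should say so, otherwise the three VPS hosts keep NixOS's scripted networking alongside networkd. The `lib` parameter is added to the function header only to write `routes = lib.singleton { ... }`; a list literal `routes = [ { Gateway = "172.31.1.1"; GatewayOnLink = true; } ];` avoids the extra argument and matches the list form already used for `address` and `dns` in the same block. The resolvers `1.1.1.1` / `8.8.8.8` are reached over the public underlay and the resolved module added in this change only upgrades to DoT opportunistically, so DNS on these hosts is best-effort plaintext — worth a one-line comment next to the `dns` list.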
@@ -20,17 +20,14 @@ boot.loader.systemd-boot.enable = true; networking = { - overlay = { - address = "10.254.250.2"; - isLighthouse = true; - role = "server"; - }; + overlay.address = "10.254.250.2"; underlay = { interface = "enp1s0"; - cidr = "49.13.231.235/32"; + address = "49.13.231.235"; isPublic = true; - gateway = "172.31.1.1"; }; + isLighthouse = true; + isServer = true; }; services = { diff --git a/hosts/vps-private/hardware.nix b/hosts/vps-private/hardware.nix index ea58368..c178dc2 100644 --- a/hosts/vps-private/hardware.nix +++ b/hosts/vps-private/hardware.nix @@ -1,4 +1,4 @@ -{ modulesPath, ... }: +{ modulesPath, lib, ... }: { imports = [ "${modulesPath}/profiles/qemu-guest.nix" ]; @@ -14,4 +14,22 @@ ]; zramSwap.enable = true; + + networking.useDHCP = false; + systemd.network = { + enable = true; + networks."10-enp1s0" = { + matchConfig.Name = "enp1s0"; + linkConfig.RequiredForOnline = "routable"; + address = [ "49.13.231.235/32" ]; + routes = lib.singleton { + Gateway = "172.31.1.1"; + GatewayOnLink = true; + }; + dns = [ + "1.1.1.1" + "8.8.8.8" + ]; + }; + }; } diff --git a/hosts/vps-public/default.nix b/hosts/vps-public/default.nix index 817658e..b8e1a2c 100644 --- a/hosts/vps-public/default.nix +++ b/hosts/vps-public/default.nix @@ -20,16 +20,13 @@ boot.loader.systemd-boot.enable = true; networking = { - overlay = { - address = "10.254.250.4"; - role = "server"; - }; + overlay.address = "10.254.250.4"; underlay = { interface = "enp1s0"; - cidr = "167.235.73.246/32"; + address = "167.235.73.246"; isPublic = true; - gateway = "172.31.1.1"; }; + isServer = true; }; services = { diff --git a/hosts/vps-public/hardware.nix b/hosts/vps-public/hardware.nix index ea58368..1b5e794 100644 --- a/hosts/vps-public/hardware.nix +++ b/hosts/vps-public/hardware.nix @@ -1,4 +1,4 @@ -{ modulesPath, ... }: +{ modulesPath, lib, ... }: { imports = [ "${modulesPath}/profiles/qemu-guest.nix" ]; 
@@ -14,4 +14,22 @@ ]; zramSwap.enable = true; + + networking.useDHCP = false; + systemd.network = { + enable = true; + networks."10-enp1s0" = { + matchConfig.Name = "enp1s0"; + linkConfig.RequiredForOnline = "routable"; + address = [ "167.235.73.246/32" ]; + routes = lib.singleton { + Gateway = "172.31.1.1"; + GatewayOnLink = true; + }; + dns = [ + "1.1.1.1" + "8.8.8.8" + ]; + }; + }; } diff --git a/modules/home/programs/btop.nix b/modules/home/programs/btop.nix index 41dd253..40c0b40 100644 --- a/modules/home/programs/btop.nix +++ b/modules/home/programs/btop.nix @@ -7,7 +7,7 @@ enable = true; settings.color_theme = { - dark = "Default"; + dark = "adwaita-dark"; light = "adwaita"; } .${config.custom.theme}; diff --git a/modules/system/networking.nix b/modules/system/networking.nix new file mode 100644 index 0000000..f89a61e --- /dev/null +++ b/modules/system/networking.nix 
@@ -0,0 +1,96 @@ +{ + config, + self, + lib, + ... +}: +let + cfg = config.custom.networking; +in +{ + options.custom.networking = { + hostName = lib.mkOption { + type = lib.types.nonEmptyStr; + default = config.networking.hostName; + readOnly = true; + }; + isLighthouse = lib.mkEnableOption ""; + isServer = lib.mkEnableOption ""; + isClient = lib.mkEnableOption ""; + + overlay = { + networkAddress = lib.mkOption { + type = lib.types.nonEmptyStr; + default = ""; + }; + prefixLength = lib.mkOption { + type = lib.types.nullOr (lib.types.ints.between 0 32); + default = null; + }; + domain = lib.mkOption { + type = lib.types.nonEmptyStr; + default = ""; + }; + + address = lib.mkOption { + type = lib.types.nonEmptyStr; + default = ""; + }; + interface = lib.mkOption { + type = lib.types.nonEmptyStr; + default = ""; + }; + systemdUnit = lib.mkOption { + type = lib.types.nonEmptyStr; + default = ""; + }; + + dnsServers = lib.mkOption { + type = lib.types.anything; + default = + self.nixosConfigurations + |> lib.attrValues + |> lib.filter (host: host.config.custom.services.dns.enable) + |> lib.map (host: host.config.custom.networking.overlay.address); + }; + }; + + underlay = { + interface = lib.mkOption { + type = lib.types.nonEmptyStr; + default = ""; + }; + useDhcp = lib.mkEnableOption ""; + isPublic = lib.mkEnableOption ""; + address = lib.mkOption { + type = lib.types.nullOr lib.types.nonEmptyStr; + default = null; + }; + gateway = lib.mkOption { + type = lib.types.nullOr lib.types.nonEmptyStr; + default = null; + }; + }; + + nodes = lib.mkOption { + type = lib.types.anything; + default = + self.nixosConfigurations + |> lib.attrValues + |> lib.map (host: host.config.custom.networking) + |> lib.map ( + node: + lib.removeAttrs node [ + "nodes" + "peers" + ] + ); + readOnly = true; + }; + peers = lib.mkOption { + type = lib.types.anything; + default = cfg.nodes |> lib.filter (node: node.hostName != cfg.hostName); + readOnly = true; + }; + }; +} 
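Review bot: The three role flags `isLighthouse`, `isServer` and `isClient` all default to false, so a host that sets none of them evaluates cleanly yet is silently excluded wherever a flag is consulted — `modules/system/services/sshd.nix` in this same change filters peers on `node.isClient`, so such a host would simply drop out of the SSH inbound allow-list. The removed `overlay.role` enum had no default and therefore forced every host to choose; that guarantee can be restored with an assertion next to these options, e.g. `config.assertions = lib.singleton { assertion = cfg.isClient != cfg.isServer; message = "'${cfg.hostName}' must set exactly one of custom.networking.isClient / isServer"; };`. Separately, `overlay.address`, `overlay.interface`, `overlay.networkAddress` and `overlay.domain` declare `type = lib.types.nonEmptyStr` with `default = ""`; if I read the module system correctly, defaults are type-checked when the option is read, so an unset value fails with a type error on the empty string rather than a message naming the missing setting — dropping the `default` (making the option required) or using `nullOr` as `underlay.address` does would be clearer. `underlay.useDhcp` and `underlay.gateway` are still declared here but nothing in this diff reads them any more; if they are indeed unused, remove them so the host files stop looking authoritative.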
diff --git a/modules/system/networking/default.nix b/modules/system/networking/default.nix deleted file mode 100644 index 6e7280d..0000000 --- a/modules/system/networking/default.nix +++ /dev/null @@ -1,39 +0,0 @@ -{ - config, - self, - lib, - ... -}: -let - cfg = config.custom.networking; -in -{ - options.custom.networking = { - hostName = lib.mkOption { - type = lib.types.nonEmptyStr; - default = config.networking.hostName; - readOnly = true; - }; - - nodes = lib.mkOption { - type = lib.types.anything; - default = - self.nixosConfigurations - |> lib.attrValues - |> lib.map (host: host.config.custom.networking) - |> lib.map ( - node: - lib.removeAttrs node [ - "nodes" - "peers" - ] - ); - readOnly = true; - }; - peers = lib.mkOption { - type = lib.types.anything; - default = cfg.nodes |> lib.filter (node: node.hostName != cfg.hostName); - readOnly = true; - }; - }; -} diff --git a/modules/system/networking/overlay.nix b/modules/system/networking/overlay.nix deleted file mode 100644 index 21acb84..0000000 --- a/modules/system/networking/overlay.nix +++ /dev/null 
@@ -1,65 +0,0 @@ -{ - config, - self, - lib, - ... -}: -let - cfg = config.custom.networking.overlay; -in -{ - options.custom.networking.overlay = { - networkCidr = lib.mkOption { - type = lib.types.nonEmptyStr; - default = ""; - }; - networkAddress = lib.mkOption { - type = lib.types.nonEmptyStr; - default = cfg.networkCidr |> lib.splitString "/" |> lib.head; - readOnly = true; - }; - prefixLength = lib.mkOption { - type = lib.types.ints.between 0 32; - default = cfg.networkCidr |> lib.splitString "/" |> lib.last |> lib.toInt; - }; - domain = lib.mkOption { - type = lib.types.nonEmptyStr; - default = ""; - }; - - address = lib.mkOption { - type = lib.types.nonEmptyStr; - default = ""; - }; - cidr = lib.mkOption { - type = lib.types.nonEmptyStr; - default = "${cfg.address}/${toString cfg.prefixLength}"; - readOnly = true; - }; - interface = lib.mkOption { - type = lib.types.nonEmptyStr; - default = ""; - }; - systemdUnit = lib.mkOption { - type = lib.types.nonEmptyStr; - default = ""; - }; - - isLighthouse = lib.mkEnableOption ""; - role = lib.mkOption { - type = lib.types.enum [ - "client" - "server" - ]; - }; - - dnsServers = lib.mkOption { - type = lib.types.anything; - default = - self.nixosConfigurations - |> lib.attrValues - |> lib.filter (host: host.config.custom.services.dns.enable) - |> lib.map (host: host.config.custom.networking.overlay.address); - }; - }; -} diff --git a/modules/system/networking/underlay.nix b/modules/system/networking/underlay.nix deleted file mode 100644 index 30e0b65..0000000 --- a/modules/system/networking/underlay.nix +++ /dev/null 
@@ -1,88 +0,0 @@ -{ - config, - self, - pkgs, - lib, - ... -}: -let - cfg = config.custom.networking.underlay; -in -{ - options.custom.networking.underlay = { - interface = lib.mkOption { - type = lib.types.nonEmptyStr; - default = ""; - }; - useDhcp = lib.mkEnableOption ""; - isPublic = lib.mkEnableOption ""; - cidr = lib.mkOption { - type = lib.types.nullOr lib.types.nonEmptyStr; - default = null; - }; - address = lib.mkOption { - type = lib.types.nullOr lib.types.nonEmptyStr; - default = if cfg.cidr != null then cfg.cidr |> lib.splitString "/" |> lib.head else null; - readOnly = true; - }; - gateway = lib.mkOption { - type = lib.types.nullOr lib.types.nonEmptyStr; - default = null; - }; - wireless = { - enable = lib.mkEnableOption ""; - networks = lib.mkOption { - type = lib.types.listOf lib.types.nonEmptyStr; - default = config.custom.sops.secrets.iwd |> lib.attrNames; - }; - }; - }; - - config = lib.mkMerge [ - { - networking.useNetworkd = true; - systemd.network = { - enable = true; - networks."10-${cfg.interface}" = { - matchConfig.Name = cfg.interface; - linkConfig.RequiredForOnline = "routable"; - networkConfig.DHCP = lib.mkIf cfg.useDhcp "yes"; - address = lib.optional (cfg.cidr != null) cfg.cidr; - routes = lib.optional (cfg.gateway != null) { - Gateway = cfg.gateway; - GatewayOnLink = true; - }; - }; - }; - - services.resolved = { - enable = true; - dnssec = "allow-downgrade"; - dnsovertls = "opportunistic"; - }; - } - - (lib.mkIf cfg.wireless.enable { - environment.systemPackages = [ pkgs.iwgtk ]; - - networking.wireless.iwd = { - enable = true; - settings.Settings.AutoConnect = true; - }; - - systemd.network.networks."10-${cfg.interface}".networkConfig.IgnoreCarrierLoss = "3s"; - - sops.secrets = - cfg.wireless.networks - |> lib.map (name: "iwd/${name}") - |> self.lib.genAttrs (_: { - restartUnits = [ "iwd.service" ]; - }); - - systemd.services.iwd = { - preStart = "install -m 600 /run/secrets/iwd/* /var/lib/iwd"; - postStop = "rm --force 
/var/lib/iwd/*.{open,psk,8021x}"; - }; - }) - ]; -} diff --git a/modules/system/services/dns.nix b/modules/system/services/dns.nix index f3226b5..cb73b2e 100644 --- a/modules/system/services/dns.nix +++ b/modules/system/services/dns.nix @@ -20,7 +20,7 @@ in server = { interface = [ netCfg.overlay.interface ]; access-control = [ - "${toString netCfg.overlay.networkCidr} allow" + "${netCfg.overlay.networkAddress}/${toString netCfg.overlay.prefixLength} allow" ]; local-zone = "\"${netCfg.overlay.domain}.\" static"; diff --git a/modules/system/services/nebula/default.nix b/modules/system/services/nebula/default.nix index b37b9d7..651bf9e 100644 --- a/modules/system/services/nebula/default.nix +++ b/modules/system/services/nebula/default.nix @@ -26,12 +26,13 @@ in config = lib.mkIf cfg.enable { assertions = lib.singleton { - assertion = netCfg.overlay.isLighthouse -> netCfg.underlay.isPublic; + assertion = netCfg.isLighthouse -> netCfg.underlay.isPublic; message = "'${netCfg.hostName}' is a Nebula lighthouse, but underlay.isPublic is not set. Lighthouses must be publicly reachable."; }; custom.networking.overlay = { - networkCidr = "10.254.250.0/24"; + networkAddress = "10.254.250.0"; + prefixLength = 24; domain = "splitleaf.de"; interface = "nebula"; systemdUnit = "nebula@mesh.service"; @@ -65,10 +66,10 @@ in tun.device = netCfg.overlay.interface; listen.port = lib.mkIf netCfg.underlay.isPublic publicPort; - inherit (netCfg.overlay) isLighthouse; - lighthouses = lib.mkIf (!netCfg.overlay.isLighthouse) ( + inherit (netCfg) isLighthouse; + lighthouses = lib.mkIf (!netCfg.isLighthouse) ( netCfg.peers - |> lib.filter (peer: peer.overlay.isLighthouse) + |> lib.filter (peer: peer.isLighthouse) |> lib.map (lighthouse: lighthouse.overlay.address) ); 
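Review bot: `toString netCfg.overlay.prefixLength` in the new `access-control` entry turns a null into the empty string, so if `prefixLength` is still at its new default of `null` the generated line becomes `10.254.250.0/ allow` — a malformed unbound ACL instead of an evaluation error. The value is only defined by the nebula module, and that definition sits under `config = lib.mkIf cfg.enable` in the nebula hunk that follows, so a host with DNS enabled but nebula disabled would take this path; the same interpolation appears in `systemd.network.networks."40-nebula".address` in the last nebula hunk, though there the prefix is set in the same module. An assertion alongside this block, e.g. `assertion = netCfg.overlay.prefixLength != null; message = "custom.networking.overlay.prefixLength must be set when custom.services.dns is enabled";`, would make the failure explicit.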
@@ -104,7 +105,7 @@ in systemd.network.networks."40-nebula" = { matchConfig.Name = netCfg.overlay.interface; - address = [ netCfg.overlay.cidr ]; + address = [ "${netCfg.overlay.address}/${toString netCfg.overlay.prefixLength}" ]; dns = netCfg.overlay.dnsServers; domains = [ netCfg.overlay.domain ]; }; diff --git a/modules/system/services/resolved.nix b/modules/system/services/resolved.nix new file mode 100644 index 0000000..9782bde --- /dev/null +++ b/modules/system/services/resolved.nix @@ -0,0 +1,14 @@ +{ config, lib, ... }: +{ + options.custom.services.resolved.enable = lib.mkEnableOption "" // { + default = config.systemd.network.enable; + }; + + config = lib.mkIf config.custom.services.resolved.enable { + services.resolved = { + enable = true; + dnssec = "allow-downgrade"; + dnsovertls = "opportunistic"; + }; + }; +} diff --git a/modules/system/services/sshd.nix b/modules/system/services/sshd.nix index f37f707..a591940 100644 --- a/modules/system/services/sshd.nix +++ b/modules/system/services/sshd.nix @@ -30,7 +30,7 @@ in nebula.networks.mesh.firewall.inbound = netCfg.peers - |> lib.filter (node: node.overlay.role == "client") + |> lib.filter (node: node.isClient) |> lib.map (client: { port = 22; proto = "tcp"; diff --git a/modules/system/services/wlan.nix b/modules/system/services/wlan.nix new file mode 100644 index 0000000..3523359 --- /dev/null +++ b/modules/system/services/wlan.nix 
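Review bot: `resolved.nix` carries `dnssec = "allow-downgrade"` and `dnsovertls = "opportunistic"` without a comment, and both modes fall back silently to unvalidated, plaintext DNS when the upstream resolver does not answer DNSSEC or TLS, so they record an intent rather than a guarantee. Since the VPS hosts in this change point straight at public resolvers over the underlay, a one-line comment would save the next reader from assuming encrypted, validated DNS, e.g. `# best-effort only: both settings downgrade to plain DNS when upstream lacks DNSSEC/DoT; set both to "true" to fail closed`. The `default = config.systemd.network.enable` also makes the explicit `resolved.enable = true;` added in `hosts/laptop/default.nix` redundant now that its hardware.nix enables networkd; harmless, but the empty `mkEnableOption ""` is a good place to state that default in a description.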
@@ -0,0 +1,40 @@ +{ + config, + self, + pkgs, + lib, + ... +}: +let + cfg = config.custom.services.wlan; +in +{ + options.custom.services.wlan = { + enable = lib.mkEnableOption ""; + networks = lib.mkOption { + type = lib.types.listOf lib.types.nonEmptyStr; + default = config.custom.sops.secrets.iwd |> lib.attrNames; + }; + }; + + config = lib.mkIf cfg.enable { + networking.wireless.iwd = { + enable = true; + settings.General.EnableNetworkConfiguration = true; + }; + + environment.systemPackages = [ pkgs.iwgtk ]; + + sops.secrets = + cfg.networks + |> lib.map (name: "iwd/${name}") + |> self.lib.genAttrs (_: { + restartUnits = [ "iwd.service" ]; + }); + + systemd.services.iwd = { + preStart = "install -m 600 /run/secrets/iwd/* /var/lib/iwd"; + postStop = "rm --force /var/lib/iwd/*.{open,psk,8021x}"; + }; + }; +}
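Review bot: The iwd `preStart` hands the literal glob `/run/secrets/iwd/*` to `install`, so when `cfg.networks` is empty (its default is whatever `sops.secrets.iwd` declares, which may be nothing on a host that merely enables the service) the glob does not expand, `install` fails on the nonexistent path, and iwd never starts — NixOS service scripts run under bash with errexit, as far as I know. A guarded loop covers that case: `preStart = ''for f in /run/secrets/iwd/*; do if [ -e "$f" ]; then install -m 600 "$f" /var/lib/iwd; fi; done'';`. The copied profiles are PSK material persisted on disk until `postStop` runs; a short comment stating that `/var/lib/iwd` holds plaintext credentials between service start and stop would help whoever audits this later.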