From 1d1709e1ba8b80a660606328f68070bdc8f70ad4 Mon Sep 17 00:00:00 2001 From: SebastianStork Date: Fri, 30 Jan 2026 19:33:18 +0100 Subject: [PATCH 1/2] btop: Use different dark theme --- modules/home/programs/btop.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/home/programs/btop.nix b/modules/home/programs/btop.nix index 40c0b40..41dd253 100644 --- a/modules/home/programs/btop.nix +++ b/modules/home/programs/btop.nix @@ -7,7 +7,7 @@ enable = true; settings.color_theme = { - dark = "adwaita-dark"; + dark = "Default"; light = "adwaita"; } .${config.custom.theme}; From 27b5c57023f99cacd4f1d19dfce2f4c866b5f8cf Mon Sep 17 00:00:00 2001 
From: SebastianStork Date: Fri, 30 Jan 2026 20:39:59 +0100 Subject: [PATCH 2/2] networking: Unify underlay config across hosts --- hosts/desktop/default.nix | 11 ++- hosts/desktop/hardware.nix | 10 --- hosts/laptop/default.nix | 14 ++-- hosts/laptop/hardware.nix | 13 --- hosts/vps-monitor/default.nix | 11 ++- hosts/vps-monitor/hardware.nix | 20 +---- hosts/vps-private/default.nix | 11 ++- hosts/vps-private/hardware.nix | 20 +---- hosts/vps-public/default.nix | 9 +- hosts/vps-public/hardware.nix | 20 +---- modules/system/networking.nix | 96 ---------------------- modules/system/networking/default.nix | 39 +++++++++ modules/system/networking/overlay.nix | 65 +++++++++++++++ modules/system/networking/underlay.nix | 88 ++++++++++++++++++++ modules/system/services/dns.nix | 2 +- modules/system/services/nebula/default.nix | 13 ++- modules/system/services/resolved.nix | 14 ---- modules/system/services/sshd.nix | 2 +- modules/system/services/wlan.nix | 40 --------- 19 files changed, 240 insertions(+), 258 deletions(-) delete mode 100644 modules/system/networking.nix create mode 100644 modules/system/networking/default.nix create mode 100644 modules/system/networking/overlay.nix create mode 100644 modules/system/networking/underlay.nix delete mode 100644 modules/system/services/resolved.nix delete mode 100644 modules/system/services/wlan.nix diff --git a/hosts/desktop/default.nix b/hosts/desktop/default.nix index 2627530..9658d34 100644 --- a/hosts/desktop/default.nix +++ b/hosts/desktop/default.nix @@ -24,9 +24,14 @@ de.hyprland.enable = true; networking = { - overlay.address = "10.254.250.1"; - underlay.interface = "enp6s0"; - isClient = true; + overlay = { + address = "10.254.250.1"; + role = "client"; + }; + underlay = { + interface = "enp6s0"; + useDhcp = true; + }; }; services = { diff --git a/hosts/desktop/hardware.nix b/hosts/desktop/hardware.nix index fb9e490..2b42c92 100644 --- a/hosts/desktop/hardware.nix +++ b/hosts/desktop/hardware.nix 
@@ -33,16 +33,6 @@ _: { ''; }; - networking.useNetworkd = true; - systemd.network = { - enable = true; - networks."10-enp6s0" = { - matchConfig.Name = "enp6s0"; - networkConfig.DHCP = "ipv4"; - linkConfig.RequiredForOnline = "routable"; - }; - }; - hardware.fancontrol = { enable = true; config = '' diff --git a/hosts/laptop/default.nix b/hosts/laptop/default.nix index 9f50aa0..62c532a 100644 --- a/hosts/laptop/default.nix +++ b/hosts/laptop/default.nix @@ -24,15 +24,19 @@ de.hyprland.enable = true; networking = { - overlay.address = "10.254.250.3"; - underlay.interface = "wlan0"; - isClient = true; + overlay = { + address = "10.254.250.3"; + role = "client"; + }; + underlay = { + interface = "wlan0"; + useDhcp = true; + wireless.enable = true; + }; }; services = { - resolved.enable = true; auto-gc.enable = true; - wlan.enable = true; bluetooth.enable = true; sound.enable = true; nebula.enable = true; diff --git a/hosts/laptop/hardware.nix b/hosts/laptop/hardware.nix index 20515ef..211eb00 100644 --- a/hosts/laptop/hardware.nix +++ b/hosts/laptop/hardware.nix @@ -40,17 +40,4 @@ HibernateDelaySec=2h HibernateOnACPower=yes ''; - - networking.useNetworkd = true; - systemd.network = { - enable = true; - networks."10-wlan0" = { - matchConfig.Name = "wlan0"; - linkConfig.RequiredForOnline = "routable"; - networkConfig = { - DHCP = "yes"; - IgnoreCarrierLoss = "3s"; - }; - }; - }; } diff --git a/hosts/vps-monitor/default.nix b/hosts/vps-monitor/default.nix index 16993b3..b5d7e20 100644 --- a/hosts/vps-monitor/default.nix +++ b/hosts/vps-monitor/default.nix @@ -16,14 +16,17 @@ boot.loader.grub.enable = true; networking = { - overlay.address = "10.254.250.5"; + overlay = { + address = "10.254.250.5"; + isLighthouse = true; + role = "server"; + }; underlay = { interface = "enp1s0"; - address = "188.245.223.145"; + cidr = "188.245.223.145/32"; isPublic = true; + gateway = "172.31.1.1"; }; - isLighthouse = true; - isServer = true; }; services = { 
diff --git a/hosts/vps-monitor/hardware.nix b/hosts/vps-monitor/hardware.nix index 29c26de..ea58368 100644 --- a/hosts/vps-monitor/hardware.nix +++ b/hosts/vps-monitor/hardware.nix @@ -1,4 +1,4 @@ -{ modulesPath, lib, ... }: +{ modulesPath, ... }: { imports = [ "${modulesPath}/profiles/qemu-guest.nix" ]; @@ -14,22 +14,4 @@ ]; zramSwap.enable = true; - - networking.useDHCP = false; - systemd.network = { - enable = true; - networks."10-enp1s0" = { - matchConfig.Name = "enp1s0"; - linkConfig.RequiredForOnline = "routable"; - address = [ "188.245.223.145/32" ]; - routes = lib.singleton { - Gateway = "172.31.1.1"; - GatewayOnLink = true; - }; - dns = [ - "1.1.1.1" - "8.8.8.8" - ]; - }; - }; } diff --git a/hosts/vps-private/default.nix b/hosts/vps-private/default.nix index d4ef331..e28d821 100644 --- a/hosts/vps-private/default.nix +++ b/hosts/vps-private/default.nix @@ -20,14 +20,17 @@ boot.loader.systemd-boot.enable = true; networking = { - overlay.address = "10.254.250.2"; + overlay = { + address = "10.254.250.2"; + isLighthouse = true; + role = "server"; + }; underlay = { interface = "enp1s0"; - address = "49.13.231.235"; + cidr = "49.13.231.235/32"; isPublic = true; + gateway = "172.31.1.1"; }; - isLighthouse = true; - isServer = true; }; services = { diff --git a/hosts/vps-private/hardware.nix b/hosts/vps-private/hardware.nix index c178dc2..ea58368 100644 --- a/hosts/vps-private/hardware.nix +++ b/hosts/vps-private/hardware.nix @@ -1,4 +1,4 @@ -{ modulesPath, lib, ... }: +{ modulesPath, ... }: { imports = [ "${modulesPath}/profiles/qemu-guest.nix" ]; @@ -14,22 +14,4 @@ ]; zramSwap.enable = true; - - networking.useDHCP = false; - systemd.network = { - enable = true; - networks."10-enp1s0" = { - matchConfig.Name = "enp1s0"; - linkConfig.RequiredForOnline = "routable"; - address = [ "49.13.231.235/32" ]; - routes = lib.singleton { - Gateway = "172.31.1.1"; - GatewayOnLink = true; - }; - dns = [ - "1.1.1.1" - "8.8.8.8" - ]; - }; - }; } 
diff --git a/hosts/vps-public/default.nix b/hosts/vps-public/default.nix index b8e1a2c..817658e 100644 --- a/hosts/vps-public/default.nix +++ b/hosts/vps-public/default.nix @@ -20,13 +20,16 @@ boot.loader.systemd-boot.enable = true; networking = { - overlay.address = "10.254.250.4"; + overlay = { + address = "10.254.250.4"; + role = "server"; + }; underlay = { interface = "enp1s0"; - address = "167.235.73.246"; + cidr = "167.235.73.246/32"; isPublic = true; + gateway = "172.31.1.1"; }; - isServer = true; }; services = { diff --git a/hosts/vps-public/hardware.nix b/hosts/vps-public/hardware.nix index 1b5e794..ea58368 100644 --- a/hosts/vps-public/hardware.nix +++ b/hosts/vps-public/hardware.nix @@ -1,4 +1,4 @@ -{ modulesPath, lib, ... }: +{ modulesPath, ... }: { imports = [ "${modulesPath}/profiles/qemu-guest.nix" ]; @@ -14,22 +14,4 @@ ]; zramSwap.enable = true; - - networking.useDHCP = false; - systemd.network = { - enable = true; - networks."10-enp1s0" = { - matchConfig.Name = "enp1s0"; - linkConfig.RequiredForOnline = "routable"; - address = [ "167.235.73.246/32" ]; - routes = lib.singleton { - Gateway = "172.31.1.1"; - GatewayOnLink = true; - }; - dns = [ - "1.1.1.1" - "8.8.8.8" - ]; - }; - }; } diff --git a/modules/system/networking.nix b/modules/system/networking.nix deleted file mode 100644 index f89a61e..0000000 --- a/modules/system/networking.nix +++ /dev/null 
@@ -1,96 +0,0 @@ -{ - config, - self, - lib, - ... -}: -let - cfg = config.custom.networking; -in -{ - options.custom.networking = { - hostName = lib.mkOption { - type = lib.types.nonEmptyStr; - default = config.networking.hostName; - readOnly = true; - }; - isLighthouse = lib.mkEnableOption ""; - isServer = lib.mkEnableOption ""; - isClient = lib.mkEnableOption ""; - - overlay = { - networkAddress = lib.mkOption { - type = lib.types.nonEmptyStr; - default = ""; - }; - prefixLength = lib.mkOption { - type = lib.types.nullOr (lib.types.ints.between 0 32); - default = null; - }; - domain = lib.mkOption { - type = lib.types.nonEmptyStr; - default = ""; - }; - - address = lib.mkOption { - type = lib.types.nonEmptyStr; - default = ""; - }; - interface = lib.mkOption { - type = lib.types.nonEmptyStr; - default = ""; - }; - systemdUnit = lib.mkOption { - type = lib.types.nonEmptyStr; - default = ""; - }; - - dnsServers = lib.mkOption { - type = lib.types.anything; - default = - self.nixosConfigurations - |> lib.attrValues - |> lib.filter (host: host.config.custom.services.dns.enable) - |> lib.map (host: host.config.custom.networking.overlay.address); - }; - }; - - underlay = { - interface = lib.mkOption { - type = lib.types.nonEmptyStr; - default = ""; - }; - useDhcp = lib.mkEnableOption ""; - isPublic = lib.mkEnableOption ""; - address = lib.mkOption { - type = lib.types.nullOr lib.types.nonEmptyStr; - default = null; - }; - gateway = lib.mkOption { - type = lib.types.nullOr lib.types.nonEmptyStr; - default = null; - }; - }; - - nodes = lib.mkOption { - type = lib.types.anything; - default = - self.nixosConfigurations - |> lib.attrValues - |> lib.map (host: host.config.custom.networking) - |> lib.map ( - node: - lib.removeAttrs node [ - "nodes" - "peers" - ] - ); - readOnly = true; - }; - peers = lib.mkOption { - type = lib.types.anything; - default = cfg.nodes |> lib.filter (node: node.hostName != cfg.hostName); - readOnly = true; - }; - }; -} 
diff --git a/modules/system/networking/default.nix b/modules/system/networking/default.nix
new file mode 100644
index 0000000..6e7280d
--- /dev/null
+++ b/modules/system/networking/default.nix
@@ -0,0 +1,39 @@
+{
+ config,
+ self,
+ lib,
+ ...
+}:
+let
+ cfg = config.custom.networking;
+in
+{
+ options.custom.networking = {
+ hostName = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = config.networking.hostName;
+ readOnly = true;
+ };
+
+ nodes = lib.mkOption {
+ type = lib.types.anything;
+ default =
+ self.nixosConfigurations
+ |> lib.attrValues
+ |> lib.map (host: host.config.custom.networking)
+ |> lib.map (
+ node:
+ lib.removeAttrs node [
+ "nodes"
+ "peers"
+ ]
+ );
+ readOnly = true;
+ };
+ peers = lib.mkOption {
+ type = lib.types.anything;
+ default = cfg.nodes |> lib.filter (node: node.hostName != cfg.hostName);
+ readOnly = true;
+ };
+ };
+}
diff --git a/modules/system/networking/overlay.nix b/modules/system/networking/overlay.nix
new file mode 100644
index 0000000..21acb84
--- /dev/null
+++ b/modules/system/networking/overlay.nix
@@ -0,0 +1,65 @@
+{
+ config,
+ self,
+ lib,
+ ...
+}:
+let
+ cfg = config.custom.networking.overlay;
+in
+{
+ options.custom.networking.overlay = {
+ networkCidr = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = "";
+ };
+ networkAddress = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = cfg.networkCidr |> lib.splitString "/" |> lib.head;
+ readOnly = true;
+ };
+ prefixLength = lib.mkOption {
+ type = lib.types.ints.between 0 32;
+ default = cfg.networkCidr |> lib.splitString "/" |> lib.last |> lib.toInt;
+ };
+ domain = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = "";
+ };
+
+ address = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = "";
+ };
+ cidr = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = "${cfg.address}/${toString cfg.prefixLength}";
+ readOnly = true;
+ };
+ interface = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = "";
+ };
+ systemdUnit = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = "";
+ };
+
+ isLighthouse = lib.mkEnableOption "";
+ role = lib.mkOption {
+ type = lib.types.enum [
+ "client"
+ "server"
+ ];
+ };
+
+ dnsServers = lib.mkOption {
+ type = lib.types.anything;
+ default =
+ self.nixosConfigurations
+ |> lib.attrValues
+ |> lib.filter (host: host.config.custom.services.dns.enable)
+ |> lib.map (host: host.config.custom.networking.overlay.address);
+ };
+ };
+}
diff --git a/modules/system/networking/underlay.nix b/modules/system/networking/underlay.nix
new file mode 100644
index 0000000..30e0b65
--- /dev/null
+++ b/modules/system/networking/underlay.nix
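Review bot: `prefixLength` can still be set by a host independently of `networkCidr`, whereas `networkAddress` is `readOnly = true`; an override would make the derived `cidr` (used for the nebula interface address) disagree with `networkCidr` (used for the unbound access-control in dns.nix), so `prefixLength` should carry `readOnly = true;` as well. The derivation also has no guard: if `networkCidr` has no "/" the default runs `lib.toInt` on the whole address and fails with a generic evaluation error, so an assertion such as `assertion = lib.hasInfix "/" cfg.networkCidr;` (or a `lib.types.strMatching` type on `networkCidr`) would give a clearer message. The hunk is the whole new file.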
@@ -0,0 +1,88 @@
+{
+ config,
+ self,
+ pkgs,
+ lib,
+ ...
+}:
+let
+ cfg = config.custom.networking.underlay;
+in
+{
+ options.custom.networking.underlay = {
+ interface = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = "";
+ };
+ useDhcp = lib.mkEnableOption "";
+ isPublic = lib.mkEnableOption "";
+ cidr = lib.mkOption {
+ type = lib.types.nullOr lib.types.nonEmptyStr;
+ default = null;
+ };
+ address = lib.mkOption {
+ type = lib.types.nullOr lib.types.nonEmptyStr;
+ default = if cfg.cidr != null then cfg.cidr |> lib.splitString "/" |> lib.head else null;
+ readOnly = true;
+ };
+ gateway = lib.mkOption {
+ type = lib.types.nullOr lib.types.nonEmptyStr;
+ default = null;
+ };
+ wireless = {
+ enable = lib.mkEnableOption "";
+ networks = lib.mkOption {
+ type = lib.types.listOf lib.types.nonEmptyStr;
+ default = config.custom.sops.secrets.iwd |> lib.attrNames;
+ };
+ };
+ };
+
+ config = lib.mkMerge [
+ {
+ networking.useNetworkd = true;
+ systemd.network = {
+ enable = true;
+ networks."10-${cfg.interface}" = {
+ matchConfig.Name = cfg.interface;
+ linkConfig.RequiredForOnline = "routable";
+ networkConfig.DHCP = lib.mkIf cfg.useDhcp "yes";
+ address = lib.optional (cfg.cidr != null) cfg.cidr;
+ routes = lib.optional (cfg.gateway != null) {
+ Gateway = cfg.gateway;
+ GatewayOnLink = true;
+ };
+ };
+ };
+
+ services.resolved = {
+ enable = true;
+ dnssec = "allow-downgrade";
+ dnsovertls = "opportunistic";
+ };
+ }
+
+ (lib.mkIf cfg.wireless.enable {
+ environment.systemPackages = [ pkgs.iwgtk ];
+
+ networking.wireless.iwd = {
+ enable = true;
+ settings.Settings.AutoConnect = true;
+ };
+
+ systemd.network.networks."10-${cfg.interface}".networkConfig.IgnoreCarrierLoss = "3s";
+
+ sops.secrets =
+ cfg.wireless.networks
+ |> lib.map (name: "iwd/${name}")
+ |> self.lib.genAttrs (_: {
+ restartUnits = [ "iwd.service" ];
+ });
+
+ systemd.services.iwd = {
+ preStart = "install -m 600 /run/secrets/iwd/* /var/lib/iwd";
+ postStop = "rm --force 
/var/lib/iwd/*.{open,psk,8021x}"; + }; + }) + ]; +} diff --git a/modules/system/services/dns.nix b/modules/system/services/dns.nix index cb73b2e..f3226b5 100644 --- a/modules/system/services/dns.nix +++ b/modules/system/services/dns.nix @@ -20,7 +20,7 @@ in server = { interface = [ netCfg.overlay.interface ]; access-control = [ - "${netCfg.overlay.networkAddress}/${toString netCfg.overlay.prefixLength} allow" + "${toString netCfg.overlay.networkCidr} allow" ]; local-zone = "\"${netCfg.overlay.domain}.\" static"; diff --git a/modules/system/services/nebula/default.nix b/modules/system/services/nebula/default.nix index 651bf9e..b37b9d7 100644 --- a/modules/system/services/nebula/default.nix +++ b/modules/system/services/nebula/default.nix @@ -26,13 +26,12 @@ in config = lib.mkIf cfg.enable { assertions = lib.singleton { - assertion = netCfg.isLighthouse -> netCfg.underlay.isPublic; + assertion = netCfg.overlay.isLighthouse -> netCfg.underlay.isPublic; message = "'${netCfg.hostName}' is a Nebula lighthouse, but underlay.isPublic is not set. Lighthouses must be publicly reachable."; }; custom.networking.overlay = { - networkAddress = "10.254.250.0"; - prefixLength = 24; + networkCidr = "10.254.250.0/24"; domain = "splitleaf.de"; interface = "nebula"; systemdUnit = "nebula@mesh.service"; @@ -66,10 +65,10 @@ in tun.device = netCfg.overlay.interface; listen.port = lib.mkIf netCfg.underlay.isPublic publicPort; - inherit (netCfg) isLighthouse; - lighthouses = lib.mkIf (!netCfg.isLighthouse) ( + inherit (netCfg.overlay) isLighthouse; + lighthouses = lib.mkIf (!netCfg.overlay.isLighthouse) ( netCfg.peers - |> lib.filter (peer: peer.isLighthouse) + |> lib.filter (peer: peer.overlay.isLighthouse) |> lib.map (lighthouse: lighthouse.overlay.address) ); 
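Review bot: The static-address hosts lose their resolver configuration: the `networks."10-${cfg.interface}"` unit in underlay.nix sets `address` and `routes` but no `dns`, while the three VPS hardware.nix hunks drop `dns = [ "1.1.1.1" "8.8.8.8" ]`, so hosts without DHCP end up with no DNS server on the interface and resolution presumably depends on whatever fallback list systemd-resolved has compiled in. A `dns` option on the underlay, defaulting to an empty list and set back to the old servers in the VPS host files, keeps that explicit (sketch below). Two smaller points: `networkConfig.DHCP = lib.mkIf cfg.useDhcp "yes"` now also requests IPv6 on the desktop, whose hardware.nix previously had `DHCP = "ipv4"`; and `settings.Settings.AutoConnect = true` lands in iwd's main.conf, where as far as I know `[Settings] AutoConnect` is a per-network profile key rather than a main.conf key, so it may be a no-op — worth confirming against iwd.config(5). The hunk is the whole new file.
```nix
    # … unchanged: interface/useDhcp/isPublic/cidr/address/gateway options …
    dns = lib.mkOption {
      type = lib.types.listOf lib.types.nonEmptyStr;
      default = [ ];
    };
    # … unchanged: wireless options …
        networks."10-${cfg.interface}" = {
          # … unchanged: matchConfig/linkConfig/DHCP/address/routes …
          dns = cfg.dns;
        };
```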
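Review bot: `toString netCfg.overlay.networkCidr` in the access-control entry is redundant — the option is declared `lib.types.nonEmptyStr` in overlay.nix, so `"${netCfg.overlay.networkCidr} allow"` reads the same and no longer suggests the value might be something other than a string. The enclosing `server` attribute set continues outside the hunk.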
@@ -105,7 +104,7 @@ in systemd.network.networks."40-nebula" = { matchConfig.Name = netCfg.overlay.interface; - address = [ "${netCfg.overlay.address}/${toString netCfg.overlay.prefixLength}" ]; + address = [ netCfg.overlay.cidr ]; dns = netCfg.overlay.dnsServers; domains = [ netCfg.overlay.domain ]; }; diff --git a/modules/system/services/resolved.nix b/modules/system/services/resolved.nix deleted file mode 100644 index 9782bde..0000000 --- a/modules/system/services/resolved.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ config, lib, ... }: -{ - options.custom.services.resolved.enable = lib.mkEnableOption "" // { - default = config.systemd.network.enable; - }; - - config = lib.mkIf config.custom.services.resolved.enable { - services.resolved = { - enable = true; - dnssec = "allow-downgrade"; - dnsovertls = "opportunistic"; - }; - }; -} diff --git a/modules/system/services/sshd.nix b/modules/system/services/sshd.nix index a591940..f37f707 100644 --- a/modules/system/services/sshd.nix +++ b/modules/system/services/sshd.nix @@ -30,7 +30,7 @@ in nebula.networks.mesh.firewall.inbound = netCfg.peers - |> lib.filter (node: node.isClient) + |> lib.filter (node: node.overlay.role == "client") |> lib.map (client: { port = 22; proto = "tcp"; diff --git a/modules/system/services/wlan.nix b/modules/system/services/wlan.nix deleted file mode 100644 index 3523359..0000000 --- a/modules/system/services/wlan.nix +++ /dev/null 
@@ -1,40 +0,0 @@
-{
- config,
- self,
- pkgs,
- lib,
- ...
-}:
-let
- cfg = config.custom.services.wlan;
-in
-{
- options.custom.services.wlan = {
- enable = lib.mkEnableOption "";
- networks = lib.mkOption {
- type = lib.types.listOf lib.types.nonEmptyStr;
- default = config.custom.sops.secrets.iwd |> lib.attrNames;
- };
- };
-
- config = lib.mkIf cfg.enable {
- networking.wireless.iwd = {
- enable = true;
- settings.General.EnableNetworkConfiguration = true;
- };
-
- environment.systemPackages = [ pkgs.iwgtk ];
-
- sops.secrets =
- cfg.networks
- |> lib.map (name: "iwd/${name}")
- |> self.lib.genAttrs (_: {
- restartUnits = [ "iwd.service" ];
- });
-
- systemd.services.iwd = {
- preStart = "install -m 600 /run/secrets/iwd/* /var/lib/iwd";
- postStop = "rm --force /var/lib/iwd/*.{open,psk,8021x}";
- };
- };
-}