From 509ac5cdefa6ae683e1fdd761c4650a590d93697 Mon Sep 17 00:00:00 2001 From: Gabriel Arazas Date: Tue, 12 Dec 2023 21:20:55 +0800 Subject: [PATCH] hosts/ni: format into new host-specific module structure --- hosts/ni/default.nix | 9 +- hosts/ni/hardware-configuration.nix | 1 - hosts/ni/modules/default.nix | 7 ++ .../ni/modules/hardware/systemd-networkd.nix | 51 ---------- .../hardware/traditional-networking.nix | 21 ---- hosts/ni/modules/networking.nix | 40 -------- hosts/ni/modules/networking/setup.nix | 97 +++++++++++++++++++ .../ni/modules/{ => networking}/wireguard.nix | 30 +++--- modules/home-manager/profiles/dev.nix | 1 - 9 files changed, 127 insertions(+), 130 deletions(-) create mode 100644 hosts/ni/modules/default.nix delete mode 100644 hosts/ni/modules/hardware/systemd-networkd.nix delete mode 100644 hosts/ni/modules/hardware/traditional-networking.nix delete mode 100644 hosts/ni/modules/networking.nix create mode 100644 hosts/ni/modules/networking/setup.nix rename hosts/ni/modules/{ => networking}/wireguard.nix (82%) diff --git a/hosts/ni/default.nix b/hosts/ni/default.nix index af3db497..f2416fea 100644 --- a/hosts/ni/default.nix +++ b/hosts/ni/default.nix @@ -4,9 +4,7 @@ imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix - - ./modules/networking.nix - ./modules/wireguard.nix + ./modules (lib.mapHomeManagerUser "foo-dogsquared" { extraGroups = [ @@ -27,6 +25,11 @@ }) ]; + hosts.ni = { + networking.setup = "networkmanager"; + networking.wireguard.enable = true; + }; + disko.devices = import ./disko.nix { disks = [ "/dev/nvme0n1" ]; }; diff --git a/hosts/ni/hardware-configuration.nix b/hosts/ni/hardware-configuration.nix index c0f1dd58..450e68b9 100644 --- a/hosts/ni/hardware-configuration.nix +++ b/hosts/ni/hardware-configuration.nix @@ -3,7 +3,6 @@ { imports = [ (modulesPath + "/installer/scan/not-detected.nix") - ./modules/hardware/traditional-networking.nix ]; # Get the latest kernel for the desktop experience. 
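Review bot: The `./modules` import that replaces `./modules/networking.nix` in the first hunk has no successor for that file's contents: `hosts/ni/modules/default.nix` only imports `networking/setup.nix` and `networking/wireguard.nix`, so the nftables backend (`networking.nftables.enable = true`), the explicit port-22 allowance, avahi/mDNS publishing, mosh, mtr and the `services.resolved.domains` entries for the plover names are deleted by this patch rather than moved. The host presumably keeps a firewall (NixOS enables `networking.firewall` by default unless something outside this diff turns it off), but it falls back to the iptables backend and the routing-only DNS domains for `~plover.foodogsquared.one` and the two in-addr.arpa zones disappear. If dropping them is intended, the commit message should say so; otherwise carry them into a `./networking/` module listed in `modules/default.nix`. The `lib.mapHomeManagerUser` call that the first hunk cuts into continues outside the hunk.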
diff --git a/hosts/ni/modules/default.nix b/hosts/ni/modules/default.nix
new file mode 100644
index 00000000..2dfff773
--- /dev/null
+++ b/hosts/ni/modules/default.nix
@@ -0,0 +1,7 @@
+# Only optional modules should be imported here.
+{
+ imports = [
+ ./networking/setup.nix
+ ./networking/wireguard.nix
+ ];
+}
diff --git a/hosts/ni/modules/hardware/systemd-networkd.nix b/hosts/ni/modules/hardware/systemd-networkd.nix
deleted file mode 100644
index f4145dcb..00000000
--- a/hosts/ni/modules/hardware/systemd-networkd.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- networking = {
- usePredictableInterfaceNames = true;
- useNetworkd = true;
-
- # We're using networkd to configure so we're disabling this
- # service.
- useDHCP = false;
- dhcpcd.enable = false;
- };
-
- # Enable systemd-resolved. This is mostly setup by `systemd.network.enable`
- # by we're being explicit just to be safe.
- services.resolved = {
- enable = true;
- llmnr = "true";
- };
-
- # Combining my ethernet and wireless network interfaces.
- systemd.network = {
- enable = false;
- netdevs."40-bond1" = {
- netdevConfig = {
- Name = "bond1";
- Kind = "bond";
- };
- };
-
- networks = {
- "40-bond1" = {
- matchConfig.Name = "bond1";
- networkConfig.DHCP = "yes";
- };
-
- "40-bond1-dev1" = {
- matchConfig.Name = "enp1s0";
- networkConfig.Bond = "bond1";
- };
-
- "40-bond1-dev2" = {
- matchConfig.Name = "wlp2s0";
- networkConfig = {
- Bond = "bond1";
- IgnoreCarrierLoss = "15";
- };
- };
- };
- };
-}
diff --git a/hosts/ni/modules/hardware/traditional-networking.nix b/hosts/ni/modules/hardware/traditional-networking.nix
deleted file mode 100644
index c84ad396..00000000
--- a/hosts/ni/modules/hardware/traditional-networking.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- networking = {
- usePredictableInterfaceNames = true;
-
- useDHCP = false;
- dhcpcd.enable = true;
-
- interfaces.enp1s0.useDHCP = true;
- interfaces.wlp2s0.useDHCP = true;
-
- bonds.bond0 = {
- driverOptions = {
- miimon = "100";
- mode = "active-backup";
- };
- interfaces = [ "enp1s0" "wlp2s0" ];
- };
- };
-}
diff --git a/hosts/ni/modules/networking.nix b/hosts/ni/modules/networking.nix
deleted file mode 100644
index 8862115f..00000000
--- a/hosts/ni/modules/networking.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- # Be a networking doctor or something.
- programs.mtr.enable = true;
-
- # Wanna be a wannabe haxxor, kid?
- programs.wireshark.package = pkgs.wireshark;
-
- # Modern version of SSH.
- programs.mosh.enable = true;
-
- # Just supporting local systems, businesses, and business systems.
- services.avahi = {
- enable = true;
- nssmdns = true;
- publish = {
- enable = true;
- userServices = true;
- };
- };
-
- # We'll go with a software firewall. We're mostly configuring it as if we're
- # using a server even though the chances of that is pretty slim.
- networking = {
- nftables.enable = true;
- firewall = {
- enable = true;
- allowedTCPPorts = [
- 22 # Secure Shells.
- ];
- };
- };
-
- services.resolved.domains = [
- "~plover.foodogsquared.one"
- "~0.27.172.in-addr.arpa"
- "~0.28.172.in-addr.arpa"
- ];
-}
diff --git a/hosts/ni/modules/networking/setup.nix b/hosts/ni/modules/networking/setup.nix
new file mode 100644
index 00000000..197b9101
--- /dev/null
+++ b/hosts/ni/modules/networking/setup.nix
@@ -0,0 +1,97 @@
+{ config, lib, pkgs, ... }:
+
+let
+ hostCfg = config.hosts.ni;
+ cfg = hostCfg.networking.setup;
+in
+{
+ options.hosts.ni.networking.setup = lib.mkOption {
+ type = lib.types.enum [ "networkd" "networkmanager" ];
+ default = "networkmanager";
+ description = ''
+ Indicates the component of the network setup. In practice, you'll most
+ likely just use NetworkManager since it is what is being supported by
+ most desktop setups such as GNOME.
+
+ ::: {.warning}
+ Using systemd-networkd setup is considered experimental. Use at your own
+ risk.
+ :::
+ '';
+ example = "networkd";
+ };
+
+ config = lib.mkMerge [
+ (lib.mkIf (cfg.setup == "networkd") {
+ networking = {
+ usePredictableInterfaceNames = true;
+ useNetworkd = true;
+
+ # We're using networkd to configure so we're disabling this
+ # service.
+ useDHCP = false;
+ dhcpcd.enable = false;
+ };
+
+ # Enable systemd-resolved. This is mostly setup by `systemd.network.enable`
+ # by we're being explicit just to be safe.
+ services.resolved = {
+ enable = true;
+ llmnr = "true";
+ };
+
+ # Combining my ethernet and wireless network interfaces.
+ systemd.network.enable = true;
+
+ # Setting up the bond devices.
+ systemd.networks."40-bond1-dev1" = {
+ matchConfig.Name = "enp1s0";
+ networkConfig.Bond = "bond1";
+ };
+
+ systemd.networks."40-bond1-dev2" = {
+ matchConfig.Name = "wlp2s0";
+ networkConfig = {
+ Bond = "bond1";
+ IgnoreCarrierLoss = "15";
+ };
+ };
+
+ # Creating the ethernet-wireless-network bond.
+ systemd.netdevs."40-bond1".netdevConfig = {
+ Name = "bond1";
+ Kind = "bond";
+ };
+ systemd.networks."40-bond1" = {
+ matchConfig.Name = "bond1";
+ networkConfig.DHCP = "yes";
+ };
+ })
+
+ (lib.mkIf (cfg.setup == "networkmanager") {
+ networking.usePredictableInterfaceNames = true;
+
+ # Enable and configure NetworkManager.
+ networking.networkmanager = { + enable = true; + dhcp = lib.mkIf (config.networking.dhcpcd.enable) "dhcpcd"; + }; + + # We'll configure individual network interfaces to use DHCP since it can + # fail wait-online-interface.service. + networking.useDHCP = false; + networking.dhcpcd.enable = true; + networking.interfaces.enp1s0.useDHCP = true; + networking.interfaces.wlp2s0.useDHCP = true; + + # Configure the networking bonds. + networking.bonds.bond0 = { + driverOptions = { + miimon = "100"; + mode = "active-backup"; + }; + interfaces = [ "enp1s0" "wlp2s0" ]; + }; + }) + ]; +} diff --git a/hosts/ni/modules/wireguard.nix b/hosts/ni/modules/networking/wireguard.nix similarity index 82% rename from hosts/ni/modules/wireguard.nix rename to hosts/ni/modules/networking/wireguard.nix index 1c4de7dc..3a8fcd05 100644 --- a/hosts/ni/modules/wireguard.nix +++ b/hosts/ni/modules/networking/wireguard.nix @@ -1,9 +1,13 @@ { config, lib, pkgs, ... }: let - network = import ../../plover/modules/hardware/networks.nix; + hostCfg = config.hosts.ni; + cfg = hostCfg.networking.wireguard; + + networkSetup = hostCfg.networking.setup; + inherit (builtins) toString; - inherit (network) + inherit (import ../../../plover/modules/hardware/networks.nix) interfaces wireguardPort wireguardPeers; 
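Review bot: `cfg` is bound to `hostCfg.networking.setup`, which is the enum string itself, so `lib.mkIf (cfg.setup == "networkd")` and `lib.mkIf (cfg.setup == "networkmanager")` select an attribute on a string and fail evaluation as soon as the option is read; `hosts/ni/default.nix` sets it to "networkmanager" in this same patch, so neither branch can currently apply, and the conditions should read `(lib.mkIf (cfg == "networkd") {` and `(lib.mkIf (cfg == "networkmanager") {`. In the networkd branch the bond definitions go to `systemd.networks.*` and `systemd.netdevs.*`, whereas the deleted `hardware/systemd-networkd.nix` nested them under `systemd.network` (`systemd.network.networks`, `systemd.network.netdevs`); I know of no top-level `systemd.networks` option, and an undeclared option is rejected even when its `mkIf` condition is false, so those four definitions should move back under `systemd.network`. The networkmanager branch keeps the scripted `networking.interfaces.*.useDHCP`, `networking.dhcpcd.enable` and `networking.bonds.bond0` definitions alongside NetworkManager; whether NetworkManager is expected to leave `bond0` and its slaves alone is not visible here, so a comment stating the intended split (or an explicit `networking.networkmanager.unmanaged` list) would help the next reader.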
@@ -21,20 +25,20 @@ let ]; in { - # Setting up Wireguard as a VPN tunnel. Since this is a laptop that meant to - # be used anywhere, we're configuring Wireguard here as a "client". - config = lib.mkMerge [ + options.hosts.ni.networking.wireguard.enable = lib.mkEnableOption "Wireguard setup"; + + config = lib.mkIf (hostCfg.networking.enable && cfg.enable) (lib.mkMerge [ { environment.systemPackages = with pkgs; [ wireguard-tools ]; networking.firewall.allowedUDPPorts = [ wireguardPort ]; - sops.secrets = lib.getSecrets ../secrets/secrets.yaml { + sops.secrets = lib.getSecrets ../../secrets/secrets.yaml { "wireguard/private-key" = { }; "wireguard/preshared-keys/plover" = { }; "wireguard/preshared-keys/phone" = { }; }; } - (lib.mkIf config.networking.networkmanager.enable { + (lib.mkIf (networkSetup == "networkmanager") { networking.wg-quick.interfaces.wireguard0 = { privateKeyFile = config.sops.secrets."wireguard/private-key".path; listenPort = wireguardPort; @@ -57,7 +61,7 @@ in peers = [ # The "server" peer. { - publicKey = lib.removeSuffix "\n" (lib.readFile ../../plover/files/wireguard/wireguard-public-key-plover); + publicKey = lib.removeSuffix "\n" (lib.readFile ../../../plover/files/wireguard/wireguard-public-key-plover); presharedKeyFile = config.sops.secrets."wireguard/preshared-keys/plover".path; allowedIPs = wireguardAllowedIPs; endpoint = "${interfaces.wan.IPv4.address}:${toString wireguardPort}"; @@ -66,7 +70,7 @@ in # The "phone" peer. { - publicKey = lib.removeSuffix "\n" (lib.readFile ../../plover/files/wireguard/wireguard-public-key-phone); + publicKey = lib.removeSuffix "\n" (lib.readFile ../../../plover/files/wireguard/wireguard-public-key-phone); presharedKeyFile = config.sops.secrets."wireguard/preshared-keys/phone".path; allowedIPs = wireguardAllowedIPs; } 
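Review bot: The new gate `lib.mkIf (hostCfg.networking.enable && cfg.enable)` reads `config.hosts.ni.networking.enable`, but this patch declares only `hosts.ni.networking.setup` (an enum) and `hosts.ni.networking.wireguard.enable`; unless `hosts.ni.networking.enable` is declared in a module outside this diff, evaluation fails with a missing-attribute error once `hosts.ni.networking.wireguard.enable = true` from `hosts/ni/default.nix` is applied. Either declare that option or gate on the WireGuard toggle alone: `config = lib.mkIf cfg.enable (lib.mkMerge [`. The hunk also deletes the only explanation of why this laptop is configured as a WireGuard "client" even though it still opens `wireguardPort` on the firewall — the phone peer below has no `endpoint`, so it appears to dial in — and that context belongs in the option, e.g. `lib.mkEnableOption "WireGuard client tunnel to plover (the listen port stays open so the phone peer can connect inbound)"`. The `config` attribute opened here is closed in the `@@ -137` hunk, outside this one.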
@@ -74,7 +78,7 @@ in }; }) - (lib.mkIf config.systemd.network.enable { + (lib.mkIf (networkSetup == "networkd") { # Just apply the appropriate permissions for systemd-networkd. sops.secrets = let @@ -108,7 +112,7 @@ in wireguardPeers = [ # The "server" peer. { - PublicKey = lib.readFile ../../plover/files/wireguard/wireguard-public-key-plover; + PublicKey = lib.readFile ../../../plover/files/wireguard/wireguard-public-key-plover; PresharedKeyFile = config.sops.secrets."wireguard/preshared-keys/plover".path; AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs; Endpoint = "${interfaces.wan.IPv4.address}:${toString wireguardPort}"; @@ -117,7 +121,7 @@ in # The "phone" peer. { - PublicKey = lib.readFile ../../plover/files/wireguard/wireguard-public-key-phone; + PublicKey = lib.readFile ../../../plover/files/wireguard/wireguard-public-key-phone; PresharedKeyFile = config.sops.secrets."wireguard/preshared-keys/phone".path; AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs; } @@ -137,5 +141,5 @@ in }; }; }) - ]; + ]); } diff --git a/modules/home-manager/profiles/dev.nix b/modules/home-manager/profiles/dev.nix index cd1dae09..efde8d7a 100644 --- a/modules/home-manager/profiles/dev.nix +++ b/modules/home-manager/profiles/dev.nix @@ -21,7 +21,6 @@ in { home.packages = with pkgs; [ cookiecutter # Cookiecutter templates for your mama (which is you). dasel # Universal version of jq. - gopass # An improved version of the password manager for hipsters. moar # More 'more'. perlPackages.vidir # Bulk rename for your organizing needs in the terminal. ];
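Review bot: On the networkd side `PublicKey = lib.readFile ../../../plover/files/wireguard/wireguard-public-key-plover;` keeps the key file's trailing newline, while the wg-quick branch of this same file wraps the identical read in `lib.removeSuffix "\n"`; since the path is being retouched anyway, this is the moment to make the two branches agree. `lib.fileContents` reads a file and strips the trailing newline, so `PublicKey = lib.fileContents ../../../plover/files/wireguard/wireguard-public-key-plover;` (and the same for the phone key in the next hunk) gives one form for both branches. systemd's config parser most likely tolerates the stray blank line in the generated .netdev, so I'd treat this as consistency rather than a functional break. The `wireguardPeers` list this hunk edits continues outside it.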