hosts/ni: format into new host-specific module structure

This commit is contained in:
Gabriel Arazas 2023-12-12 21:20:55 +08:00
parent f3f896d769
commit 509ac5cdef
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC
9 changed files with 127 additions and 130 deletions


@ -4,9 +4,7 @@
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
./modules
./modules/networking.nix
./modules/wireguard.nix
(lib.mapHomeManagerUser "foo-dogsquared" { (lib.mapHomeManagerUser "foo-dogsquared" {
extraGroups = [ extraGroups = [
@ -27,6 +25,11 @@
}) })
]; ];
hosts.ni = {
networking.setup = "networkmanager";
networking.wireguard.enable = true;
};
disko.devices = import ./disko.nix { disko.devices = import ./disko.nix {
disks = [ "/dev/nvme0n1" ]; disks = [ "/dev/nvme0n1" ];
}; };


@ -3,7 +3,6 @@
{ {
imports = [ imports = [
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
./modules/hardware/traditional-networking.nix
]; ];
# Get the latest kernel for the desktop experience. # Get the latest kernel for the desktop experience.


@ -0,0 +1,7 @@
# Only optional modules should be imported here.
{
imports = [
./networking/setup.nix
./networking/wireguard.nix
];
}
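Review bot: The new modules/default.nix imports only `./networking/setup.nix` and `./networking/wireguard.nix`, so what lived in the deleted modules/networking.nix — the nftables firewall with its explicit allowed TCP port, the avahi/mDNS publisher, and the `services.resolved.domains` split-DNS entries for the plover network — is not re-homed in any of the nine files of this commit. The firewall itself stays on through the NixOS default, but the nftables backend, the mDNS publishing and the VPN search domains are silently lost, and the commit message does not mention it. If the drop is deliberate, say so here or in the message; if not, those settings need a module imported from this list. Note too that `setup.nix` always takes effect through its `"networkmanager"` default, so it is not optional in the sense the comment on the first line states.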


@ -1,51 +0,0 @@
{ config, lib, pkgs, ... }:
{
networking = {
usePredictableInterfaceNames = true;
useNetworkd = true;
# We're using networkd to configure so we're disabling this
# service.
useDHCP = false;
dhcpcd.enable = false;
};
# Enable systemd-resolved. This is mostly setup by `systemd.network.enable`
# by we're being explicit just to be safe.
services.resolved = {
enable = true;
llmnr = "true";
};
# Combining my ethernet and wireless network interfaces.
systemd.network = {
enable = false;
netdevs."40-bond1" = {
netdevConfig = {
Name = "bond1";
Kind = "bond";
};
};
networks = {
"40-bond1" = {
matchConfig.Name = "bond1";
networkConfig.DHCP = "yes";
};
"40-bond1-dev1" = {
matchConfig.Name = "enp1s0";
networkConfig.Bond = "bond1";
};
"40-bond1-dev2" = {
matchConfig.Name = "wlp2s0";
networkConfig = {
Bond = "bond1";
IgnoreCarrierLoss = "15";
};
};
};
};
}


@ -1,21 +0,0 @@
{ config, lib, pkgs, ... }:
{
networking = {
usePredictableInterfaceNames = true;
useDHCP = false;
dhcpcd.enable = true;
interfaces.enp1s0.useDHCP = true;
interfaces.wlp2s0.useDHCP = true;
bonds.bond0 = {
driverOptions = {
miimon = "100";
mode = "active-backup";
};
interfaces = [ "enp1s0" "wlp2s0" ];
};
};
}


@ -1,40 +0,0 @@
{ config, lib, pkgs, ... }:
{
# Be a networking doctor or something.
programs.mtr.enable = true;
# Wanna be a wannabe haxxor, kid?
programs.wireshark.package = pkgs.wireshark;
# Modern version of SSH.
programs.mosh.enable = true;
# Just supporting local systems, businesses, and business systems.
services.avahi = {
enable = true;
nssmdns = true;
publish = {
enable = true;
userServices = true;
};
};
# We'll go with a software firewall. We're mostly configuring it as if we're
# using a server even though the chances of that is pretty slim.
networking = {
nftables.enable = true;
firewall = {
enable = true;
allowedTCPPorts = [
22 # Secure Shells.
];
};
};
services.resolved.domains = [
"~plover.foodogsquared.one"
"~0.27.172.in-addr.arpa"
"~0.28.172.in-addr.arpa"
];
}


@ -0,0 +1,97 @@
{ config, lib, pkgs, ... }:
let
hostCfg = config.hosts.ni;
cfg = hostCfg.networking.setup;
in
{
options.hosts.ni.networking.setup = lib.mkOption {
type = lib.types.enum [ "networkd" "networkmanager" ];
default = "networkmanager";
description = ''
Indicates the component of the network setup. In practice, you'll most
likely just use NetworkManager since it is what is being supported by
most desktop setups such as GNOME.
::: {.warning}
Using systemd-networkd setup is considered experimental. Use at your own
risk.
:::
'';
example = "networkd";
};
config = lib.mkMerge [
(lib.mkIf (cfg.setup == "networkd") {
networking = {
usePredictableInterfaceNames = true;
useNetworkd = true;
# We're using networkd to configure so we're disabling this
# service.
useDHCP = false;
dhcpcd.enable = false;
};
# Enable systemd-resolved. This is mostly setup by `systemd.network.enable`
# by we're being explicit just to be safe.
services.resolved = {
enable = true;
llmnr = "true";
};
# Combining my ethernet and wireless network interfaces.
systemd.network.enable = true;
# Setting up the bond devices.
systemd.networks."40-bond1-dev1" = {
matchConfig.Name = "enp1s0";
networkConfig.Bond = "bond1";
};
systemd.networks."40-bond1-dev2" = {
matchConfig.Name = "wlp2s0";
networkConfig = {
Bond = "bond1";
IgnoreCarrierLoss = "15";
};
};
# Creating the ethernet-wireless-network bond.
systemd.netdevs."40-bond1".netdevConfig = {
Name = "bond1";
Kind = "bond";
};
systemd.networks."40-bond1" = {
matchConfig.Name = "bond1";
networkConfig.DHCP = "yes";
};
})
(lib.mkIf (cfg.setup == "networkmanager") {
networking.usePredictableInterfaceNames = true;
# Enable and configure NetworkManager.
networking.networkmanager = {
enable = true;
dhcp = lib.mkIf (config.networking.dhcpcd.enable) "dhcpcd";
};
# We'll configure individual network interfaces to use DHCP since it can
# fail wait-online-interface.service.
networking.useDHCP = false;
networking.dhcpcd.enable = true;
networking.interfaces.enp1s0.useDHCP = true;
networking.interfaces.wlp2s0.useDHCP = true;
# Configure the networking bonds.
networking.bonds.bond0 = {
driverOptions = {
miimon = "100";
mode = "active-backup";
};
interfaces = [ "enp1s0" "wlp2s0" ];
};
})
];
}
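Review bot: `cfg` is bound to the string `hostCfg.networking.setup` in the `let`, yet both `lib.mkIf` conditions read `cfg.setup`, so the module fails to evaluate with an attribute access on a string; bind `cfg = hostCfg.networking;` instead (or compare `cfg == "networkd"` directly). The networkd branch also writes `systemd.networks.*` and `systemd.netdevs.*`, whereas the NixOS options — and the deleted file this was lifted from — live under `systemd.network.networks` and `systemd.network.netdevs`, so the four bond entries need the `systemd.network.` prefix or the module is rejected for unknown options. On the hardening side, `llmnr = "true"` makes a laptop that roams across untrusted networks answer multicast LLMNR name queries, a well-known spoofing surface on shared LANs; `llmnr = "false";` (or `"resolve"` to keep querying without answering) is the usual client setting and is worth a one-line comment either way.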


@ -1,9 +1,13 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
network = import ../../plover/modules/hardware/networks.nix; hostCfg = config.hosts.ni;
cfg = hostCfg.networking.wireguard;
networkSetup = hostCfg.networking.setup;
inherit (builtins) toString; inherit (builtins) toString;
inherit (network) inherit (import ../../../plover/modules/hardware/networks.nix)
interfaces interfaces
wireguardPort wireguardPort
wireguardPeers; wireguardPeers;
@ -21,20 +25,20 @@ let
]; ];
in in
{ {
# Setting up Wireguard as a VPN tunnel. Since this is a laptop that meant to options.hosts.ni.networking.wireguard.enable = lib.mkEnableOption "Wireguard setup";
# be used anywhere, we're configuring Wireguard here as a "client".
config = lib.mkMerge [ config = lib.mkIf (hostCfg.networking.enable && cfg.enable) (lib.mkMerge [
{ {
environment.systemPackages = with pkgs; [ wireguard-tools ]; environment.systemPackages = with pkgs; [ wireguard-tools ];
networking.firewall.allowedUDPPorts = [ wireguardPort ]; networking.firewall.allowedUDPPorts = [ wireguardPort ];
sops.secrets = lib.getSecrets ../secrets/secrets.yaml { sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
"wireguard/private-key" = { }; "wireguard/private-key" = { };
"wireguard/preshared-keys/plover" = { }; "wireguard/preshared-keys/plover" = { };
"wireguard/preshared-keys/phone" = { }; "wireguard/preshared-keys/phone" = { };
}; };
} }
(lib.mkIf config.networking.networkmanager.enable { (lib.mkIf (networkSetup == "networkmanager") {
networking.wg-quick.interfaces.wireguard0 = { networking.wg-quick.interfaces.wireguard0 = {
privateKeyFile = config.sops.secrets."wireguard/private-key".path; privateKeyFile = config.sops.secrets."wireguard/private-key".path;
listenPort = wireguardPort; listenPort = wireguardPort;
@ -57,7 +61,7 @@ in
peers = [ peers = [
# The "server" peer. # The "server" peer.
{ {
publicKey = lib.removeSuffix "\n" (lib.readFile ../../plover/files/wireguard/wireguard-public-key-plover); publicKey = lib.removeSuffix "\n" (lib.readFile ../../../plover/files/wireguard/wireguard-public-key-plover);
presharedKeyFile = config.sops.secrets."wireguard/preshared-keys/plover".path; presharedKeyFile = config.sops.secrets."wireguard/preshared-keys/plover".path;
allowedIPs = wireguardAllowedIPs; allowedIPs = wireguardAllowedIPs;
endpoint = "${interfaces.wan.IPv4.address}:${toString wireguardPort}"; endpoint = "${interfaces.wan.IPv4.address}:${toString wireguardPort}";
@ -66,7 +70,7 @@ in
# The "phone" peer. # The "phone" peer.
{ {
publicKey = lib.removeSuffix "\n" (lib.readFile ../../plover/files/wireguard/wireguard-public-key-phone); publicKey = lib.removeSuffix "\n" (lib.readFile ../../../plover/files/wireguard/wireguard-public-key-phone);
presharedKeyFile = config.sops.secrets."wireguard/preshared-keys/phone".path; presharedKeyFile = config.sops.secrets."wireguard/preshared-keys/phone".path;
allowedIPs = wireguardAllowedIPs; allowedIPs = wireguardAllowedIPs;
} }
@ -74,7 +78,7 @@ in
}; };
}) })
(lib.mkIf config.systemd.network.enable { (lib.mkIf (networkSetup == "networkd") {
# Just apply the appropriate permissions for systemd-networkd. # Just apply the appropriate permissions for systemd-networkd.
sops.secrets = sops.secrets =
let let
@ -108,7 +112,7 @@ in
wireguardPeers = [ wireguardPeers = [
# The "server" peer. # The "server" peer.
{ {
PublicKey = lib.readFile ../../plover/files/wireguard/wireguard-public-key-plover; PublicKey = lib.readFile ../../../plover/files/wireguard/wireguard-public-key-plover;
PresharedKeyFile = config.sops.secrets."wireguard/preshared-keys/plover".path; PresharedKeyFile = config.sops.secrets."wireguard/preshared-keys/plover".path;
AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs; AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs;
Endpoint = "${interfaces.wan.IPv4.address}:${toString wireguardPort}"; Endpoint = "${interfaces.wan.IPv4.address}:${toString wireguardPort}";
@ -117,7 +121,7 @@ in
# The "phone" peer. # The "phone" peer.
{ {
PublicKey = lib.readFile ../../plover/files/wireguard/wireguard-public-key-phone; PublicKey = lib.readFile ../../../plover/files/wireguard/wireguard-public-key-phone;
PresharedKeyFile = config.sops.secrets."wireguard/preshared-keys/phone".path; PresharedKeyFile = config.sops.secrets."wireguard/preshared-keys/phone".path;
AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs; AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs;
} }
@ -137,5 +141,5 @@ in
}; };
}; };
}) })
]; ]);
} }
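Review bot: The new gate `lib.mkIf (hostCfg.networking.enable && cfg.enable)` reads `hosts.ni.networking.enable`, but no file in this commit declares that option — setup.nix declares only `hosts.ni.networking.setup`, this module only `hosts.ni.networking.wireguard.enable`, and configuration.nix sets just those two — so evaluation fails on a missing attribute unless it is declared somewhere outside this commit. Dropping the undeclared half, `config = lib.mkIf cfg.enable (lib.mkMerge [`, keeps the intended behaviour. The explanatory comment about this laptop being a roaming Wireguard "client" went away with the old header; it is worth carrying into the option text, e.g. `lib.mkEnableOption "Wireguard setup (as a roaming VPN client)"`. The `let` bindings and the `config` body span all of this file's hunks, so the rest of the module is outside this view.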


@ -21,7 +21,6 @@ in {
home.packages = with pkgs; [ home.packages = with pkgs; [
cookiecutter # Cookiecutter templates for your mama (which is you). cookiecutter # Cookiecutter templates for your mama (which is you).
dasel # Universal version of jq. dasel # Universal version of jq.
gopass # An improved version of the password manager for hipsters.
moar # More 'more'. moar # More 'more'.
perlPackages.vidir # Bulk rename for your organizing needs in the terminal. perlPackages.vidir # Bulk rename for your organizing needs in the terminal.
]; ];