hosts/ni: format into new host-specific module structure

2025-04-24 18:19:11 +00:00 · 2023-12-12 21:20:55 +08:00 · 2023-12-12 21:20:55 +08:00 · 509ac5cdef
commit 509ac5cdef
parent f3f896d769
9 changed files with 127 additions and 130 deletions
--- a/hosts/ni/default.nix
+++ b/hosts/ni/default.nix
@ -4,9 +4,7 @@
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
-
-    ./modules/networking.nix
-    ./modules/wireguard.nix
+    ./modules

    (lib.mapHomeManagerUser "foo-dogsquared" {
      extraGroups = [
@ -27,6 +25,11 @@
    })
  ];

+  hosts.ni = {
+    networking.setup = "networkmanager";
+    networking.wireguard.enable = true;
+  };
+
  disko.devices = import ./disko.nix {
    disks = [ "/dev/nvme0n1" ];
  };
--- a/hosts/ni/hardware-configuration.nix
+++ b/hosts/ni/hardware-configuration.nix
@ -3,7 +3,6 @@
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
-    ./modules/hardware/traditional-networking.nix
  ];

  # Get the latest kernel for the desktop experience.
--- a/hosts/ni/modules/default.nix
+++ b/hosts/ni/modules/default.nix
@ -0,0 +1,7 @@
+# Only optional modules should be imported here.
+{
+  imports = [
+    ./networking/setup.nix
+    ./networking/wireguard.nix
+  ];
+}
--- a/hosts/ni/modules/hardware/systemd-networkd.nix
+++ b/hosts/ni/modules/hardware/systemd-networkd.nix
@ -1,51 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  networking = {
-    usePredictableInterfaceNames = true;
-    useNetworkd = true;
-
-    # We're using networkd to configure so we're disabling this
-    # service.
-    useDHCP = false;
-    dhcpcd.enable = false;
-  };
-
-  # Enable systemd-resolved. This is mostly setup by `systemd.network.enable`
-  # by we're being explicit just to be safe.
-  services.resolved = {
-    enable = true;
-    llmnr = "true";
-  };
-
-  # Combining my ethernet and wireless network interfaces.
-  systemd.network = {
-    enable = false;
-    netdevs."40-bond1" = {
-      netdevConfig = {
-        Name = "bond1";
-        Kind = "bond";
-      };
-    };
-
-    networks = {
-      "40-bond1" = {
-        matchConfig.Name = "bond1";
-        networkConfig.DHCP = "yes";
-      };
-
-      "40-bond1-dev1" = {
-        matchConfig.Name = "enp1s0";
-        networkConfig.Bond = "bond1";
-      };
-
-      "40-bond1-dev2" = {
-        matchConfig.Name = "wlp2s0";
-        networkConfig = {
-          Bond = "bond1";
-          IgnoreCarrierLoss = "15";
-        };
-      };
-    };
-  };
-}
--- a/hosts/ni/modules/hardware/traditional-networking.nix
+++ b/hosts/ni/modules/hardware/traditional-networking.nix
@ -1,21 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  networking = {
-    usePredictableInterfaceNames = true;
-
-    useDHCP = false;
-    dhcpcd.enable = true;
-
-    interfaces.enp1s0.useDHCP = true;
-    interfaces.wlp2s0.useDHCP = true;
-
-    bonds.bond0 = {
-      driverOptions = {
-        miimon = "100";
-        mode = "active-backup";
-      };
-      interfaces = [ "enp1s0" "wlp2s0" ];
-    };
-  };
-}
--- a/hosts/ni/modules/networking.nix
+++ b/hosts/ni/modules/networking.nix
@ -1,40 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  # Be a networking doctor or something.
-  programs.mtr.enable = true;
-
-  # Wanna be a wannabe haxxor, kid?
-  programs.wireshark.package = pkgs.wireshark;
-
-  # Modern version of SSH.
-  programs.mosh.enable = true;
-
-  # Just supporting local systems, businesses, and business systems.
-  services.avahi = {
-    enable = true;
-    nssmdns = true;
-    publish = {
-      enable = true;
-      userServices = true;
-    };
-  };
-
-  # We'll go with a software firewall. We're mostly configuring it as if we're
-  # using a server even though the chances of that is pretty slim.
-  networking = {
-    nftables.enable = true;
-    firewall = {
-      enable = true;
-      allowedTCPPorts = [
-        22 # Secure Shells.
-      ];
-    };
-  };
-
-  services.resolved.domains = [
-    "~plover.foodogsquared.one"
-    "~0.27.172.in-addr.arpa"
-    "~0.28.172.in-addr.arpa"
-  ];
-}
--- a/hosts/ni/modules/networking/setup.nix
+++ b/hosts/ni/modules/networking/setup.nix
@ -0,0 +1,97 @@
+{ config, lib, pkgs, ... }:
+
+let
+  hostCfg = config.hosts.ni;
+  cfg = hostCfg.networking.setup;
+in
+{
+  options.hosts.ni.networking.setup = lib.mkOption {
+    type = lib.types.enum [ "networkd" "networkmanager" ];
+    default = "networkmanager";
+    description = ''
+      Indicates the component of the network setup. In practice, you'll most
+      likely just use NetworkManager since it is what is being supported by
+      most desktop setups such as GNOME.
+
+      ::: {.warning}
+      Using systemd-networkd setup is considered experimental. Use at your own
+      risk.
+      :::
+    '';
+    example = "networkd";
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf (cfg.setup == "networkd") {
+      networking = {
+        usePredictableInterfaceNames = true;
+        useNetworkd = true;
+
+        # We're using networkd to configure so we're disabling this
+        # service.
+        useDHCP = false;
+        dhcpcd.enable = false;
+      };
+
+      # Enable systemd-resolved. This is mostly setup by `systemd.network.enable`
+      # by we're being explicit just to be safe.
+      services.resolved = {
+        enable = true;
+        llmnr = "true";
+      };
+
+      # Combining my ethernet and wireless network interfaces.
+      systemd.network.enable = true;
+
+      # Setting up the bond devices.
+      systemd.networks."40-bond1-dev1" = {
+        matchConfig.Name = "enp1s0";
+        networkConfig.Bond = "bond1";
+      };
+
+      systemd.networks."40-bond1-dev2" = {
+        matchConfig.Name = "wlp2s0";
+        networkConfig = {
+          Bond = "bond1";
+          IgnoreCarrierLoss = "15";
+        };
+      };
+
+      # Creating the ethernet-wireless-network bond.
+      systemd.netdevs."40-bond1".netdevConfig = {
+        Name = "bond1";
+        Kind = "bond";
+      };
+      systemd.networks."40-bond1" = {
+        matchConfig.Name = "bond1";
+        networkConfig.DHCP = "yes";
+      };
+    })
+
+    (lib.mkIf (cfg.setup == "networkmanager") {
+      networking.usePredictableInterfaceNames = true;
+
+      # Enable and configure NetworkManager.
+      networking.networkmanager = {
+        enable = true;
+        dhcp = lib.mkIf (config.networking.dhcpcd.enable) "dhcpcd";
+      };
+
+      # We'll configure individual network interfaces to use DHCP since it can
+      # fail wait-online-interface.service.
+      networking.useDHCP = false;
+      networking.dhcpcd.enable = true;
+      networking.interfaces.enp1s0.useDHCP = true;
+      networking.interfaces.wlp2s0.useDHCP = true;
+
+      # Configure the networking bonds.
+      networking.bonds.bond0 = {
+        driverOptions = {
+          miimon = "100";
+          mode = "active-backup";
+        };
+        interfaces = [ "enp1s0" "wlp2s0" ];
+      };
+    })
+  ];
+}
--- a/hosts/ni/modules/networking/wireguard.nix
+++ b/hosts/ni/modules/networking/wireguard.nix
@ -1,9 +1,13 @@
 { config, lib, pkgs, ... }:

 let
-  network = import ../../plover/modules/hardware/networks.nix;
+  hostCfg = config.hosts.ni;
+  cfg = hostCfg.networking.wireguard;
+
+  networkSetup = hostCfg.networking.setup;
+
  inherit (builtins) toString;
-  inherit (network)
+  inherit (import ../../../plover/modules/hardware/networks.nix)
    interfaces
    wireguardPort
    wireguardPeers;
@ -21,20 +25,20 @@ let
  ];
 in
 {
-  # Setting up Wireguard as a VPN tunnel. Since this is a laptop that meant to
-  # be used anywhere, we're configuring Wireguard here as a "client".
-  config = lib.mkMerge [
+  options.hosts.ni.networking.wireguard.enable = lib.mkEnableOption "Wireguard setup";
+
+  config = lib.mkIf (hostCfg.networking.enable && cfg.enable) (lib.mkMerge [
    {
      environment.systemPackages = with pkgs; [ wireguard-tools ];
      networking.firewall.allowedUDPPorts = [ wireguardPort ];
-      sops.secrets = lib.getSecrets ../secrets/secrets.yaml {
+      sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
        "wireguard/private-key" = { };
        "wireguard/preshared-keys/plover" = { };
        "wireguard/preshared-keys/phone" = { };
      };
    }

-    (lib.mkIf config.networking.networkmanager.enable {
+    (lib.mkIf (networkSetup == "networkmanager") {
      networking.wg-quick.interfaces.wireguard0 = {
        privateKeyFile = config.sops.secrets."wireguard/private-key".path;
        listenPort = wireguardPort;
@ -57,7 +61,7 @@ in
        peers = [
          # The "server" peer.
          {
-            publicKey = lib.removeSuffix "\n" (lib.readFile ../../plover/files/wireguard/wireguard-public-key-plover);
+            publicKey = lib.removeSuffix "\n" (lib.readFile ../../../plover/files/wireguard/wireguard-public-key-plover);
            presharedKeyFile = config.sops.secrets."wireguard/preshared-keys/plover".path;
            allowedIPs = wireguardAllowedIPs;
            endpoint = "${interfaces.wan.IPv4.address}:${toString wireguardPort}";
@ -66,7 +70,7 @@ in

          # The "phone" peer.
          {
-            publicKey = lib.removeSuffix "\n" (lib.readFile ../../plover/files/wireguard/wireguard-public-key-phone);
+            publicKey = lib.removeSuffix "\n" (lib.readFile ../../../plover/files/wireguard/wireguard-public-key-phone);
            presharedKeyFile = config.sops.secrets."wireguard/preshared-keys/phone".path;
            allowedIPs = wireguardAllowedIPs;
          }
@ -74,7 +78,7 @@ in
      };
    })

-    (lib.mkIf config.systemd.network.enable {
+    (lib.mkIf (networkSetup == "networkd") {
      # Just apply the appropriate permissions for systemd-networkd.
      sops.secrets =
        let
@ -108,7 +112,7 @@ in
          wireguardPeers = [
            # The "server" peer.
            {
-              PublicKey = lib.readFile ../../plover/files/wireguard/wireguard-public-key-plover;
+              PublicKey = lib.readFile ../../../plover/files/wireguard/wireguard-public-key-plover;
              PresharedKeyFile = config.sops.secrets."wireguard/preshared-keys/plover".path;
              AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs;
              Endpoint = "${interfaces.wan.IPv4.address}:${toString wireguardPort}";
@ -117,7 +121,7 @@ in

            # The "phone" peer.
            {
-              PublicKey = lib.readFile ../../plover/files/wireguard/wireguard-public-key-phone;
+              PublicKey = lib.readFile ../../../plover/files/wireguard/wireguard-public-key-phone;
              PresharedKeyFile = config.sops.secrets."wireguard/preshared-keys/phone".path;
              AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs;
            }
@ -137,5 +141,5 @@ in
        };
      };
    })
-  ];
+  ]);
 }
--- a/modules/home-manager/profiles/dev.nix
+++ b/modules/home-manager/profiles/dev.nix
@ -21,7 +21,6 @@ in {
      home.packages = with pkgs; [
        cookiecutter # Cookiecutter templates for your mama (which is you).
        dasel # Universal version of jq.
-        gopass # An improved version of the password manager for hipsters.
        moar # More 'more'.
        perlPackages.vidir # Bulk rename for your organizing needs in the terminal.
      ];