diff --git a/home/modules/seven/default.nix b/home/modules/seven/default.nix
new file mode 100644
index 0000000..67e1168
--- /dev/null
+++ b/home/modules/seven/default.nix
@@ -0,0 +1,22 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.custom.seven;
+in
+{
+ imports = [ ./seven-ntfy.nix ];
+
+ options = {
+ custom.seven = {
+ enable = lib.mkEnableOption (lib.mdDoc "Seven");
+ ssh.enable = lib.mkEnableOption (lib.mdDoc "Seven SSH");
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ programs.ssh.extraConfig = lib.mkIf cfg.ssh.enable ''
+ Host *.factory.secunet.com
+ User fschroeter
+ '';
+ };
+}
diff --git a/home/modules/seven/ntfy.nix b/home/modules/seven/ntfy.nix
new file mode 100644
index 0000000..d4b54a9
--- /dev/null
+++ b/home/modules/seven/ntfy.nix
@@ -0,0 +1,40 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+let
+ cfg = config.custom.seven.ntfy;
+in
+{
+ options = {
+ custom.seven.ntfy = {
+ enable = lib.mkEnableOption (lib.mdDoc "ntfy service for seven");
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.user = {
+ services.ntfy = {
+ Unit = {
+ Description = "ntfy alert scubscription";
+ After = "network-online.target";
+ PartOf = [ "graphical-session.target" ];
+ };
+ Service =
+ let
+ topic = "https://grafana.factory.secunet.com/ntfy/alerts";
+ notify-send = lib.getExe pkgs.libnotify;
+ in
+ {
+ Environment = "PATH=${pkgs.bash}/bin:\${PATH}";
+ ExecStart = "${pkgs.ntfy-sh}/bin/ntfy sub ${topic} '${notify-send} \"$t\" \"$m\"'";
+ Restart = "always";
+ };
+ Install.WantedBy = [ "default.target" ];
+ };
+ };
+ };
+}
diff --git a/modules/wg0.nix b/modules/wg0.nix
new file mode 100644
index 0000000..1ebcdfe
--- /dev/null
+++ b/modules/wg0.nix
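Review bot: `imports = [ ./seven-ntfy.nix ];` points at a file this commit does not create — the new module is added as `home/modules/seven/ntfy.nix` — so evaluation will fail on a missing path unless a `seven-ntfy.nix` already exists elsewhere in the tree (not visible here). Either change the line to `imports = [ ./ntfy.nix ];` or rename the new file to match. Separately, `lib.mdDoc` is deprecated in recent nixpkgs and can be dropped from the `mkEnableOption` calls here and in ntfy.nix if the pinned nixpkgs is new enough to warn about it.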
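Review bot: `Environment = "PATH=${pkgs.bash}/bin:\${PATH}"` in the ntfy.nix hunk does not extend the inherited PATH as intended: Nix's `\${` emits a literal `${PATH}` into the unit file, and systemd performs no variable expansion in `Environment=` values, so the service PATH ends in the literal text `${PATH}`. Since ExecStart already uses absolute store paths for ntfy and notify-send, `Environment = "PATH=${lib.makeBinPath [ pkgs.bash ]}";` is enough to give ntfy's command runner a shell. Also `Description = "ntfy alert scubscription"` has a typo (`subscription`), and `After = "network-online.target"` in a user unit names a system-manager target, so it probably provides no ordering at all — confirm against the targets the user manager actually has.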
@@ -0,0 +1,67 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.custom.wg0;
+in
+{
+ options = {
+ custom.wg0 = {
+ enable = lib.mkEnableOption (lib.mdDoc "Wireguard config");
+
+ addresses = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ description = "IP addresses for this machine within VPN.";
+ };
+
+ privateKeyFile = lib.mkOption {
+ type = lib.types.str;
+ example = "/path/to/secret.key";
+ description = "Private key file.";
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ age.secrets.wireguard-home-pc-key = {
+ file = ../secrets/wireguard/home-pc.key.age;
+ owner = "systemd-network";
+ };
+ age.secrets.wireguard-cmdframe-key = {
+ file = ../secrets/wireguard/cmdframe.key.age;
+ owner = "systemd-network";
+ };
+
+ systemd.network = {
+ enable = true;
+ # TODO cannot push this to public git like this
+ netdevs."40-wg0" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg0";
+ MTUBytes = "1280";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = cfg.privateKeyFile;
+ };
+ wireguardPeers = [
+ {
+ PublicKey = "ZVayNyJeOn848aus5bqYU2ujNxvnYtV3ACoerLtDpg8=";
+ AllowedIPs = [
+ "198.18.0.0/15"
+ "fd00:5ec::/48"
+ ];
+ # TODO remove endpoint from config
+ Endpoint = "gateway.seven.secunet.com:51821";
+ }
+ ];
+ };
+ networks."40-wg0" = {
+ matchConfig.Name = "wg0";
+ address = cfg.addresses;
+ networkConfig = {
+ IPMasquerade = "ipv4";
+ };
+ };
+ };
+ };
+}
diff --git a/secrets/wireguard/cmdframe.key.age b/secrets/wireguard/cmdframe.key.age
new file mode 100644
index 0000000..81f1bfa
--- /dev/null
+++ b/secrets/wireguard/cmdframe.key.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA yHDlGU8tW/fiMocPl0nldeEEn7NvPDMNCqL9hO7B5VY
+71ZALgVNzj0FJG4wW5qK+0rhF2hMMkkvqOl6wvpI1xo
+-> ssh-ed25519 lJaKnA 32vsGauSIeEy8gMq3rOuJV5OOVR/qbNCaJ96gvaYc38
+3f8ZLzGFg4g2XNfUPS+ePMc9AZHMLUjh6y0q2gaRwio
+--- PZeKDBBgibYk1Xl5Sd1S38kx322Gi6KnI0lj2NyhFUU
+?�y)�Sk*����gz�_�E�>| J�*9� �h����aI�9p�?�(�J���F�x:;�1yKP�]VQ2�J;Y��
\ No newline at end of file
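Review bot: The `config = lib.mkIf cfg.enable` block declares `age.secrets` for both hosts' WireGuard keys (`wireguard-home-pc-key` and `wireguard-cmdframe-key`) unconditionally, so every machine enabling the module will try to decrypt the other machine's private key at activation, while `cfg.privateKeyFile` is a free-form string with no link to either secret. Moving the two `age.secrets.*` declarations into the respective host configs and setting `privateKeyFile = config.age.secrets.<name>.path` there keeps each host to its own key. The two TODO comments already say the hard-coded peer `PublicKey` and `Endpoint` should not live in the module; making them options without defaults, like `addresses`, removes the site-specific values from the shared file (sketch below). `IPMasquerade = "ipv4"` on the wg0 network NATs all traffic forwarded out of the tunnel — if this host is a VPN client rather than a gateway that is presumably unintended; confirm.
```nix
# … unchanged: enable, addresses, privateKeyFile options …
peerPublicKey = lib.mkOption {
  type = lib.types.str;
  description = "Base64 WireGuard public key of the peer.";
};
peerEndpoint = lib.mkOption {
  type = lib.types.str;
  example = "vpn.example.org:51820";
  description = "host:port of the peer; supplied per host so the module carries no site-specific values.";
};
# … unchanged: systemd.network.enable, netdevConfig, wireguardConfig …
wireguardPeers = [
  {
    PublicKey = cfg.peerPublicKey;
    # … unchanged: AllowedIPs …
    Endpoint = cfg.peerEndpoint;
  }
];
```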
diff --git a/secrets/wireguard/home-pc.key.age b/secrets/wireguard/home-pc.key.age
new file mode 100644
index 0000000..3b761bd
Binary files /dev/null and b/secrets/wireguard/home-pc.key.age differ
diff --git a/system/networking.nix b/system/networking.nix
index 24e8003..7aedcc2 100644
--- a/system/networking.nix
+++ b/system/networking.nix
@@ -5,7 +5,17 @@
 "127.0.0.1"
 "::1"
 ];
- networking.networkmanager.dns = "systemd-resolved";
+
+ networking.nftables.enable = true;
+ networking.networkmanager = {
+ enable = true;
+ dns = "systemd-resolved";
+ };
+
+ systemd.network = {
+ enable = true;
+ wait-online.ignoredInterfaces = [ "tailscale0" ];
+ };
 services.dnsmasq.enable = false;
 services.resolved = {