From 61b899ecb60db58027095d851ea1143af34b1cb2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= <dev@felschr.com>
Date: Sat, 10 May 2025 15:56:47 +0200
Subject: [PATCH] feat(networking): enable systemd-networkd

---
 home/modules/seven/default.nix     |  22 ++++++++++
 home/modules/seven/ntfy.nix        |  40 +++++++++++++++++
 modules/wg0.nix                    |  67 +++++++++++++++++++++++++++++
 secrets/wireguard/cmdframe.key.age |   7 +++
 secrets/wireguard/home-pc.key.age  | Bin 0 -> 367 bytes
 system/networking.nix              |  12 +++++-
 6 files changed, 147 insertions(+), 1 deletion(-)
 create mode 100644 home/modules/seven/default.nix
 create mode 100644 home/modules/seven/ntfy.nix
 create mode 100644 modules/wg0.nix
 create mode 100644 secrets/wireguard/cmdframe.key.age
 create mode 100644 secrets/wireguard/home-pc.key.age

diff --git a/home/modules/seven/default.nix b/home/modules/seven/default.nix
new file mode 100644
index 0000000..67e1168
--- /dev/null
+++ b/home/modules/seven/default.nix
@@ -0,0 +1,22 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.custom.seven;
+in
+{
+  imports = [ ./seven-ntfy.nix ];
+
+  options = {
+    custom.seven = {
+      enable = lib.mkEnableOption (lib.mdDoc "Seven");
+      ssh.enable = lib.mkEnableOption (lib.mdDoc "Seven SSH");
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    programs.ssh.extraConfig = lib.mkIf cfg.ssh.enable ''
+      Host *.factory.secunet.com
+      User fschroeter
+    '';
+  };
+}
diff --git a/home/modules/seven/ntfy.nix b/home/modules/seven/ntfy.nix
new file mode 100644
index 0000000..d4b54a9
--- /dev/null
+++ b/home/modules/seven/ntfy.nix
@@ -0,0 +1,40 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  cfg = config.custom.seven.ntfy;
+in
+{
+  options = {
+    custom.seven.ntfy = {
+      enable = lib.mkEnableOption (lib.mdDoc "ntfy service for seven");
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.user = {
+      services.ntfy = {
+        Unit = {
+          Description = "ntfy alert scubscription";
+          After = "network-online.target";
+          PartOf = [ "graphical-session.target" ];
+        };
+        Service =
+          let
+            topic = "https://grafana.factory.secunet.com/ntfy/alerts";
+            notify-send = lib.getExe pkgs.libnotify;
+          in
+          {
+            Environment = "PATH=${pkgs.bash}/bin:\${PATH}";
+            ExecStart = "${pkgs.ntfy-sh}/bin/ntfy sub ${topic} '${notify-send} \"$t\" \"$m\"'";
+            Restart = "always";
+          };
+        Install.WantedBy = [ "default.target" ];
+      };
+    };
+  };
+}
diff --git a/modules/wg0.nix b/modules/wg0.nix
new file mode 100644
index 0000000..1ebcdfe
--- /dev/null
+++ b/modules/wg0.nix
@@ -0,0 +1,67 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.custom.wg0;
+in
+{
+  options = {
+    custom.wg0 = {
+      enable = lib.mkEnableOption (lib.mdDoc "Wireguard config");
+
+      addresses = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        description = "IP addresses for this machine within VPN.";
+      };
+
+      privateKeyFile = lib.mkOption {
+        type = lib.types.str;
+        example = "/path/to/secret.key";
+        description = "Private key file.";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    age.secrets.wireguard-home-pc-key = {
+      file = ../secrets/wireguard/home-pc.key.age;
+      owner = "systemd-network";
+    };
+    age.secrets.wireguard-cmdframe-key = {
+      file = ../secrets/wireguard/cmdframe.key.age;
+      owner = "systemd-network";
+    };
+
+    systemd.network = {
+      enable = true;
+      # TODO cannot push this to public git like this
+      netdevs."40-wg0" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = "wg0";
+          MTUBytes = "1280";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = cfg.privateKeyFile;
+        };
+        wireguardPeers = [
+          {
+            PublicKey = "ZVayNyJeOn848aus5bqYU2ujNxvnYtV3ACoerLtDpg8=";
+            AllowedIPs = [
+              "198.18.0.0/15"
+              "fd00:5ec::/48"
+            ];
+            # TODO remove endpoint from config
+            Endpoint = "gateway.seven.secunet.com:51821";
+          }
+        ];
+      };
+      networks."40-wg0" = {
+        matchConfig.Name = "wg0";
+        address = cfg.addresses;
+        networkConfig = {
+          IPMasquerade = "ipv4";
+        };
+      };
+    };
+  };
+}
diff --git a/secrets/wireguard/cmdframe.key.age b/secrets/wireguard/cmdframe.key.age
new file mode 100644
index 0000000..81f1bfa
--- /dev/null
+++ b/secrets/wireguard/cmdframe.key.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA yHDlGU8tW/fiMocPl0nldeEEn7NvPDMNCqL9hO7B5VY
+71ZALgVNzj0FJG4wW5qK+0rhF2hMMkkvqOl6wvpI1xo
+-> ssh-ed25519 lJaKnA 32vsGauSIeEy8gMq3rOuJV5OOVR/qbNCaJ96gvaYc38
+3f8ZLzGFg4g2XNfUPS+ePMc9AZHMLUjh6y0q2gaRwio
+--- PZeKDBBgibYk1Xl5Sd1S38kx322Gi6KnI0lj2NyhFUU
+?�y)�Sk*����gz�_�E�>|
J�׭*9�	�h����aI�9p�?�(�J���F�x:;�1yKP�]VQ2�J;Y��
\ No newline at end of file
diff --git a/secrets/wireguard/home-pc.key.age b/secrets/wireguard/home-pc.key.age
new file mode 100644
index 0000000000000000000000000000000000000000..3b761bd470f7a7b7097ac6532f41703189ef90ec
GIT binary patch
literal 367
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUlcZ>?ma8#)9H!t$@
z4z3K-FUj&rw8)A`^w6)!$#hEe^fO7$DK*csu*~%F&I+lF@Z>V{&=0Q&3aqkl4-R!T
z@+;NXPtwkEiS){e$aKv!H%==q3Ji*LjxsWEwm`Qn$1Bl0&r!k4FtakEBs4rDHM25N
zyUHvusxZervoOy%Pdhg`*V8m4yx7M$SU=3txtJ@;$ty4*EFdJj+|#(QxG>4nywcRQ
zFrdo7F}b4DRlD3h!o)N*#5L78GM!6TS69I;qqNB1x5TR?GNZ!KFSszuz`QWeHP_WU
zH9XQaD9t_FC&)WFN<ZDZDxXV^m8GOsf&YO;+@8IYUojlenO*L`ZovjoF)NQpF)9~b
zvKtE+(l@cqa?I^6_!s`>S3+Z6M#iiJ4+|9@_E^t=X>R{k?l^2bch7FORTiZHf69J!

literal 0
HcmV?d00001

diff --git a/system/networking.nix b/system/networking.nix
index 24e8003..7aedcc2 100644
--- a/system/networking.nix
+++ b/system/networking.nix
@@ -5,7 +5,17 @@
     "127.0.0.1"
     "::1"
   ];
-  networking.networkmanager.dns = "systemd-resolved";
+
+  networking.nftables.enable = true;
+  networking.networkmanager = {
+    enable = true;
+    dns = "systemd-resolved";
+  };
+
+  systemd.network = {
+    enable = true;
+    wait-online.ignoredInterfaces = [ "tailscale0" ];
+  };
 
   services.dnsmasq.enable = false;
   services.resolved = {