From 61b899ecb60db58027095d851ea1143af34b1cb2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= <dev@felschr.com>
Date: Sat, 10 May 2025 15:56:47 +0200
Subject: [PATCH] feat(networking): enable systemd-networkd

---
 home/modules/seven/default.nix | 22 ++++++++++
 home/modules/seven/ntfy.nix | 40 +++++++++++++++++
 modules/wg0.nix | 67 +++++++++++++++++++++++++++++
 secrets/wireguard/cmdframe.key.age | 7 +++
 secrets/wireguard/home-pc.key.age | Bin 0 -> 367 bytes
 system/networking.nix | 12 +++++-
 6 files changed, 147 insertions(+), 1 deletion(-)
 create mode 100644 home/modules/seven/default.nix
 create mode 100644 home/modules/seven/ntfy.nix
 create mode 100644 modules/wg0.nix
 create mode 100644 secrets/wireguard/cmdframe.key.age
 create mode 100644 secrets/wireguard/home-pc.key.age

diff --git a/home/modules/seven/default.nix b/home/modules/seven/default.nix
new file mode 100644
index 0000000..67e1168
--- /dev/null
+++ b/home/modules/seven/default.nix
@@ -0,0 +1,22 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.custom.seven;
+in
+{
+  imports = [ ./seven-ntfy.nix ];
+
+  options = {
+    custom.seven = {
+      enable = lib.mkEnableOption (lib.mdDoc "Seven");
+      ssh.enable = lib.mkEnableOption (lib.mdDoc "Seven SSH");
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    programs.ssh.extraConfig = lib.mkIf cfg.ssh.enable ''
+      Host *.factory.secunet.com
+      User fschroeter
+    '';
+  };
+}
diff --git a/home/modules/seven/ntfy.nix b/home/modules/seven/ntfy.nix
new file mode 100644
index 0000000..d4b54a9
--- /dev/null
+++ b/home/modules/seven/ntfy.nix
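Review bot: `imports = [ ./seven-ntfy.nix ];` references a file this commit does not create — the new module is `home/modules/seven/ntfy.nix` — so evaluating `custom.seven` will fail with a missing-path error before any option is read. The import should read `imports = [ ./ntfy.nix ];`. If the flake tracks a recent nixpkgs, `lib.mdDoc` is deprecated there and only adds a warning, so `enable = lib.mkEnableOption "Seven";` is sufficient for both options.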
@@ -0,0 +1,40 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  cfg = config.custom.seven.ntfy;
+in
+{
+  options = {
+    custom.seven.ntfy = {
+      enable = lib.mkEnableOption (lib.mdDoc "ntfy service for seven");
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.user = {
+      services.ntfy = {
+        Unit = {
+          Description = "ntfy alert scubscription";
+          After = "network-online.target";
+          PartOf = [ "graphical-session.target" ];
+        };
+        Service =
+          let
+            topic = "https://grafana.factory.secunet.com/ntfy/alerts";
+            notify-send = lib.getExe pkgs.libnotify;
+          in
+          {
+            Environment = "PATH=${pkgs.bash}/bin:\${PATH}";
+            ExecStart = "${pkgs.ntfy-sh}/bin/ntfy sub ${topic} '${notify-send} \"$t\" \"$m\"'";
+            Restart = "always";
+          };
+        Install.WantedBy = [ "default.target" ];
+      };
+    };
+  };
+}
diff --git a/modules/wg0.nix b/modules/wg0.nix
new file mode 100644
index 0000000..1ebcdfe
--- /dev/null
+++ b/modules/wg0.nix
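Review bot: `Environment = "PATH=${pkgs.bash}/bin:\${PATH}"` will, as far as I recall, leave a literal `${PATH}` element in the unit's PATH, because systemd performs no variable expansion inside `Environment=` assignments (systemd.exec(5)); it only works because the bash bin dir comes first, so `Environment = "PATH=${lib.makeBinPath [ pkgs.bash ]}";` states what is actually meant. The title and body reach `notify-send` as shell variables rather than by string interpolation, which is the right way to handle text arriving from the remote topic, but a body beginning with `-` would still be parsed as an option, so `'${notify-send} -- \"$t\" \"$m\"'` is the safer form. `Restart = "always"` with no `RestartSec` will hit the unit's start-rate limit as soon as the topic server is unreachable, leaving the subscription dead until the next login. `Description` also has a typo: "scubscription".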
@@ -0,0 +1,67 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.custom.wg0;
+in
+{
+  options = {
+    custom.wg0 = {
+      enable = lib.mkEnableOption (lib.mdDoc "Wireguard config");
+
+      addresses = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        description = "IP addresses for this machine within VPN.";
+      };
+
+      privateKeyFile = lib.mkOption {
+        type = lib.types.str;
+        example = "/path/to/secret.key";
+        description = "Private key file.";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    age.secrets.wireguard-home-pc-key = {
+      file = ../secrets/wireguard/home-pc.key.age;
+      owner = "systemd-network";
+    };
+    age.secrets.wireguard-cmdframe-key = {
+      file = ../secrets/wireguard/cmdframe.key.age;
+      owner = "systemd-network";
+    };
+
+    systemd.network = {
+      enable = true;
+      # TODO cannot push this to public git like this
+      netdevs."40-wg0" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = "wg0";
+          MTUBytes = "1280";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = cfg.privateKeyFile;
+        };
+        wireguardPeers = [
+          {
+            PublicKey = "ZVayNyJeOn848aus5bqYU2ujNxvnYtV3ACoerLtDpg8=";
+            AllowedIPs = [
+              "198.18.0.0/15"
+              "fd00:5ec::/48"
+            ];
+            # TODO remove endpoint from config
+            Endpoint = "gateway.seven.secunet.com:51821";
+          }
+        ];
+      };
+      networks."40-wg0" = {
+        matchConfig.Name = "wg0";
+        address = cfg.addresses;
+        networkConfig = {
+          IPMasquerade = "ipv4";
+        };
+      };
+    };
+  };
+}
diff --git a/secrets/wireguard/cmdframe.key.age b/secrets/wireguard/cmdframe.key.age
new file mode 100644
index 0000000..81f1bfa
--- /dev/null
+++ b/secrets/wireguard/cmdframe.key.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA yHDlGU8tW/fiMocPl0nldeEEn7NvPDMNCqL9hO7B5VY
+71ZALgVNzj0FJG4wW5qK+0rhF2hMMkkvqOl6wvpI1xo
+-> ssh-ed25519 lJaKnA 32vsGauSIeEy8gMq3rOuJV5OOVR/qbNCaJ96gvaYc38
+3f8ZLzGFg4g2XNfUPS+ePMc9AZHMLUjh6y0q2gaRwio
+--- PZeKDBBgibYk1Xl5Sd1S38kx322Gi6KnI0lj2NyhFUU
+?�y)�Sk*����gz�_�E�>| J�*9� �h����aI�9p�?�(�J���F�x:;�1yKP�]VQ2�J;Y��
\ No newline at end of file
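Review bot: `wireguardConfig` sets `PrivateKeyFile` but no `RouteTable`, and systemd-networkd only installs routes for `AllowedIPs` when `RouteTable=` is set in the `[WireGuard]` or `[WireGuardPeer]` section (it defaults to off), so traffic for `198.18.0.0/15` and `fd00:5ec::/48` will not enter `wg0` unless routes are added elsewhere; `wireguardConfig.RouteTable = "main";` or explicit `routes` in the `.network` closes that gap. Both `age.secrets` entries are declared whenever the module is enabled, so every host that sets `custom.wg0.enable` will try to decrypt both key files at activation and fail if its host key is not a recipient of the other machine's file — declaring only the secret the host actually uses, or taking the secret name through an option, avoids coupling the two machines. The two `# TODO` comments already say that the peer `PublicKey` and `Endpoint` are not meant for a public repository; the public key is not sensitive, but the endpoint hostname and port should move behind an option with no default before this lands. `IPMasquerade = "ipv4"` makes this host NAT everything it forwards out of `wg0` and, as far as I recall, implicitly turns on IP forwarding for the interface, which is a gateway role rather than a client one and deserves a one-line comment stating that it is intentional.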
diff --git a/secrets/wireguard/home-pc.key.age b/secrets/wireguard/home-pc.key.age
new file mode 100644
index 0000000000000000000000000000000000000000..3b761bd470f7a7b7097ac6532f41703189ef90ec
GIT binary patch
literal 367
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUlcZ>?ma8#)9H!t$@
z4z3K-FUj&rw8)A`^w6)!$#hEe^fO7$DK*csu*~%F&I+lF@Z>V{&=0Q&3aqkl4-R!T
z@+;NXPtwkEiS){e$aKv!H%==q3Ji*LjxsWEwm`Qn$1Bl0&r!k4FtakEBs4rDHM25N
zyUHvusxZervoOy%Pdhg`*V8m4yx7M$SU=3txtJ@;$ty4*EFdJj+|#(QxG>4nywcRQ
zFrdo7F}b4DRlD3h!o)N*#5L78GM!6TS69I;qqNB1x5TR?GNZ!KFSszuz`QWeHP_WU
zH9XQaD9t_FC&)WFN<ZDZDxXV^m8GOsf&YO;+@8IYUojlenO*L`ZovjoF)NQpF)9~b
zvKtE+(l@cqa?I^6_!s`>S3+Z6M#iiJ4+|9@_E^t=X>R{k?l^2bch7FORTiZHf69J!

literal 0
HcmV?d00001

diff --git a/system/networking.nix b/system/networking.nix
index 24e8003..7aedcc2 100644
--- a/system/networking.nix
+++ b/system/networking.nix
@@ -5,7 +5,17 @@
     "127.0.0.1"
     "::1"
   ];
-  networking.networkmanager.dns = "systemd-resolved";
+
+  networking.nftables.enable = true;
+  networking.networkmanager = {
+    enable = true;
+    dns = "systemd-resolved";
+  };
+
+  systemd.network = {
+    enable = true;
+    wait-online.ignoredInterfaces = [ "tailscale0" ];
+  };
   services.dnsmasq.enable = false;
   services.resolved = {