diff --git a/system/modules/default.nix b/system/modules/default.nix new file mode 100644 index 00000000..72ba8a0d --- /dev/null +++ b/system/modules/default.nix @@ -0,0 +1,13 @@ +{ + inputs, + config, + nixosConfig, + lib, + pkgs, + mylib, + ... +}: { + imports = [ + ./systemd-networkd + ]; +} diff --git a/system/modules/systemd-networkd/default.nix b/system/modules/systemd-networkd/default.nix new file mode 100644 index 00000000..673a2740 --- /dev/null +++ b/system/modules/systemd-networkd/default.nix @@ -0,0 +1,77 @@ +{ + inputs, + config, + lib, + mylib, + pkgs, + ... +}: +with lib; +with mylib.networking; +with mylib.modules; let + cfg = config.modules.network; + +in { + options.modules.network = import ./options.nix {inherit lib mylib;}; + + config = mkIf cfg.enable { + services.resolved.enable = true; + services.resolved.llmnr = "false"; + + # Main Networks + systemd.network = { + enable = true; + networks = cfg.networks; + }; + + # Wireguard VPNs + systemd.services = cfg.wireguard-tunnels; + + # General Networking Settings + networking = { + # Gets inherited from flake in nixos mylib and passed through the module option + hostName = cfg.hostname; # Define your hostname. + enableIPv6 = true; + + # Disable a lot of stuff not needed for systemd-networkd + networkmanager.enable = false; + useDHCP = false; # Default: true, don't use with networkd + dhcpcd.enable = false; # Don't use with networkd + useNetworkd = false; # Only use this if the configuration can't be written in systemd.network completely. It translates some of the networking... options to systemd + # resolvconf.enable = true; + + # TODO: Either IWD or WiFi through systemd-networkd + wireless = { + enable = false; # Enables wireless support via wpa_supplicant. + iwd.enable = false; # Use iwd instead of NetworkManager + }; + + # Open Ports + firewall = { + enable = true; + # networking.firewall.checkReversePath = "loose"; + + trustedInterfaces = [ + "podman0" + "docker0" + ]; + + allowedTCPPorts = cfg.allowedTCPPorts; + # allowedTCPPorts = [ + # 22 # SSH + # 80 # HTTP + # 443 # HTTPS + # ]; + # allowedTCPPortRanges = []; + + allowedUDPPorts = cfg.allowedUDPPorts; + # allowedUDPPorts = [ + # 9918 # Wireguard + # 18000 # Anno 1800 + # 24727 # AusweisApp2, alternative: programs.ausweisapp.openFirewall + # ]; + # allowedUDPPortRanges = []; + }; + }; + }; +} diff --git a/system/modules/systemd-networkd/options.nix b/system/modules/systemd-networkd/options.nix new file mode 100644 index 00000000..96f8e403 --- /dev/null +++ b/system/modules/systemd-networkd/options.nix @@ -0,0 +1,59 @@ +{ + lib, + mylib, + ... +}: +with lib; +with mylib.modules; { + enable = mkEnableOpt "Systemd Network Configuration"; + + hostname = mkOption { + type = types.str; + description = "The System's Hostname"; + example = '' + "Nixinator" + ''; + }; + + networks = mkOption { + type = types.attrSet; + default = {}; + description = "Systemd-Networkd Networks"; + example = '' + { + "50-ether" = { + [...] + }; + } + ''; + }; + + wireguard-tunnels = mkOption { + type = types.attrSet; + default = {}; + description = "Wireguard VPN Tunnels"; + example = '' + wg0-de-115 = { + [...] + }; + ''; + }; + + allowedTCPPorts = mkOption { + type = types.list; + default = []; + description = "Open TCP Ports in the Firewall"; + example = '' + [22 80 443] + ''; + }; + + allowedUDPPorts = mkOption { + type = types.list; + default = []; + description = "Open UDP Ports in the Firewall"; + example = '' + [22 80 443] + ''; + }; +}