diff --git a/system/default.nix b/system/default.nix
index 7495e22b..2722d591 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -12,13 +12,54 @@
 }:
 with mylib.networking; {
 imports = [
+ # Import my system modules
+ ./modules
+ # Import the host-specific system config
- ../modules
 ./${hostname}
 ./cachix.nix
 ];
+ modules = {
+ systemd-networkd = {
+ enable = true;
+ hostname = hostname;
+
+ networks = {
+ # Default wildcard ethernet network for all hosts
+ "50-ether" = mkSystemdNetwork "enp*";
+ };
+
+ wireguard-tunnels = {
+ wg0-de-115 = (mkWireguardService
+ "wg0-de-115"
+ "proton-de-115.key"
+ "9+CorlxrTsQR7qjIOVKsEkk8Z7UUS5WT3R1ccF7a0ic="
+ "194.126.177.14"
+ );
+
+ wg0-lu-16 = (mkWireguardService
+ "wg0-lu-16"
+ "proton-lu-16.key"
+ "asu9KtQoZ3iKwELsDTgjPEiFNcD1XtgGgy3O4CZFg2w="
+ "92.223.89.133"
+ );
+ };
+
+ allowedTCPPorts = [
+ 22 # SSH
+ 80 # HTTP
+ 443 # HTTPS
+ ];
+ allowedUDPPorts = [
+ 9918 # Wireguard
+ 18000 # Anno 1800
+ 24727 # AusweisApp2
+ ];
+ };
+ };
+
 # Enable flakes
 nix = {
 package = pkgs.nixVersions.stable;
@@ -142,43 +183,6 @@ with mylib.networking; {
 # https://github.com/NixOS/nixpkgs/issues/179486
 i18n.supportedLocales = ["en_US.UTF-8/UTF-8" "de_DE.UTF-8/UTF-8"];
- systemd-networkd = {
- enable = true;
- hostname = hostname;
-
- networks = {
- # Default wildcard ethernet network for all hosts
- "50-ether" = mkSystemdNetwork "enp*";
- };
-
- wireguard-tunnels = {
- wg0-de-115 = (mkWireguardService
- "wg0-de-115"
- "proton-de-115.key"
- "9+CorlxrTsQR7qjIOVKsEkk8Z7UUS5WT3R1ccF7a0ic="
- "194.126.177.14"
- );
-
- wg0-lu-16 = (mkWireguardService
- "wg0-lu-16"
- "proton-lu-16.key"
- "asu9KtQoZ3iKwELsDTgjPEiFNcD1XtgGgy3O4CZFg2w="
- "92.223.89.133"
- );
- };
-
- allowedTCPPorts = [
- 22 # SSH
- 80 # HTTP
- 443 # HTTPS
- ];
- allowedUDPPorts = [
- 9918 # Wireguard
- 18000 # Anno 1800
- 24727 # AusweisApp2
- ];
- };
-
 # Enable the X11 windowing system.
 services.xserver = {
 enable = true;
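Review bot: The port openings in the new `modules.systemd-networkd` block — TCP 22/80/443 and UDP 9918/18000/24727 — sit in the shared `system/default.nix`, so every host that imports it exposes SSH, HTTP(S), the Anno 1800 port and the AusweisApp2 port whether or not it runs those services. Because the option is declared as `types.listOf` elsewhere in this commit, a host config under `./${hostname}` can only append to these lists, not drop an entry, short of `mkForce`; keeping the shared default to something like `allowedTCPPorts = [ 22 ];` and moving the rest into the host-specific configs (e.g. `modules.systemd-networkd.allowedUDPPorts = [ 18000 ];` only on the machine that plays it) would follow least privilege. The WireGuard entries expose only peer public keys, endpoint addresses and a key file name, which is fine to commit; how `proton-de-115.key` is resolved and protected is not visible in this hunk. The enclosing top-level attribute set opens and closes outside the hunk.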
diff --git a/system/modules/systemd-networkd/default.nix b/system/modules/systemd-networkd/default.nix
index 673a2740..360e9215 100644
--- a/system/modules/systemd-networkd/default.nix
+++ b/system/modules/systemd-networkd/default.nix
@@ -9,10 +9,9 @@ with lib;
 with mylib.networking;
 with mylib.modules;
 let
- cfg = config.modules.network;
-
+ cfg = config.modules.systemd-networkd;
 in {
- options.modules.network = import ./options.nix {inherit lib mylib;};
+ options.modules.systemd-networkd = import ./options.nix {inherit lib mylib;};
 config = mkIf cfg.enable {
 services.resolved.enable = true;
@@ -57,19 +56,9 @@ in {
 ];
 allowedTCPPorts = cfg.allowedTCPPorts;
- # allowedTCPPorts = [
- # 22 # SSH
- # 80 # HTTP
- # 443 # HTTPS
- # ];
 # allowedTCPPortRanges = [];
 allowedUDPPorts = cfg.allowedUDPPorts;
- # allowedUDPPorts = [
- # 9918 # Wireguard
- # 18000 # Anno 1800
- # 24727 # AusweisApp2, alternative: programs.ausweisapp.openFirewall
- # ];
 # allowedUDPPortRanges = [];
 };
 };
diff --git a/system/modules/systemd-networkd/options.nix b/system/modules/systemd-networkd/options.nix
index 96f8e403..5ca38768 100644
--- a/system/modules/systemd-networkd/options.nix
+++ b/system/modules/systemd-networkd/options.nix
@@ -16,7 +16,7 @@ with mylib.modules; {
 };
 networks = mkOption {
- type = types.attrSet;
+ type = types.attrs;
 default = {};
 description = "Systemd-Networkd Networks";
 example = ''
@@ -29,7 +29,7 @@
 };
 wireguard-tunnels = mkOption {
- type = types.attrSet;
+ type = types.attrs;
 default = {};
 description = "Wireguard VPN Tunnels";
 example = ''
@@ -40,7 +40,7 @@
 };
 allowedTCPPorts = mkOption {
- type = types.list;
+ type = types.listOf types.int;
 default = [];
 description = "Open TCP Ports in the Firewall";
 example = ''
@@ -49,7 +49,7 @@
 };
 allowedUDPPorts = mkOption {
- type = types.list;
+ type = types.listOf types.int;
 default = [];
 description = "Open UDP Ports in the Firewall";
 example = ''
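Review bot: `types.attrs` for `networks` (and for `wireguard-tunnels` in the next hunk) merges multiple definitions with a shallow `//`, as far as I recall the nixpkgs implementation, so if a host config and the shared config both define a `"50-ether"` entry the later definition silently replaces the earlier one instead of raising a conflict. `types.attrsOf types.anything` keeps the same loose shape but merges per key and reports clashes on scalar values, and `types.attrsOf (types.submodule { … })` would additionally validate the fields each network or tunnel needs; the minimal change is `type = types.attrsOf types.anything;`. The `mkOption` set is complete within the hunk, but the options file's outer attribute set opens in the header context and closes outside it.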
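Review bot: `types.listOf types.int` for `allowedTCPPorts` accepts any integer, so a negative value or something like `65536` passes evaluation and only surfaces once the firewall rules are generated or applied. NixOS provides `types.port`, a 16-bit unsigned integer type meant for exactly this, so `type = types.listOf types.port;` rejects such entries at rebuild time; the `allowedUDPPorts` option in the following hunk should get the same treatment, though that hunk's last line is outside this view. `types.port` still admits `0`, so if that value must be excluded it needs an explicit check.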