System: Declaratively define networkmanager profiles

home/christoph/default.nix

@@ -331,6 +331,9 @@ rec {
       cifs-utils # Mount samba shares
       nfs-utils # Mount NFS shares
       sshfs # Mount remote directories via SSH
+
+      protonvpn-gui
+      protonmail-bridge-gui
       protonvpn-cli_2 # TODO: Not compatible with systemd-networkd?
       protonmail-bridge # TODO: Enable on startup, email module
 

home/modules/rofi/default.nix

@@ -2,6 +2,7 @@
 #       VPN and Container modules should use this rofi module to enable their menus then
 {
   config,
+  nixosConfig,
   lib,
   mylib,
   pkgs,
@@ -146,16 +147,18 @@ in {
 
       vpn-menu = pkgs.writeScript "rofi-menu-vpn" (builtins.readFile ./menus/vpn.fish);
       keybinds-menu = pkgs.writeScript "rofi-menu-keybinds" (builtins.readFile ./menus/keybinds.fish);
-
-      # TODO: Expand on that
       lectures-menu = pkgs.writeScript "rofi-menu-lectures" (builtins.readFile ./menus/lectures.fish);
     in {
-      bindings = {
+      bindings = lib.mergeAttrsList [
-        "$mainMod, escape" = ["exec, \"${power-menu}\""];
+        {
-        "$mainMod, O" = ["exec, \"${lectures-menu}\""];
+          "$mainMod, escape" = ["exec, \"${power-menu}\""];
-        "$mainMod, M" = ["exec, \"${keybinds-menu}\""];
+          "$mainMod, M" = ["exec, \"${keybinds-menu}\""];
-        "$mainMod, U" = ["exec, \"${vpn-menu}\""];
+          # "$mainMod, O" = ["exec, \"${lectures-menu}\""]; # TODO: Broken, expand on that
-      };
+        }
+        (lib.optionalAttrs (!nixosConfig.modules.network.useNetworkManager) {
+          "$mainMod, U" = ["exec, \"${vpn-menu}\""];
+        })
+      ];
     };
   };
 }

lib/networking.nix

@@ -79,6 +79,29 @@
     };
   };
 
+  # TODO: What other config options are there?
+  mkStaticNetworkManagerProfile = {
+    id,
+    interface,
+    ip,
+    router,
+    nameserver,
+    autoconnect,
+  }: {
+    connection = {
+      inherit id autoconnect;
+      type = "ethernet";
+      interface-name = interface;
+    };
+
+    ipv4 = {
+      method = "manual";
+      addresses = ip;
+      gateway = router;
+      dns = nameserver;
+    };
+  };
+
   mkNetworkNamespace = name: ''
     ${pkgs.iproute2}/bin/ip netns add ${name} # Create the Namespace
     ${pkgs.iproute2}/bin/ip -n ${name} link set lo up # Enable the Loopback device

system/default.nix

@@ -25,9 +25,10 @@ with mylib.networking; {
   modules = {
     polkit.enable = true;
 
-    systemd-networkd = {
+    network = {
       inherit hostname;
       enable = true;
+      useNetworkManager = true;
 
       networks = {
         # Default wildcard ethernet network for all hosts

system/modules/default.nix

@@ -1,6 +1,6 @@
 {...}: {
   imports = [
     ./polkit
-    ./systemd-networkd
+    ./network
   ];
 }

system/modules/network/default.nix

@@ -8,17 +8,26 @@
 with lib;
 with mylib.networking;
 with mylib.modules; let
-  cfg = config.modules.systemd-networkd;
+  cfg = config.modules.network;
 in {
-  options.modules.systemd-networkd = import ./options.nix {inherit lib mylib;};
+  options.modules.network = import ./options.nix {inherit lib mylib;};
 
   config = mkIf cfg.enable {
     services.resolved.enable = true;
     services.resolved.llmnr = "false";
 
+    # Use the programs.nm-applet instead
+    # environment.systemPackages = with pkgs;
+    #   builtins.concatLists [
+    #     []
+    #     (lib.optionals cfg.useNetworkManager [networkmanagerapplet]) # This is started by hyprland if enabled
+    #   ];
+
+    programs.nm-applet.enable = cfg.useNetworkManager;
+
     # Main Networks
     systemd.network = {
-      enable = true;
+      enable = !cfg.useNetworkManager;
       wait-online.timeout = 10;
 
       # Don't wait for all networks to be configured, as e.g. wg0 will only be upon manual activation
@@ -31,11 +40,12 @@ in {
       #   "enp5s0"
       # ];
 
-      networks = cfg.networks;
+      # networks = cfg.networks;
+      inherit (cfg) networks;
     };
 
     # Wireguard VPNs
-    systemd.services = cfg.wireguard-tunnels;
+    systemd.services = mkIf (!cfg.useNetworkManager) cfg.wireguard-tunnels;
 
     # NOTE: I can connect to TU Dortmund directly
     # TODO: Use config with netns, like with wireguard
@@ -49,11 +59,11 @@ in {
 
     # TODO: Rewrite with lib.pipe
     # Generate list of vpns for rofi menu
-    environment.etc."rofi-vpns".text = let
+    environment.etc."rofi-vpns" = let
       names-list = attrNames cfg.wireguard-tunnels;
       names = concatStringsSep "\n" names-list;
     in
-      names;
+      mkIf (!cfg.useNetworkManager) {text = names;};
 
     # Allow to enable/disable tunnels without root password
     modules.polkit.allowed-system-services = let
@@ -62,7 +72,7 @@ in {
         (map (v: "${v}.service"))
       ];
     in
-      vpn-services;
+      mkIf (!cfg.useNetworkManager) vpn-services;
 
     # General Networking Settings
     networking = {
@@ -71,16 +81,27 @@ in {
       enableIPv6 = false;
 
       # Disable a lot of stuff not needed for systemd-networkd
-      networkmanager.enable = false;
+      networkmanager = {
+        enable = cfg.useNetworkManager;
+        ensureProfiles.profiles = cfg.profiles;
+
+        insertNameservers = [
+          "192.168.86.26"
+        ];
+
+        wifi = {
+          backend = "iwd";
+        };
+      };
+
       useDHCP = false; # Default: true, don't use with networkd
       dhcpcd.enable = false; # Don't use with networkd
       useNetworkd = false; # Only use this if the configuration can't be written in systemd.network completely. It translates some of the networking... options to systemd
       # resolvconf.enable = true;
 
-      # TODO
       wireless = {
         enable = false; # Enables wireless support via wpa_supplicant.
-        iwd.enable = false; # Use iwd instead of NetworkManager
+        iwd.enable = true; # Use iwd instead of wpa_supplicant
       };
 
       # Open Ports
@@ -94,11 +115,11 @@ in {
           "docker0"
         ];
 
-        allowedTCPPorts = cfg.allowedTCPPorts;
+        # allowedTCPPorts = cfg.allowedTCPPorts;
         # allowedTCPPortRanges = [];
-
+        # allowedUDPPorts = cfg.allowedUDPPorts;
-        allowedUDPPorts = cfg.allowedUDPPorts;
         # allowedUDPPortRanges = [];
+        inherit (cfg) allowedTCPPorts allowedUDPPorts;
       };
     };
   };

system/modules/network/options.nix

@@ -7,6 +7,8 @@ with lib;
 with mylib.modules; {
   enable = mkEnableOption "Systemd Network Configuration";
 
+  useNetworkManager = mkEnableOption "Use NetworkManager instead of systemd-networkd";
+
   hostname = mkOption {
     type = types.str;
     description = "The System's Hostname";
@@ -28,6 +30,17 @@ with mylib.modules; {
     '';
   };
 
+  profiles = mkOption {
+    type = types.attrs;
+    default = {};
+    description = "NetworkManager Profiles";
+    example = ''
+      "50-ether" = {
+        [...]
+      };
+    '';
+  };
+
   wireguard-tunnels = mkOption {
     type = types.attrs;
     default = {};

system/nixinator/default.nix

@@ -11,7 +11,8 @@
   ];
 
   modules = {
-    systemd-networkd = {
+    network = {
+      # Systemd-networkd configs
       networks = {
         # This should override the default network 50-ether
         "10-ether-2_5G" = mylib.networking.mkStaticSystemdNetwork {
@@ -31,6 +32,26 @@
         # "10-ether-1G" = mylib.networking.mkStaticSystemdNetwork {...};
       };
 
+      # NetworkManager profiles
+      profiles = {
+        "10-ether-2_5G" = mylib.networking.mkStaticNetworkManagerProfile {
+          id = "Wired 2.5G";
+          interface = "enp8s0";
+          ip = "192.168.86.50/24";
+          router = "192.168.86.5";
+          nameserver = "192.168.86.26";
+          autoconnect = true;
+        };
+        "10-ether-1G" = mylib.networking.mkStaticNetworkManagerProfile {
+          id = "Wired 1G";
+          interface = "enp5s0";
+          ip = "192.168.86.50/24";
+          router = "192.168.86.5";
+          nameserver = "192.168.86.26";
+          autoconnect = false;
+        };
+      };
+
       allowedTCPPorts = [
         # 7777 # AvaTalk
         # 12777 # AvaTalk

system/nixtop/default.nix

@@ -6,7 +6,7 @@
   ];
 
   modules = {
-    systemd-networkd = {
+    network = {
       wireguard-tunnels = {
         wg0-de-74 =
           mylib.networking.mkWireguardService