From 39e2d8f4e577a35017a88603c2dd316245010e43 Mon Sep 17 00:00:00 2001 From: coolneng Date: Tue, 20 Dec 2022 15:04:11 +0100 Subject: [PATCH] Migrate to systemd-networkd --- configuration.nix | 6 ++- modules/networking.nix | 86 +++++++++++++++++++++++------------------- 2 files changed, 53 insertions(+), 39 deletions(-) diff --git a/configuration.nix b/configuration.nix index 21d8451..f56bd23 100644 --- a/configuration.nix +++ b/configuration.nix @@ -105,7 +105,11 @@ with pkgs; # Specify secrets age = { - secrets.wireguard.file = secrets/wireguard.age; + secrets.wireguard = { + file = secrets/wireguard.age; + owner = "systemd-network"; + group = "systemd-network"; + }; secrets.syncthing.file = secrets/syncthing.age; secrets.msmtp.file = secrets/msmtp.age; secrets.gitea = { diff --git a/modules/networking.nix b/modules/networking.nix index 3c544e4..0a906c9 100644 --- a/modules/networking.nix +++ b/modules/networking.nix @@ -3,23 +3,24 @@ let wireguard_port = 1194; in { - # Assign a static IP + # Enable systemd-networkd networking = { hostName = "zion"; hostId = "4e74ea68"; - interfaces.eth0 = { - useDHCP = false; - ipv4.addresses = [{ - address = "192.168.13.2"; - prefixLength = 24; - }]; - }; - defaultGateway = { - address = "192.168.13.1"; - interface = "eth0"; - }; - nameservers = [ "51.158.108.203" "137.220.55.93" ]; - enableIPv6 = false; + useDHCP = false; + useNetworkd = true; + dhcpcd.enable = false; + }; + systemd.services."systemd-networkd-wait-online".enable = false; + + # Assign a static IP + systemd.network.networks."24-home" = { + name = "eth0"; + matchConfig.Name = "eth0"; + address = [ "192.168.13.2/24" ]; + gateway = [ "192.168.13.1" ]; + dns = [ "51.158.108.203" "137.220.55.93" ]; + networkConfig.DNSSEC = "no"; }; # Enable zeroconf @@ -61,38 +62,47 @@ in { ''; }; - # Enable NAT for wireguard - networking.nat = { - enable = true; - externalInterface = "eth0"; - internalInterfaces = [ "wg0" ]; + # Wireguard setup + systemd.network.netdevs."wg0" = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg0"; + }; + wireguardConfig = { + ListenPort = wireguard_port; + PrivateKeyFile = config.age.secrets.wireguard.path; + }; + wireguardPeers = [ + # panacea + { + wireguardPeerConfig = { + PublicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38="; + AllowedIPs = [ "10.8.0.2/32" ]; + }; + } + # caravanserai + { + wireguardPeerConfig = { + PublicKey = "eeKfAgMisM3K4ZOErev05RJ9LS2NLqL4x9jyi4XhM1Q="; + AllowedIPs = [ "10.8.0.3/32" ]; + }; + } + ]; }; - # Wireguard setup - networking.wireguard.interfaces = { - wg0 = { - ips = [ "10.8.0.1/24" ]; - listenPort = wireguard_port; - privateKeyFile = config.age.secrets.wireguard.path; - peers = [ - # panacea - { - publicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38="; - allowedIPs = [ "10.8.0.2/32" ]; - } - # caravanserai - { - publicKey = "eeKfAgMisM3K4ZOErev05RJ9LS2NLqL4x9jyi4XhM1Q="; - allowedIPs = [ "10.8.0.3/32" ]; - } - ]; + systemd.network.networks."wg0" = { + matchConfig.Name = "wg0"; + networkConfig = { + Address = "10.8.0.1/24"; + IPForward = true; + IPMasquerade = "ipv4"; }; }; # DNS server with ad-block services.dnsmasq = { enable = true; - servers = config.networking.nameservers; + servers = config.systemd.network.networks."24-home".dns; extraConfig = '' domain-needed bogus-priv