Migrate to systemd-networkd

This commit is contained in:
coolneng 2022-12-20 15:04:11 +01:00
parent 5da50e5290
commit 39ff4ee9e8
Signed by: coolneng
GPG Key ID: 9893DA236405AF57
2 changed files with 53 additions and 39 deletions

View File

@ -105,7 +105,11 @@ with pkgs;
# Specify secrets
age = {
secrets.wireguard.file = secrets/wireguard.age;
secrets.wireguard = {
file = secrets/wireguard.age;
owner = "systemd-network";
group = "systemd-network";
};
secrets.syncthing.file = secrets/syncthing.age;
secrets.msmtp.file = secrets/msmtp.age;
secrets.gitea = {

View File

@ -3,23 +3,24 @@
let wireguard_port = 1194;
in {
# Assign a static IP
# Enable systemd-networkd
networking = {
hostName = "zion";
hostId = "4e74ea68";
interfaces.eth0 = {
useDHCP = false;
ipv4.addresses = [{
address = "192.168.13.2";
prefixLength = 24;
}];
};
defaultGateway = {
address = "192.168.13.1";
interface = "eth0";
};
nameservers = [ "51.158.108.203" "137.220.55.93" ];
enableIPv6 = false;
useDHCP = false;
useNetworkd = true;
dhcpcd.enable = false;
};
systemd.services."systemd-networkd-wait-online".enable = false;
# Assign a static IP
systemd.network.networks."24-home" = {
name = "eth0";
matchConfig.Name = "eth0";
address = [ "192.168.13.2/24" ];
gateway = [ "192.168.13.1" ];
dns = [ "51.158.108.203" "137.220.55.93" ];
networkConfig.DNSSEC = "no";
};
# Enable zeroconf
@ -61,38 +62,47 @@ in {
'';
};
# Enable NAT for wireguard
networking.nat = {
enable = true;
externalInterface = "eth0";
internalInterfaces = [ "wg0" ];
# Wireguard setup
systemd.network.netdevs."wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
};
wireguardConfig = {
ListenPort = wireguard_port;
PrivateKeyFile = config.age.secrets.wireguard.path;
};
wireguardPeers = [
# panacea
{
wireguardPeerConfig = {
PublicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
AllowedIPs = [ "10.8.0.2/32" ];
};
}
# caravanserai
{
wireguardPeerConfig = {
PublicKey = "eeKfAgMisM3K4ZOErev05RJ9LS2NLqL4x9jyi4XhM1Q=";
AllowedIPs = [ "10.8.0.3/32" ];
};
}
];
};
# Wireguard setup
networking.wireguard.interfaces = {
wg0 = {
ips = [ "10.8.0.1/24" ];
listenPort = wireguard_port;
privateKeyFile = config.age.secrets.wireguard.path;
peers = [
# panacea
{
publicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
allowedIPs = [ "10.8.0.2/32" ];
}
# caravanserai
{
publicKey = "eeKfAgMisM3K4ZOErev05RJ9LS2NLqL4x9jyi4XhM1Q=";
allowedIPs = [ "10.8.0.3/32" ];
}
];
systemd.network.networks."wg0" = {
matchConfig.Name = "wg0";
networkConfig = {
Address = "10.8.0.1/24";
IPForward = true;
IPMasquerade = "ipv4";
};
};
# DNS server with ad-block
services.dnsmasq = {
enable = true;
servers = config.networking.nameservers;
servers = config.systemd.network.networks."24-home".dns;
extraConfig = ''
domain-needed
bogus-priv