refactor(nixosModules): moved networking config to a module

2025-04-28 10:15:52 +08:00 · 2025-04-28 10:15:52 +08:00 · 36b1088d34
commit 36b1088d34
parent cb164afe12
6 changed files with 93 additions and 76 deletions
--- a/configs/networking.nix
+++ b/configs/networking.nix
@ -1,74 +0,0 @@
-{
-  hostname,
-  lib,
-  config,
-  ...
-}:
-{
-  systemd.services.NetworkManager-dispatcher.serviceConfig = {
-    ProtectClock = true; # Prevents the service from changing the system time or timezone.
-    ProtectKernelTunables = true; # Restricts the service's ability to modify kernel parameters via sysctl.
-    ProtectKernelModules = true; # Prevents the service from loading or unloading kernel modules.
-    ProtectKernelLogs = true; # Prevents the service from reading kernel logs directly.
-    SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap"; # Whitelists system calls, blocking all others based on specified groups.
-    ProtectControlGroups = true; # Prevents the service from joining or modifying control groups other than its own.
-    RestrictNamespaces = true; # Enforces stricter namespace isolation, preventing user namespace creation/joining.
-    LockPersonality = true; # Disables the `personality()` system call, preventing execution domain changes.
-    MemoryDenyWriteExecute = true; # Prevents the service from mapping memory pages as both writable and executable (W^X).
-    RestrictRealtime = true; # Prevents the service from using real-time scheduling policies.
-    RestrictSUIDSGID = true; # Prevents the service from utilizing setuid/setgid functionality.
-  };
-
-  systemd.services.NetworkManager.serviceConfig = {
-    ProtectClock = true; # Prevents the service from changing the system time or timezone.
-    ProtectKernelTunables = true; # Restricts the service's ability to modify kernel parameters via sysctl.
-    ProtectKernelModules = true; # Prevents the service from loading or unloading kernel modules.
-    ProtectKernelLogs = true; # Prevents the service from reading kernel logs directly.
-    SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap"; # Whitelists system calls, blocking all others based on specified groups.
-    ProtectControlGroups = true; # Prevents the service from joining or modifying control groups other than its own.
-    RestrictNamespaces = true; # Enforces stricter namespace isolation, preventing user namespace creation/joining.
-    LockPersonality = true; # Disables the `personality()` system call, preventing execution domain changes.
-    MemoryDenyWriteExecute = true; # Prevents the service from mapping memory pages as both writable and executable (W^X).
-    RestrictRealtime = true; # Prevents the service from using real-time scheduling policies.
-    RestrictSUIDSGID = true; # Prevents the service from utilizing setuid/setgid functionality.
-  };
-
-  networking = {
-    hostName = hostname;
-    useDHCP = lib.mkDefault true;
-    networkmanager.enable = true;
-    networkmanager.wifi.backend = "iwd";
-
-    # Configures a simple stateful firewall.
-    # By default, it doesn't allow any incoming connections.
-    firewall = {
-      enable = true;
-      allowedTCPPorts = [
-        22 # SSH
-        5353 # spotifyd
-      ];
-      allowedUDPPorts = [
-        5353 # spotifyd
-      ];
-    };
-
-    interfaces.enp12s0.wakeOnLan.policy = [
-      "phy"
-      "unicast"
-      "multicast"
-      "broadcast"
-      "arp"
-      "magic"
-      "secureon"
-    ];
-    interfaces.enp12s0.wakeOnLan.enable = true;
-  };
-  services.openssh = {
-    enable = true;
-    settings.PrintMotd = true;
-  };
-  services.tailscale = {
-    enable = true;
-    authKeyFile = config.sops.secrets.ts_auth_key.path;
-  };
-}
--- a/configs/programs/spotifyd.nix
+++ b/configs/programs/spotifyd.nix
@ -10,4 +10,10 @@
      };
    };
  };
+  networking.firewall.allowedTCPPorts = [
+    5353 # spotifyd
+  ];
+  networking.firewall.allowedUDPPorts = [
+    5353 # spotifyd
+  ];
 }
--- a/hosts/common.nix
+++ b/hosts/common.nix
@ -1,10 +1,14 @@
-{ lib, type, ... }:
+{
+  lib,
+  hostname,
+  type,
+  ...
+}:
 {
  imports =
    [
      ../configs/security.nix
      ../configs/users.nix
-      ../configs/networking.nix
      ../configs/shell.nix
      ../configs/programs/stylix.nix
    ]
@ -12,8 +16,10 @@
      ../configs/graphical.nix
    ];
  nixosModules.enable = true;
+  nixosModules.hostname = hostname;
  hmModules.enable = true;
  nix-config.enable = true;
  boot-config.enable = true;
  hardware-config.usbAutoMount = true;
+  nw-config.backend = "networkmanager";
 }
--- a/hosts/nemesis.nix
+++ b/hosts/nemesis.nix
@ -10,4 +10,6 @@
  hardware-config.gpu = "nvidia";
  gaming.steam.enable = true;
  fs-config.mountHeliosData = true;
+  nw-config.wol.enable = true;
+  nw-config.wol.interface = "enp12s0";
 }
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -14,11 +14,18 @@ in
    ./nix-config.nix
    ./gaming.nix
    ./filesystems.nix
+    ./networking.nix
  ];

  options = {
    "${moduleName}" = {
      enable = lib.mkEnableOption "Enable ${moduleName}.";
+      hostname = lib.mkOption {
+        type = lib.types.str;
+        default = "";
+        example = "goron";
+        description = "The name this machine will be known by.";
+      };
    };
  };

--- a/modules/nixos/networking.nix
+++ b/modules/nixos/networking.nix
@ -0,0 +1,70 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  moduleName = "nw-config";
+  cfg = config."${moduleName}";
+in
+{
+  options = {
+    "${moduleName}" = {
+      wol = {
+        enable = lib.mkEnableOption "Enable wake on lan.";
+        interface = lib.mkOption {
+          type = lib.types.str;
+          default = "";
+          example = "enp12s0";
+          description = "What interface to enable wake on lan for.";
+        };
+      };
+      backend = lib.mkOption {
+        type = lib.types.str;
+        default = "";
+        example = "networkmanager";
+        description = "What software to use to manage your networks.";
+      };
+    };
+  };
+
+  config = lib.mkMerge [
+    {
+      networking = {
+        hostName = config.nixosModules.hostname;
+        useDHCP = lib.mkDefault true;
+        firewall.enable = true;
+      };
+    }
+    {
+      services.openssh.enable = true;
+      networking.firewall.allowedTCPPorts = [ 22 ];
+    }
+    {
+      services.tailscale = {
+        enable = true;
+        authKeyFile = config.sops.secrets.ts_auth_key.path;
+      };
+    }
+    (lib.mkIf (cfg.backend == "networkmanager") {
+      networking = {
+        networkmanager.enable = true;
+        networkmanager.wifi.backend = "iwd";
+      };
+    })
+    (lib.mkIf cfg.wol.enable {
+      networking.interfaces."${cfg.wol.interface}".wakeOnLan = {
+        enable = true;
+        policy = [
+          "phy"
+          "unicast"
+          "multicast"
+          "broadcast"
+          "arp"
+          "magic"
+          "secureon"
+        ];
+      };
+    })
+  ];
+}