From 36b1088d34d82b5095559eaeefc60f21f611631a Mon Sep 17 00:00:00 2001
From: Mohammad Rafiq
Date: Mon, 28 Apr 2025 10:15:52 +0800
Subject: [PATCH] refactor(nixosModules): moved networking config to a module
---
 configs/networking.nix | 74 ----------------------------------
 configs/programs/spotifyd.nix | 6 +++
 hosts/common.nix | 10 ++++-
 hosts/nemesis.nix | 2 +
 modules/nixos/default.nix | 7 ++++
 modules/nixos/networking.nix | 70 +++++++++++++++++++++++++++++++++
 6 files changed, 93 insertions(+), 76 deletions(-)
 delete mode 100644 configs/networking.nix
 create mode 100644 modules/nixos/networking.nix
diff --git a/configs/networking.nix b/configs/networking.nix
deleted file mode 100644
index 9b05123..0000000
--- a/configs/networking.nix
+++ /dev/null
@@ -1,74 +0,0 @@
-{
- hostname,
- lib,
- config,
- ...
-}:
-{
- systemd.services.NetworkManager-dispatcher.serviceConfig = {
- ProtectClock = true; # Prevents the service from changing the system time or timezone.
- ProtectKernelTunables = true; # Restricts the service's ability to modify kernel parameters via sysctl.
- ProtectKernelModules = true; # Prevents the service from loading or unloading kernel modules.
- ProtectKernelLogs = true; # Prevents the service from reading kernel logs directly.
- SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap"; # Whitelists system calls, blocking all others based on specified groups.
- ProtectControlGroups = true; # Prevents the service from joining or modifying control groups other than its own.
- RestrictNamespaces = true; # Enforces stricter namespace isolation, preventing user namespace creation/joining.
- LockPersonality = true; # Disables the `personality()` system call, preventing execution domain changes.
- MemoryDenyWriteExecute = true; # Prevents the service from mapping memory pages as both writable and executable (W^X).
- RestrictRealtime = true; # Prevents the service from using real-time scheduling policies.
- RestrictSUIDSGID = true; # Prevents the service from utilizing setuid/setgid functionality.
- };
-
- systemd.services.NetworkManager.serviceConfig = {
- ProtectClock = true; # Prevents the service from changing the system time or timezone.
- ProtectKernelTunables = true; # Restricts the service's ability to modify kernel parameters via sysctl.
- ProtectKernelModules = true; # Prevents the service from loading or unloading kernel modules.
- ProtectKernelLogs = true; # Prevents the service from reading kernel logs directly.
- SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap"; # Whitelists system calls, blocking all others based on specified groups.
- ProtectControlGroups = true; # Prevents the service from joining or modifying control groups other than its own.
- RestrictNamespaces = true; # Enforces stricter namespace isolation, preventing user namespace creation/joining.
- LockPersonality = true; # Disables the `personality()` system call, preventing execution domain changes.
- MemoryDenyWriteExecute = true; # Prevents the service from mapping memory pages as both writable and executable (W^X).
- RestrictRealtime = true; # Prevents the service from using real-time scheduling policies.
- RestrictSUIDSGID = true; # Prevents the service from utilizing setuid/setgid functionality.
- };
-
- networking = {
- hostName = hostname;
- useDHCP = lib.mkDefault true;
- networkmanager.enable = true;
- networkmanager.wifi.backend = "iwd";
-
- # Configures a simple stateful firewall.
- # By default, it doesn't allow any incoming connections.
- firewall = {
- enable = true;
- allowedTCPPorts = [
- 22 # SSH
- 5353 # spotifyd
- ];
- allowedUDPPorts = [
- 5353 # spotifyd
- ];
- };
-
- interfaces.enp12s0.wakeOnLan.policy = [
- "phy"
- "unicast"
- "multicast"
- "broadcast"
- "arp"
- "magic"
- "secureon"
- ];
- interfaces.enp12s0.wakeOnLan.enable = true;
- };
- services.openssh = {
- enable = true;
- settings.PrintMotd = true;
- };
- services.tailscale = {
- enable = true;
- authKeyFile = config.sops.secrets.ts_auth_key.path;
- };
-}
diff --git a/configs/programs/spotifyd.nix b/configs/programs/spotifyd.nix
index ac96fc6..72ff532 100644
--- a/configs/programs/spotifyd.nix
+++ b/configs/programs/spotifyd.nix
@@ -10,4 +10,10 @@
 };
 };
 };
+ networking.firewall.allowedTCPPorts = [
+ 5353 # spotifyd
+ ];
+ networking.firewall.allowedUDPPorts = [
+ 5353 # spotifyd
+ ];
 }
diff --git a/hosts/common.nix b/hosts/common.nix
index f9f4484..1423679 100644
--- a/hosts/common.nix
+++ b/hosts/common.nix
@@ -1,10 +1,14 @@
-{ lib, type, ... }:
+{
+ lib,
+ hostname,
+ type,
+ ...
+}:
 {
 imports = [
 ../configs/security.nix
 ../configs/users.nix
- ../configs/networking.nix
 ../configs/shell.nix
 ../configs/programs/stylix.nix
 ]
@@ -12,8 +16,10 @@
 ../configs/graphical.nix
 ];
 nixosModules.enable = true;
+ nixosModules.hostname = hostname;
 hmModules.enable = true;
 nix-config.enable = true;
 boot-config.enable = true;
 hardware-config.usbAutoMount = true;
+ nw-config.backend = "networkmanager";
 }
diff --git a/hosts/nemesis.nix b/hosts/nemesis.nix
index a6bbc88..5753c2e 100644
--- a/hosts/nemesis.nix
+++ b/hosts/nemesis.nix
@@ -10,4 +10,6 @@
 hardware-config.gpu = "nvidia";
 gaming.steam.enable = true;
 fs-config.mountHeliosData = true;
+ nw-config.wol.enable = true;
+ nw-config.wol.interface = "enp12s0";
 }
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 136ca10..21b6df7 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -14,11 +14,18 @@ in
 ./nix-config.nix
 ./gaming.nix
 ./filesystems.nix
+ ./networking.nix
 ];
 options = {
 "${moduleName}" = {
 enable = lib.mkEnableOption "Enable ${moduleName}.";
+ hostname = lib.mkOption {
+ type = lib.types.str;
+ default = "";
+ example = "goron";
+ description = "The name this machine will be known by.";
+ };
 };
 };
diff --git a/modules/nixos/networking.nix b/modules/nixos/networking.nix
new file mode 100644
index 0000000..13edddd
--- /dev/null
+++ b/modules/nixos/networking.nix
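Review bot: The new `hostname` option in modules/nixos/default.nix is declared `lib.types.str` with `default = "";`, and modules/nixos/networking.nix forwards it unchanged into `networking.hostName`, so a host that never sets `nixosModules.hostname` evaluates cleanly with an empty hostname instead of failing. Removing the `default = "";` line turns an unset value into an evaluation error at the point of use, which is the safer failure mode for a value other configuration keys off. The same default-to-empty-string pattern recurs in modules/nixos/networking.nix for `backend` and `wol.interface`: `backend` could be `type = lib.types.enum [ "networkmanager" ];` so a typo cannot silently leave the host with no network manager, and `wol.interface` left at `""` with `wol.enable = true` appears to define an interface entry with an empty name, which either dropping the default or an `assertions` entry would catch. The surrounding module attribute set in default.nix (its `imports` list) begins outside this hunk.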
@@ -0,0 +1,70 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ moduleName = "nw-config";
+ cfg = config."${moduleName}";
+in
+{
+ options = {
+ "${moduleName}" = {
+ wol = {
+ enable = lib.mkEnableOption "Enable wake on lan.";
+ interface = lib.mkOption {
+ type = lib.types.str;
+ default = "";
+ example = "enp12s0";
+ description = "What interface to enable wake on lan for.";
+ };
+ };
+ backend = lib.mkOption {
+ type = lib.types.str;
+ default = "";
+ example = "networkmanager";
+ description = "What software to use to manage your networks.";
+ };
+ };
+ };
+
+ config = lib.mkMerge [
+ {
+ networking = {
+ hostName = config.nixosModules.hostname;
+ useDHCP = lib.mkDefault true;
+ firewall.enable = true;
+ };
+ }
+ {
+ services.openssh.enable = true;
+ networking.firewall.allowedTCPPorts = [ 22 ];
+ }
+ {
+ services.tailscale = {
+ enable = true;
+ authKeyFile = config.sops.secrets.ts_auth_key.path;
+ };
+ }
+ (lib.mkIf (cfg.backend == "networkmanager") {
+ networking = {
+ networkmanager.enable = true;
+ networkmanager.wifi.backend = "iwd";
+ };
+ })
+ (lib.mkIf cfg.wol.enable {
+ networking.interfaces."${cfg.wol.interface}".wakeOnLan = {
+ enable = true;
+ policy = [
+ "phy"
+ "unicast"
+ "multicast"
+ "broadcast"
+ "arp"
+ "magic"
+ "secureon"
+ ];
+ };
+ })
+ ];
+}
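Review bot: The `systemd.services.NetworkManager.serviceConfig` and `systemd.services.NetworkManager-dispatcher.serviceConfig` sandboxing (ProtectKernelTunables, ProtectKernelModules, SystemCallFilter, RestrictNamespaces, MemoryDenyWriteExecute and the rest) that the deleted configs/networking.nix applied has no counterpart anywhere in this new module, so although the subject line says "moved", both units come out of the refactor with looser sandboxing than before. `services.openssh.settings.PrintMotd = true` is dropped as well; that looks intentional but deserves a line in the commit message if it is. Since those units only matter when the NetworkManager backend is selected, the natural home is the existing `lib.mkIf (cfg.backend == "networkmanager")` entry, with one shared attribute set so the two services cannot drift apart again. The other mkMerge entries are unchanged in the sketch below.
```nix
  cfg = config."${moduleName}";
  # Sandboxing for the NetworkManager units, carried over from the deleted configs/networking.nix.
  nmHardening = {
    ProtectClock = true;
    ProtectKernelTunables = true;
    ProtectKernelModules = true;
    ProtectKernelLogs = true;
    SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap";
    ProtectControlGroups = true;
    RestrictNamespaces = true;
    LockPersonality = true;
    MemoryDenyWriteExecute = true;
    RestrictRealtime = true;
    RestrictSUIDSGID = true;
  };
in
# … unchanged: options, the hostName/openssh/tailscale mkMerge entries …
    (lib.mkIf (cfg.backend == "networkmanager") {
      # … unchanged: networking.networkmanager.enable / wifi.backend …
      # One shared set for both units so the refactor does not loosen either.
      systemd.services.NetworkManager.serviceConfig = nmHardening;
      systemd.services.NetworkManager-dispatcher.serviceConfig = nmHardening;
    })
# … unchanged: wake-on-lan entry …
```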