move to networkd

flake.nix

@@ -64,7 +64,7 @@
             specialArgs = inputs;
             modules = [
               # box-specific config
-              ./hosts/traffic-stop-box/${toString id}.nix
+              ./hosts/traffic-stop-box/${toString id}
 
               # default modules
               sops-nix.nixosModules.sops
@@ -141,7 +141,7 @@
           specialArgs = inputs;
           modules = [
             microvm.nixosModules.microvm
-            ./hosts/data-hoarder/configuration.nix
+            ./hosts/data-hoarder
           ] ++ data-hoarder-modules;
         };
 
@@ -149,7 +149,7 @@
           system = "x86_64-linux";
           specialArgs = inputs;
           modules = [
-            ./hosts/staging/configuration.nix
+            ./hosts/staging-data-hoarder
             microvm.nixosModules.microvm
           ] ++ data-hoarder-modules;
         };

hardware/dell-wyse-3040.nix

@@ -1,13 +1,23 @@
-{ config, lib, ... }:
+{ config, lib, dump-dvb, ... }:
 
 {
   # The global useDHCP flag is deprecated, therefore explicitly set to false here.
   # Per-interface useDHCP will be mandatory in the future, so this generated config
   # replicates the default behaviour.
-
+  imports = [
+    dump-dvb.nixosModules.disk-module
+  ];
   networking = {
-    interfaces.enp1s0.useDHCP = true;
-    useDHCP = true;
+    interfaces.enp1s0.useDHCP = lib.mkDefault true;
+    useDHCP = lib.mkDefault true;
+  };
+
+  networking.useNetworkd = true;
+  networking.wireguard.enable = true;
+
+  deployment-dvb.net.iface.uplink = {
+    name = lib.mkDefault "enp1s0";
+    useDHCP = lib.mkDefault true;
   };
 
   boot.tmpOnTmpfsSize = "25%";

hardware/rpi-3b-4b.nix

@@ -12,6 +12,11 @@
   networking.useDHCP = lib.mkDefault true;
   networking.interfaces.eth0.useDHCP = lib.mkDefault true;
 
+  deployment-dvb.net.iface.uplink = {
+    name = lib.mkDefault "eth0";
+    useDHCP = lib.mkDefault true;
+  };
+
   sdImage = lib.mkForce {
     populateFirmwareCommands =
       let

hosts/data-hoarder/configuration.nix

@@ -38,18 +38,21 @@
 
   # Set your time zone.
   time.timeZone = "Europe/Berlin";
-  networking.interfaces.eth0 = {
-    useDHCP = false;
-    ipv4.addresses = [
+
+  deployment-dvb.net.iface.uplink = {
+    name = "eth0";
+    addr4 = "172.20.73.69/25";
+    dns = [ "172.20.73.8" "9.9.9.9" ];
+    routes = [
       {
-        address = "172.20.73.69";
-        prefixLength = 25;
+        routeConfig = {
+          Gateway = "172.20.73.1";
+          Destination = "0.0.0.0/0";
+        };
       }
     ];
   };
 
-  networking.defaultGateway = "172.20.73.1";
-  networking.nameservers = [ "172.20.73.8" "9.9.9.9" ];
 
   sops.defaultSopsFile = self + /secrets/data-hoarder/secrets.yaml;
 

hosts/data-hoarder/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./configuration.nix
+    ./wireguard_server.nix
+  ];
+}

hosts/data-hoarder/wireguard_server.nix

@@ -7,71 +7,23 @@ in
 
   networking.firewall.allowedUDPPorts = [ port ];
 
-  networking.wg-quick.interfaces = {
-    wg-dvb = {
-      address = [ "10.13.37.1/32" ];
+    deployment-dvb.net.wg = {
+      ownEndpoint.host = "endpoint.dvb.solutions";
+      ownEndpoint.port = port;
+      addr4 = "10.13.37.1";
+      prefix4 = 24;
       privateKeyFile = config.sops.secrets.wg-seckey.path;
-      listenPort = port;
-      peers = [
+      publicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY=";
+      extraPeers = [
         {
           # Tassilo
           publicKey = "vgo3le9xrFsIbbDZsAhQZpIlX+TuWjfEyUcwkoqUl2Y=";
-          allowedIPs = [ "10.13.37.2/32" ];
-          persistentKeepalive = 25;
+          addr4 = "10.13.37.2";
         }
         {
           # oxa
           publicKey = "QbaQaGqudRXIh03IbBNATfBZfpMLmwihlwLs6W9+P1c=";
-          allowedIPs = [ "10.13.37.3/32" ];
-          persistentKeepalive = 25;
-        }
-        {
-          # data hoarder staging
-          publicKey = "48hc7DVnUh2DHYhrxrNtNzj05MRecJO52j2niPImvkU=";
-          allowedIPs = [ "10.13.37.5/32" ];
-          persistentKeepalive = 25;
-        }
-        {
-          # traffic-stop-box-0
-          publicKey = "qyStvzZdoqcjJJQckw4ZwvsQUa+8TBWtnsRxURqanno=";
-          allowedIPs = [ "10.13.37.100/32" ];
-          persistentKeepalive = 25;
-        }
-        {
-          # traffic-stop-box-1
-          publicKey = "dOPobdvfphx0EHmU7dd5ihslFzZi17XgRDQLMIUYa1w=";
-          allowedIPs = [ "10.13.37.101/32" ];
-          persistentKeepalive = 25;
-        }
-        {
-          # traffic-stop-box-2
-          publicKey = "4TUQCToGNhjsCgV9elYE/91Vd/RvMgvMXtF/1Dzlvxo=";
-          allowedIPs = [ "10.13.37.102/32" ];
-          persistentKeepalive = 25;
-        }
-        {
-          # traffic-stop-box-3
-          publicKey = "w3AT3EahW1sCK8ZsR7sDTcQj1McXYeWx7fnfQFA7i3o=";
-          allowedIPs = [ "10.13.37.103/32" ];
-          persistentKeepalive = 25;
-        }
-        {
-          # traffic-stop-box-4
-          publicKey = "B0wPH0jUxaatRncHMkgDEQ+DzvlbTBrVJY4etxqQgG8=";
-          allowedIPs = [ "10.13.37.104/32" ];
-          persistentKeepalive = 25;
-        }
-        {
-          # traffic-stop-box-5
-          publicKey = "bGMO3+BuMbNMnqgt+1lEKAwCVi3BrtpcZlVf9ULcmkw=";
-          allowedIPs = [ "10.13.37.105/32" ];
-          persistentKeepalive = 25;
-        }
-        {
-          # traffic-stop-box-6
-          publicKey = "NuLDNmxuHHzDXJSIOPSoihEhLWjARRtavuQvWirNR2I=";
-          allowedIPs = [ "10.13.37.106/32" ];
-          persistentKeepalive = 25;
+          addr4 = "10.13.37.3";
         }
         {
           # traffic-stop-box-7
@@ -82,10 +34,8 @@ in
         {
           # marenz
           publicKey = "XJddbPj6Zdtn4roi6UWGuR2EA81juMmlaUOuMSLi2FM=";
-          allowedIPs = [ "10.13.37.4/32" ];
-          persistentKeepalive = 25;
+          addr4 = "10.13.37.4";
         }
       ];
     };
-  };
 }

hosts/staging-data-hoarder/default.nix

@@ -40,39 +40,41 @@
       }];
   };
 
-  networking.hostName = "staging-data-hoarder"; # Define your hostname.
-  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+  networking.hostName = "staging-data-hoarder";
 
-  # Set your time zone.
   time.timeZone = "Europe/Berlin";
-  networking.interfaces.eth0 = {
-    useDHCP = false;
-    ipv4.addresses = [{
-      address = "172.20.73.64";
-      prefixLength = 25;
-    }];
-  };
 
-  networking.defaultGateway = "172.20.73.1";
-  networking.nameservers = [ "172.20.73.8" "9.9.9.9" ];
+  networking.useNetworkd = true;
+
 
   sops.defaultSopsFile = self + /secrets/data-hoarder-staging/secrets.yaml;
+  deployment-dvb.net = {
+    iface.uplink = {
+      name = "eth0";
+      useDHCP = false;
+      addr4 = "172.20.73.69/25";
+      dns = [ "172.20.73.8" "9.9.9.9" ];
+      routes = [
+        {
+          routeConfig = {
+            Gateway = "172.20.73.1";
+            Destination = "0.0.0.0/0";
+          };
+        }
+      ];
+    };
+
+    wg = {
+      addr4 = "10.13.37.5";
+      prefix4 = 24;
+      privateKeyFile = config.sops.secrets.wg-seckey.path;
+      publicKey = "48hc7DVnUh2DHYhrxrNtNzj05MRecJO52j2niPImvkU=";
+    };
 
-  networking.wg-quick.interfaces.wg-dvb = {
-    address = [ "10.13.37.5/32" ];
-    privateKeyFile = config.sops.secrets.wg-seckey.path;
-    postUp = '' ${pkgs.iputils}/bin/ping -c 10 10.13.37.1 || true '';
-    peers = [
-      {
-        publicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY=";
-        allowedIPs = [ "10.13.37.0/24" ];
-        endpoint = "academicstrokes.com:51820";
-        persistentKeepalive = 25;
-      }
-    ];
   };
 
   deployment-dvb.domain = "staging.dvb.solutions";
+
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave

hosts/traffic-stop-box/0.nix

@@ -1,5 +0,0 @@
-{ self, ... }: {
-  imports = [
-    "${self}/hardware/dell-wyse-3040.nix"
-  ];
-}

hosts/traffic-stop-box/0/default.nix

@@ -0,0 +1,7 @@
+{ self, ... }: {
+  imports = [
+    "${self}/hardware/dell-wyse-3040.nix"
+  ];
+
+  deployment-dvb.net.wg.publicKey = "qyStvzZdoqcjJJQckw4ZwvsQUa+8TBWtnsRxURqanno=";
+}

hosts/traffic-stop-box/1.nix

@@ -1,5 +0,0 @@
-{ self, ... }: {
-  imports = [
-    "${self}/hardware/dell-wyse-3040.nix"
-  ];
-}

hosts/traffic-stop-box/1/default.nix

@@ -0,0 +1,7 @@
+{ self, ... }: {
+  imports = [
+    "${self}/hardware/dell-wyse-3040.nix"
+  ];
+
+  deployment-dvb.net.wg.publicKey = "dOPobdvfphx0EHmU7dd5ihslFzZi17XgRDQLMIUYa1w=";
+}

hosts/traffic-stop-box/2.nix

@@ -1,5 +0,0 @@
-{ self, ... }: {
-  imports = [
-    "${self}/hardware/dell-wyse-3040.nix"
-  ];
-}

hosts/traffic-stop-box/2/default.nix

@@ -0,0 +1,7 @@
+{ self, ... }: {
+  imports = [
+    "${self}/hardware/dell-wyse-3040.nix"
+  ];
+
+  deployment-dvb.net.wg.publicKey = "4TUQCToGNhjsCgV9elYE/91Vd/RvMgvMXtF/1Dzlvxo=";
+}

hosts/traffic-stop-box/3.nix

@@ -1,5 +0,0 @@
-{ self, ... }: {
-  imports = [
-    "${self}/hardware/rpi-3b-4b.nix"
-  ];
-}

hosts/traffic-stop-box/3/default.nix

@@ -0,0 +1,7 @@
+{ self, ... }: {
+  imports = [
+    "${self}/hardware/rpi-3b-4b.nix"
+  ];
+
+  deployment-dvb.net.wg.publicKey = "w3AT3EahW1sCK8ZsR7sDTcQj1McXYeWx7fnfQFA7i3o=";
+}

hosts/traffic-stop-box/4.nix

@@ -1,21 +0,0 @@
-{ self, ... }: {
-  imports = [
-    "${self}/hardware/dell-wyse-3040.nix"
-  ];
-
-              networking = nixpkgs.lib.mkForce {
-                useDHCP = false;
-                defaultGateway = "141.30.30.129";
-                nameservers = [ "141.30.1.1" ];
-                interfaces.enp1s0 = {
-                  useDHCP = false;
-                  ipv4.addresses = [
-                    {
-                      address = "141.30.30.149";
-                      prefixLength = 25;
-                    }
-                  ];
-                };
-              };
-
-}

hosts/traffic-stop-box/4/default.nix

@@ -0,0 +1,28 @@
+{ self, lib, ... }:
+let eth = "enp1s0"; in
+{
+  imports = [
+    "${self}/hardware/dell-wyse-3040.nix"
+  ];
+
+  networking.useDHCP = false;
+  networking.interfaces."${eth}".useDHCP = false;
+
+  deployment-dvb.net.iface.uplink = {
+    name = eth;
+    useDHCP = false;
+    addr4 = "141.30.30.149/25";
+    dns = [ "141.30.1.1" "9.9.9.9" ];
+    routes = [
+      {
+      routeConfig = {
+        Gateway = "141.30.30.129";
+        Destination = "0.0.0.0/0";
+      };
+    }
+    ];
+  };
+
+  deployment-dvb.net.wg.publicKey = "B0wPH0jUxaatRncHMkgDEQ+DzvlbTBrVJY4etxqQgG8=";
+
+}

hosts/traffic-stop-box/6/default.nix

@@ -10,4 +10,6 @@
     "sk-ssh-ed25519@openssh.com aaaagnnrlxnzac1lzdi1nte5qg9wzw5zc2guy29taaaaili3ylty7fwvohtwx8511v+gbtlzzmuv505fi1pj53v6aaaabhnzado="
     "sk-ssh-ed25519@openssh.com aaaagnnrlxnzac1lzdi1nte5qg9wzw5zc2guy29taaaaipzbd00cbfpxzuc8eb6sljaafnf1hgs6vci1rzcncyocaaaabhnzado="
   ];
+
+  deployment-dvb.net.wg.publicKey = "NuLDNmxuHHzDXJSIOPSoihEhLWjARRtavuQvWirNR2I=";
 }

modules/data-hoarder/secrets.nix

@@ -19,7 +19,9 @@ in
   };
 
   sops.secrets = {
-    wg-seckey = { };
+    wg-seckey = {
+      owner = config.users.users.systemd-network.name;
+    };
     postgres_password_hash_salt = {
       owner = clicky-bunty-user;
     };

modules/dump-dvb/net.nix

@@ -1,4 +1,4 @@
-{ lib, config, ... }:
+{ lib, config, checks, utils, ... }:
 let
   cfg = config.deployment-dvb.net;
 in
@@ -6,16 +6,16 @@ in
     options.deployment-dvb.net = with lib; {
       iface.uplink = {
         name = mkOption {
-          type = types.str;
-          default = "";
+          type = types.nullOr types.str;
+          default = null;
         };
         useDHCP = mkOption {
           type = types.bool;
           default = true;
         };
         addr4 = mkOption {
-          type = types.str;
-          default = "";
+          type = types.nullOr types.str;
+          default = null;
           description = "address with prefix in CIDR notation";
         };
         routes =
@@ -23,7 +23,8 @@ in
           with utils.systemdUtils.lib;
           with lib;
           mkOption {
-            type = with types; listOf (submodule routeOptions);
+            #type = with types; listOf (submodule routeOptions);
+            type = types.listOf (types.attrsOf unitOption);
             default = [ ];
             description = "default gateway";
           };
@@ -34,27 +35,24 @@ in
         };
       };
 
-
       config = let
         upname = "30-${cfg.iface.uplink.name}";
         upconf = if cfg.iface.uplink.useDHCP == false then {
-          MatchConfig = { Name = "${cfg.iface.uplink.name}"; };
+          matchConfig = { Name = "${cfg.iface.uplink.name}"; };
           networkConfig = {
             DHCP = "no";
             Address = cfg.iface.uplink.addr4;
-            DNS = cfg.iface.uplink.DNS;
+            DNS = cfg.iface.uplink.dns;
           };
           routes = cfg.iface.uplink.routes;
         } else {
-          MatchConfig = { Name = "${cfg.iface.uplink.name}"; };
+          matchConfig = { Name = "${cfg.iface.uplink.name}"; };
           networkConfig = {
             DHCP = "yes";
           };
         };
-
       in
       {
-        networking.useSystemd = true;
-        systemd.networks.
+        systemd.network.networks."${upname}" = upconf;
       };
     }

modules/dump-dvb/wg.nix

@@ -1,41 +1,122 @@
-{ lib, config, ... }:
+{ lib, config, self, ... }:
 let
   cfg = config.deployment-dvb.net.wg;
-in
-  {
-    options.deployment-dvb.net.wg = {
-      _enable = mkOption {
-        type = types.bool;
-        default = true;
-      };
+in {
+    options.deployment-dvb.net.wg = with lib; {
+
       ownEndpoint.host = mkOption {
-        type = types.str;
-        default = "";
+        type = types.nullOr types.str;
+        default = null;
       };
       ownEndpoint.port = mkOption {
         type = types.port;
+        default = 51820;
       };
-      ownPubkey = mkOption {
+
+      publicKey = mkOption {
         type = types.str;
         default = "";
+        description = "own public key";
       };
       privateKeyFile = mkOption {
         type = types.either types.str types.path;
       };
       addr4 = mkOption {
-        type = types.str;
-        default = "";
-        description = "address with prefix in CIDR notation";
+        type = types.nullOr types.str;
+        default = null;
+      };
+
+      prefix4 = mkOption {
+        type = types.int;
+        default = 24;
+        description = "network prefix";
+      };
+
+      extraPeers = mkOption {
+        description = "extra peers that are not part of the deployment";
+        type = types.listOf (types.submodule {
+          options.addr4 = mkOption {
+            type = types.str;
+            description = "ip _without_ a network prefix";
+          };
+          options.publicKey = mkOption {
+            type = types.str;
+            description = "public key";
+          };
+        });
       };
     };
 
     config = let
-    in {
-      netoworking.useNetworkd = true;
+      # move out as options?
+      dvbwg-name = "wg-ddvb";
+      keepalive = 25;
 
-      systemd.network.netdev.wg-dvb = {
-        type = "wireguard";
-        
+      # helpers
+      peer-systems = (lib.filter (x: (x.config.deployment-dvb.net.wg.addr4 != cfg.addr4) && (!isNull x.config.deployment-dvb.net.wg.addr4))
+      (lib.attrValues self.nixosConfigurations));
+
+      endpoint =
+        let
+          ep = (lib.filter (x:
+          x.config.deployment-dvb.net.wg.addr4 != cfg.addr4
+          && (!isNull x.config.deployment-dvb.net.wg.ownEndpoint.host))
+          (lib.attrValues self.nixosConfigurations));
+        in
+        assert lib.assertMsg (lib.length ep == 1) "there should be exactly one endpoint"; ep;
+
+         peers = map (x: {
+          wireguardPeerConfig = {
+            PublicKey = x.config.deployment-dvb.net.wg.publicKey;
+            AllowedIPs = [ "${x.config.deployment-dvb.net.wg.addr4}/32" ];
+            PersistentKeepalive = keepalive;
+          };
+        }) peer-systems;
+
+        ep = [ {
+          wireguardPeerConfig =
+            let x = lib.elemAt endpoint 0; in {
+            PublicKey = x.config.deployment-dvb.net.wg.publicKey;
+            AllowedIPs = [ "${x.config.deployment-dvb.net.wg.addr4}/${toString cfg.prefix4}" ];
+            Endpoint = with x.config.deployment-dvb.net.wg.ownEndpoint; "${host}:${toString port}";
+            PersistentKeepalive = keepalive;
+          };
+        } ];
+
+      # stuff proper
+      dvbwg-netdev = {
+        Kind = "wireguard";
+        Name = dvbwg-name;
+        Description = "dump-dvb enterprise, highly available, biocomputing-neural-network maintained, converged network";
+      };
+
+      dvbwg-wireguard = {
+        PrivateKeyFile = cfg.privateKeyFile;
+      };
+
+      expeers = map (x: {
+        wireguardPeerConfig = {
+          PublicKey = x.publicKey;
+          AllowedIPs = [ "${x.addr4}/32" ];
+          PersistentKeepalive = keepalive;
+        };
+      }) cfg.extraPeers;
+
+      peerconf = if isNull cfg.ownEndpoint.host then ep else (peers ++ expeers);
+    in
+    lib.mkIf (!isNull cfg.addr4) {
+      networking.wireguard.enable = true;
+
+      systemd.network.netdevs."30-${dvbwg-name}" = {
+        netdevConfig = dvbwg-netdev;
+        wireguardConfig = dvbwg-wireguard;
+        wireguardPeers = peerconf;
+      };
+    systemd.network.networks."30-${dvbwg-name}" = {
+      matchConfig.Name = dvbwg-name;
+      networkConfig = {
+        Address = "${cfg.addr4}/${toString cfg.prefix4}";
       };
     };
-  }
+  };
+}

modules/traffic-stop-box/radio-config.nix

@@ -1,7 +1,7 @@
 { config, lib, self, ... }:
 let
 
-  file = "${self}/configs/config_${toString config.deployment-dvb.systemNumber}.json";
+  file = with config.deployment-dvb; "${self}/hosts/traffic-stop-box/${toString systemNumber}/config_${toString systemNumber}.json";
   receiver_configs = [
     { frequency = 170795000; offset = 19550; device = "hackrf=0"; RF = 14; IF = 8; BB = 42; } # dresden - barkhausen
     { frequency = 170795000; offset = 19400; device = "hackrf=0"; RF = 14; IF = 8; BB = 42; } # dresden - zentralwerk

modules/traffic-stop-box/secrets.nix

@@ -3,6 +3,5 @@
   sops.defaultSopsFile = self + /secrets/traffic-stop-box-${toString config.deployment-dvb.systemNumber}/secrets.yaml;
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 
-  sops.secrets.wg-seckey = { };
   sops.secrets.telegram-decoder-token.owner = config.users.users.telegram-decoder.name;
 }

modules/traffic-stop-box/wireguard-client.nix

@@ -1,19 +1,14 @@
-{ config, pkgs, ... }:
-
+{ config, pkgs, lib, ... }:
+# pubkey of the box goes to hosts/traffic-stop-box/${id}.nix!
 {
-  networking.wg-quick.interfaces.wg-dvb = {
-    address = [ "10.13.37.${toString (config.deployment-dvb.systemNumber + 100)}/32" ];
-    privateKeyFile = config.sops.secrets.wg-seckey.path;
-    postUp = ''
-      ${pkgs.iputils}/bin/ping -c 10 10.13.37.1 || true
-    '';
-
-    peers = [{
-      publicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY=";
-      allowedIPs = [ "10.13.37.0/24" ];
-      endpoint = "81.201.149.152:51820";
-      persistentKeepalive = 25;
-    }];
+  networking.useNetworkd = lib.mkForce true;
 
+  sops.secrets.wg-seckey = {
+      owner = config.users.users.systemd-network.name;
+  };
+  deployment-dvb.net.wg = {
+    addr4 = lib.mkDefault "10.13.37.${toString (config.deployment-dvb.systemNumber + 100)}";
+    prefix4 = 24;
+    privateKeyFile = lib.mkDefault config.sops.secrets.wg-seckey.path;
   };
 }