feat(core): add nixos-nftables-firewall; and move some things from core/default.nix to more approriate locations

flake.nix

@@ -16,6 +16,12 @@
 
     impermanence.url = "github:nix-community/impermanence";
     nixos-hardware.url = "github:NixOS/nixos-hardware";
+
+    nixos-nftables-firewall = {
+      url = "github:thelegy/nixos-nftables-firewall";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 
     microvm = {

hosts/common/core/default.nix

@@ -4,17 +4,12 @@
   pkgs,
   config,
   nodeName,
-  nodeSecrets,
   ...
-}: let
+}: {
-  dummyConfig = pkgs.writeText "configuration.nix" ''
-    assert builtins.trace "This is a dummy config, use colmena!" false;
-    { }
-  '';
-in {
   imports = [
     ./inputrc.nix
     ./issue.nix
+    ./net.nix
     ./nix.nix
     ./resolved.nix
     ./ssh.nix
@@ -25,27 +20,31 @@ in {
   ];
 
   # Setup secret rekeying parameters
-  rekey.forceRekeyOnSystem = "x86_64-linux";
+  rekey = {
-  rekey.hostPubkey = let
+    inherit
+      (inputs.self.secrets)
+      masterIdentities
+      extraEncryptionPubkeys
+      ;
+
+    forceRekeyOnSystem = "x86_64-linux";
+    hostPubkey = let
       pubkeyPath = ../.. + "/${nodeName}/secrets/host.pub";
     in
       lib.mkIf (lib.pathExists pubkeyPath || lib.trace "Missing pubkey for ${nodeName}: ${toString pubkeyPath} not found, using dummy replacement key for now." false)
       pubkeyPath;
-  rekey.masterIdentities = inputs.self.secrets.masterIdentities;
+  };
-  rekey.extraEncryptionPubkeys = inputs.self.secrets.extraEncryptionPubkeys;
 
   boot = {
     kernelParams = ["log_buf_len=10M"];
     tmpOnTmpfs = true;
   };
-  environment.etc."nixos/configuration.nix".source = dummyConfig;
 
   # Disable sudo which is entierly unnecessary.
   security.sudo.enable = false;
 
   time.timeZone = lib.mkDefault "Europe/Berlin";
   i18n.defaultLocale = "C.UTF-8";
-
   console.keyMap = "de-latin1-nodeadkeys";
 
   hardware = {
@@ -53,48 +52,7 @@ in {
     enableAllFirmware = true;
   };
 
-  networking = {
-    hostName = lib.mkDefault nodeName;
-    # FIXME: would like to use mkForce false for useDHCP, but nixpkgs#215908 blocks that.
-    useDHCP = true;
-    useNetworkd = true;
-    wireguard.enable = true;
-    dhcpcd.enable = false;
-    nftables.enable = true;
-    firewall.enable = true;
-  };
-
-  # Rename known network interfaces
-  services.udev.packages = let
-    interfaceNamesUdevRules = pkgs.writeTextFile {
-      name = "interface-names-udev-rules";
-      text = lib.concatStringsSep "\n" (lib.mapAttrsToList (
-          interface: attrs: ''SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="${attrs.mac}", NAME:="${interface}"''
-        )
-        nodeSecrets.networking.interfaces);
-      destination = "/etc/udev/rules.d/01-interface-names.rules";
-    };
-  in [interfaceNamesUdevRules];
-
-  nix.nixPath = [
-    "nixos-config=${dummyConfig}"
-    "nixpkgs=/run/current-system/nixpkgs"
-  ];
-
-  system = {
-    extraSystemBuilderCmds = ''
-      ln -sv ${pkgs.path} $out/nixpkgs
-    '';
-
-    stateVersion = "23.05";
-  };
-
   systemd.enableUnifiedCgroupHierarchy = true;
-  systemd.network = {
-    enable = true;
-    wait-online.anyInterface = true;
-  };
-
   users.mutableUsers = false;
 
   home-manager = {

hosts/common/core/net.nix

@@ -0,0 +1,42 @@
+{
+  lib,
+  pkgs,
+  nodeName,
+  nodeSecrets,
+  ...
+}: let
+  inherit
+    (lib)
+    concatStringsSep
+    mapAttrsToList
+    mkDefault
+    mkForce
+    ;
+in {
+  networking = {
+    hostName = mkDefault nodeName;
+    useDHCP = mkForce false;
+    useNetworkd = true;
+    wireguard.enable = true;
+    dhcpcd.enable = false;
+    nftables.enable = true;
+    firewall.enable = true;
+  };
+
+  # Rename known network interfaces
+  services.udev.packages = let
+    interfaceNamesUdevRules = pkgs.writeTextFile {
+      name = "interface-names-udev-rules";
+      text = concatStringsSep "\n" (mapAttrsToList (
+          interface: attrs: ''SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="${attrs.mac}", NAME:="${interface}"''
+        )
+        nodeSecrets.networking.interfaces);
+      destination = "/etc/udev/rules.d/01-interface-names.rules";
+    };
+  in [interfaceNamesUdevRules];
+
+  systemd.network = {
+    enable = true;
+    wait-online.anyInterface = true;
+  };
+}

hosts/common/core/nix.nix

@@ -3,6 +3,11 @@
   pkgs,
   ...
 }: {
+  environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" ''
+    assert builtins.trace "This is a dummy config, use colmena!" false;
+    { }
+  '';
+
   nix = {
     settings = {
       auto-optimise-store = true;
@@ -30,6 +35,7 @@
       plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
       extra-builtins-file = ${../../../nix/extra-builtins.nix}
     '';
+    nixPath = ["nixpkgs=/run/current-system/nixpkgs"];
     optimise.automatic = true;
     gc.automatic = true;
     # Define global flakes for this system
@@ -40,4 +46,11 @@
       templates.flake = inputs.templates;
     };
   };
+
+  system = {
+    extraSystemBuilderCmds = ''
+      ln -sv ${pkgs.path} $out/nixpkgs
+    '';
+    stateVersion = "23.05";
+  };
 }

hosts/nom/net.nix

@@ -20,9 +20,4 @@
       dhcpV6Config.RouteMetric = 40;
     };
   };
-
-  extra.wireguard.vms = {
-    via = "ward";
-    addresses = ["10.0.0.10/32"];
-  };
 }

hosts/ward/net.nix

@@ -22,18 +22,13 @@
     };
   };
 
-  extra.wireguard.vms = {
+  #extra.wireguard.vms = {
-    server = {
+  #  server = {
-      enable = true;
+  #    enable = true;
-      host = "ward";
+  #    host = "192.168.1.231";
-      port = 51822;
+  #    port = 51822;
-      openFirewall = true;
+  #    openFirewall = true;
-      externalPeers = {
+  #  };
-        test1 = ["10.0.0.91/32"];
+  #  addresses = ["10.0.0.1/24"];
-        test2 = ["10.0.0.92/32"];
+  #};
-        test3 = ["10.0.0.93/32"];
-      };
-    };
-    addresses = ["10.0.0.1/24"];
-  };
 }

hosts/zackbiene/net.nix

@@ -17,17 +17,4 @@
       };
     };
   };
-
-  extra.wireguard.vms = {
-    server = {
-      enable = true;
-      host = "vms";
-      port = 51822;
-      openFirewall = true;
-      externalPeers = {
-        zack1 = ["10.0.0.90/32"];
-      };
-    };
-    addresses = ["10.0.0.2/24"];
-  };
 }

modules/wireguard.nix

@@ -102,9 +102,10 @@
               # The allowed ips of a server node are it's own addreses,
               # plus each external peer's addresses,
               # plus each client's addresses that is connected via that node.
-              AllowedIPs =
+              AllowedIPs = snCfg.addresses;
-                snCfg.addresses
+              # TODO this needed? or even wanted at all?
-                ++ attrValues snCfg.server.externalPeers; # TODO ++ map (n: (wgCfgOf n).addresses) snCfg.ourClientNodes;
+              # ++ attrValues snCfg.server.externalPeers;
+              # ++ map (n: (wgCfgOf n).addresses) snCfg.ourClientNodes;
               Endpoint = "${snCfg.server.host}:${toString snCfg.server.port}";
             };
           }) (filterSelf associatedServerNodes)

nix/generate-node.nix

@@ -4,6 +4,7 @@
   home-manager,
   #impermanence,
   nixos-hardware,
+  nixos-nftables-firewall,
   nixpkgs,
   microvm,
   agenix,
@@ -25,6 +26,7 @@ in
       secrets = self.secrets.content;
       nodeSecrets = self.secrets.content.nodes.${nodeName};
       nixos-hardware = nixos-hardware.nixosModules;
+      nixos-nftables-firewall = nixos-nftables-firewall.nixosModules;
       #impermanence = impermanence.nixosModules;
     };
     imports =