dotfiles/systems/ceres/config/networking.nix

{
  lib,
  flake,
  ...
}:
let
  inherit (flake.config.machines.devices) ceres;
  inherit (flake.config.services) instances;
  wireguardService = instances.wireGuard;
in
{
  # Enable microVM host
  microvm.host.enable = true;

  # # systemd-networkd for bridge management
  # # NOTE: Not needed for macvtap - only enable if using TAP interfaces
  # # TAP requires a bridge on the host, macvtap connects directly to physical interface
  # systemd.network.enable = true;

  # # Bridge configuration for microVMs (only needed for TAP interfaces)
  # systemd.network.netdevs."10-br-vms" = {
  #   netdevConfig = {
  #     Name = "br-vms";
  #     Kind = "bridge";
  #   };
  # };

  # # Attach physical interface and tap interfaces to bridge
  # systemd.network.networks."20-lan" = {
  #   matchConfig.Name = [
  #     "enp10s0"
  #     "vm-*"
  #   ];
  #   networkConfig = {
  #     Bridge = "br-vms";
  #   };
  # };

  # # Bridge gets the host IP
  # systemd.network.networks."30-br-vms" = {
  #   matchConfig.Name = "br-vms";
  #   networkConfig = {
  #     Address = "192.168.50.240/24";
  #     Gateway = "192.168.50.1";
  #     DNS = [ "192.168.50.1" ];
  #   };
  #   linkConfig.RequiredForOnline = "routable";
  # };

  networking = {
    hostName = ceres.name;
    # NetworkManager disabled - using declarative networking
    networkmanager.enable = false;
    nftables.enable = true;
    useDHCP = false;

    # Declarative interface configuration for the host
    interfaces.enp10s0 = {
      useDHCP = false;
      ipv4.addresses = [
        {
          address = "192.168.50.240";
          prefixLength = 24;
        }
      ];
    };
    defaultGateway = "192.168.50.1";
    nameservers = [ "192.168.50.1" ];

    firewall = {
      enable = true;
      allowedTCPPorts = [
        22 # SSH
        25 # SMTP
        139 # SMTP
        587 # SMTP
        2525 # SMTP
        9999 # NC
        wireguardService.ports.port0 # WireGuard
      ];
      allowedUDPPorts = [
        wireguardService.ports.port0 # WireGuard
        wireguardService.ports.port1 # WireGuard
      ];
    };
  };

  services = {
    avahi = {
      enable = true;
      openFirewall = true;
      nssmdns4 = true;
      publish = {
        enable = true;
        userServices = true;
      };
    };
    sshd.enable = true;
    openssh = {
      enable = true;
      settings.PasswordAuthentication = false;
    };
  };
}
chore: init 2025-10-01 19:51:55 -05:00			`{`
			`lib,`
			`flake,`
			`...`
			`}:`
			`let`
			`inherit (flake.config.machines.devices) ceres;`
chore: moved wireguard config 2025-11-06 16:35:10 -06:00			`inherit (flake.config.services) instances;`
			`wireguardService = instances.wireGuard;`
chore: init 2025-10-01 19:51:55 -05:00			`in`
			`{`
test: vaultwarden microVM 2025-11-07 23:54:02 -06:00			`# Enable microVM host`
			`microvm.host.enable = true;`

test: vaultwarden microVM 2025-11-08 00:25:44 -06:00			`# # systemd-networkd for bridge management`
test: vaultwarden microVM 2025-11-08 00:57:17 -06:00			`# # NOTE: Not needed for macvtap - only enable if using TAP interfaces`
			`# # TAP requires a bridge on the host, macvtap connects directly to physical interface`
test: vaultwarden microVM 2025-11-08 00:25:44 -06:00			`# systemd.network.enable = true;`
test: vaultwarden microVM 2025-11-07 23:54:02 -06:00
test: vaultwarden microVM 2025-11-08 00:57:17 -06:00			`# # Bridge configuration for microVMs (only needed for TAP interfaces)`
test: vaultwarden microVM 2025-11-08 00:25:44 -06:00			`# systemd.network.netdevs."10-br-vms" = {`
			`# netdevConfig = {`
			`# Name = "br-vms";`
			`# Kind = "bridge";`
			`# };`
			`# };`
test: vaultwarden microVM 2025-11-07 23:54:02 -06:00
test: vaultwarden microVM 2025-11-08 00:25:44 -06:00			`# # Attach physical interface and tap interfaces to bridge`
			`# systemd.network.networks."20-lan" = {`
			`# matchConfig.Name = [`
			`# "enp10s0"`
			`# "vm-*"`
			`# ];`
			`# networkConfig = {`
			`# Bridge = "br-vms";`
			`# };`
			`# };`
test: vaultwarden microVM 2025-11-07 23:54:02 -06:00
test: vaultwarden microVM 2025-11-08 00:25:44 -06:00			`# # Bridge gets the host IP`
			`# systemd.network.networks."30-br-vms" = {`
			`# matchConfig.Name = "br-vms";`
			`# networkConfig = {`
			`# Address = "192.168.50.240/24";`
			`# Gateway = "192.168.50.1";`
			`# DNS = [ "192.168.50.1" ];`
			`# };`
			`# linkConfig.RequiredForOnline = "routable";`
			`# };`
test: vaultwarden microVM 2025-11-07 23:54:02 -06:00
chore: init 2025-10-01 19:51:55 -05:00			`networking = {`
			`hostName = ceres.name;`
test: vaultwarden microVM 2025-11-08 00:57:17 -06:00			`# NetworkManager disabled - using declarative networking`
fix: unfucked the network 2025-11-06 18:20:03 -06:00			`networkmanager.enable = false;`
chore: init 2025-10-01 19:51:55 -05:00			`nftables.enable = true;`
test: vaultwarden microVM 2025-11-08 00:57:17 -06:00			`useDHCP = false;`

			`# Declarative interface configuration for the host`
			`interfaces.enp10s0 = {`
			`useDHCP = false;`
			`ipv4.addresses = [`
			`{`
			`address = "192.168.50.240";`
			`prefixLength = 24;`
			`}`
			`];`
			`};`
			`defaultGateway = "192.168.50.1";`
			`nameservers = [ "192.168.50.1" ];`

chore: init 2025-10-01 19:51:55 -05:00			`firewall = {`
			`enable = true;`
			`allowedTCPPorts = [`
			`22 # SSH`
			`25 # SMTP`
			`139 # SMTP`
			`587 # SMTP`
			`2525 # SMTP`
feat: opened a port for nc 2025-11-03 02:39:55 -06:00			`9999 # NC`
chore: moved wireguard config 2025-11-06 16:35:10 -06:00			`wireguardService.ports.port0 # WireGuard`
			`];`
			`allowedUDPPorts = [`
			`wireguardService.ports.port0 # WireGuard`
			`wireguardService.ports.port1 # WireGuard`
chore: init 2025-10-01 19:51:55 -05:00			`];`
			`};`
			`};`
chore: moved wireguard config 2025-11-06 17:47:14 -06:00
chore: init 2025-10-01 19:51:55 -05:00			`services = {`
			`avahi = {`
			`enable = true;`
			`openFirewall = true;`
			`nssmdns4 = true;`
			`publish = {`
			`enable = true;`
			`userServices = true;`
			`};`
			`};`
			`sshd.enable = true;`
			`openssh = {`
			`enable = true;`
			`settings.PasswordAuthentication = false;`
			`};`
			`};`
			`}`