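# NixOS networking module for the "ceres" machine: hostname, NetworkManager,
# an nftables-backed firewall, safeguards for remote `nixos-rebuild switch`,
# and the mDNS (Avahi) and SSH services.
#
# Module arguments (standard NixOS module args plus the flake-specific `flake`):
#   lib   - nixpkgs library; only mkDefault / mkForce are used here
#   flake - this flake's own config tree; the module reads
#           flake.config.machines.devices.ceres and flake.config.services
{
  lib,
  flake,
  ...
}:
let
  inherit (flake.config.machines.devices) ceres;
  inherit (flake.config.services) instances;
  wireguardService = instances.wireGuard;
in
{
  networking = {
    hostName = ceres.name;
    networkmanager.enable = true;
    nftables.enable = true;
    useDHCP = lib.mkDefault true;

    firewall = {
      enable = true;
      # Every entry below is reachable from any peer that can route to this
      # host, so each one should name the listener it serves.
      allowedTCPPorts = [
        22 # SSH (services.openssh opens this itself via openFirewall, which defaults to true)
        25 # SMTP
        139 # NetBIOS session service (SMB) — previously mislabelled "SMTP"; confirm it is still needed
        587 # SMTP submission
        2525 # SMTP (common alternate submission port)
        9999 # NC — ad-hoc netcat listener; reads as a debugging hole, confirm it is still wanted
        # WireGuard transport is UDP only; this TCP entry is presumably a
        # leftover unless something else listens on the same port over TCP.
        wireguardService.ports.port0 # WireGuard
      ];
      allowedUDPPorts = [
        wireguardService.ports.port0 # WireGuard
        wireguardService.ports.port1 # WireGuard
      ];
    };
  };

  # Remote rebuild safeguards:
  # These settings prevent network services from restarting during nixos-rebuild,
  # which would otherwise drop SSH connections when done remotely.
  # The bridge configuration changes enp10s0, so we need to prevent systemd-networkd
  # and NetworkManager from restarting to maintain connectivity.

  # Prevent SSH connections from being killed during network reconfiguration
  systemd.services.sshd = {
    stopIfChanged = false;
    reloadIfChanged = true;
  };

  # Prevent systemd-networkd from restarting during switches to avoid dropping SSH
  systemd.services.systemd-networkd = {
    stopIfChanged = false;
    restartTriggers = lib.mkForce [ ];
  };

  # Prevent NetworkManager from restarting during config changes
  systemd.services.NetworkManager = {
    stopIfChanged = false;
    reloadIfChanged = true;
  };

  services = {
    avahi = {
      enable = true;
      openFirewall = true; # opens the mDNS port (UDP 5353)
      nssmdns4 = true;
      publish = {
        enable = true;
        userServices = true;
      };
    };

    # services.sshd.enable is only an alias of services.openssh.enable, so the
    # former duplicate `sshd.enable = true;` was dropped.
    openssh = {
      enable = true;
      settings = {
        # Key-only logins. PasswordAuthentication alone is not sufficient on
        # NixOS: keyboard-interactive (PAM) prompts stay enabled by default and
        # accept the same account passwords, so both must be switched off.
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
      };
    };
  };
}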