mirror of
https://gitlab.com/upRootNutrition/dotfiles.git
synced 2025-12-07 21:42:16 -06:00
104 lines
2.4 KiB
Nix
Executable file
104 lines
2.4 KiB
Nix
Executable file
{
|
|
lib,
|
|
flake,
|
|
...
|
|
}:
|
|
let
|
|
inherit (flake.config.machines.devices) ceres;
|
|
inherit (flake.config.services) instances;
|
|
wireguardService = instances.wireGuard;
|
|
in
|
|
{
|
|
# Enable microVM host
|
|
microvm.host.enable = true;
|
|
|
|
# # systemd-networkd for bridge management
|
|
# # NOTE: Not needed for macvtap - only enable if using TAP interfaces
|
|
# # TAP requires a bridge on the host, macvtap connects directly to physical interface
|
|
# systemd.network.enable = true;
|
|
|
|
# # Bridge configuration for microVMs (only needed for TAP interfaces)
|
|
# systemd.network.netdevs."10-br-vms" = {
|
|
# netdevConfig = {
|
|
# Name = "br-vms";
|
|
# Kind = "bridge";
|
|
# };
|
|
# };
|
|
|
|
# # Attach physical interface and tap interfaces to bridge
|
|
# systemd.network.networks."20-lan" = {
|
|
# matchConfig.Name = [
|
|
# "enp10s0"
|
|
# "vm-*"
|
|
# ];
|
|
# networkConfig = {
|
|
# Bridge = "br-vms";
|
|
# };
|
|
# };
|
|
|
|
# # Bridge gets the host IP
|
|
# systemd.network.networks."30-br-vms" = {
|
|
# matchConfig.Name = "br-vms";
|
|
# networkConfig = {
|
|
# Address = "192.168.50.240/24";
|
|
# Gateway = "192.168.50.1";
|
|
# DNS = [ "192.168.50.1" ];
|
|
# };
|
|
# linkConfig.RequiredForOnline = "routable";
|
|
# };
|
|
|
|
networking = {
|
|
hostName = ceres.name;
|
|
# NetworkManager disabled - using declarative networking
|
|
networkmanager.enable = false;
|
|
nftables.enable = true;
|
|
useDHCP = false;
|
|
|
|
# Declarative interface configuration for the host
|
|
interfaces.enp10s0 = {
|
|
useDHCP = false;
|
|
ipv4.addresses = [
|
|
{
|
|
address = "192.168.50.240";
|
|
prefixLength = 24;
|
|
}
|
|
];
|
|
};
|
|
defaultGateway = "192.168.50.1";
|
|
nameservers = [ "192.168.50.1" ];
|
|
|
|
firewall = {
|
|
enable = true;
|
|
allowedTCPPorts = [
|
|
22 # SSH
|
|
25 # SMTP
|
|
139 # SMTP
|
|
587 # SMTP
|
|
2525 # SMTP
|
|
9999 # NC
|
|
wireguardService.ports.port0 # WireGuard
|
|
];
|
|
allowedUDPPorts = [
|
|
wireguardService.ports.port0 # WireGuard
|
|
wireguardService.ports.port1 # WireGuard
|
|
];
|
|
};
|
|
};
|
|
|
|
services = {
|
|
avahi = {
|
|
enable = true;
|
|
openFirewall = true;
|
|
nssmdns4 = true;
|
|
publish = {
|
|
enable = true;
|
|
userServices = true;
|
|
};
|
|
};
|
|
sshd.enable = true;
|
|
openssh = {
|
|
enable = true;
|
|
settings.PasswordAuthentication = false;
|
|
};
|
|
};
|
|
}
|