heimdall: Switch to sudo-rs

heimdall: Use systemd-networkd
2024-03-07 16:35:29 +01:00 · 2024-03-07 16:35:16 +01:00
1 changed files with 50 additions and 36 deletions
--- a/machines/heimdall/configuration.nix
+++ b/machines/heimdall/configuration.nix
@ -31,42 +31,49 @@
    hostName = "heimdall";
    domain = "datarift.nl";

-    nameservers = [ "8.8.8.8" ];
-    defaultGateway = "172.31.1.1";
-    defaultGateway6 = {
-      address = "fe80::1";
-      interface = "eth0";
-    };
-    dhcpcd.enable = false;
    usePredictableInterfaceNames = lib.mkForce false;
-    interfaces = {
-      eth0 = {
-        ipv4.addresses = [
+    useDHCP = false;
+    networkmanager.enable = false;
+    useNetworkd = true;
+    firewall.trustedInterfaces = [ "tailscale0" ];
+  };
+
+  systemd.network = {
+    enable = true;
+
+    networks = {
+      "40-eth0" = {
+        matchConfig = {
+          Name = "eth0";
+        };
+
+        networkConfig = {
+          Address = [
+            "159.69.211.175/32"
+            "2a01:4f8:1c1e:5fb2::1/64"
+            "fe80::9400:2ff:fe12:a2eb/64"
+          ];
+          DHCP = "no";
+          Gateway = [
+            "172.31.1.1"
+            "fe80::1"
+          ];
+        };
+
+        routes = [
          {
-            address = "159.69.211.175";
-            prefixLength = 32;
-          }
-        ];
-        ipv6.addresses = [
-          {
-            address = "2a01:4f8:1c1e:5fb2::1";
-            prefixLength = 64;
+            routeConfig = {
+              Destination = "172.31.1.1/32";
+              Scope = "link";
+              Protocol = "static";
+            };
          }
          {
-            address = "fe80::9400:2ff:fe12:a2eb";
-            prefixLength = 64;
-          }
-        ];
-        ipv4.routes = [
-          {
-            address = "172.31.1.1";
-            prefixLength = 32;
-          }
-        ];
-        ipv6.routes = [
-          {
-            address = "fe80::1";
-            prefixLength = 128;
+            routeConfig = {
+              Destination = "fe80::1/128";
+              Scope = "link";
+              Protocol = "static";
+            };
          }
        ];
      };
@ -134,11 +141,18 @@
    };
  };

-  security.apparmor = {
-    enable = true;
-    killUnconfinedConfinables = true;
+  security = {
+    sudo-rs = {
+      enable = true;
+    };
+    sudo.enable = false;
+
+    apparmor = {
+      enable = true;
+      killUnconfinedConfinables = true;
+    };
+    protectKernelImage = true;
  };
-  security.protectKernelImage = true;

  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets = {
Author	SHA1	Message	Date
Erwin Boskma	63d110acfe	heimdall: Switch to sudo-rs	2024-03-07 16:35:29 +01:00
Erwin Boskma	e279ac6b65	heimdall: Use systemd-networkd	2024-03-07 16:35:16 +01:00