authorMel <mel@rnrd.eu>2026-04-24 23:35:19 +0200
committerMel <mel@rnrd.eu>2026-04-24 23:35:19 +0200
commit56c22cf8ae9de73bbc1c37ce0b1635ae7af9be64 (patch)
tree3ba1ca13dcf1ed9c0013f6bffddaee9392991b16
parent127d8ff2c2e77a0cbfc7a2a3c962ef23b5ab7261 (diff)
downloadnetwork-56c22cf8ae9de73bbc1c37ce0b1635ae7af9be64.tar.zst
network-56c22cf8ae9de73bbc1c37ce0b1635ae7af9be64.zip
Migrate fully to systemd-networkd and nftables
Signed-off-by: Mel <mel@rnrd.eu>
-rw-r--r--machines/corsac/devices.nix3
-rw-r--r--machines/corsac/hardware.nix7
-rw-r--r--machines/fourmi/devices.nix24
-rw-r--r--machines/fourmi/hardware.nix7
-rw-r--r--machines/lapin/devices.nix41
-rw-r--r--machines/lapin/hardware.nix7
-rw-r--r--machines/renard/devices.nix3
-rw-r--r--machines/renard/hardware.nix7
-rw-r--r--machines/taupe/devices.nix9
-rw-r--r--machines/taupe/hardware.nix7
-rw-r--r--machines/taureau/devices.nix9
-rw-r--r--machines/taureau/hardware.nix7
-rw-r--r--machines/truite/devices.nix20
-rw-r--r--modules/common.nix19
-rw-r--r--modules/foundation/services/default.nix4
-rw-r--r--modules/foundation/services/networks.nix25
-rw-r--r--modules/tunnel/ingress.nix15
17 files changed, 65 insertions, 149 deletions
diff --git a/machines/corsac/devices.nix b/machines/corsac/devices.nix
index a2215fd..971983b 100644
--- a/machines/corsac/devices.nix
+++ b/machines/corsac/devices.nix
@@ -11,9 +11,6 @@
     initrd.systemd.enable = true;
   };
 
-  networking.useDHCP = false;
-
-  systemd.network.enable = true;
   systemd.network.networks."20-wired" = {
     name = "enp1s0";
     DHCP = "yes";
diff --git a/machines/corsac/hardware.nix b/machines/corsac/hardware.nix
index 8ac85c4..bbb4b30 100644
--- a/machines/corsac/hardware.nix
+++ b/machines/corsac/hardware.nix
@@ -28,12 +28,5 @@
     [ { device = "/dev/disk/by-uuid/ce3c3e2c-1f16-4e37-90f3-9ccfc81ee4c8"; }
     ];
 
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
-
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
diff --git a/machines/fourmi/devices.nix b/machines/fourmi/devices.nix
index c8d2e72..56d243f 100644
--- a/machines/fourmi/devices.nix
+++ b/machines/fourmi/devices.nix
@@ -51,18 +51,28 @@
   };
 
   networking = {
-    # todo: configure properly
     firewall.enable = lib.mkForce false;
-
-    useDHCP = true;
     wireless = {
       enable = true;
       interfaces = [ "wlan0" ];
       secretsFile = config.age.secrets.wireless-secrets.path;
-      networks = {
-        # yea this is my home network :3
-        # (my boyfriends brother picked the name)
-        "Das asoziale Netzwerk".pskRaw = "ext:psk_home";
+      networks."Das asoziale Netzwerk".pskRaw = "ext:psk_home";
+    };
+  };
+
+  systemd.network = {
+    networks = {
+      "10-wired" = {
+        name = "end0";
+        DHCP = "yes";
+        dhcpV4Config.RouteMetric = 100;
+        networkConfig.RequiredForOnline = "no";
+      };
+      "20-wireless" = {
+        name = "wlan0";
+        DHCP = "yes";
+        dhcpV4Config.RouteMetric = 600;
+        networkConfig.RequiredForOnline = "no";
       };
     };
   };
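Review bot: `firewall.enable = lib.mkForce false;` survives the migration while the `# todo: configure properly` reminder above it is dropped, so this host now carries the fleet-wide nftables setup from modules/common.nix with no host firewall at all and nothing in the file says whether that is still a known gap. With two DHCP-managed interfaces added below, I would keep the reminder next to the override rather than lose it, e.g. `# todo: configure properly (host firewall is still force-disabled)`. The `networking` and `systemd.network` sets are complete within the hunk; the file continues after it.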
diff --git a/machines/fourmi/hardware.nix b/machines/fourmi/hardware.nix
index 1738e23..3395bdf 100644
--- a/machines/fourmi/hardware.nix
+++ b/machines/fourmi/hardware.nix
@@ -20,12 +20,5 @@
 
   swapDevices = [ ];
 
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.end0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
 
 }
diff --git a/machines/lapin/devices.nix b/machines/lapin/devices.nix
index 450baf3..239242a 100644
--- a/machines/lapin/devices.nix
+++ b/machines/lapin/devices.nix
@@ -15,18 +15,7 @@
     memoryPercent = 50;
   };
 
-  networking = {
-    # Network configuration is managed with networkd.
-    useDHCP = false;
-    nameservers = [
-      "1.1.1.1" "1.0.0.1"
-      "2606:4700:4700::1111" "2606:4700:4700::1001"
-    ];
-  };
-
-  # Static IPv6 network configuration
-  # + soliciting of IPv4 via DHCP.
-  systemd.network.enable = true;
+  # static ipv6 + dhcp ipv4
   systemd.network.networks."10-wan" = {
     name = "enp1s0";
     DHCP = "ipv4";
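Review bot: Removing the `networking.nameservers` block here drops the two IPv6 resolvers (`2606:4700:4700::1111`, `2606:4700:4700::1001`); the shared replacement in modules/common.nix lists only `1.1.1.1` and `1.0.0.1`, so on a host whose new comment reads `# static ipv6 + dhcp ipv4` name resolution is now pinned to IPv4 transport. machines/taupe/devices.nix loses the identical list in this commit. If the narrowing is intended, say so in the new comment, e.g. `# static ipv6 + dhcp ipv4 (resolvers come from common.nix and are v4-only)`; otherwise add the v6 resolvers to the shared list. The `systemd.network.networks."10-wan"` set continues past the hunk.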
@@ -35,32 +24,24 @@
   };
 
   services.resolved = {
-    # LLMNR and MulticastDNS both give DNS timeouts.
-    # MDNS specifically for some reason gives Docker bridge interfaces it's scope,
-    # which means every DNS request waits for an answer... from every interface... 
+    # llmnr and multicastdns both give dns timeouts.
+    # mdns specifically for some reason gives docker bridge interfaces it's scope,
+    # which means every dns request waits for an answer... from every interface...
     llmnr = "false";
     extraConfig = "MulticastDNS=no";
-    dnssec = "false"; # DNSSEC breaks IPv6, for some reason :(
-  };
-  
-  virtualisation.docker.daemon.settings = {
-    "experimental" = true;
-    "ipv6" = true;
-    "ip6tables" = true;
-    "fixed-cidr-v6" = "fc00:d0c:b1b1::/48";
-    "bip" = "172.17.0.1/24";
-    "default-address-pools" = [
-      { base = "172.17.0.0/16"; size = 24; }
-      { base = "fc00:d0c::/32"; size = 48; }
-    ];
+    dnssec = "false"; # dnssec breaks ipv6, for some reason :(
   };
 
+
   fileSystems = {
-    # Mount the large-ish service state folder to a regrowable volume. :)
+    # mount the large-ish service state folder to a regrowable volume. :)
     "/srv" = {
       device = "/dev/disk/by-id/scsi-0HC_Volume_101611810";
       fsType = "ext4";
-      options = [ "defaults" "discard" ];
+      options = [
+        "defaults"
+        "discard"
+      ];
     };
   };
 }
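Review bot: The added empty line after the `services.resolved` block leaves two consecutive blank lines before `fileSystems`, the only double blank in the touched files; the rest of the hunk is comment-case changes and a reflow of `options`. I would drop the extra line so spacing matches the single blank used elsewhere in the file.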
diff --git a/machines/lapin/hardware.nix b/machines/lapin/hardware.nix
index cc32191..4d07099 100644
--- a/machines/lapin/hardware.nix
+++ b/machines/lapin/hardware.nix
@@ -25,11 +25,4 @@
 
   swapDevices = [ ];
 
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
-
 }
diff --git a/machines/renard/devices.nix b/machines/renard/devices.nix
index aa8d7b9..d952488 100644
--- a/machines/renard/devices.nix
+++ b/machines/renard/devices.nix
@@ -18,9 +18,6 @@
     memoryPercent = 50;
   };
 
-  networking.useDHCP = false;
-
-  systemd.network.enable = true;
   systemd.network.networks."10-wan" = {
     name = "ens18";
     DHCP = "ipv4";
diff --git a/machines/renard/hardware.nix b/machines/renard/hardware.nix
index d79dee9..f7d1d6b 100644
--- a/machines/renard/hardware.nix
+++ b/machines/renard/hardware.nix
@@ -20,11 +20,4 @@
 
   swapDevices = [ ];
 
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
-
 }
diff --git a/machines/taupe/devices.nix b/machines/taupe/devices.nix
index a07f794..22587a9 100644
--- a/machines/taupe/devices.nix
+++ b/machines/taupe/devices.nix
@@ -12,16 +12,7 @@
     memoryPercent = 50;
   };
 
-  networking = {
-    useDHCP = false;
-    nameservers = [
-      "1.1.1.1" "1.0.0.1"
-      "2606:4700:4700::1111" "2606:4700:4700::1001"
-    ];
-  };
-
   # static ipv6 + dhcp ipv4
-  systemd.network.enable = true;
   systemd.network.networks."10-wan" = {
     name = "enp1s0";
     DHCP = "ipv4";
diff --git a/machines/taupe/hardware.nix b/machines/taupe/hardware.nix
index 810fafd..2fb0cf3 100644
--- a/machines/taupe/hardware.nix
+++ b/machines/taupe/hardware.nix
@@ -26,11 +26,4 @@
 
   swapDevices = [ ];
 
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
-
 }
diff --git a/machines/taureau/devices.nix b/machines/taureau/devices.nix
index 856dcf1..012b0ce 100644
--- a/machines/taureau/devices.nix
+++ b/machines/taureau/devices.nix
@@ -10,15 +10,6 @@
     kernelModules = [ ];
   };
 
-  networking = {
-    nameservers = [
-      "1.1.1.1" "1.0.0.1"
-    ];
-    # networkd handles our network
-    useDHCP = false;
-  };
-
-  systemd.network.enable = true;
   systemd.network.networks."10-wan" = {
     name = "enp6s16";
     # ipv4 gets it's config through dhcp just fine!
diff --git a/machines/taureau/hardware.nix b/machines/taureau/hardware.nix
index 3c30146..7fbaf1d 100644
--- a/machines/taureau/hardware.nix
+++ b/machines/taureau/hardware.nix
@@ -18,12 +18,5 @@
 
   swapDevices = [ ];
 
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp6s16.useDHCP = lib.mkDefault true;
-
   virtualisation.hypervGuest.enable = true;
 }
diff --git a/machines/truite/devices.nix b/machines/truite/devices.nix
index bc432c1..cdc3982 100644
--- a/machines/truite/devices.nix
+++ b/machines/truite/devices.nix
@@ -17,21 +17,13 @@
     memoryPercent = 50;
   };
 
-  networking = {
-    nameservers = [ "1.1.1.1" "1.0.0.1" ];
-    useDHCP = false;
-  };
-
-  systemd.network = {
-    enable = true;
-    networks."10-wan" = {
-      name = "ens18";
+  systemd.network.networks."10-wan" = {
+    name = "ens18";
 
-      address = [ "194.87.197.92/23" "2a00:b700:5::3:1cb/118" ];
-      gateway = [ "194.87.196.1" ];
-      routes = [ { Gateway = "2a00:b700:5::1"; GatewayOnLink = true; } ];
-      DHCP = "no";
-    };
+    address = [ "194.87.197.92/23" "2a00:b700:5::3:1cb/118" ];
+    gateway = [ "194.87.196.1" ];
+    routes = [ { Gateway = "2a00:b700:5::1"; GatewayOnLink = true; } ];
+    DHCP = "no";
   };
 }
 
diff --git a/modules/common.nix b/modules/common.nix
index c363201..9ad59aa 100644
--- a/modules/common.nix
+++ b/modules/common.nix
@@ -28,6 +28,14 @@
 
   networking = {
     hostName = me.name;
+    useDHCP = false;
+    dhcpcd.enable = false;
+    nameservers = [ "1.1.1.1" "1.0.0.1" ];
+
+    nftables = {
+      enable = true;
+      flushRuleset = false;
+    };
 
     firewall = {
       enable = true;
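Review bot: `flushRuleset = false;` is the one nftables knob in this hunk whose reason is not obvious, and it has no comment: with docker switched to `firewall-backend = nftables` in modules/foundation/services/networks.nix, the daemon's own tables have to survive a firewall reload, which is what leaving the ruleset unflushed buys. I believe false is also the module's default — worth confirming, in which case the line is documentation only and deserves to read like it. A short comment keeps the next reader from "fixing" it, e.g. `flushRuleset = false; # keep tables not managed by NixOS (docker's) across reloads`. The `networking` set continues past the hunk.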
@@ -35,6 +43,15 @@
     };
   };
 
+  systemd.network = {
+    enable = true;
+    wait-online.anyInterface = true;
+  };
+
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = lib.mkDefault 1;
+  };
+
   services.envfs.enable = true;
 
   virtualisation = {
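Review bot: `"net.ipv4.ip_forward" = lib.mkDefault 1` now turns on IPv4 forwarding on every host in the fleet, whereas before this commit it was set only in modules/tunnel/ingress.nix, the module that also installs the forward chain with `policy drop`; docker hosts separately get forwarding from the `ip-forward = true` daemon key added in networks.nix. A machine with neither module would forward packets between its interfaces subject only to whatever forward chain the NixOS firewall installs, so I would keep the sysctl scoped to the modules that need it (move the three lines back to ingress.nix together with its `# allow ipv4 forwarding` comment) or at least state the intent here: `# forwarding is needed by the tunnel and docker modules; mkDefault lets a host turn it off`. The file continues on both sides of the hunk.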
@@ -86,7 +103,7 @@
     gnupg pinentry-curses age agenix
     inetutils pciutils lshw inxi iw dmidecode
     tcpdump
-    iptables nftables wireguard-tools
+    nftables wireguard-tools
     ffmpeg_7-headless
 
     ripgrep gnumake gdb gcc clang dtc
diff --git a/modules/foundation/services/default.nix b/modules/foundation/services/default.nix
index 8136ce0..4c01bd7 100644
--- a/modules/foundation/services/default.nix
+++ b/modules/foundation/services/default.nix
@@ -13,8 +13,8 @@
     driver = "bridge";
     ipv6 = {
       enable = true;
-      subnet = "2001:d0c:1::/48";
-      gateway = "2001:d0c:1::1";
+      subnet = "fc00:d0c:1::/48";
+      gateway = "fc00:d0c:1::1";
     };
   };
 }
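Review bot: Moving the bridge off `2001:d0c:1::/48` is the right call (2001::/16 is globally routed space that does not belong to this network), but `fc00:d0c:1::/48` lands in the fc00::/8 half of the ULA range, which RFC 4193 reserves for centrally assigned prefixes; locally generated ULAs are `fd00::/8` with a pseudo-random 40-bit global ID. The examples and the `defaultIPv6SubnetPrefix` default in modules/foundation/services/networks.nix use the same `fc00:d0c` prefix in this commit. If the memorable prefix is kept on purpose, a one-line comment on `subnet`, e.g. `# fc00::/8 is not the locally-assigned ULA half (RFC 4193: fd00::/8); kept for readability`, would stop it being flagged again.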
diff --git a/modules/foundation/services/networks.nix b/modules/foundation/services/networks.nix
index 7205ec1..b5f1732 100644
--- a/modules/foundation/services/networks.nix
+++ b/modules/foundation/services/networks.nix
@@ -81,7 +81,7 @@ in
                       Don't set to get a random subnet assigned to you within
                       the subnet defined in `defaultIPv6SubnetPrefix`.
                     '';
-                    example = "2001:d0c:123::/64";
+                    example = "fc00:d0c:123::/64";
                     default = null;
                   };
 
@@ -91,7 +91,7 @@ in
                       IPv6 gateway for this network.
                       Should match the subnet.
                     '';
-                    example = "2001:d0c:123::1";
+                    example = "fc00:d0c:123::1";
                     default = null;
                   };
                 };
@@ -157,7 +157,7 @@ in
           a set subnet.
           Prefix length defined by `defaultIPv6SubnetLength`.
         '';
-        default = "2001:d0c";
+        default = "fc00:d0c";
       };
 
       defaultIPv6SubnetLength = mkOption {
@@ -190,6 +190,8 @@ in
       experimental = true;
       ipv6 = true;
       ip6tables = true;
+      "ip-forward" = true;
+      "firewall-backend" = "nftables";
       fixed-cidr-v6 = "${cfg.defaultIPv6SubnetPrefix}:255::/${toString cfg.defaultIPv6SubnetLength}";
     };
 
@@ -200,24 +202,7 @@ in
     };
 
     networking.firewall = {
-      # both options should work together to let all packets coming from
-      # docker bridges through.
       trustedInterfaces = [ "br-*" ];
-      extraCommands = ''
-        # allow inbound packets
-        ip6tables -A nixos-fw -i br-+ -j nixos-fw-accept 2>/dev/null || true
-
-        # allow outbound to the docker bridge
-        ip6tables -A nixos-fw -o br-+ -j nixos-fw-accept 2>/dev/null || true
-
-        # allow forwarding between bridges+external interfaces
-        ip6tables -I FORWARD -i br-+ -j ACCEPT 2>/dev/null || true
-        ip6tables -I FORWARD -o br-+ -j ACCEPT 2>/dev/null || true
-
-        # allow return traffic
-        # note: nothing works without this!
-        ip6tables -I FORWARD ! -i br-+ -o br-+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
-      '';
     };
 
     systemd.services =
diff --git a/modules/tunnel/ingress.nix b/modules/tunnel/ingress.nix
index 8a6ae3b..1ea1613 100644
--- a/modules/tunnel/ingress.nix
+++ b/modules/tunnel/ingress.nix
@@ -32,10 +32,6 @@ let
   mtu = 1400;
 in
 {
-  boot.kernel.sysctl = {
-    "net.ipv4.ip_forward" = 1; # allow ipv4 forwarding
-  };
-
   networking.firewall = {
     allowedUDPPorts = map (x: x.port) paths;
     allowedTCPPorts = map (x: x.port) paths;
@@ -118,12 +114,13 @@ in
   # allow forwarding packets between egress and ingress, but avoid any snat,
   # ip should always keep it's origin form, for correct egress routing.
   # also adapt mss to outgoing mss value, so that we don't shatter packets.
-  networking.nftables.ruleset =
+  networking.nftables.tables.tunnel-forward =
     let
       ingressInterfaces = concatImapStringsSep "\", \"" (i: _: ingressName (i - 1)) paths;
     in
-    ''
-      table inet filter {
+    {
+      family = "inet";
+      content = ''
         chain forward {
           type filter hook forward priority 0; policy drop;
 
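Review bot: `chain forward { type filter hook forward priority 0; policy drop; … }` is a base chain, and now that modules/common.nix enables the nftables-backed NixOS firewall on every host and docker gets `firewall-backend = nftables`, other forward base chains may sit on the same hook; in nftables a packet must be accepted by every base chain it traverses, so this `policy drop` discards any forward traffic that only the docker or firewall tables accept, on any host that combines the tunnel with them. The move to `networking.nftables.tables` itself is fine. I would document the assumption next to the chain: `# base chain with policy drop: this host is assumed to be the only forwarder; other forward chains cannot override a drop here`. The `content` string and the enclosing attribute set close in the next hunk.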
@@ -132,8 +129,8 @@ in
           iifname { "${ingressInterfaces}" } oifname "${egressName}" accept
           iifname "${egressName}" oifname { "${ingressInterfaces}" } accept
         }
-      }
-    '';
+      '';
+    };
 
   # sing-box is a vpn client supporting various protocols which will allow us
   # to configure it in whichever way we want to avoid russian dpi.