From ed2d612b5e37bb8aa1696a8223a59ae5fbf0cf65 Mon Sep 17 00:00:00 2001
From: Julien Malka
Date: Sat, 25 May 2024 19:11:23 +0200
Subject: [PATCH] chore: rework lisa's networking to use networkd
---
 machines/lisa/default.nix | 99 +++++++++++++++++++++++++--------------
 1 file changed, 63 insertions(+), 36 deletions(-)
diff --git a/machines/lisa/default.nix b/machines/lisa/default.nix
index 2e8c1c3..cb99804 100644
--- a/machines/lisa/default.nix
+++ b/machines/lisa/default.nix
@@ -26,44 +26,65 @@
   services.fail2ban.enable = true;
   networking.hostName = "lisa";
-  networking.useDHCP = false;
-  networking.interfaces.ens20.useDHCP = false;
-  networking.interfaces.ens20.mtu = 1420;
-  networking.interfaces.ens20.ipv4.addresses = [
-    {
-      address = "212.129.40.11";
-      prefixLength = 32;
-    }
-  ];
-  networking.interfaces.ens18.useDHCP = true;
-  networking.defaultGateway.interface = "ens20";
-  networking.defaultGateway.address = "212.129.40.11";
-  networking.interfaces.ens19.useDHCP = false;
-  networking.interfaces.ens19.ipv6.addresses = [
-    {
-      address = "2a01:e0a:5f9:9681:5880:c9ff:fe9f:3dfb";
-      prefixLength = 120;
-    }
-  ];
   networking.hostId = "fbb334ae";
-  services.zfs.autoSnapshot.enable = true;
-  services.zfs.autoScrub.enable = true;
-  networking.wireguard.interfaces = {
-    wg0 = {
-      ips = [ "fd85:27e8:fc9::6/128" ];
-      listenPort = 51820;
-      privateKeyFile = "/root/wg-private";
+  networking.useNetworkd = true;
+  systemd.network = {
+    enable = true;
-      peers = [
-        {
-          allowedIPs = [ "fd85:27e8:fc9::/48" ];
-          publicKey = "ZO8j0AwssAERtyJQO+o11pWAFKzkxTI5hmqHsfEy5Bo=";
-          endpoint = "core01.rz.ens.wtf:51820";
-          persistentKeepalive = 25;
-        }
-      ];
+    networks = {
+      "10-wan" = {
+        matchConfig.Name = "ens20";
+        address = [ "212.129.40.11/32" ];
+        routes = [
+          {
+            routeConfig = {
+              Gateway = "212.129.40.11";
+              Destination = "0.0.0.0/0";
+            };
+          }
+        ];
+        linkConfig.RequiredForOnline = "routable";
+      };
+      "20-wan" = {
+        matchConfig.Name = "ens18";
+        networkConfig.DHCP = "yes";
+        linkConfig.RequiredForOnline = "routable";
+      };
+      wg0 = {
+        matchConfig.Name = "wg0";
+        address = [
+          "10.100.45.1/24"
+          "fc00::1/64"
+        ];
+        networkConfig = {
+          IPMasquerade = "ipv4";
+          IPForward = true;
+        };
+      };
+    };
+
+    netdevs = {
+      "50-wg0" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = "wg0";
+          MTUBytes = "1300";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = "/srv/wg-private";
+          ListenPort = 51821;
+        };
+        wireguardPeers = [
+          {
+            wireguardPeerConfig = {
+              PublicKey = "axigTezuClSoQlxWvpdzXKXUDjrrQlswE50ox0uDLR0=";
+              AllowedIPs = [ "10.100.45.2/32" ];
+            };
+          }
+        ];
+      };
     };
   };
@@ -74,8 +95,14 @@
     MaxAuthTries 20
   '';
-  networking.firewall.allowedTCPPorts = [ 51821 ];
-  networking.firewall.allowedUDPPorts = [ 51821 ];
+  networking.firewall.allowedTCPPorts = [
+    51820
+    51821
+  ];
+  networking.firewall.allowedUDPPorts = [
+    51820
+    51821
+  ];
   system.stateVersion = "21.11";
 }
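Review bot: `PrivateKeyFile = "/srv/wg-private"` in the `50-wg0` netdev is read by systemd-networkd rather than by the root-run WireGuard setup the old `networking.wireguard.interfaces` block used, so the file must be readable by the `systemd-network` user (systemd.netdev(5) recommends owner root:systemd-network, mode 0640); nothing in this commit provisions that, and a comment or a declarative ownership rule next to the option would keep the key from ending up world-readable under `/srv`. `IPForward = true` in the `wg0` network section is a host-wide kernel setting per systemd.network(5), not something scoped to wg0, so a comment such as `# IPForward is system-wide: wg0 peers can be routed anywhere this host can reach` would stop a later reader from treating it as interface-local. `Gateway = "212.129.40.11"` in the `10-wan` route is the host's own `/32`, carried over from the old `networking.defaultGateway`; I cannot tell from the hunk whether networkd installs that route as written, so it is worth confirming (a `GatewayOnLink = true` in the same `routeConfig` is the usual way to express an on-link gateway). The hunk also drops `services.zfs.autoSnapshot.enable` and `services.zfs.autoScrub.enable`, which has nothing to do with the networkd rework named in the subject and would be better as its own commit or at least mentioned in the description. The enclosing module attrset begins before the hunk.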
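Review bot: The firewall now opens 51820 and 51821 on both TCP and UDP, yet the only listener this diff configures is the `50-wg0` netdev on `ListenPort = 51821`, and WireGuard is UDP-only, so the two TCP entries and UDP 51820 (the old interface's port, removed in the first hunk) admit traffic to ports nothing here binds. Unless a service outside this diff uses 51820, the least-privilege form is `networking.firewall.allowedUDPPorts = [ 51821 ];` with the `allowedTCPPorts` assignment dropped, or a comment naming what each extra port is for. The attrset enclosing these options starts before the hunk.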