nixos/modules/system/networking.nix

inputs:
{
  options.nixos.system.networking = let inherit (inputs.lib) mkOption types; in
  {
    hostname = mkOption { type = types.nonEmptyStr; };
    networkManager.enable = mkOption
      { type = types.bool; default = inputs.config.nixos.system.networking.networkd == null; };
    networkd = mkOption
    {
      type = types.nullOr (types.submodule { options =
      {
        dhcp = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
        static = mkOption
        {
          type = types.attrsOf (types.submodule { options =
          {
            ip = mkOption { type = types.nonEmptyStr; };
            mask = mkOption { type = types.ints.unsigned; };
            gateway = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
            dns = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
          };});
          default = {};
        };
      };});
      default = null;
    };
    wireless = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
  };
  config = let inherit (inputs.config.nixos.system) networking; in inputs.lib.mkMerge
  [
    # general config
    {
      networking.hostName = networking.hostname;
      boot.kernel.sysctl =
      {
        "net.core.rmem_max" = 67108864;
        "net.core.wmem_max" = 67108864;
        "net.ipv4.tcp_rmem" = "4096 87380 67108864";
        "net.ipv4.tcp_wmem" = "4096 65536 67108864";
        "net.ipv4.tcp_mtu_probing" = inputs.lib.mkDefault true;
        "net.ipv4.tcp_tw_reuse" = true;
        "net.ipv4.tcp_max_syn_backlog" = 8388608;
        "net.core.netdev_max_backlog" = 8388608;
        "net.core.somaxconn" = 8388608;
        "net.ipv4.conf.all.route_localnet" = true;
        "net.ipv4.conf.default.route_localnet" = true;
        "net.ipv4.conf.all.accept_local" = true;
        "net.ipv4.conf.default.accept_local" = true;
        "net.ipv4.ip_forward" = true;
        "net.ipv4.ip_nonlocal_bind" = true;
        "net.bridge.bridge-nf-call-iptables" = false;
        "net.bridge.bridge-nf-call-ip6tables" = false;
        "net.bridge.bridge-nf-call-arptables" = false;
      };
    }
    # networkManager
    (inputs.lib.mkIf networking.networkManager.enable
    {
      networking.networkmanager =
      {
        enable = true;
        settings.device.keep-configuration = "no";
      };
      environment.persistence."${inputs.config.nixos.system.impermanence.persistence}".directories =
        [{ directory = "/etc/NetworkManager/system-connections"; mode = "0700"; }];
    })
    # networkd
    (inputs.lib.mkIf (networking.networkd != null)
    {
      systemd.network =
      {
        enable = true;
        networks = builtins.listToAttrs
        (
          (builtins.map
            (network:
            {
              name = "10-${network}";
              value =
              {
                matchConfig.Name = network;
                networkConfig = { DHCP = "yes"; IPv6AcceptRA = true; };
                linkConfig.RequiredForOnline = "routable";
              };
            })
            networking.networkd.dhcp)
          ++ (builtins.map
            (network:
            {
              name = "10-${network.name}";
              value =
              {
                matchConfig.Name = network.name;
                address = [ "${network.value.ip}/${builtins.toString network.value.mask}" ];
                routes = inputs.lib.mkIf (network.value.gateway != null)
                  [{ Gateway = network.value.gateway; Destination = "0.0.0.0/0"; }];
                linkConfig.RequiredForOnline = "routable";
                dns = inputs.lib.mkIf (network.value.dns != null) [ network.value.dns ];
              };
            })
            (inputs.localLib.attrsToList networking.networkd.static))
        );
      };
      networking =
      {
        networkmanager.unmanaged = with networking.networkd; dhcp ++ (builtins.attrNames static);
        useNetworkd = true;
      };
      # dnsable dns fallback, use provided dns servers or no dns
      services.resolved.fallbackDns = [];
    })
    # wpa_supplicant
    (inputs.lib.mkIf (networking.wireless != [])
    {
      networking.wireless =
      {
        enable = true;
        networks = builtins.listToAttrs (builtins.map
          (network:
          {
            name = network;
            value.psk = "@${builtins.hashString "md5" network}_PSK@";
          })
          networking.wireless);
        environmentFile = inputs.config.sops.templates."wireless.env".path;
      };
      sops =
      {
        templates."wireless.env".content = builtins.concatStringsSep "\n" (builtins.map
          (network: "${builtins.hashString "md5" network}_PSK=${inputs.config.sops.placeholder."wireless/${network}"}")
          networking.wireless);
        secrets = builtins.listToAttrs (builtins.map
          (network: { name = "wireless/${network}"; value = {}; })
          networking.wireless);
      };
    })
  ];
}