WIP networking overhaul

2026-02-09 12:29:19 -08:00 · 2021-08-12 03:30:48 +01:00 · 2021-08-12 03:30:48 +01:00 · 2dbe01524d
commit 2dbe01524d
parent 2c512aeb7b
36 changed files with 446 additions and 317 deletions
--- a/depot/hosts/athame/nixos.nix
+++ b/depot/hosts/athame/nixos.nix
@ -63,7 +63,7 @@ with lib;
      enp1s0 = {
        useDHCP = true;
        ipv6.addresses = [{
-          address = "2a01:4f8:c2c:b7a8::1";
+          address = config.network.addresses.public.ipv6.address;
          prefixLength = 64;
        }];
      };
@ -74,6 +74,22 @@ with lib;
    };
  };

+  network = {
+    addresses = {
+      public = {
+        enable = true;
+        ipv4.address = "168.119.126.111";
+        ipv6.address = "2a01:4f8:c2c:b7a8::1";
+      };
+    };
+    yggdrasil = {
+      enable = true;
+      pubkey = "55e3f29c252d16e73ac849a6039824f94df1dee670c030b9e29f90584f935575";
+      listen.enable = true;
+      listen.endpoints = [ "tcp://${config.network.addresses.public.ipv4.address}:52969" "tcp://${config.network.addresses.public.ipv6.address}:52969" ];
+    };
+  };
+
  # Firewall

  kw.fw = {
@ -81,21 +97,6 @@ with lib;
    private.interfaces = singleton "yggdrasil";
  };

-  # Host-specific DNS Config
-
-  kw.dns.ipv4 = "168.119.126.111";
-  kw.dns.ipv6 = (lib.head config.networking.interfaces.enp1s0.ipv6.addresses).address;
-  kw.dns.isPublic = true;
-
-  # Yggdrasil
-
-  network.yggdrasil = {
-    enable = true;
-    pubkey = "55e3f29c252d16e73ac849a6039824f94df1dee670c030b9e29f90584f935575";
-    listen.enable = true;
-    listen.endpoints = [ "tcp://${config.kw.dns.ipv4}:52969" ];
-  };
-
  # State
  system.stateVersion = "20.09";
 }
--- a/depot/hosts/beltane/meta.nix
+++ b/depot/hosts/beltane/meta.nix
@ -8,6 +8,7 @@
          connection = {
            port = 62954;
            host = "192.168.1.223";
+            #host = network.nodes.beltane.network.addresses.private.ipv4.address;
          };
        };
      };
--- a/depot/hosts/beltane/nixos.nix
+++ b/depot/hosts/beltane/nixos.nix
@ -76,10 +76,27 @@ with lib;
    hostName = "beltane";
    hostId = "3ef9a419";
    useDHCP = false;
-    interfaces.eno1.useDHCP = true;
+    interfaces.eno1.ipv4.addresses = singleton {
+      inherit (config.network.addresses.private.ipv4) address;
+      prefixLength = 24;
+    };
+    defaultGateway = config.network.privateGateway;
  };

-  kw.dns.ipv4 = "192.168.1.223";
+  network = {
+    addresses = {
+      private = {
+        ipv4.address = "10.1.2.2";
+        # TODO ipv6.address
+      };
+    };
+    yggdrasil = {
+      enable = true;
+      pubkey = "d3e488574367056d3ae809b678f799c29ebfd5c7151bb1f4051775b3953e5f52";
+      listen.enable = false;
+      listen.endpoints = [ "tcp://0.0.0.0:0" ];
+    };
+  };

  # Firewall

@ -90,13 +107,6 @@ with lib;

  # Yggdrasil

-  network.yggdrasil = {
-    enable = true;
-    pubkey = "d3e488574367056d3ae809b678f799c29ebfd5c7151bb1f4051775b3953e5f52";
-    # if server, enable this and set endpoint:
-    listen.enable = false;
-    listen.endpoints = [ "tcp://0.0.0.0:0" ];
-  };

  # State

--- a/depot/hosts/samhain/nixos.nix
+++ b/depot/hosts/samhain/nixos.nix
@ -103,8 +103,8 @@ in {
    };
    networks.br = {
      matchConfig.Name = "br";
-      address = [ "192.168.1.135/24" ];
-      gateway = [ "192.168.1.254" ];
+      address = singleton "${config.network.addresses.private.ipv4.address}/24" ;
+      gateway = singleton config.network.privateGateway;
    };
    netdevs.br = {
      netdevConfig = {
@ -117,6 +117,21 @@ in {

  services.avahi.enable = true;

+  network = {
+    addresses = {
+      private = {
+        ipv4.address = "10.1.2.3";
+      };
+    };
+    dns.dynamic = true;
+    yggdrasil = {
+      enable = true;
+      pubkey = "a7110d0a1dc9ec963d6eb37bb6922838b8088b53932eae727a9136482ce45d47";
+      listen.enable = false;
+      listen.endpoints = [ "tcp://0.0.0.0:0" ];
+    };
+  };
+
  # Firewall

  kw.fw = {
@ -126,20 +141,6 @@ in {
    };
  };

-  # Host-specific DNS Config
-
-  kw.dns.dynamic = true;
-
-  # Yggdrasil
-
-  network.yggdrasil = {
-    enable = true;
-    pubkey = "a7110d0a1dc9ec963d6eb37bb6922838b8088b53932eae727a9136482ce45d47";
-    # if server, enable this and set endpoint:
-    listen.enable = false;
-    listen.endpoints = [ "tcp://0.0.0.0:0" ];
-  };
-
  # State

  system.stateVersion = "20.09";
--- a/depot/modules/home/default.nix
+++ b/depot/modules/home/default.nix
@ -5,7 +5,7 @@
  imports = with (import (sources.nixexprs + "/modules")).home-manager; [ base16 syncplay konawall i3gopher weechat shell ] ++ [
    ./vim.nix
    ./fvwm.nix
-    ./dns.nix
+    ./network.nix
    ./deploy.nix
    ./theme.nix
    ./secrets.nix
--- a/depot/modules/home/dns.nix
+++ b/depot/modules/home/dns.nix
@ -1,40 +0,0 @@
-{ config, superConfig, lib, tf, ... }:
-
-/*
-This module:
-* Provides options for setting the domain/tld/... used by default in my service configs.
-*/
-
-with lib;
-
-{
-  options.kw.dns = {
-    email = mkOption {
-      type = types.nullOr types.str;
-      default = "";
-    };
-    tld = mkOption {
-      type = types.nullOr types.str;
-      default = "";
-    };
-    domain = mkOption {
-      type = types.nullOr types.str;
-      default = "";
-    };
-    ygg_prefix = mkOption {
-      type = types.nullOr types.str;
-      default = "";
-    };
-    isPublic = mkEnableOption "Provide DNS for the public primary IP addresses of the host";
-    ipv4 = mkOption {
-      type = types.str;
-    };
-    ipv6 = mkOption {
-      type = types.str;
-    };
-    dynamic = mkEnableOption "Enable Glauca Dynamic DNS Updater";
-  };
-  config = {
-    kw.dns = superConfig.kw.dns;
-  };
-}
--- a/depot/modules/home/network.nix
+++ b/depot/modules/home/network.nix
@ -0,0 +1,68 @@
+{ config, superConfig, lib, ... }:
+
+with lib;
+
+{
+  options.network = {
+    addresses = mkOption {
+      type = with types; attrsOf (submodule ({ name, ... }: {
+        options = {
+          enable = mkEnableOption "Is the system a part of the ${name} network?";
+          ipv4 = {
+            enable = mkOption {
+              type = types.bool;
+            };
+            address = mkOption {
+              type = types.str;
+            };
+          };
+          ipv6 = {
+            enable = mkOption {
+              type = types.bool;
+            };
+            address = mkOption {
+              type = types.str;
+            };
+          };
+          prefix = mkOption {
+            type = types.nullOr types.str;
+          };
+          domain = mkOption {
+            type = types.nullOr types.str;
+          };
+        };
+      }));
+    };
+    privateGateway = mkOption {
+      type = types.str;
+    };
+    tf = {
+      enable = mkEnableOption "Was the system provisioned by terraform?";
+      ipv4_attr = mkOption {
+        type = types.str;
+      };
+      ipv6_attr = mkOption {
+        type = types.str;
+      };
+    };
+    dns = {
+      email = mkOption {
+        type = types.nullOr types.str;
+      };
+      tld = mkOption {
+        type = types.nullOr types.str;
+      };
+      domain = mkOption {
+        type = types.nullOr types.str;
+      };
+      dynamic = mkEnableOption "Enable Glauca Dynamic DNS Updater";
+    };
+  };
+
+  config = {
+    network.addresses = superConfig.network.addresses;
+    network.privateGateway = superConfig.network.privateGateway;
+    network.tf = superConfig.network.tf;
+    network.dns = superConfig.network.dns;
+  };
+}
--- a/depot/modules/nixos/default.nix
+++ b/depot/modules/nixos/default.nix
@ -5,9 +5,8 @@
    ./nftables.nix
    ./firewall.nix
    ./deploy.nix
-    ./dns.nix
    ./dyndns.nix
-    ./yggdrasil.nix
+    ./network.nix
    ./secrets.nix
    (sources.tf-nix + "/modules/nixos/secrets.nix")
    (sources.tf-nix + "/modules/nixos/secrets-users.nix")
--- a/depot/modules/nixos/dns.nix
+++ b/depot/modules/nixos/dns.nix
@ -1,65 +0,0 @@
-{ config, lib, tf, ... }:
-
-/*
-This module:
-* Provides options for setting the domain/tld/... used by default in my service configs.
-*/
-
-with lib;
-
-{
-  options.kw.dns = {
-    email = mkOption {
-      type = types.nullOr types.str;
-      default = "";
-    };
-    tld = mkOption {
-      type = types.nullOr types.str;
-      default = "";
-    };
-    domain = mkOption {
-      type = types.nullOr types.str;
-      default = "";
-    };
-    ygg_prefix = mkOption {
-      type = types.nullOr types.str;
-      default = "";
-    };
-    isPublic = mkEnableOption "Provide DNS for the public primary IP addresses of the host";
-    ipv4 = mkOption {
-      type = types.nullOr types.str;
-      default = null;
-    };
-    ipv6 = mkOption {
-      type = types.nullOr types.str;
-      default = null;
-    };
-  };
-
-  config = {
-    # Set these.
-    kw.dns.email = mkDefault "kat@kittywit.ch";
-    kw.dns.tld = mkDefault "kittywit.ch.";
-    kw.dns.ygg_prefix = mkDefault "net";
-
-    # This should be set in host config if it needs to be set for a host. Otherwise, they're retrieved from terraform.
-    kw.dns.ipv4 = mkDefault (mkIf (tf.resources ? config.networking.hostName) (mkOptionDefault (config.deploy.tf.resources."${config.networking.hostName}".refAttr "ipv4_address")));
-    kw.dns.ipv6 = mkDefault (mkIf (tf.resources ? config.networking.hostName) (mkOptionDefault (config.deploy.tf.resources."${config.networking.hostName}".refAttr "ipv6_address")));
-
-    # These are derived.
-    kw.dns.domain = builtins.substring 0 ((builtins.stringLength config.kw.dns.tld) - 1) config.kw.dns.tld;
-
-    deploy.tf.dns.records = lib.mkIf (config.kw.dns.isPublic) {
-      "node_${config.networking.hostName}_v4" = {
-        tld = config.kw.dns.tld;
-        domain = config.networking.hostName;
-        a.address = config.kw.dns.ipv4;
-      };
-      "node_${config.networking.hostName}_v6" = {
-        tld = config.kw.dns.tld;
-        domain = config.networking.hostName;
-        aaaa.address = config.kw.dns.ipv6;
-      };
-    };
-  };
-}
--- a/depot/modules/nixos/dyndns.nix
+++ b/depot/modules/nixos/dyndns.nix
@ -4,10 +4,10 @@ with lib;

 {
  options = {
-    kw.dns.dynamic = mkEnableOption "Enable Glauca Dynamic DNS Updater";
+    network.dns.dynamic = mkEnableOption "Enable Glauca Dynamic DNS Updater";
  };

-  config = mkIf (config.kw.dns.dynamic) {
+  config = mkIf (config.network.dns.dynamic) {
    kw.secrets = [
      "hexdns-key"
      "hexdns-secret"
--- a/depot/modules/nixos/network.nix
+++ b/depot/modules/nixos/network.nix
@ -0,0 +1,148 @@
+{ config, lib, tf, ... }:
+
+with lib;
+
+let
+  cfg = config.network;
+in {
+  options.network = {
+    addresses = mkOption {
+      type = with types; attrsOf (submodule ({ name, options, config, ... }: {
+        options = {
+          enable = mkEnableOption "Is the system a part of the ${name} network?" // {
+            default = config.ipv4.enable || config.ipv6.enable;
+          };
+          ipv4 = {
+            enable = mkOption {
+              type = types.bool;
+              default = options.ipv4.address.isDefined;
+            };
+            address = mkOption {
+              type = types.str;
+            };
+          };
+          ipv6 = {
+            enable = mkOption {
+              type = types.bool;
+              default = options.ipv6.address.isDefined;
+            };
+            address = mkOption {
+              type = types.str;
+            };
+          };
+          prefix = mkOption {
+            type = types.nullOr types.str;
+          };
+          subdomain = mkOption {
+            type = types.nullOr types.str;
+          };
+          domain = mkOption {
+            type = types.nullOr types.str;
+            default = "${config.subdomain}.${cfg.dns.domain}";
+          };
+          out.addressList = mkOption {
+            default = singleton config.domain ++ concatMap (i: optional i.enable i.address) [ config.ipv4 config.ipv6 ];
+          };
+        };
+      }));
+    };
+    privateGateway = mkOption {
+      type = types.str;
+      default = "10.1.2.1";
+    };
+    tf = {
+      enable = mkEnableOption "Was the system provisioned by terraform?";
+      ipv4_attr = mkOption {
+        type = types.str;
+        default = "ipv4_address";
+      };
+      ipv6_attr = mkOption {
+        type = types.str;
+        default = "ipv6_address";
+      };
+    };
+    dns = {
+      email = mkOption {
+        type = types.nullOr types.str;
+      };
+      tld = mkOption {
+        type = types.nullOr types.str;
+      };
+      domain = mkOption {
+        type = types.nullOr types.str;
+      };
+    };
+  };
+
+  config = let
+    networks = cfg.addresses;
+    networksWithDomains = filterAttrs (_: v: v.subdomain != null) networks;
+  in {
+    lib.kw.virtualHostGen = args: virtualHostGen ({ inherit config; } // args);
+
+    network = {
+      dns = {
+        email = "kat@kittywit.ch";
+        tld = "kittywit.ch.";
+        domain = builtins.substring 0 ((builtins.stringLength cfg.dns.tld) - 1) cfg.dns.tld;
+      };
+      addresses = {
+        private = {
+          prefix = "int";
+          subdomain = "${config.networking.hostName}.${cfg.addresses.private.prefix}";
+        };
+        public = mkMerge [
+          (mkIf cfg.tf.enable {
+            ipv4.address = mkIf (cfg.tf.ipv4_attr != null) (tf.resources."${config.networking.hostName}".refAttr config.network.tf.ipv4_attr);
+            ipv6.address = mkIf (cfg.tf.ipv6_attr != null) (tf.resources."${config.networking.hostName}".refAttr config.network.tf.ipv6_attr);
+          })
+          ({
+            subdomain = "${config.networking.hostName}";
+          })
+        ];
+        yggdrasil = mkIf cfg.yggdrasil.enable {
+          ipv6.address = cfg.yggdrasil.address;
+          prefix = "ygg";
+          subdomain = "${config.networking.hostName}.${cfg.addresses.yggdrasil.prefix}";
+        };
+      };
+    };
+
+    networking = mkIf cfg.addresses.private.enable {
+      defaultGateway = cfg.privateGateway;
+    };
+
+    deploy.tf.dns.records = let
+      recordsV4 = mapAttrs' (n: v:
+      nameValuePair "node_${n}_${config.networking.hostName}_v4" {
+        enable = v.ipv4.enable;
+        tld = cfg.dns.tld;
+        domain = v.subdomain;
+        a.address = v.ipv4.address;
+      }) networksWithDomains;
+      recordsV6 = mapAttrs' (n: v:
+      nameValuePair "node_${n}_${config.networking.hostName}_v6" {
+        enable = v.ipv6.enable;
+        tld = cfg.dns.tld;
+        domain = v.subdomain;
+        aaaa.address = v.ipv6.address;
+      }) networksWithDomains;
+    in recordsV4 // recordsV6;
+
+    security.acme.certs = mapAttrs' (n: v:
+    nameValuePair "cert_${n}_${config.networking.hostName}" {
+      inherit (v) domain;
+      dnsProvider = "rfc2136";
+      credentialsFile = config.secrets.files.dns_creds.path;
+      group = "nginx";
+    }) networksWithDomains;
+
+    services.nginx.virtualHosts = mapAttrs' (n: v:
+    nameValuePair v.domain {
+      useACMEHost = "cert_${n}_${config.networking.hostName}";
+      forceSSL = true;
+    }) networksWithDomains;
+
+    _module.args = { inherit (config.lib) kw; };
+  };
+}
--- a/depot/modules/nixos/yggdrasil.nix
+++ b/depot/modules/nixos/yggdrasil.nix
@ -1,30 +0,0 @@
-{ config, lib, ... }:
-
-/*
-This module:
-  * Provides AAAA records on a per-host basis for each yggdrasil enabled host.
-  * Provides certificates for those hosts if they run NGINX.
-*/
-
-with lib;
-
-{
-  config = mkIf (config.network.yggdrasil.enable) {
-    deploy.tf.dns.records."ygg_${config.networking.hostName}" = {
-        tld = config.kw.dns.tld;
-        domain = "${config.networking.hostName}.${config.kw.dns.ygg_prefix}";
-        aaaa.address = config.network.yggdrasil.address;
-      };
-    security.acme.certs."${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}" =
-      mkIf (config.services.nginx.enable) {
-        domain = "${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}";
-        dnsProvider = "rfc2136";
-        credentialsFile = config.secrets.files.dns_creds.path;
-        group = "nginx";
-      };
-      services.nginx.virtualHosts."${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}" = mkIf (config.services.nginx.enable) {
-        useACMEHost = "${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}";
-        forceSSL = true;
-    };
-  };
-}
--- a/depot/services/filehost/default.nix
+++ b/depot/services/filehost/default.nix
@ -2,7 +2,7 @@

 {
  services.nginx.virtualHosts = {
-    "files.${config.kw.dns.domain}" = {
+    "files.${config.network.dns.domain}" = {
      root = "/var/www/files";
      enableACME = true;
      forceSSL = true;
@ -10,8 +10,8 @@
  };

  deploy.tf.dns.records.services_filehost = {
-    tld = config.kw.dns.tld;
+    tld = config.network.dns.tld;
    domain = "files";
-    cname.target = "${config.networking.hostName}.${config.kw.dns.tld}";
+    cname.target = "${config.networking.hostName}.${config.network.dns.tld}";
  };
 }
--- a/depot/services/gitea/default.nix
+++ b/depot/services/gitea/default.nix
@ -25,8 +25,8 @@
  services.gitea = {
    enable = true;
    disableRegistration = true;
-    domain = "git.${config.kw.dns.domain}";
-    rootUrl = "https://git.${config.kw.dns.domain}";
+    domain = "git.${config.network.dns.domain}";
+    rootUrl = "https://git.${config.network.dns.domain}";
    httpAddress = "127.0.0.1";
    appName = "kittywitch git";
    ssh = { clonePort = 62954; };
@ -46,7 +46,7 @@
        USER = "gitea@kittywit.ch";
        #SEND_AS_PLAIN_TEXT = true;
        USE_SENDMAIL = false;
-        FROM = "\"kittywitch git\" <gitea@${config.kw.dns.domain}>";
+        FROM = "\"kittywitch git\" <gitea@${config.network.dns.domain}>";
      };
      service = {
        NO_REPLY_ADDRESS = "kittywit.ch";
@ -66,15 +66,15 @@
    ${pkgs.coreutils}/bin/ln -sfT ${./templates} /var/lib/gitea/custom/templates
  '';

-  services.nginx.virtualHosts."git.${config.kw.dns.domain}" = {
+  services.nginx.virtualHosts."git.${config.network.dns.domain}" = {
    enableACME = true;
    forceSSL = true;
    locations = { "/".proxyPass = "http://127.0.0.1:3000"; };
  };

  deploy.tf.dns.records.services_gitea = {
-    tld = config.kw.dns.tld;
+    tld = config.network.dns.tld;
    domain = "git";
-    cname.target = "${config.networking.hostName}.${config.kw.dns.tld}";
+    cname.target = "${config.networking.hostName}.${config.network.dns.tld}";
  };
 }
--- a/depot/services/grafana/default.nix
+++ b/depot/services/grafana/default.nix
@ -12,8 +12,8 @@
  services.grafana = {
    enable = true;
    port = 3001;
-    domain = "graph.${config.kw.dns.domain}";
-    rootUrl = "https://graph.${config.kw.dns.domain}/";
+    domain = "graph.${config.network.dns.domain}";
+    rootUrl = "https://graph.${config.network.dns.domain}/";
    database = {
      type = "postgres";
      host = "/run/postgresql/";
@ -22,15 +22,15 @@
    };
  };

-  services.nginx.virtualHosts."graph.${config.kw.dns.domain}" = {
+  services.nginx.virtualHosts."graph.${config.network.dns.domain}" = {
    enableACME = true;
    forceSSL = true;
    locations = { "/".proxyPass = "http://127.0.0.1:3001"; };
  };

  deploy.tf.dns.records.services_grafana = {
-    tld = config.kw.dns.tld;
+    tld = config.network.dns.tld;
    domain = "graph";
-    cname.target = "${config.networking.hostName}.${config.kw.dns.tld}";
+    cname.target = "${config.networking.hostName}.${config.network.dns.tld}";
  };
 }
--- a/depot/services/jellyfin/default.nix
+++ b/depot/services/jellyfin/default.nix
@ -1,8 +1,9 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, kw, ... }:

 {
-  services.nginx.virtualHosts = {
-    "${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}".locations = {
+  services.nginx.virtualHosts = kw.virtualHostGen {
+    networkFilter = [ "private" "yggdrasil" ];
+    block.locations = {
        "/jellyfin/".proxyPass = "http://127.0.0.1:8096/jellyfin/";
        "/jellyfin/socket" = {
          proxyPass = "http://127.0.0.1:8096/jellyfin/";
@ -10,17 +11,7 @@
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
          '';
-        };
-    };
-    ${config.kw.dns.ipv4}.locations = {
-        "/jellyfin/".proxyPass = "http://127.0.0.1:8096/jellyfin/";
-        "/jellyfin/socket" = {
-          proxyPass = "http://127.0.0.1:8096/jellyfin/";
-          extraConfig = ''
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection "upgrade";
-          '';
-        };
+      };
    };
  };

--- a/depot/services/kattv/default.nix
+++ b/depot/services/kattv/default.nix
@ -1,6 +1,47 @@
-{ config, pkgs, lib, ... }:
+{ meta, config, pkgs, lib, ... }:

-{
+let
+  env = {
+    FREI0R_PATH = "${pkgs.frei0r}/lib/frei0r-1";
+    GST_PLUGIN_SYSTEM_PATH_1_0 = with pkgs.gst_all_1; lib.makeSearchPath "lib/gstreamer-1.0" [
+      gstreamer
+      gst-plugins-base
+      gst-plugins-good
+      gst-plugins-bad
+      gst-plugins-ugly
+      pkgs.gst-jpegtrunc
+    ];
+  };
+  cameracapture = {
+    element."v4l2src" = {
+      device = "/dev/videomew";
+      saturation = 100;
+      brightness = 100;
+      extra-controls = "c,exposure_auto=3";
+    };
+  };
+  v4l2src = [
+    cameracapture
+    {
+      caps."image/jpeg" = {
+        width = 1280;
+        height = 720;
+        framerate = "30/1"; # "10/1"
+      };
+    }
+  ];
+  pipeline = v4l2src ++ [
+    "jpegtrunc"
+    { element.matroskamux.streamable = true; }
+    {
+      element.tcpclientsink = {
+        host = meta.network.nodes.beltane.network.private.ipv4.address;
+        port = "4953";
+        sync = false;
+      };
+    }
+  ];
+in {
  services.udev.extraRules = ''
    KERNEL=="video[0-9]*", SUBSYSTEM=="video4linux", SUBSYSTEMS=="usb", ATTR{index}=="0", ATTRS{idVendor}=="045e", ATTRS{idProduct}=="0779", SYMLINK+="videomew", TAG+="systemd"
  '';
@ -10,8 +51,8 @@
    after = [ "dev-videomew.device" "nginx.service" ];
    description = "RTMP stream of kat cam";
    bindsTo = [ "dev-videomew.device" ];
-    environment = pkgs.kat-tv.env;
-    script = "exec ${pkgs.gst_all_1.gstreamer.dev}/bin/gst-launch-1.0 -e --no-position ${pkgs.lib.gst.pipelineShellString pkgs.kat-tv.pipeline}";
+    environment = env;
+    script = "exec ${pkgs.gst_all_1.gstreamer.dev}/bin/gst-launch-1.0 -e --no-position ${pipeline}";
    serviceConfig = {
      Restart = "on-failure";
      RestartSec = "10s";
--- a/depot/services/mail/default.nix
+++ b/depot/services/mail/default.nix
@ -10,35 +10,35 @@ with lib;
  ];

  deploy.tf.dns.records.services_mail_mx = {
-    tld = config.kw.dns.tld;
+    tld = config.network.dns.tld;
    domain = "@";
    mx = {
      priority = 10;
-      target = "${config.networking.hostName}.${config.kw.dns.tld}";
+      target = config.network.addresses.public.domain;
    };
  };

  deploy.tf.dns.records.services_mail_spf = {
-    tld = config.kw.dns.tld;
+    tld = config.network.dns.tld;
    domain = "@";
-    txt.value = "v=spf1 ip4:${config.kw.dns.ipv4} ip6:${config.kw.dns.ipv6} -all";
+    txt.value = "v=spf1 ip4:${config.network.addresses.public.ipv4.address} ip6:${config.network.addresses.public.ipv6.address} -all";
  };

  deploy.tf.dns.records.services_mail_dmarc = {
-    tld = config.kw.dns.tld;
+    tld = config.network.dns.tld;
    domain = "_dmarc";
    txt.value = "v=DMARC1; p=none";
  };

  deploy.tf.dns.records.services_mail_domainkey = {
-    tld = config.kw.dns.tld;
+    tld = config.network.dns.tld;
    domain = "mail._domainkey";
    txt.value = tf.variables.mail-domainkey-kitty.ref;
  };

  mailserver = {
    enable = true;
-    fqdn = "${config.networking.hostName}.${config.kw.dns.domain}";
+    fqdn = config.network.addresses.public.domain;
    domains = [ "kittywit.ch" "dork.dev" ];
    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
--- a/depot/services/matrix/default.nix
+++ b/depot/services/matrix/default.nix
@ -43,7 +43,7 @@ root:

 disable_existing_loggers: False
    '';
-    server_name = config.kw.dns.domain;
+    server_name = config.network.dns.domain;
    app_service_config_files = [
      "/var/lib/matrix-synapse/telegram-registration.yaml"
      "/var/lib/matrix-synapse/discord-registration.yaml"
@ -78,7 +78,7 @@ disable_existing_loggers: False
    settings = {
      homeserver = {
        address = "http://localhost:8008";
-        domain = config.kw.dns.domain;
+        domain = config.network.dns.domain;
      };
      appservice = {
        provisioning.enabled = false;
@ -86,14 +86,14 @@ disable_existing_loggers: False
        public = {
          enabled = false;
          prefix = "/public";
-          external = "https://${config.kw.dns.domain}/public";
+          external = "https://${config.network.dns.domain}/public";
        };
      };
      bridge = {
        relaybot.authless_portals = false;
        permissions = {
-          "@kat:${config.kw.dns.domain}" = "admin";
-          "${config.kw.dns.domain}" = "full";
+          "@kat:${config.network.dns.domain}" = "admin";
+          "${config.network.dns.domain}" = "full";
        };
      };
    };
@ -143,7 +143,7 @@ disable_existing_loggers: False
    after = [ "network.target" ];
  };

-  services.nginx.virtualHosts."${config.kw.dns.domain}" = {
+  services.nginx.virtualHosts."${config.network.dns.domain}" = {
    # allegedly fixes https://github.com/poljar/weechat-matrix/issues/240
    extraConfig = ''
      keepalive_requests 100000;
@ -152,7 +152,7 @@ disable_existing_loggers: False
    locations = {
      "/_matrix" = { proxyPass = "http://[::1]:8008"; };
      "= /.well-known/matrix/server".extraConfig =
-        let server = { "m.server" = "${config.kw.dns.domain}:443"; };
+        let server = { "m.server" = "${config.network.dns.domain}:443"; };
        in
        ''
          add_header Content-Type application/json;
@ -161,7 +161,7 @@ disable_existing_loggers: False
      "= /.well-known/matrix/client".extraConfig =
        let
          client = {
-            "m.homeserver" = { "base_url" = "https://${config.kw.dns.domain}"; };
+            "m.homeserver" = { "base_url" = "https://${config.network.dns.domain}"; };
            "m.identity_server" = { "base_url" = "https://vector.im"; };
          };
        in
--- a/depot/services/murmur/default.nix
+++ b/depot/services/murmur/default.nix
@ -12,32 +12,32 @@ with lib;

  services.murmur = {
    enable = true;
-    hostName = "voice.${config.kw.dns.domain}";
+    hostName = "voice.${config.network.dns.domain}";
    bandwidth = 130000;
    welcometext = "mew!";
    extraConfig = ''
-      sslCert=/var/lib/acme/voice.${config.kw.dns.domain}/fullchain.pem
-      sslKey=/var/lib/acme/voice.${config.kw.dns.domain}/key.pem
+      sslCert=/var/lib/acme/voice.${config.network.dns.domain}/fullchain.pem
+      sslKey=/var/lib/acme/voice.${config.network.dns.domain}/key.pem
    '';
  };

-  services.nginx.virtualHosts."voice.${config.kw.dns.domain}" = {
+  services.nginx.virtualHosts."voice.${config.network.dns.domain}" = {
    enableACME = true;
    forceSSL = true;
  };

  users.groups."voice-cert".members = [ "nginx" "murmur" ];

-  security.acme.certs = { "voice.${config.kw.dns.domain}" = { group = "voice-cert"; }; };
+  security.acme.certs = { "voice.${config.network.dns.domain}" = { group = "voice-cert"; }; };

  deploy.tf.dns.records.services_murmur = {
-    tld = config.kw.dns.tld;
+    tld = config.network.dns.tld;
    domain = "voice";
-    cname.target = "${config.networking.hostName}.${config.kw.dns.tld}";
+    cname.target = "${config.networking.hostName}.${config.network.dns.tld}";
  };

  deploy.tf.dns.records.services_murmur_tcp_srv = {
-    tld = config.kw.dns.tld;
+    tld = config.network.dns.tld;
    domain = "@";
    srv = {
      service = "mumble";
@ -45,12 +45,12 @@ with lib;
      priority = 0;
      weight = 5;
      port = 64738;
-      target = "voice.${config.kw.dns.tld}";
+      target = "voice.${config.network.dns.tld}";
    };
  };

  deploy.tf.dns.records.services_murmur_udp_srv = {
-    tld = config.kw.dns.tld;
+    tld = config.network.dns.tld;
    domain = "@";
    srv = {
      service = "mumble";
@ -58,7 +58,7 @@ with lib;
      priority = 0;
      weight = 5;
      port = 64738;
-      target = "voice.${config.kw.dns.tld}";
+      target = "voice.${config.network.dns.tld}";
    };
  };
 }
--- a/depot/services/netdata/default.nix
+++ b/depot/services/netdata/default.nix
@ -1,15 +1,14 @@
-{ config, ... }:
+{ config, kw, ... }:

 {
  kw.fw.private.tcp.ports = [ 19999 ];

  services.netdata = { enable = true; };

-  services.nginx = {
-    enable = true;
-    virtualHosts = {
-      "${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}" = {
-        locations = { "/netdata" = { proxyPass = "http://[::1]:19999/"; }; };
+  services.nginx.virtualHosts = kw.virtualHostGen {
+    block = {
+      locations."/netdata" = {
+        proxyPass = "http://[::1]:19999/";
      };
    };
  };
--- a/depot/services/nfs/default.nix
+++ b/depot/services/nfs/default.nix
@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, kw, ... }:

 {
  kw.fw = {
@ -9,12 +9,9 @@
  services.nfs.server.enable = true;
  services.nfs.server.exports = "/mnt/zraw/media 192.168.1.0/24(rw) 200::/7(rw) 2a00:23c7:c597:7400::/56(rw)";

-  services.nginx.virtualHosts = {
-    "${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}".locations."/" = {
-      alias = "/mnt/zraw/media/";
-      extraConfig = "autoindex on;";
-    };
-    ${config.kw.dns.ipv4}.locations."/" = {
+  services.nginx.virtualHosts = kw.virtualHostGen {
+    networkFilter = [ "private" "yggdrasil" ];
+    block.locations."/" = {
      alias = "/mnt/zraw/media/";
      extraConfig = "autoindex on;";
    };
--- a/depot/services/nginx/default.nix
+++ b/depot/services/nginx/default.nix
@ -39,7 +39,7 @@ with lib;
  };

  security.acme = {
-    email = config.kw.dns.email;
+    email = config.network.dns.email;
    acceptTerms = true;
  };
 }
--- a/depot/services/prometheus/default.nix
+++ b/depot/services/prometheus/default.nix
@ -17,12 +17,12 @@ in
    scrapeConfigs = [
      {
        job_name = "boline";
-        static_configs = [{ targets = [ "boline.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}:8002" ]; }];
+        static_configs = [{ targets = [ "boline.${config.network.dns.ygg_prefix}.${config.network.dns.domain}:8002" ]; }];
      }
      {
        job_name = "samhain-vm";
        metrics_path = "/metrics";
-        static_configs = [{ targets = [ "samhain.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}:10445" ]; }];
+        static_configs = [{ targets = [ "samhain.${config.network.dns.ygg_prefix}.${config.network.dns.domain}:10445" ]; }];
      }
    ] ++ mapAttrsToList
      (hostName: prom: {
@ -30,13 +30,13 @@ in
        metrics_path = "/api/v1/allmetrics";
        honor_labels = true;
        params = { format = [ "prometheus" ]; };
-        static_configs = [{ targets = [ "${hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}:19999" ]; }];
+        static_configs = [{ targets = [ "${hostName}.${config.network.dns.ygg_prefix}.${config.network.dns.domain}:19999" ]; }];
      })
      nd_configs ++ mapAttrsToList
      (hostName: prom: {
        job_name = hostName;
        static_configs = [{
-          targets = [ "${hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}:${toString prom.port}" ];
+          targets = [ "${hostName}.${config.network.dns.ygg_prefix}.${config.network.dns.domain}:${toString prom.port}" ];
        }];
      })
      prom_configs;
--- a/depot/services/promtail/default.nix
+++ b/depot/services/promtail/default.nix
@ -5,7 +5,7 @@ with lib;
 let
  promtail_config = pkgs.writeText "prom-config.json" (builtins.toJSON {
    clients =
-      [{ url = "http://${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}:3100/loki/api/v1/push"; }];
+      [{ url = "http://${config.network.addresses.yggdrasil.domain}:3100/loki/api/v1/push"; }];
    positions = { filename = "/tmp/positions.yaml"; };
    scrape_configs = [{
      job_name = "journal";
--- a/depot/services/radicale/default.nix
+++ b/depot/services/radicale/default.nix
@ -21,7 +21,7 @@ in
  };

  services.nginx.virtualHosts = {
-    "cal.${config.kw.dns.domain}" = {
+    "cal.${config.network.dns.domain}" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
@ -36,8 +36,8 @@ in
  };

  deploy.tf.dns.records.services_radicale = {
-    tld = config.kw.dns.tld;
+    tld = config.network.dns.tld;
    domain = "cal";
-    cname.target = "${config.networking.hostName}.${config.kw.dns.tld}";
+    cname.target = "${config.networking.hostName}.${config.network.dns.tld}";
  };
 }
--- a/depot/services/syncplay/default.nix
+++ b/depot/services/syncplay/default.nix
@ -12,7 +12,7 @@ with lib;

  users.groups."sync-cert".members = [ "nginx" "syncplay" ];
  security.acme = {
-    certs."sync.${config.kw.dns.domain}" = {
+    certs."sync.${config.network.dns.domain}" = {
      group = "sync-cert";
      postRun = ''
        cp key.pem privkey.pem
@ -23,15 +23,15 @@ with lib;

  kw.fw.public.tcp.ports = singleton 8999;

-  services.nginx.virtualHosts."sync.${config.kw.dns.domain}" = {
+  services.nginx.virtualHosts."sync.${config.network.dns.domain}" = {
    enableACME = true;
    forceSSL = true;
  };

  deploy.tf.dns.records.services_syncplay = {
-    tld = config.kw.dns.tld;
+    tld = config.network.dns.tld;
    domain = "sync";
-    cname.target = "${config.networking.hostName}.${config.kw.dns.tld}";
+    cname.target = "${config.networking.hostName}.${config.network.dns.tld}";
  };

  secrets.files.syncplay-env = {
@ -51,7 +51,7 @@ with lib;
    serviceConfig = {
      EnvironmentFile = config.secrets.files.syncplay-env.path;
      ExecStart =
-        "${pkgs.syncplay}/bin/syncplay-server --port 8999 --tls /var/lib/acme/sync.${config.kw.dns.domain}/ --disable-ready";
+        "${pkgs.syncplay}/bin/syncplay-server --port 8999 --tls /var/lib/acme/sync.${config.network.dns.domain}/ --disable-ready";
      User = "syncplay";
      Group = "sync-cert";
    };
--- a/depot/services/transmission/default.nix
+++ b/depot/services/transmission/default.nix
@ -1,14 +1,13 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, kw, ... }:

 {
-  services.nginx.virtualHosts = {
-    "${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}".locations."/transmission" = {
-      proxyPass = "http://[::1]:9091";
-      extraConfig = "proxy_pass_header  X-Transmission-Session-Id;";
-    };
-    ${config.kw.dns.ipv4}.locations."/transmission" = {
-      proxyPass = "http://[::1]:9091";
-      extraConfig = "proxy_pass_header  X-Transmission-Session-Id;";
+  services.nginx.virtualHosts = kw.virtualHostGen {
+    networkFilter = [ "private" "yggdrasil" ];
+    block = {
+      locations."/transmission" = {
+        proxyPass = "http://[::1]:9091";
+        extraConfig = "proxy_pass_header  X-Transmission-Session-Id;";
+      };
    };
  };

--- a/depot/services/tvheadend/default.nix
+++ b/depot/services/tvheadend/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, kw, ... }:

 {
  hardware.firmware = [ pkgs.libreelec-dvb-firmware ];
@ -9,14 +9,13 @@
    tcp.ports = [ 9981 9982 ];
  };

-  services.nginx.virtualHosts = {
-    "${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}".locations."/tvheadend" = {
-      proxyPass = "http://127.0.0.1:9981";
-      extraConfig = "proxy_pass_header  X-Transmission-Session-Id;";
-    };
-    ${config.kw.dns.ipv4}.locations."/tvheadend" = {
-      proxyPass = "http://127.0.0.1:9981";
-      extraConfig = "proxy_pass_header  X-Transmission-Session-Id;";
+  services.nginx.virtualHosts = kw.virtualHostGen {
+    networkFilter = [ "private" "yggdrasil" ];
+    block = {
+      locations."/tvheadend" = {
+        proxyPass = "http://127.0.0.1:9981";
+        extraConfig = "proxy_pass_header  X-Transmission-Session-Id;";
+      };
    };
  };

--- a/depot/services/vaultwarden/default.nix
+++ b/depot/services/vaultwarden/default.nix
@ -19,12 +19,12 @@
      rocketPort = 4000;
      websocketEnabled = true;
      signupsAllowed = false;
-      domain = "https://vault.${config.kw.dns.domain}";
+      domain = "https://vault.${config.network.dns.domain}";
      databaseUrl = "postgresql://bitwarden_rs@/bitwarden_rs";
    };
  };

-  services.nginx.virtualHosts."vault.${config.kw.dns.domain}" = {
+  services.nginx.virtualHosts."vault.${config.network.dns.domain}" = {
    enableACME = true;
    forceSSL = true;
    locations = {
@ -35,8 +35,8 @@
  };

  deploy.tf.dns.records.services_vaultwarden = {
-    tld = config.kw.dns.tld;
+    tld = config.network.dns.tld;
    domain = "vault";
-    cname.target = "${config.networking.hostName}.${config.kw.dns.tld}";
+    cname.target = "${config.networking.hostName}.${config.network.dns.tld}";
  };
 }
--- a/depot/services/website/default.nix
+++ b/depot/services/website/default.nix
@ -2,7 +2,7 @@

 {
  services.nginx.virtualHosts = {
-    "${config.kw.dns.domain}" = {
+    "${config.network.dns.domain}" = {
      root = pkgs.kat-website;
      enableACME = true;
      forceSSL = true;
--- a/depot/services/weechat/default.nix
+++ b/depot/services/weechat/default.nix
@ -1,7 +1,7 @@
 { config, pkgs, ... }:

 {
-  services.nginx.virtualHosts."irc.${config.kw.dns.domain}" = {
+  services.nginx.virtualHosts."irc.${config.network.dns.domain}" = {
    enableACME = true;
    forceSSL = true;
    locations = {
@ -14,8 +14,8 @@
  };

  deploy.tf.dns.records.services_weechat = {
-    tld = config.kw.dns.tld;
+    tld = config.network.dns.tld;
    domain = "irc";
-    cname.target = "${config.networking.hostName}.${config.kw.dns.tld}";
+    cname.target = "${config.networking.hostName}.${config.network.dns.tld}";
  };
 }
--- a/depot/services/xmpp/default.nix
+++ b/depot/services/xmpp/default.nix
@ -35,53 +35,53 @@ with lib;
        }
    '';
    virtualHosts = {
-      "xmpp.${config.kw.dns.domain}" = {
-        domain = config.kw.dns.domain;
+      "xmpp.${config.network.dns.domain}" = {
+        domain = config.network.dns.domain;
        enabled = true;
        ssl.cert = "/var/lib/acme/prosody/fullchain.pem";
        ssl.key = "/var/lib/acme/prosody/key.pem";
      };
    };
-    muc = [{ domain = "conference.${config.kw.dns.domain}"; }];
-    uploadHttp = { domain = "upload.${config.kw.dns.domain}"; };
+    muc = [{ domain = "conference.${config.network.dns.domain}"; }];
+    uploadHttp = { domain = "upload.${config.network.dns.domain}"; };
  };

  security.acme.certs.prosody = {
-    domain = "xmpp.${config.kw.dns.domain}";
+    domain = "xmpp.${config.network.dns.domain}";
    group = "prosody";
    dnsProvider = "rfc2136";
    credentialsFile = config.secrets.files.dns_creds.path;
    postRun = "systemctl restart prosody";
    extraDomainNames =
-      [ config.kw.dns.domain "upload.${config.kw.dns.domain}" "conference.${config.kw.dns.domain}" ];
+      [ config.network.dns.domain "upload.${config.network.dns.domain}" "conference.${config.network.dns.domain}" ];
  };

  deploy.tf.dns.records.services_prosody_xmpp = {
-    tld = config.kw.dns.tld;
+    tld = config.network.dns.tld;
    domain = "xmpp";
-    a.address = config.kw.dns.ipv4;
+    a.address = config.network.addresses.public.ipv4.address;
  };

  deploy.tf.dns.records.services_prosody_xmpp_v6 = {
-    tld = config.kw.dns.tld;
+    tld = config.network.dns.tld;
    domain = "xmpp";
-    aaaa.address = config.kw.dns.ipv6;
+    aaaa.address = config.network.addresses.public.ipv6.address;
  };

  deploy.tf.dns.records.services_prosody_upload = {
-    tld = config.kw.dns.tld;
+    tld = config.network.dns.tld;
    domain = "upload";
-    cname.target = "xmpp.${config.kw.dns.tld}";
+    cname.target = "xmpp.${config.network.dns.tld}";
  };

  deploy.tf.dns.records.services_prosody_conference = {
-    tld = config.kw.dns.tld;
+    tld = config.network.dns.tld;
    domain = "conference";
-    cname.target = "xmpp.${config.kw.dns.tld}";
+    cname.target = "xmpp.${config.network.dns.tld}";
  };

  deploy.tf.dns.records.services_prosody_muc = {
-    tld = config.kw.dns.tld;
+    tld = config.network.dns.tld;
    domain = "conference";
    srv = {
      service = "xmpp-server";
@ -89,12 +89,12 @@ with lib;
      priority = 0;
      weight = 5;
      port = 5269;
-      target = "xmpp.${config.kw.dns.tld}";
+      target = "xmpp.${config.network.dns.tld}";
    };
  };

  deploy.tf.dns.records.services_prosody_client_srv = {
-    tld = config.kw.dns.tld;
+    tld = config.network.dns.tld;
    domain = "@";
    srv = {
      service = "xmpp-client";
@ -102,12 +102,12 @@ with lib;
      priority = 0;
      weight = 5;
      port = 5222;
-      target = "xmpp.${config.kw.dns.tld}";
+      target = "xmpp.${config.network.dns.tld}";
    };
  };

  deploy.tf.dns.records.services_prosody_secure_client_srv = {
-    tld = config.kw.dns.tld;
+    tld = config.network.dns.tld;
    domain = "@";
    srv = {
      service = "xmpps-client";
@ -115,12 +115,12 @@ with lib;
      priority = 0;
      weight = 5;
      port = 5223;
-      target = "xmpp.${config.kw.dns.tld}";
+      target = "xmpp.${config.network.dns.tld}";
    };
  };

  deploy.tf.dns.records.services_prosody_server_srv = {
-    tld = config.kw.dns.tld;
+    tld = config.network.dns.tld;
    domain = "@";
    srv = {
      service = "xmpp-server";
@ -128,17 +128,17 @@ with lib;
      priority = 0;
      weight = 5;
      port = 5269;
-      target = "xmpp.${config.kw.dns.tld}";
+      target = "xmpp.${config.network.dns.tld}";
    };
  };

  services.nginx.virtualHosts = {
-    "upload.${config.kw.dns.domain}" = {
+    "upload.${config.network.dns.domain}" = {
      useACMEHost = "prosody";
      forceSSL = true;
    };

-    "conference.${config.kw.dns.domain}" = {
+    "conference.${config.network.dns.domain}" = {
      useACMEHost = "prosody";
      forceSSL = true;
    };
--- a/depot/trusted
+++ b/depot/trusted
@ -1 +1 @@
-Subproject commit fc69a63a4941b1a3672a61d70989383854c98176
+Subproject commit 6708773084feede47c13793902f66b432b12ed19
--- a/pkgs/lib/default.nix
+++ b/pkgs/lib/default.nix
@ -12,6 +12,7 @@
 {
  inherit (colorHelpers) hextorgba;
  hostImport = import ./host-import.nix { inherit lib; };
+  virtualHostGen = import ./virtual-host-gen.nix { inherit lib; };
  domainMerge = import ./domain-merge.nix { inherit lib; };
  modListMerge = import ./intersect-merge.nix { inherit lib; };
  modList = import ./module-list.nix { inherit lib; };
--- a/pkgs/lib/virtual-host-gen.nix
+++ b/pkgs/lib/virtual-host-gen.nix
@ -0,0 +1,9 @@
+{ lib }: { config, networkFilter ? [ ], addresses ? [ ], block }: with lib;
+
+let
+  networks = config.network.addresses;
+  filteredNetworks = filterAttrs (n: v: elem n networkFilter && v.enable) networks;
+  networkValues = attrValues filteredNetworks;
+  addressList = concatMap (n: n.out.addressList) networkValues;
+  hostBlocks = map (host: nameValuePair host block) addressList;
+in listToAttrs hostBlocks