refactor(access): network interface config

modules/nixos/access.nix

@@ -77,6 +77,14 @@ in {
           "fe80::/64"
         ];
       };
+      int = {
+        v4 = [
+          "10.9.1.0/24"
+        ];
+        v6 = [
+          "fd0c::/64"
+        ];
+      };
       tail = mkIf tailscale.enable {
         v4 = [
           "100.64.0.0/10"
@@ -86,6 +94,24 @@ in {
           "fd7a:115c:a1e0:ab12::/64"
         ];
       };
+      allLan = {
+        v4 = cfg.cidrForNetwork.loopback.v4
+          ++ cfg.cidrForNetwork.local.v4
+          ++ cfg.cidrForNetwork.int.v4;
+        v6 = cfg.cidrForNetwork.loopback.v6
+          ++ cfg.cidrForNetwork.local.v6
+          ++ cfg.cidrForNetwork.int.v6;
+      };
+      allLocal = {
+        v4 = mkMerge [
+          cfg.cidrForNetwork.allLan.v4
+          (mkIf tailscale.enable cfg.cidrForNetwork.tail.v4)
+        ];
+        v6 = mkMerge [
+          cfg.cidrForNetwork.allLan.v6
+          (mkIf tailscale.enable cfg.cidrForNetwork.tail.v6)
+        ];
+      };
     };
     localaddrs = {
       nftablesInclude = mkBefore (''

modules/nixos/home-assistant.nix

@@ -7,7 +7,7 @@
   cfg = config.services.home-assistant;
   inherit (lib.modules) mkIf mkMerge mkBefore mkDefault mkOptionDefault;
   inherit (lib.options) mkOption mkEnableOption;
-  inherit (lib.lists) optional optionals elem unique;
+  inherit (lib.lists) optional elem unique;
   inherit (lib.strings) toLower;
 in {
   options.services.home-assistant = with lib.types; {
@@ -118,9 +118,7 @@ in {
           trusted_proxies = let
             inherit (config.networking.access) cidrForNetwork;
           in
-            cidrForNetwork.loopback.all
+            cidrForNetwork.allLocal.all
-            ++ cidrForNetwork.local.all
-            ++ optionals config.services.tailscale.enable cidrForNetwork.tail.all
             ++ [
               "200::/7"
             ];

modules/nixos/network/namespace.nix

@@ -9,11 +9,10 @@
   inherit (lib.options) mkOption mkEnableOption;
   inherit (lib.modules) mkIf mkMerge mkBefore mkAfter mkDefault mkOptionDefault;
   inherit (lib.attrsets) mapAttrs' mapAttrsToList listToAttrs nameValuePair attrValues;
-  inherit (lib.lists) singleton optional optionals filter concatMap;
+  inherit (lib.lists) singleton optional filter concatMap;
   inherit (lib.strings) concatStringsSep escapeShellArg;
   inherit (utils) escapeSystemdExecArg;
   inherit (inputs.self.lib.lib) unmerged;
-  inherit (config.services) tailscale;
   inherit (config) networking;
   inherit (networking) access;
   enabledNamespaces = filter (ns: ns.enable) (attrValues networking.namespaces);
@@ -324,8 +323,8 @@
           ''
         ];
         extraOutput = let
-          addrs4 = access.cidrForNetwork.local.v4 ++ optionals tailscale.enable access.cidrForNetwork.tail.v4;
+          addrs4 = access.cidrForNetwork.allLocal.v4;
-          addrs6 = access.cidrForNetwork.local.v6 ++ optionals tailscale.enable access.cidrForNetwork.tail.v6;
+          addrs6 = access.cidrForNetwork.allLocal.v6;
           daddr4 = ''{ ${concatStringsSep ", " addrs4} }'';
           daddr6 = ''{ ${concatStringsSep ", " addrs6} }'';
         in

modules/nixos/nginx/local.nix

@@ -6,7 +6,6 @@
   inherit (lib.options) mkOption mkEnableOption;
   inherit (lib.modules) mkIf mkMerge mkBefore mkOptionDefault;
   inherit (lib.strings) concatMapStringsSep optionalString;
-  inherit (lib.lists) optionals;
   inherit (config.services) tailscale;
   inherit (config.networking.access) cidrForNetwork localaddrs;
   mkAddrVar = remoteAddr: varPrefix: ''
@@ -29,6 +28,13 @@
     if (${remoteAddr} ~ "^fe80::") {
       set ${varPrefix}lan 1;
     }
+    set ${varPrefix}int 0;
+    if (${remoteAddr} ~ "^10\.9\.1\.[0-9]+") {
+      set ${varPrefix}lan 1;
+    }
+    if (${remoteAddr} ~ "^fd0c::") {
+      set ${varPrefix}int 1;
+    }
     set ${varPrefix}localhost 0;
     if (${remoteAddr} = "::1") {
       set ${varPrefix}localhost 1;
@@ -43,6 +49,9 @@
     if (${varPrefix}lan) {
       set ${varPrefix}client 1;
     }
+    if (${varPrefix}int) {
+      set ${varPrefix}client 1;
+    }
     if (${varPrefix}localhost) {
       set ${varPrefix}client 1;
     }
@@ -79,12 +88,8 @@
     config = {
       extraConfig = let
         mkAllow = cidr: "allow ${cidr};";
-        allowAddresses =
-          cidrForNetwork.loopback.all
-          ++ cidrForNetwork.local.all
-          ++ optionals tailscale.enable cidrForNetwork.tail.all;
         allows =
-          concatMapStringsSep "\n" mkAllow allowAddresses
+          concatMapStringsSep "\n" mkAllow cidrForNetwork.allLocal.all
           + optionalString localaddrs.enable ''
             include ${localaddrs.stateDir}/*.nginx.conf;
           '';

modules/nixos/postgres.nix

@@ -39,6 +39,9 @@
         tailscale = {
           allow = mkEnableOption "tailscale TCP connections";
         };
+        int = {
+          allow = mkEnableOption "internal TCP connections";
+        };
         local = {
           allow = mkEnableOption "local TCP connections";
         };
@@ -55,7 +58,8 @@
         in
           mkMerge [
             (mkIf config.authentication.tailscale.allow cidrForNetwork.tail.all)
-            (mkIf config.authentication.local.allow (cidrForNetwork.loopback.all ++ cidrForNetwork.local.all))
+            (mkIf config.authentication.int.allow cidrForNetwork.int.all)
+            (mkIf config.authentication.local.allow cidrForNetwork.local.all)
           ];
         authentication = mkMerge (map (host: ''
             host ${config.authentication.database} ${config.name} ${formatHost host} ${config.authentication.method}

modules/system/proxmox/container.nix

@@ -0,0 +1,15 @@
+{config, lib, ...}: let
+  inherit (lib.options) mkOption mkEnableOption;
+  cfg = config.proxmox.container;
+in {
+  options.proxmox.container = with lib.types; {
+    enable = mkEnableOption "LXC container";
+    privileged = mkEnableOption "root";
+    lxc = {
+      configJsonFile = mkOption {
+        type = nullOr path;
+        default = null;
+      };
+    };
+  };
+}

modules/system/proxmox/network.nix

@@ -0,0 +1,155 @@
+{config, lib, inputs, ...}: let
+  inherit (inputs.self.lib.lib) unmerged eui64;
+  inherit (lib.options) mkOption mkEnableOption;
+  inherit (lib.modules) mkIf mkMerge mkOptionDefault mkOverride;
+  inherit (lib.attrsets) attrValues;
+  inherit (lib.lists) elem findSingle;
+  inherit (lib.strings) hasPrefix removePrefix replaceStrings;
+  inherit (lib.trivial) toHexString mapNullable;
+  mkAlmostOptionDefault = mkOverride 1250;
+  cfg = config.proxmox.network;
+  internalOffset = 32;
+  networkInterfaceModule = { config, name, system, ... }: {
+    options = with lib.types; {
+      enable = mkEnableOption "network interface" // {
+        default = true;
+      };
+      bridge = mkOption {
+        type = str;
+        default = "vmbr0";
+      };
+      id = mkOption {
+        type = str;
+        default = name;
+      };
+      name = mkOption {
+        type = str;
+      };
+      macAddress = mkOption {
+        type = nullOr str;
+        default = null;
+      };
+      address4 = mkOption {
+        type = nullOr (either (enum [ "auto" ]) str);
+        default = null;
+      };
+      gateway4 = mkOption {
+        type = nullOr str;
+        default = null;
+      };
+      address6 = mkOption {
+        type = nullOr (either (enum [ "auto" "dhcp" ]) str);
+        default = null;
+      };
+      gateway6 = mkOption {
+        type = nullOr str;
+        default = null;
+      };
+      firewall.enable = mkEnableOption "firewall";
+      vm.model = mkOption {
+        type = enum [ "virtio" "e1000" "rtl8139" "vmxnet3" ];
+        default = "virtio";
+      };
+      mdns = {
+        enable = mkEnableOption "mDNS" // {
+          default = system.proxmox.node.name == "reisen" && config.id == "net0";
+        };
+      };
+      slaac = {
+        postfix = mkOption {
+          type = nullOr str;
+        };
+      };
+      internal = {
+        enable = mkEnableOption "internal network interface";
+      };
+      networkd = {
+        enable = mkEnableOption "systemd.network" // {
+          default = true;
+        };
+        networkSettings = mkOption {
+          type = unmerged.types.attrs;
+        };
+      };
+    };
+    config = let
+      conf = {
+        name = mkMerge [
+          (mkIf (hasPrefix "net" config.id && system.proxmox.container.enable) (mkOptionDefault ("eth" + removePrefix "net" config.id)))
+          # VMs have names like `ens18` for net0...
+        ];
+        slaac.postfix = mkOptionDefault (mapNullable eui64 config.macAddress);
+        gateway4 = mkMerge [
+          (mkIf (system.proxmox.node.name == "reisen" && config.bridge == "vmbr0" && config.address4 != null && config.address4 != "auto") (mkAlmostOptionDefault "10.1.1.1"))
+        ];
+        networkd.networkSettings = {
+          name = mkAlmostOptionDefault config.name;
+          matchConfig = {
+            MACAddress = mkIf (config.macAddress != null) (mkOptionDefault config.macAddress);
+            Type = mkOptionDefault "ether";
+          };
+          linkConfig = mkMerge [
+            (mkIf config.mdns.enable { Multicast = mkOptionDefault true; })
+          ];
+          networkConfig = mkMerge [
+            (mkIf (config.address6 == "auto") {
+              IPv6AcceptRA = true;
+            })
+            (mkIf config.mdns.enable {
+              MulticastDNS = true;
+            })
+          ];
+          address = mkMerge [
+            (mkIf (! elem config.address4 [ null "auto" ]) [ config.address4 ])
+            (mkIf (! elem config.address6 [ null "auto" "dhcp" ]) [ config.address6 ])
+          ];
+          gateway = mkMerge [
+            (mkIf (config.gateway4 != null) [ config.gateway4 ])
+            (mkIf (config.gateway6 != null) [ config.gateway6 ])
+          ];
+          DHCP = mkAlmostOptionDefault (
+            if config.address4 == "auto" && config.address6 == "dhcp" then "yes"
+            else if config.address6 == "dhcp" then "ipv6"
+            else if config.address4 == "dhcp" then "ipv4"
+            else "no"
+          );
+        };
+      };
+      confInternal = {
+        name = mkAlmostOptionDefault "eth9";
+        bridge = mkAlmostOptionDefault "vmbr9";
+        address4 = mkAlmostOptionDefault "10.9.1.${toString (system.proxmox.vm.id - internalOffset)}/24";
+        address6 = mkAlmostOptionDefault "fd0c::${toHexString (system.proxmox.vm.id - internalOffset)}/64";
+        macAddress = mkIf (system.proxmox.network.interfaces.net0.macAddress or null != null && hasPrefix "BC:24:11:" system.proxmox.network.interfaces.net0.macAddress) (mkAlmostOptionDefault (
+          replaceStrings [ "BC:24:11:" ] [ "BC:24:19:" ] system.proxmox.network.interfaces.net0.macAddress
+        ));
+        networkd.networkSettings.linkConfig.RequiredForOnline = false;
+      };
+    in mkMerge [
+      conf
+      (mkIf config.internal.enable confInternal)
+    ];
+  };
+in {
+  options.proxmox.network = with lib.types; {
+    interfaces = mkOption {
+      type = attrsOf (submoduleWith {
+        modules = [ networkInterfaceModule ];
+        specialArgs = {
+          system = config;
+        };
+      });
+      default = { };
+    };
+    internal = {
+      interface = mkOption {
+        type = nullOr unspecified;
+      };
+    };
+  };
+  config.proxmox.network = {
+    internal = {
+      interface = mkOptionDefault (findSingle (interface: interface.internal.enable) null (throw "expected only one internal network interface") (attrValues cfg.interfaces));
+    };
+  };
+}

modules/system/proxmox/vm.nix

@@ -0,0 +1,22 @@
+{config, lib, ...}: let
+  inherit (lib.options) mkOption mkEnableOption;
+  cfg = config.proxmox;
+in {
+  options.proxmox = with lib.types; {
+    enabled = mkOption {
+      type = bool;
+      default = cfg.vm.enable || cfg.container.enable;
+      readOnly = true;
+    };
+    vm = {
+      enable = mkEnableOption "QEMU VM";
+      id = mkOption {
+        type = int;
+      };
+    };
+    node.name = mkOption {
+      type = str;
+      default = "reisen";
+    };
+  };
+}

nixos/access/ldap.nix

@@ -7,8 +7,6 @@ let
   inherit (lib.options) mkOption mkEnableOption;
   inherit (lib.modules) mkIf mkMerge;
   inherit (lib.strings) concatMapStringsSep optionalString;
-  inherit (lib.lists) optionals;
-  inherit (config.services) tailscale;
   inherit (config.services.nginx) virtualHosts;
   inherit (config.networking.access) cidrForNetwork localaddrs;
   access = config.services.nginx.access.ldap;
@@ -16,11 +14,7 @@ let
   portSsl = 636;
   allows = let
     mkAllow = cidr: "allow ${cidr};";
-    allowAddresses =
+    allows = concatMapStringsSep "\n" mkAllow cidrForNetwork.allLocal.all + optionalString localaddrs.enable ''
-      cidrForNetwork.loopback.all
-      ++ cidrForNetwork.local.all
-      ++ optionals tailscale.enable cidrForNetwork.tail.all;
-    allows = concatMapStringsSep "\n" mkAllow allowAddresses + optionalString localaddrs.enable ''
       include ${localaddrs.stateDir}/*.nginx.conf;
     '';
   in ''

nixos/kyuuto/opl.nix

@@ -42,10 +42,6 @@ in {
       };
       shares.opl = let
         inherit (config.networking.access) cidrForNetwork;
-        localAddrs =
-          cidrForNetwork.loopback.all
-          ++ cidrForNetwork.local.all
-          ++ lib.optionals config.services.tailscale.enable cidrForNetwork.tail.all;
       in
         mkIf cfg.enable {
           comment = "Kyuuto Media OPL";
@@ -58,7 +54,7 @@ in {
             "@kyuuto-peeps"
           ];
           "strict sync" = false;
-          "hosts allow" = localAddrs;
+          "hosts allow" = cidrForNetwork.allLocal.all;
         };
     };
     services.tmpfiles = let

nixos/kyuuto/samba.nix

@@ -4,14 +4,9 @@
   ...
 }: let
   inherit (lib.modules) mkIf mkMerge mkDefault;
-  inherit (lib.lists) optionals;
   inherit (config.networking.access) cidrForNetwork;
   inherit (config) kyuuto;
   cfg = config.services.samba;
-  localAddrs =
-    cidrForNetwork.loopback.all
-    ++ cidrForNetwork.local.all
-    ++ optionals config.services.tailscale.enable cidrForNetwork.tail.all;
   guestUsers = mkIf cfg.guest.enable [cfg.guest.user];
   kyuuto-media = {
     "create mask" = "0664";
@@ -41,7 +36,7 @@ in {
           ["@peeps"]
         ];
         #"guest only" = true;
-        "hosts allow" = localAddrs;
+        "hosts allow" = cidrForNetwork.allLocal.all;
         "acl group control" = true;
         "create mask" = "0664";
         "force directory mode" = "3000";
@@ -61,7 +56,7 @@ in {
           ];
           "read list" = guestUsers;
           "write list" = ["@kyuuto-peeps"];
-          "hosts allow" = localAddrs;
+          "hosts allow" = cidrForNetwork.allLocal.all;
         }
       ];
       kyuuto-library-net = mkMerge [

nixos/nfs.nix

@@ -23,9 +23,7 @@ in {
       mountdPort = mkDefault 4002;
     };
     export = {
-      flagSets = let
+      flagSets = {
-        localAddrs = cidrForNetwork.loopback.all ++ cidrForNetwork.local.all;
-      in {
         common = [
           "no_subtree_check"
           "anonuid=${toString config.users.users.guest.uid}"
@@ -57,7 +55,7 @@ in {
           "@trusted"
         ];
         tailClients = optionals config.services.tailscale.enable cidrForNetwork.tail.all;
-        localClients = localAddrs ++ flagSets.tailClients;
+        localClients = cidrForNetwork.allLan.all ++ flagSets.tailClients;
         allClients = flagSets.clientGroups ++ flagSets.trustedClients ++ flagSets.localClients;
       };
       root = {

nixos/reisen-ct/internal.nix

@@ -1,48 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}: let
-  inherit (lib.options) mkOption mkEnableOption;
-  inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
-  inherit (lib.trivial) toHexString;
-  cfg = config.access.internal;
-  offset = 32;
-in {
-  options.access = with lib.types; {
-    internal = {
-      enable = mkEnableOption "eth9";
-      macAddress = mkOption {
-        type = nullOr str;
-        default = null;
-      };
-      vmid = mkOption {
-        type = int;
-      };
-      address4 = mkOption {
-        type = str;
-      };
-      address6 = mkOption {
-        type = str;
-      };
-    };
-  };
-  config.access.internal = {
-    address4 = mkOptionDefault "10.9.1.${toString (cfg.vmid - offset)}";
-    address6 = mkOptionDefault "fd0c::${toHexString (cfg.vmid - offset)}";
-  };
-  config.systemd.network.networks.eth9 = mkIf cfg.enable {
-    mdns.enable = false;
-    name = mkDefault "eth9";
-    matchConfig = {
-      MACAddress = mkIf (cfg.macAddress != null) (mkOptionDefault cfg.macAddress);
-      Type = mkOptionDefault "ether";
-    };
-    linkConfig.RequiredForOnline = mkOptionDefault false;
-    address = mkMerge [
-      ["${cfg.address4}/24"]
-      (mkIf config.networking.enableIPv6 [ "${cfg.address6}/64" ])
-    ];
-    DHCP = "no";
-  };
-}

nixos/reisen-ct/proxmox.nix

@@ -1,9 +1,14 @@
 {
   lib,
+  inputs,
   modulesPath,
+  system,
   ...
 }: let
-  inherit (lib.modules) mkDefault;
+  inherit (inputs.self.lib.lib) unmerged;
+  inherit (lib.modules) mkIf mkMerge mkDefault;
+  inherit (lib.attrsets) mapAttrsToList;
+  inherit (system) proxmox;
 in {
   imports = [
     (modulesPath + "/virtualisation/proxmox-lxc.nix")
@@ -16,4 +21,18 @@ in {
     # nix default is way too big
     GC_INITIAL_HEAP_SIZE = mkDefault "8M";
   };
+
+  proxmoxLXC.privileged = mkIf (proxmox.container.enable && proxmox.container.privileged) true;
+
+  systemd.network = mkIf proxmox.enabled (mkMerge (mapAttrsToList (_: interface: mkIf (interface.enable && interface.networkd.enable) {
+    networks.${interface.name} = unmerged.mergeAttrs interface.networkd.networkSettings;
+  }) proxmox.network.interfaces));
+
+  networking.firewall.interfaces.int = let
+    inherit (proxmox.network.internal) interface;
+  in mkIf (interface != null) {
+    nftables.conditions = [
+      "iifname ${interface.name}"
+    ];
+  };
 }

systems/aya/default.nix

@@ -1,4 +1,7 @@
 _: {
+  imports = [
+    ./proxmox.nix
+  ];
   arch = "x86_64";
   type = "NixOS";
   modules = [

systems/aya/nixos.nix

@@ -31,26 +31,6 @@
     };
     interfaces.eth1 = {};
   };
-  systemd.network.networks.eth0 = {
-    name = "eth0";
-    matchConfig = {
-      MACAddress = "BC:24:11:C4:66:A9";
-      Type = "ether";
-    };
-    address = ["10.1.1.47/24"];
-    gateway = ["10.1.1.1"];
-    DHCP = "no";
-  };
-  systemd.network.networks.eth1 = {
-    name = "eth1";
-    matchConfig = {
-      MACAddress = "BC:24:11:C4:66:AA";
-      Type = "ether";
-    };
-    DHCP = "no";
-    slaac.enable = false;
-    mdns.enable = false;
-  };
 
   sops.defaultSopsFile = ./secrets.yaml;
 

systems/aya/proxmox.nix

@@ -0,0 +1,20 @@
+_: {
+  proxmox = {
+    vm.id = 105;
+    container = {
+      enable = true;
+      lxc.configJsonFile = ./lxc.json;
+    };
+    network.interfaces = {
+      net0 = {
+        macAddress = "BC:24:11:C4:66:A9";
+        address4 = "10.1.1.47/24";
+        address6 = "auto";
+      };
+      net1 = {
+        macAddress = "BC:24:11:C4:66:AA";
+        networkd.networkSettings.linkConfig.RequiredForOnline = false;
+      };
+    };
+  };
+}

systems/freeipa/default.nix

@@ -0,0 +1,15 @@
+_: {
+  type = null;
+  proxmox = {
+    vm = {
+      id = 202;
+      enable = true;
+    };
+    network.interfaces = {
+      net0 = {
+        name = "ens18";
+        macAddress = "BC:24:11:3D:39:91";
+      };
+    };
+  };
+}

systems/freepbx/default.nix

@@ -1,3 +1,14 @@
 _: {
   type = null;
+  proxmox = {
+    vm = {
+      id = 203;
+      enable = true;
+    };
+    network.interfaces = {
+      net0 = {
+        macAddress = "BC:24:11:33:19:04";
+      };
+    };
+  };
 }

systems/hakurei/default.nix

@@ -1,4 +1,7 @@
 _: {
+  imports = [
+    ./proxmox.nix
+  ];
   arch = "x86_64";
   type = "NixOS";
   modules = [

systems/hakurei/nixos.nix

@@ -292,17 +292,6 @@ in {
 
   services.samba.openFirewall = true;
 
-  systemd.network.networks.eth0 = {
-    name = "eth0";
-    matchConfig = {
-      MACAddress = "BC:24:11:C4:66:A7";
-      Type = "ether";
-    };
-    address = ["10.1.1.41/24"];
-    gateway = ["10.1.1.1"];
-    DHCP = "no";
-  };
-
   sops.defaultSopsFile = ./secrets.yaml;
 
   system.stateVersion = "23.11";

systems/hakurei/proxmox.nix

@@ -0,0 +1,16 @@
+_: {
+  proxmox = {
+    vm.id = 103;
+    container = {
+      enable = true;
+      lxc.configJsonFile = ./lxc.json;
+    };
+    network.interfaces = {
+      net0 = {
+        macAddress = "BC:24:11:C4:66:A7";
+        address4 = "10.1.1.41/24";
+        address6 = "auto";
+      };
+    };
+  };
+}

systems/keycloak/default.nix

@@ -1,4 +1,7 @@
 _: {
+  imports = [
+    ./proxmox.nix
+  ];
   arch = "x86_64";
   type = "NixOS";
   modules = [

systems/keycloak/nixos.nix

@@ -38,16 +38,5 @@
 
   sops.defaultSopsFile = ./secrets.yaml;
 
-  systemd.network.networks.eth0 = {
-    name = "eth0";
-    matchConfig = {
-      MACAddress = "BC:24:11:C4:66:AC";
-      Type = "ether";
-    };
-    address = ["10.1.1.48/24"];
-    gateway = ["10.1.1.1"];
-    DHCP = "no";
-  };
-
   system.stateVersion = "23.11";
 }

systems/keycloak/proxmox.nix

@@ -0,0 +1,16 @@
+_: {
+  proxmox = {
+    vm.id = 107;
+    container = {
+      enable = true;
+      lxc.configJsonFile = ./lxc.json;
+    };
+    network.interfaces = {
+      net0 = {
+        macAddress = "BC:24:11:C4:66:AC";
+        address4 = "10.1.1.48/24";
+        address6 = "auto";
+      };
+    };
+  };
+}

systems/kuwubernetes/default.nix

@@ -4,4 +4,19 @@ _: {
   modules = [
     ./nixos.nix
   ];
+  proxmox = {
+    vm = {
+      id = 201;
+      enable = true;
+    };
+    network.interfaces = {
+      net0 = {
+        mdns.enable = false;
+        name = "ens18";
+        macAddress = "BC:24:11:49:FE:DC";
+        address4 = "10.1.1.42/24";
+        address6 = "auto";
+      };
+    };
+  };
 }

systems/litterbox/default.nix

@@ -1,4 +1,7 @@
 _: {
+  imports = [
+    ./proxmox.nix
+  ];
   arch = "x86_64";
   type = "NixOS";
   modules = [

systems/litterbox/nixos.nix

@@ -11,14 +11,5 @@
 
   sops.defaultSopsFile = ./secrets.yaml;
 
-  systemd.network.networks.eth0 = {
-    name = "eth0";
-    matchConfig = {
-      MACAddress = "BC:24:11:C4:66:AB";
-      Type = "ether";
-    };
-    DHCP = "yes";
-  };
-
   system.stateVersion = "23.11";
 }

systems/litterbox/proxmox.nix

@@ -0,0 +1,17 @@
+_: {
+  proxmox = {
+    vm.id = 106;
+    container = {
+      enable = true;
+      lxc.configJsonFile = ./lxc.json;
+    };
+    network.interfaces = {
+      net0 = {
+        mdns.enable = true;
+        macAddress = "BC:24:11:C4:66:AB";
+        address4 = "auto";
+        address6 = "auto";
+      };
+    };
+  };
+}

systems/mediabox/default.nix

@@ -1,4 +1,7 @@
 _: {
+  imports = [
+    ./proxmox.nix
+  ];
   arch = "x86_64";
   type = "NixOS";
   modules = [

systems/mediabox/nixos.nix

@@ -106,22 +106,6 @@ in {
     unitConfig.RequiresMountsFor = mapAttrsToList (path: _: path) plexLibrary;
   };
 
-  systemd.network.networks.eth0 = {
-    name = "eth0";
-    matchConfig = {
-      MACAddress = "BC:24:11:34:F4:A8";
-      Type = "ether";
-    };
-    address = ["10.1.1.44/24"];
-    gateway = ["10.1.1.1"];
-    DHCP = "no";
-  };
-  access.internal = {
-    enable = true;
-    macAddress = "BC:24:19:34:F4:A8";
-    vmid = 102;
-  };
-
   sops.defaultSopsFile = ./secrets.yaml;
 
   system.stateVersion = "21.05";

systems/mediabox/proxmox.nix

@@ -0,0 +1,17 @@
+_: {
+  proxmox = {
+    vm.id = 102;
+    container = {
+      enable = true;
+      lxc.configJsonFile = ./lxc.json;
+    };
+    network.interfaces = {
+      net0 = {
+        macAddress = "BC:24:11:34:F4:A8";
+        address4 = "10.1.1.44/24";
+        address6 = "auto";
+      };
+      net1.internal.enable = true;
+    };
+  };
+}

systems/reimu/default.nix

@@ -1,4 +1,7 @@
 _: {
+  imports = [
+    ./proxmox.nix
+  ];
   arch = "x86_64";
   type = "NixOS";
   modules = [

systems/reimu/nixos.nix

@@ -19,19 +19,6 @@
     beatsaber.enable = false;
   };
 
-  proxmoxLXC.privileged = true;
-
-  systemd.network.networks.eth0 = {
-    name = "eth0";
-    matchConfig = {
-      MACAddress = "BC:24:11:C4:66:A8";
-      Type = "ether";
-    };
-    address = ["10.1.1.45/24"];
-    gateway = ["10.1.1.1"];
-    DHCP = "no";
-  };
-
   sops.defaultSopsFile = ./secrets.yaml;
 
   system.stateVersion = "23.11";

systems/reimu/proxmox.nix

@@ -0,0 +1,17 @@
+_: {
+  proxmox = {
+    vm.id = 104;
+    container = {
+      enable = true;
+      privileged = true;
+      lxc.configJsonFile = ./lxc.json;
+    };
+    network.interfaces = {
+      net0 = {
+        macAddress = "BC:24:11:C4:66:A8";
+        address4 = "10.1.1.45/24";
+        address6 = "auto";
+      };
+    };
+  };
+}

systems/tei/default.nix

@@ -1,4 +1,7 @@
 _: {
+  imports = [
+    ./proxmox.nix
+  ];
   arch = "x86_64";
   type = "NixOS";
   modules = [

systems/tei/nixos.nix

@@ -51,16 +51,5 @@ in {
     ];
   };
 
-  systemd.network.networks.eth0 = {
-    name = "eth0";
-    matchConfig = {
-      MACAddress = "BC:24:11:CC:66:57";
-      Type = "ether";
-    };
-    address = ["10.1.1.39/24"];
-    gateway = ["10.1.1.1"];
-    DHCP = "no";
-  };
-
   system.stateVersion = "23.11";
 }

systems/tei/proxmox.nix

@@ -0,0 +1,16 @@
+_: {
+  proxmox = {
+    vm.id = 101;
+    container = {
+      enable = true;
+      lxc.configJsonFile = ./lxc.json;
+    };
+    network.interfaces = {
+      net0 = {
+        macAddress = "BC:24:11:CC:66:57";
+        address4 = "10.1.1.39/24";
+        address6 = "auto";
+      };
+    };
+  };
+}

systems/utsuho/default.nix

@@ -1,4 +1,7 @@
 _: {
+  imports = [
+    ./proxmox.nix
+  ];
   arch = "x86_64";
   type = "NixOS";
   modules = [

systems/utsuho/nixos.nix

@@ -43,16 +43,5 @@ in {
 
   sops.defaultSopsFile = ./secrets.yaml;
 
-  systemd.network.networks.eth0 = {
-    name = "eth0";
-    matchConfig = {
-      MACAddress = "BC:24:11:C4:66:A6";
-      Type = "ether";
-    };
-    address = ["10.1.1.38/24"];
-    gateway = ["10.1.1.1"];
-    DHCP = "no";
-  };
-
   system.stateVersion = "23.11";
 }

systems/utsuho/proxmox.nix

@@ -0,0 +1,16 @@
+_: {
+  proxmox = {
+    vm.id = 108;
+    container = {
+      enable = true;
+      lxc.configJsonFile = ./lxc.json;
+    };
+    network.interfaces = {
+      net0 = {
+        macAddress = "BC:24:11:C4:66:A6";
+        address4 = "10.1.1.38/24";
+        address6 = "auto";
+      };
+    };
+  };
+}

tree.nix

@@ -60,6 +60,7 @@
     "modules/nixos/steam".functor.enable = true;
     "modules/meta".functor.enable = true;
     "modules/system".functor.enable = true;
+    "modules/system/proxmox".functor.enable = true;
     "modules/home".functor.enable = true;
     "modules/type".functor.enable = true;
     "nixos/*".functor = {