From 2940b85b60b0236565234fcc7173718c7f4d53d8 Mon Sep 17 00:00:00 2001
From: Geir Okkenhaug Jerstad
Date: Thu, 5 Jun 2025 14:54:27 +0200
Subject: [PATCH] Restructure networking configuration to per-machine modules
- Move networking configs to modules/network/ directory
- Create network-.nix files for each machine
- Add common.nix for shared networking configuration
- Update import paths in machine configurations
- Reduce duplication by using common networking settings
Network modules:
- modules/network/common.nix: Shared settings (nftables, SSH, tailscale)
- modules/network/network-congenital-optimist.nix: Workstation specific
- modules/network/network-sleeper-service.nix: File server specific
---
 .../congenital-optimist/configuration.nix | 2 +-
 machines/sleeper-service/configuration.nix | 16 +--------
 modules/network/common.nix | 33 +++++++++++++++++++
 .../network/network-congenital-optimist.nix | 27 +++++++++++++++
 modules/network/network-sleeper-service.nix | 21 ++++++++++++
 modules/system/network.nix | 26 ---------------
 .../system}/transmission.nix | 2 +-
 7 files changed, 84 insertions(+), 43 deletions(-)
 create mode 100644 modules/network/common.nix
 create mode 100644 modules/network/network-congenital-optimist.nix
 create mode 100644 modules/network/network-sleeper-service.nix
 delete mode 100644 modules/system/network.nix
 rename {machines/sleeper-service => modules/system}/transmission.nix (87%)
diff --git a/machines/congenital-optimist/configuration.nix b/machines/congenital-optimist/configuration.nix
index 939ef19..649aefb 100644
--- a/machines/congenital-optimist/configuration.nix
+++ b/machines/congenital-optimist/configuration.nix
@@ -7,10 +7,10 @@
 }: { imports = [ ./hardware-configuration.nix
+ ../../modules/network/network-congenital-optimist.nix
 # System modules
 ../../modules/system/fonts.nix
- ../../modules/system/network.nix
 ../../modules/system/applications.nix
 # Hardware modules
diff --git a/machines/sleeper-service/configuration.nix b/machines/sleeper-service/configuration.nix
index 3a18959..c12f2e6 100644
--- a/machines/sleeper-service/configuration.nix
+++ b/machines/sleeper-service/configuration.nix
@@ -1,6 +1,7 @@
 { config, pkgs, inputs, unstable, ... }: { imports = [ ./hardware-configuration.nix
+ ../../modules/network/network-sleeper-service.nix
 ];
 # Boot configuration
@@ -11,12 +12,6 @@
 devices = [ "nodev" ];
 };
- # Network configuration
- networking.hostName = "sleeper-service";
- networking.networkmanager.enable = true;
- services.tailscale.enable = true;
- networking.firewall.enable = true;
-
 # Time and locale
 time.timeZone = "Europe/Oslo";
 i18n.defaultLocale = "en_US.UTF-8";
@@ -30,15 +25,6 @@
 # Enable unfree packages
 nixpkgs.config.allowUnfree = true;
- # SSH access (headless server)
- services.openssh = {
- enable = true;
- settings = {
- PermitRootLogin = "no";
- PasswordAuthentication = false;
- };
- };
-
 # Basic system packages
 environment.systemPackages = with pkgs; [
 wget
diff --git a/modules/network/common.nix b/modules/network/common.nix
new file mode 100644
index 0000000..ccb21da
--- /dev/null
+++ b/modules/network/common.nix
@@ -0,0 +1,33 @@
+# Common Network Configuration
+# Shared networking settings across all machines
+{ config, pkgs, ... }:
+
+{
+ # Common networking settings
+ networking = {
+ # Enable nftables by default for all machines
+ nftables.enable = true;
+
+ # Common firewall settings
+ firewall = {
+ enable = true;
+ # SSH is allowed by default on all machines
+ allowedTCPPorts = [ 22 ];
+ };
+ };
+
+ # Common services available on all machines
+ services = {
+ # Tailscale VPN for secure remote access
+ tailscale.enable = true;
+
+ # SSH access with secure defaults
+ openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ };
+ };
+ };
+}
\ No newline at end of file
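Review bot: `PasswordAuthentication = false` in the new common.nix openssh settings does not on its own stop password logins, because NixOS leaves keyboard-interactive (PAM) authentication enabled and sshd still accepts a password through that path; add `KbdInteractiveAuthentication = false;` beside it so the "secure defaults" comment holds. The explicit `allowedTCPPorts = [ 22 ]` is redundant with `services.openssh.enable`, whose openFirewall default already opens the configured SSH port, so either drop the entry or reword the comment to say it is a deliberate belt-and-braces rule. The file is also written without a trailing newline.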
diff --git a/modules/network/network-congenital-optimist.nix b/modules/network/network-congenital-optimist.nix
new file mode 100644
index 0000000..9e2e2be
--- /dev/null
+++ b/modules/network/network-congenital-optimist.nix
@@ -0,0 +1,27 @@
+# Networking Configuration - congenital-optimist
+# AMD Threadripper workstation network setup
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./common.nix
+ ];
+
+ # Machine-specific network configuration
+ networking = {
+ hostName = "congenital-optimist";
+ hostId = "8425e349";
+ networkmanager.enable = true;
+
+ # Additional firewall ports for workstation services
+ firewall.allowedTCPPorts = [
+ 9091 # Transmission RPC
+ ];
+ };
+
+ # ZFS services for this machine
+ services.zfs = {
+ autoScrub.enable = true;
+ trim.enable = true;
+ };
+}
diff --git a/modules/network/network-sleeper-service.nix b/modules/network/network-sleeper-service.nix
new file mode 100644
index 0000000..8b75879
--- /dev/null
+++ b/modules/network/network-sleeper-service.nix
@@ -0,0 +1,21 @@
+# Networking Configuration - sleeper-service
+# Xeon file server network setup
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./common.nix
+ ];
+
+ # Machine-specific network configuration
+ networking = {
+ hostName = "sleeper-service";
+ networkmanager.enable = true;
+
+ # Additional firewall ports for file server services
+ # (Add specific ports as needed for file sharing services)
+ firewall.allowedTCPPorts = [
+ # Add additional ports here as needed
+ ];
+ };
+}
diff --git a/modules/system/network.nix b/modules/system/network.nix
deleted file mode 100644
index 9ce4b11..0000000
--- a/modules/system/network.nix
+++ /dev/null
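Review bot: `firewall.allowedTCPPorts = [ 9091 ]` in network-congenital-optimist.nix opens the Transmission RPC port on every interface of the workstation, while the only client restriction visible in this patch is the `rpc-whitelist` in transmission.nix, whose enforcement depends on the commented-out `rpc-whitelist-enabled` and the daemon default. Nothing in the diff shows congenital-optimist importing the renamed modules/system/transmission.nix, so if it does not, the rule opens a port nothing listens on; if it does, the RPC socket is reachable from any network the machine joins. Scope the rule to the VPN interface instead, `networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 9091 ];`, and drop the global entry. Separately, the `services.zfs` block is storage rather than networking and would be easier to find in a system module, with the file header comment describing only what the module actually configures.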
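Review bot: The empty `firewall.allowedTCPPorts = [ ];` in network-sleeper-service.nix, with its two placeholder comments, is a no-op that merges nothing into the list common.nix already provides; remove it until a port is actually needed, so the module reads as "only SSH is reachable" rather than "ports to be decided". If the placeholder is kept on purpose, shorten the three comment lines to one, e.g. `# No extra ports yet; file-sharing services add theirs here.`.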
@@ -1,26 +0,0 @@
-{ config, pkgs, ... }: {
- # Network configuration
- networking = {
- hostName = "congenital-optimist";
- hostId = "8425e349";
- networkmanager.enable = true;
- nftables.enable = true;
-
- # Firewall configuration
- firewall = {
- enable = true;
- allowedTCPPorts = [ 22 ];
- allowedUDPPorts = [ 22 ];
- };
- };
-
- # VPN and remote access
- services.tailscale.enable = true;
- services.openssh.enable = true;
-
- # ZFS services
- services.zfs = {
- autoScrub.enable = true;
- trim.enable = true;
- };
-}
\ No newline at end of file
diff --git a/machines/sleeper-service/transmission.nix b/modules/system/transmission.nix
similarity index 87%
rename from machines/sleeper-service/transmission.nix
rename to modules/system/transmission.nix
index 473b724..fe00573 100644
--- a/machines/sleeper-service/transmission.nix
+++ b/modules/system/transmission.nix
@@ -14,7 +14,7 @@
 download-dir = "/mnt/storage";
 #rpc-whitelist-enabled = true;
 rpc-whitelist = "127.0.0.1,10.0.0.*,100.*.*.*";
- rpc-host-whitelist = "idea,files,nixos-work,server1";
+ rpc-host-whitelist = "congenital-optimist,localhost";
 };
 };
 }
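Review bot: The `rpc-whitelist` line this hunk leaves in place admits `100.*.*.*`, which is all of 100.0.0.0/8 and far wider than the Tailscale CGNAT range 100.64.0.0/10 it presumably stands for, and `rpc-whitelist-enabled` is commented out directly above it, so whether the list is applied at all rests on the daemon's default. The `settings` attrset being edited starts outside the hunk. Either restore `rpc-whitelist-enabled = true;` and state in a comment that the octet wildcard is deliberately broad because the daemon cannot express a /10, or document that the firewall interface rule is the real access control and the whitelist is only a second layer. The updated `rpc-host-whitelist` is fine as long as every client addresses the daemon as `congenital-optimist` or `localhost`; a one-line comment naming where those hostnames are resolved would save the next reader a search.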