fw + avahi

modules/nixos/hardware/opengl/default.nix

@@ -1,6 +1,6 @@
 { config, lib, pkgs, namespace, ... }:
 let
-  inherit (lib) mkIf mkForce;
+  inherit (lib) mkIf;
   inherit (lib.${namespace}) mkBoolOpt;
 
   cfg = config.${namespace}.hardware.opengl;

modules/nixos/services/avahi/default.nix

@@ -0,0 +1,27 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib) mkIf;
+
+  cfg = config.${namespace}.services.avahi;
+in
+{
+  options.${namespace}.services.avahi = {
+    enable = lib.mkEnableOption "Avahi";
+  };
+
+  config = mkIf cfg.enable {
+    services.avahi = {
+      enable = true;
+      nssmdns4 = true;
+      openFirewall = true;
+      publish = {
+        enable = true;
+        addresses = true;
+        domain = true;
+        hinfo = true;
+        userServices = true;
+        workstation = true;
+      };
+    };
+  };
+}

modules/nixos/services/openiscsi/default.nix

@@ -1,7 +1,7 @@
 { config, pkgs, lib, namespace, host, ... }:
 let
   inherit (lib) types mkIf;
-  inherit (lib.${namespace}) mkOpt;
+  inherit (lib.${namespace}) mkOpt mkBoolOpt;
 
   cfg = config.${namespace}.services.openiscsi;
 in
@@ -9,7 +9,7 @@ in
   options.${namespace}.services.openiscsi = {
     enable = lib.mkEnableOption "Open iSCSI support";
     name = mkOpt types.str "iqn.2025.reichard.io:${host}" "iSCSI name";
-    symlink = mkOpt types.bool false "Create a symlink to the iSCSI binaries";
+    symlink = mkBoolOpt false "Create a symlink to the iSCSI binaries";
   };
 
   config = mkIf cfg.enable {

modules/nixos/services/rke2/default.nix

@@ -1,7 +1,7 @@
 { config, lib, namespace, ... }:
 let
   inherit (lib) types mkIf;
-  inherit (lib.${namespace}) mkOpt;
+  inherit (lib.${namespace}) mkOpt mkBoolOpt;
 
   cfg = config.${namespace}.services.rke2;
 in
@@ -9,6 +9,7 @@ in
   options.${namespace}.services.rke2 = with types; {
     enable = lib.mkEnableOption "Enable RKE2";
     disable = mkOpt (listOf str) [ ] "Disable services";
+    openFirewall = mkBoolOpt true "Open firewall";
   };
 
   config = mkIf cfg.enable {
@@ -16,5 +17,23 @@ in
       enable = true;
       disable = cfg.disable;
     };
+
+    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [
+      # RKE2 Ports - https://docs.rke2.io/install/requirements#networking
+      6443 # Kubernetes API
+      9345 # RKE2 supervisor API
+      2379 # etcd Client Port
+      2380 # etcd Peer Port
+      2381 # etcd Metrics Port
+      10250 # kubelet metrics
+      9099 # Canal CNI health checks
+    ];
+
+    networking.firewall.allowedUDPPorts = mkIf cfg.openFirewall [
+      # RKE2 Ports - https://docs.rke2.io/install/requirements#networking
+      8472 # Canal CNI with VXLAN
+      # 51820 # Canal CNI with WireGuard IPv4 (if using encryption)
+      # 51821 # Canal CNI with WireGuard IPv6 (if using encryption)
+    ];
   };
 }

modules/nixos/system/networking/default.nix

@@ -1,14 +1,16 @@
 { config, lib, pkgs, namespace, ... }:
 let
-  inherit (lib) mkIf mkForce;
-  inherit (lib.${namespace}) mkBoolOpt;
+  inherit (lib) mkIf mkDefault mkEnableOption;
+  inherit (lib.${namespace}) mkBoolOpt enabled;
 
   cfg = config.${namespace}.system.networking;
 in
 {
   options.${namespace}.system.networking = {
-    enable = lib.mkEnableOption "networking support";
-    enableIWD = mkBoolOpt false "enable iwd";
+    enable = mkEnableOption "Enable Networking";
+    enableIWD = mkEnableOption "Enable IWD";
+    useDHCP = mkBoolOpt true "Use DHCP";
+    useNetworkd = mkBoolOpt false "Use networkd";
   };
 
   config = mkIf cfg.enable {
@@ -21,8 +23,9 @@ in
     reichard.user.extraGroups = [ "network" ];
 
     networking = {
-      firewall.enable = true;
-      usePredictableInterfaceNames = mkForce true;
+      firewall = enabled;
+      useDHCP = mkDefault cfg.useDHCP;
+      useNetworkd = cfg.useNetworkd;
     } // (lib.optionalAttrs cfg.enableIWD) {
       wireless.iwd = {
         enable = true;