fw + avahi

modules/home/programs/graphical/ghostty/config/ghostty.conf

@@ -16,8 +16,8 @@ keybind = ctrl+left=goto_split:left
 keybind = ctrl+right=goto_split:right
 keybind = ctrl+up=goto_split:up
 keybind = ctrl+down=goto_split:down
-keybind = ctrl+]=next_tab
+keybind = ctrl+]=goto_split:next
-keybind = ctrl+[=previous_tab
+keybind = ctrl+[=goto_split:previous
 
 # Keybindings - Navigation - Tabs
 keybind = ctrl+1=goto_tab:1

modules/home/user/default.nix

@@ -5,6 +5,7 @@ let
     mkIf
     mkDefault
     mkMerge
+    mkEnableOption
     ;
   inherit (lib.${namespace}) mkOpt;
 
@@ -20,7 +21,7 @@ let
 in
 {
   options.${namespace}.user = {
-    enable = mkOpt types.bool false "Whether to configure the user account.";
+    enable = mkEnableOption "Whether to configure the user account.";
     email = mkOpt types.str "evan@reichard.io" "The email of the user.";
     fullName = mkOpt types.str "Evan Reichard" "The full name of the user.";
     home = mkOpt (types.nullOr types.str) home-directory "The user's home directory.";

modules/nixos/hardware/opengl/default.nix

@@ -1,6 +1,6 @@
 { config, lib, pkgs, namespace, ... }:
 let
-  inherit (lib) mkIf mkForce;
+  inherit (lib) mkIf;
   inherit (lib.${namespace}) mkBoolOpt;
 
   cfg = config.${namespace}.hardware.opengl;

modules/nixos/services/avahi/default.nix

@@ -0,0 +1,27 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib) mkIf;
+
+  cfg = config.${namespace}.services.avahi;
+in
+{
+  options.${namespace}.services.avahi = {
+    enable = lib.mkEnableOption "Avahi";
+  };
+
+  config = mkIf cfg.enable {
+    services.avahi = {
+      enable = true;
+      nssmdns4 = true;
+      openFirewall = true;
+      publish = {
+        enable = true;
+        addresses = true;
+        domain = true;
+        hinfo = true;
+        userServices = true;
+        workstation = true;
+      };
+    };
+  };
+}

modules/nixos/services/openiscsi/default.nix

@@ -1,7 +1,7 @@
 { config, pkgs, lib, namespace, host, ... }:
 let
   inherit (lib) types mkIf;
-  inherit (lib.${namespace}) mkOpt;
+  inherit (lib.${namespace}) mkOpt mkBoolOpt;
 
   cfg = config.${namespace}.services.openiscsi;
 in
@@ -9,7 +9,7 @@ in
   options.${namespace}.services.openiscsi = {
     enable = lib.mkEnableOption "Open iSCSI support";
     name = mkOpt types.str "iqn.2025.reichard.io:${host}" "iSCSI name";
-    symlink = mkOpt types.bool false "Create a symlink to the iSCSI binaries";
+    symlink = mkBoolOpt false "Create a symlink to the iSCSI binaries";
   };
 
   config = mkIf cfg.enable {

modules/nixos/services/rke2/default.nix

@@ -1,7 +1,7 @@
 { config, lib, namespace, ... }:
 let
   inherit (lib) types mkIf;
-  inherit (lib.${namespace}) mkOpt;
+  inherit (lib.${namespace}) mkOpt mkBoolOpt;
 
   cfg = config.${namespace}.services.rke2;
 in
@@ -9,6 +9,7 @@ in
   options.${namespace}.services.rke2 = with types; {
     enable = lib.mkEnableOption "Enable RKE2";
     disable = mkOpt (listOf str) [ ] "Disable services";
+    openFirewall = mkBoolOpt true "Open firewall";
   };
 
   config = mkIf cfg.enable {
@@ -16,5 +17,23 @@ in
       enable = true;
       disable = cfg.disable;
     };
+
+    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [
+      # RKE2 Ports - https://docs.rke2.io/install/requirements#networking
+      6443 # Kubernetes API
+      9345 # RKE2 supervisor API
+      2379 # etcd Client Port
+      2380 # etcd Peer Port
+      2381 # etcd Metrics Port
+      10250 # kubelet metrics
+      9099 # Canal CNI health checks
+    ];
+
+    networking.firewall.allowedUDPPorts = mkIf cfg.openFirewall [
+      # RKE2 Ports - https://docs.rke2.io/install/requirements#networking
+      8472 # Canal CNI with VXLAN
+      # 51820 # Canal CNI with WireGuard IPv4 (if using encryption)
+      # 51821 # Canal CNI with WireGuard IPv6 (if using encryption)
+    ];
   };
 }

modules/nixos/system/networking/default.nix

@@ -1,14 +1,16 @@
 { config, lib, pkgs, namespace, ... }:
 let
-  inherit (lib) mkIf mkForce;
+  inherit (lib) mkIf mkDefault mkEnableOption;
-  inherit (lib.${namespace}) mkBoolOpt;
+  inherit (lib.${namespace}) mkBoolOpt enabled;
 
   cfg = config.${namespace}.system.networking;
 in
 {
   options.${namespace}.system.networking = {
-    enable = lib.mkEnableOption "networking support";
+    enable = mkEnableOption "Enable Networking";
-    enableIWD = mkBoolOpt false "enable iwd";
+    enableIWD = mkEnableOption "Enable IWD";
+    useDHCP = mkBoolOpt true "Use DHCP";
+    useNetworkd = mkBoolOpt false "Use networkd";
   };
 
   config = mkIf cfg.enable {
@@ -21,8 +23,9 @@ in
     reichard.user.extraGroups = [ "network" ];
 
     networking = {
-      firewall.enable = true;
+      firewall = enabled;
-      usePredictableInterfaceNames = mkForce true;
+      useDHCP = mkDefault cfg.useDHCP;
+      useNetworkd = cfg.useNetworkd;
     } // (lib.optionalAttrs cfg.enableIWD) {
       wireless.iwd = {
         enable = true;

systems/aarch64-linux/mbp-nixos/default.nix

@@ -31,6 +31,10 @@ in
       };
     };
 
+    services = {
+      avahi = enabled;
+    };
+
     security = {
       sops = {
         enable = true;

systems/x86_64-vmware/rke2-node/default.nix

@@ -8,6 +8,16 @@ in
   ];
 
   config = {
+    # Basic System
+    system.stateVersion = "24.11";
+    time.timeZone = "UTC";
+
+    fileSystems."/" = {
+      device = "/dev/disk/by-label/nixos";
+      fsType = "ext4";
+      autoResize = true;
+    };
+
     reichard = {
       nix = enabled;
 
@@ -16,9 +26,15 @@ in
           enable = true;
           xenGuest = true;
         };
+        networking = {
+          enable = true;
+          useDHCP = false;
+          useNetworkd = true;
+        };
       };
 
       services = {
+        avahi = enabled;
         openssh = enabled;
         cloud-init = enabled;
         rke2 = {
@@ -39,50 +55,6 @@ in
       };
     };
 
-    # Basic System
-    system.stateVersion = "24.11";
-    time.timeZone = "UTC";
-
-    fileSystems."/" = {
-      device = "/dev/disk/by-label/nixos";
-      fsType = "ext4";
-      autoResize = true;
-    };
-
-    # Network Configuration
-    networking = {
-      hostName = lib.mkForce "";
-      useNetworkd = true;
-      useDHCP = false;
-
-      firewall = {
-        enable = true;
-
-        allowedTCPPorts = [
-          # RKE2 Ports - https://docs.rke2.io/install/requirements#networking
-          6443 # Kubernetes API
-          9345 # RKE2 supervisor API
-          2379 # etcd Client Port
-          2380 # etcd Peer Port
-          2381 # etcd Metrics Port
-          10250 # kubelet metrics
-          9099 # Canal CNI health checks
-        ];
-
-        allowedUDPPorts = [
-          # RKE2 Ports - https://docs.rke2.io/install/requirements#networking
-          8472 # Canal CNI with VXLAN
-          # 51820 # Canal CNI with WireGuard IPv4 (if using encryption)
-          # 51821 # Canal CNI with WireGuard IPv6 (if using encryption)
-        ];
-
-        # Allow Multicast
-        extraCommands = ''
-          iptables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT
-        '';
-      };
-    };
-
     systemd.services = {
       # RKE2 - Wait Cloud Init
       rke2-server = {
@@ -112,7 +84,6 @@ in
       };
     };
 
-    # System Packages
     environment = {
       systemPackages = with pkgs; [
         htop