config cleanups

modules/nixos/network/default.nix

@@ -20,7 +20,7 @@ let
             autoconnect = profile.autoconnect;
             autoconnect-retries = profile.autoconnect-retries;
             autoconnect-priority = profile.priority;
-            interface-name = cfg.ipv4.interface;
+            interface-name = profile.interface or cfg.ipv4.interface;
           };
           ipv4 = {
             method = cfg.ipv4.method;
@@ -30,7 +30,7 @@ let
               { }
             else
               {
-                address = "${cfg.ipv4.address}\\24";
+                address = cfg.ipv4.address;
                 gateway = cfg.ipv4.gateway;
                 dns = cfg.ipv4.dns;
               }
@@ -42,6 +42,7 @@ let
           wifi = mkIf (profile.type == "wifi") {
             mode = "infrastructure";
             ssid = profile.ssid;
+            roaming = "allowed";
           };
           wifi-security = mkIf (profile.type == "wifi") {
             key-mgmt = profile.keyMgmt;
@@ -128,13 +129,18 @@ in
         trustedInterfaces = cfg.firewall.trustedInterfaces;
 
         # Default port ranges for KDE Connect
-        allowedTCPPortRanges = [
+        allowedTCPPortRanges = lib.mkIf cfg.firewall.kdeConnect.enable [
           {
-            from = 1714;
+            from = cfg.firewall.kdeConnect.tcpRange.from;
-            to = 1764;
+            to = cfg.firewall.kdeConnect.tcpRange.to;
+          }
+        ];
+        allowedUDPPortRanges = lib.mkIf cfg.firewall.kdeConnect.enable [
+          {
+            from = cfg.firewall.kdeConnect.udpRange.from;
+            to = cfg.firewall.kdeConnect.udpRange.to;
           }
         ];
-        allowedUDPPortRanges = config.networking.firewall.allowedTCPPortRanges;
 
         # Extra firewall commands
         extraCommands = lib.mkIf (cfg.extraFirewallCommands != "") cfg.extraFirewallCommands;
@@ -155,7 +161,7 @@ in
         # Use iwd as the WiFi backend when iwd is also enabled
         wifi.backend = mkIf cfg.iwd.enable "iwd";
         wifi.powersave = cfg.networkmanager.powersave;
-        settings.connectivity.uri = mkDefault "http://nmcheck.gnome.org/check_network_status.txt";
+        settings.connectivity.uri = "http://nmcheck.gnome.org/check_network_status.txt";
         plugins = with pkgs; [
           networkmanager-fortisslvpn
           networkmanager-iodine

modules/nixos/network/options.nix

@@ -46,6 +46,36 @@ in
       allowedUDPPorts = mkOpt (types.listOf types.port) [ ] "List of allowed UDP ports.";
 
       trustedInterfaces = mkOpt (types.listOf types.str) [ ] "List of trusted interfaces.";
+
+      kdeConnect = {
+        enable = mkBoolOpt true "Whether to configure firewall ports for KDE Connect.";
+        tcpRange =
+          mkOpt
+            (types.submodule {
+              options = {
+                from = mkOpt types.port 1714 "Start of TCP port range.";
+                to = mkOpt types.port 1764 "End of TCP port range.";
+              };
+            })
+            {
+              from = 1714;
+              to = 1764;
+            }
+            "KDE Connect TCP port range.";
+        udpRange =
+          mkOpt
+            (types.submodule {
+              options = {
+                from = mkOpt types.port 1714 "Start of UDP port range.";
+                to = mkOpt types.port 1764 "End of UDP port range.";
+              };
+            })
+            {
+              from = 1714;
+              to = 1764;
+            }
+            "KDE Connect UDP port range.";
+      };
     };
 
     networkmanager = {
@@ -62,6 +92,10 @@ in
 
                 type = mkOpt types.str "wifi" "type of the network.(wifi/ethernet)";
 
+                interface =
+                  mkOpt types.str "wlan0"
+                    "Interface for this profile (defaults to global ipv4.interface).";
+
                 autoconnect = mkBoolOpt true "autoconnect to this connection";
 
                 autoconnect-retries =
@@ -72,7 +106,9 @@ in
                   mkOpt types.int 0
                     "connection priority in range -999 to 999. The higher number means higher priority.";
 
-                psk = mkOpt types.str "$PSK" "PSK environment variable for the WiFi password.";
+                psk =
+                  mkOpt types.str "$PSK"
+                    "PSK for WiFi connection (set to \$PSK to use SOPS secret 'wifi/PSK').";
 
                 keyMgmt = mkOpt types.str "sae" "Key management type (e.g., sae, wpa-psk).";
               };
@@ -80,10 +116,19 @@ in
           ))
           {
             "Joey's Jungle 6G" = {
-              priority = -900;
+              ssid = "Joey's Jungle 6G";
+              psk = "$PSK";
+              priority = 100;
             };
             "Joey's Jungle 5G" = {
-              priority = -999;
+              ssid = "Joey's Jungle 5G";
+              psk = "$PSK";
+              priority = 50;
+            };
+            "Joey's Jungle 2.5G" = {
+              ssid = "Joey's Jungle 2.5G";
+              psk = "$PSK";
+              priority = 10;
             };
           }
           "network profiles.";
@@ -92,7 +137,7 @@ in
     hostId = mkOpt types.str "" "Host ID for ZFS and other services.";
 
     iwd = {
-      enable = mkBoolOpt false "Whether to enable iwd for wireless networking.";
+      enable = mkBoolOpt true "Whether to enable iwd for wireless networking.";
 
       settings = mkOpt types.attrs { } "Settings for iwd.";
     };

systems/aarch64-linux/macbook-pro-nixos/default.nix

@@ -78,13 +78,16 @@
     };
     network = {
       hostName = "macbook-pro-nixos";
-      iwd.enable = true;
+      ipv4 = {
-      networkmanager.enable = true;
+        method = "auto";
-      extraFirewallCommands = ''
+        interface = "wlan0";
-        iptables -I INPUT -m pkttype --pkt-type multicast -j ACCEPT
+      };
-        iptables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT
+      firewall = {
-        iptables -I INPUT -p udp -m udp --match multiport --dports 1990,2021 -j ACCEPT
+        allowedUDPPorts = [
-      '';
+          1990
+          2021
+        ];
+      };
     };
     services = {
       nebula = {
@@ -113,6 +116,8 @@
     # - CONFIG_ANDROID_BINDERFS is not enabled
   };
 
+  systemd.services.virt-secret-init-encryption.enable = false;
+
   # List packages installed in system profile. To search, run:
   # $ nix search wget
   environment.systemPackages =

systems/aarch64-linux/pi5/default.nix

@@ -133,11 +133,10 @@
         allowedTCPPorts = [ 53 ];
         allowedUDPPorts = [ 53 ];
       };
-      networkmanager = {
+      networkmanager.profiles = {
-        profiles = {
+        "static-end0" = {
-          "static-end0" = {
+          type = "ethernet";
-            type = "ethernet";
+          interface = "end0";
-          };
         };
       };
     };

systems/x86_64-install-iso/graphical/default.nix

@@ -24,6 +24,10 @@
 
     network = {
       hostName = "nixos";
+      ipv4 = {
+        method = "auto";
+        interface = "wlan0";
+      };
       firewall = {
         enable = true;
         allowPing = true;

systems/x86_64-linux/allyx/default.nix

@@ -65,8 +65,10 @@
 
     network = {
       hostName = "allyx";
-      iwd.enable = true;
+      ipv4 = {
-      networkmanager.enable = true;
+        method = "auto";
+        interface = "wlan0";
+      };
     };
 
     services = {

systems/x86_64-linux/jallen-nas/default.nix

@@ -127,6 +127,7 @@ in
         address = "10.0.1.3";
         method = "manual";
         gateway = "10.0.1.1";
+        dns = "1.1.1.1";
         interface = "enp197s0";
       };
       hostId = "4b501480";

systems/x86_64-linux/matt-nixos/default.nix

@@ -75,8 +75,10 @@
 
     network = {
       hostName = "matt-nixos";
-      iwd.enable = true;
+      ipv4 = {
-      networkmanager.enable = true;
+        method = "auto";
+        interface = "wlan0";
+      };
     };
 
     services = {