added stuff

nyx/modules/options/system/networking/default.nix

@@ -0,0 +1,36 @@
+{lib, ...}: let
+  inherit (lib) mkEnableOption mkOption types;
+in {
+  imports = [
+    ./nftables.nix
+    ./tailscale.nix
+  ];
+  options.modules.system.networking = {
+    nftables.enable = mkEnableOption "nftables firewall";
+    tarpit.enable = mkEnableOption "endlessh-go tarpit";
+    optimizeTcp = mkEnableOption "TCP optimizations";
+
+    wireless = {
+      allowImperative = mkEnableOption ''
+        imperative networking via wpa_cli.
+
+        Enabling this option will make it so that users in the wheel group will
+        be able to manage networking via wpa_cli.
+      '';
+
+      backend = mkOption {
+        type = types.enum ["iwd" "wpa_supplicant"];
+        default = "wpa_supplicant";
+        description = ''
+          Backend that will be used for wireless connections using either
+          `networking.wireless` or `networking.networkmanager.wifi.backend`
+
+          Defaults to wpa_supplicant until iwd is stable.
+        '';
+      };
+    };
+
+    # TODO: optionally use encrypted DNS
+    # encryptDns = mkOption {};
+  };
+}

nyx/modules/options/system/networking/nftables.nix

@@ -0,0 +1,82 @@
+{lib, ...}: let
+  inherit (lib) mkTable mkPrerouteChain mkForwardChain mkOutputChain mkInputChain mkPostrouteChain mkIngressChain;
+in {
+  options.networking.nftables.rules = {
+    # man nft(8)
+    netdev = mkTable "netdev address family netfilter table" {
+      filter.ingress = mkIngressChain "netdev";
+    };
+
+    bridge = mkTable "bridge address family netfilter table" {
+      filter = {
+        prerouting = mkPrerouteChain "bridge";
+        input = mkInputChain "bridge";
+        forward = mkForwardChain "bridge";
+        output = mkOutputChain "bridge";
+        postrouting = mkPostrouteChain "bridge";
+      };
+    };
+
+    inet = mkTable "internet (IPv4/IPv6) address family netfilter table" {
+      filter = {
+        prerouting = mkPrerouteChain "inet";
+        input = mkInputChain "inet";
+        forward = mkForwardChain "inet";
+        output = mkOutputChain "inet";
+        postrouting = mkPostrouteChain "inet";
+      };
+
+      nat = {
+        prerouting = mkPrerouteChain "inet";
+        input = mkInputChain "inet";
+        output = mkOutputChain "inet";
+        postrouting = mkPostrouteChain "inet";
+      };
+    };
+
+    arp = mkTable "ARP (IPv4) address family netfilter table" {
+      filter = {
+        input = mkInputChain "arp";
+        output = mkOutputChain "arp";
+      };
+    };
+
+    ip = mkTable "internet (IPv4) address family netfilter table" {
+      filter = {
+        prerouting = mkPrerouteChain "ip";
+        input = mkInputChain "ip";
+        forward = mkForwardChain "ip";
+        output = mkOutputChain "ip";
+        postrouting = mkPostrouteChain "ip";
+      };
+
+      nat = {
+        prerouting = mkPrerouteChain "ip";
+        input = mkInputChain "ip";
+        output = mkOutputChain "ip";
+        postrouting = mkPostrouteChain "ip";
+      };
+
+      route.output = mkForwardChain "ip";
+    };
+
+    ip6 = mkTable "internet (IPv6) address family netfilter table" {
+      filter = {
+        prerouting = mkPrerouteChain "ip6";
+        input = mkInputChain "ip6";
+        forward = mkForwardChain "ip6";
+        output = mkOutputChain "ip6";
+        postrouting = mkPostrouteChain "ip6";
+      };
+
+      nat = {
+        prerouting = mkPrerouteChain "ip6";
+        input = mkInputChain "ip6";
+        output = mkOutputChain "ip6";
+        postrouting = mkPostrouteChain "ip6";
+      };
+
+      route.output = mkForwardChain "ip6";
+    };
+  };
+}

nyx/modules/options/system/networking/tailscale.nix

@@ -0,0 +1,76 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkEnableOption mkOption types;
+
+  sys = config.modules.system;
+  cfg = sys.networking.tailscale;
+in {
+  options.modules.system.networking.tailscale = {
+    enable = mkEnableOption "Tailscale VPN";
+    autoLogin = mkEnableOption ''
+      systemd-service for bootstrapping a Tailscale connection automatically
+    '';
+
+    endpoint = mkOption {
+      type = types.str;
+      default = "https://hs.notashelf.dev";
+      description = ''
+        The URL of the Tailscale control server to use. In case you
+        would like to use a self-hosted Headscale server, such as
+        the default value, you may change this value accordingly.
+      '';
+    };
+
+    operator = mkOption {
+      type = types.str;
+      default = sys.mainUser;
+      description = ''
+        The name of the Tailscale operator to use. This is used to
+        avoid using sudo in command-line operations and if set, will
+        run the auto-authentication service as the specified user.
+      '';
+    };
+
+    flags = {
+      default = mkOption {
+        type = with types; listOf str;
+        default = ["--ssh"];
+        description = ''
+          A list of command-line flags that will be passed to the Tailscale
+          daemon automatically when it is started, using
+          {option}`config.services.tailscale.extraUpFlags`
+
+          If `isServer` is set to true, the server-specific values will be
+          appended to the list defined in this option.
+        '';
+      };
+    };
+
+    isClient = mkOption {
+      type = types.bool;
+      default = cfg.enable;
+      example = true;
+      description = ''
+        Whether the target host should utilize Tailscale client features";
+
+        This option is mutually exlusive with {option}`tailscale.isServer`
+        as they both configure Taiscale, but with different flags
+      '';
+    };
+
+    isServer = mkOption {
+      type = types.bool;
+      default = false;
+      example = true;
+      description = ''
+        Whether the target host should utilize Tailscale server features.
+
+        This option is mutually exlusive with {option}`tailscale.isClient`
+        as they both configure Taiscale, but with different flags
+      '';
+    };
+  };
+}