static networking configuration

.vscode/tasks.json

@@ -0,0 +1,78 @@
+{
+    "version": "2.0.0",
+    "tasks": [
+        {
+            "label": "Nix Flake Check",
+            "type": "shell",
+            "command": "nix",
+            "args": [
+                "flake",
+                "check"
+            ],
+            "group": {
+                "kind": "test",
+                "isDefault": true
+            },
+            "presentation": {
+                "echo": true,
+                "reveal": "always",
+                "focus": false,
+                "panel": "shared"
+            },
+            "problemMatcher": []
+        },
+        {
+            "label": "Build VM",
+            "type": "shell",
+            "command": "nixos-rebuild",
+            "args": [
+                "build-vm",
+                "--flake",
+                ".#matrix"
+            ],
+            "group": {
+                "kind": "build",
+                "isDefault": true
+            },
+            "presentation": {
+                "echo": true,
+                "reveal": "always",
+                "focus": false,
+                "panel": "shared"
+            },
+            "problemMatcher": []
+        },
+        {
+            "label": "Run VM",
+            "type": "shell",
+            "command": "./result/bin/run-matrix-vm",
+            "group": "test",
+            "dependsOn": "Build VM",
+            "presentation": {
+                "echo": true,
+                "reveal": "always",
+                "focus": false,
+                "panel": "shared"
+            },
+            "problemMatcher": []
+        },
+        {
+            "label": "Clean VM",
+            "type": "shell",
+            "command": "rm",
+            "args": [
+                "-f",
+                "./matrix.qcow2"
+            ],
+            "group": "test",
+            "dependsOn": "Build VM",
+            "presentation": {
+                "echo": true,
+                "reveal": "always",
+                "focus": false,
+                "panel": "shared"
+            },
+            "problemMatcher": []
+        }
+    ]
+}

nix/configuration.nix

@@ -2,10 +2,12 @@
 
 {
   imports = [
-    ./users/users.nix
-    ./modules/security.nix
     ./vps/hetzner/hardware-configuration.nix
+    ./modules/networking/networkingA.nix
+    ./modules/security.nix
+    ./users/users.nix
     ./modules/zsh.nix
+    ./modules/vm.nix
    ];
 
   # nix settings
@@ -33,8 +35,6 @@
   boot.initrd.kernelModules = [ "virtio_gpu" ];
   boot.kernelParams = [ "console=tty" ];  
 
-  networking.hostName = "matrix";
-
   # time zone
   time.timeZone = "Europe/Zurich";
 
@@ -60,43 +60,6 @@
   environment.systemPackages = with pkgs; [
   ];
 
-  virtualisation.vmVariant = {
-    # following configuration is added only when building VM with build-vm
-    virtualisation = {
-      memorySize = 4000;
-      cores = 2;
-      graphics = false;
-      diskSize = 5000; # 5GB, needed to prevent docker error running out of space
-
-      # Networking configuration
-      forwardPorts = [
-        { from = "host"; host.port = 2222; guest.port = 22; }
-      ];
-    };
-
-    # this is related to luks remote unlock via ssh
-    # Disable initrd secrets for VM builds to avoid secret error 
-    # Error is not present in real depolyments
-    boot.initrd.secrets = lib.mkForce {};
-
-    # Add VM-specific users
-    users.users.smith = {
-      isNormalUser = true;
-      description = "VM Test User";
-      extraGroups = [ "wheel" "networkmanager" ];
-      shell = pkgs.zsh;
-      initialPassword = "smith";
-      packages = with pkgs; [  ];
-    };
-
-    # VM-specific packages
-    environment.systemPackages = with pkgs; [
-    ];
-
-    # in order to build VM on x86_64 host
-    nixpkgs.hostPlatform = lib.mkForce "x86_64-linux";
-  };
-
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave

nix/modules/networking/networkingA.nix

@@ -0,0 +1,73 @@
+{ config, pkgs, inputs, ... }:
+# this file provides a static networking configuration
+# https://docs.hetzner.com/cloud/servers/static-configuration/
+let
+  # IPv4 configuration
+  ipv4Address = "188.245.32.95";  # Hetzner assigned static IP
+  ipv4Gateway = "172.31.1.1";     # hetzner gateway
+  ipv4Netmask = 32;               # CIDR notation
+  
+  # IPv6 configuration
+  ipv6Address = "2a01:4f8:1c1b:9b71::1";
+  ipv6Gateway = "fe80::1";    # link-local gateway
+  ipv6PrefixLength = 64;
+  
+  # DNS servers
+  # hetzner nameservers
+  nameservers = [ "185.12.64.1" "185.12.64.2" "2a01:4ff:ff00::add:1" "2a01:4ff:ff00::add:2" ];
+
+  # Network interface name
+  interface = "enp1s0";
+
+  hostname = "matrix";
+in
+{
+  networking.hostName = hostname;
+  
+  # Disable DHCP globally
+  networking.useDHCP = false;
+  
+  # Configure network interface
+  networking.interfaces.${interface} = {
+    ipv4.addresses = [{
+      address = ipv4Address;
+      prefixLength = ipv4Netmask;
+    }];
+
+    # Add point-to-point route to gateway
+    # specific requirement of Hetzner
+    ipv4.routes = [{
+      address = ipv4Gateway;
+      prefixLength = 32;
+    }];
+    
+    ipv6.addresses = [{
+      address = ipv6Address;
+      prefixLength = ipv6PrefixLength;
+    }];
+  };
+  
+  # Set default gateway
+  networking.defaultGateway = {
+    address = ipv4Gateway;
+    interface = interface;
+  };
+  
+  networking.defaultGateway6 = {
+    address = ipv6Gateway;
+    interface = interface;
+  };
+  
+  # DNS configuration
+  networking.nameservers = nameservers;
+  
+  # Enable IPv6
+  networking.enableIPv6 = true;
+  
+  # Optional: Disable IPv6 privacy extensions for static config
+  networking.tempAddresses = "disabled";
+
+  # this is needed for remote LUKS unlock via ssh
+  # here we do not actually need a static ip configuration, hetzner will handle this anyway
+  boot.kernelParams = [ "ip=dhcp" ];
+}

nix/modules/security.nix

@@ -39,7 +39,7 @@
   };
 
   # remote unlock for luks via ssh
-  boot.kernelParams = [ "ip=dhcp" ];
+  # https://nixos.wiki/wiki/Remote_disk_unlocking
   boot.initrd = {
     availableKernelModules = [ "virtio-pci" ];
     network = {
@@ -57,7 +57,8 @@
     };
   };
 
-  # Generate SSH host key for initrd
+  # Generate SSH host key for initrd (also LUKS remote unlock)
+  # we make sure it's the same ssh host key for both initrd and normal system
   system.activationScripts.initrd-ssh-key = {
     text = ''
       mkdir -p /etc/secrets/initrd

nix/modules/vm.nix

@@ -0,0 +1,41 @@
+{ config, pkgs, inputs, lib, ... }:
+# this configuration will only be loaded inside of VMs build for testing purposes
+# none of this will be applied to real deployments
+{
+  virtualisation.vmVariant = {
+    # following configuration is added only when building VM with build-vm
+    virtualisation = {
+      memorySize = 4000;
+      cores = 2;
+      graphics = false;
+      diskSize = 5000; # 5GB, needed to prevent docker error running out of space
+
+      # Networking configuration
+      forwardPorts = [
+        { from = "host"; host.port = 2222; guest.port = 22; }
+      ];
+    };
+
+    # this is related to luks remote unlock via ssh
+    # Disable initrd secrets for VM builds to avoid secret error 
+    # Error is not present in real depolyments
+    boot.initrd.secrets = lib.mkForce {};
+
+    # Add VM-specific users
+    users.users.smith = {
+      isNormalUser = true;
+      description = "VM Test User";
+      extraGroups = [ "wheel" "networkmanager" ];
+      shell = pkgs.zsh;
+      initialPassword = "smith";
+      packages = with pkgs; [  ];
+    };
+
+    # VM-specific packages
+    environment.systemPackages = with pkgs; [
+    ];
+
+    # in order to build VM on x86_64 host
+    nixpkgs.hostPlatform = lib.mkForce "x86_64-linux";
+  };
+}