From 25580ded3bbb9ff805e036fb32b62d2205570315 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Sun, 1 Feb 2026 14:23:27 +0100
Subject: [PATCH] feat: nb change networking and add projects
---
hosts/nb/configuration.nix | 31 +------------
hosts/nb/modules/networking.nix | 63 ++++++++++++++++++++++++++
hosts/nb/users/configs/project_history | 3 ++
hosts/nb/users/dominik.nix | 2 +
4 files changed, 69 insertions(+), 30 deletions(-)
create mode 100644 hosts/nb/modules/networking.nix
diff --git a/hosts/nb/configuration.nix b/hosts/nb/configuration.nix
index 8b20710..57ba254 100644
--- a/hosts/nb/configuration.nix
+++ b/hosts/nb/configuration.nix
@@ -40,6 +40,7 @@ in {
 # ./modules/steam.nix
 ./modules/fingerprint.nix
 ./modules/set-nix-channel.nix
+ ./modules/networking.nix
 ./hardware-configuration.nix
 ];
@@ -249,36 +250,6 @@ in {
 };
 };
- networking.wireguard.interfaces = {
- wg0 = {
- ips = [ "10.42.98.201/32" ];
- # publicKey: YdlRGsjh4hS3OMJI+t6SZ2eGXKbs0wZBXWudHW4NyS8=
- privateKeyFile = config.sops.secrets.wg-cloonar-key.path;
-
- peers = [
- {
- publicKey = "TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q=";
- allowedIPs = [
- "10.42.96.0/20"
- # wohnservice-wien
- "10.254.240.0/24"
- "10.254.235.0/24"
- # epicenter.works
- "10.14.0.0/16"
- "10.25.0.0/16"
- "188.34.191.144/32" # web-arm
- "91.107.201.241" # mail
- ];
- endpoint = "vpn.cloonar.com:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
- persistentKeepalive = 25;
- }
- ];
- postSetup = ''
- printf "nameserver 10.42.97.1\nsearch cloonar.com" | ${pkgs.openresolv}/bin/resolvconf -a wg0 -m 0 -x
- '';
- };
- };
-
 # pgp
 services.pcscd.enable = true;
 programs.gnupg.agent = {
diff --git a/hosts/nb/modules/networking.nix b/hosts/nb/modules/networking.nix
new file mode 100644
index 0000000..0bf1995
--- /dev/null
+++ b/hosts/nb/modules/networking.nix
@@ -0,0 +1,63 @@
+{ config, lib, pkgs, ... }:
+
+{
+ # Enable systemd-resolved with split DNS for ddev.site
+ services.resolved = {
+ enable = true;
+ dnssec = "false";
+ extraConfig = ''
+ DNS=127.0.0.1:5353
+ Domains=~ddev.site
+ '';
+ };
+
+ # Integrate NetworkManager with systemd-resolved
+ networking.networkmanager.dns = "systemd-resolved";
+
+ # Local dnsmasq for .ddev.site resolution only (port 5353)
+ services.dnsmasq = {
+ enable = true;
+ settings = {
+ port = 5353;
+ listen-address = "127.0.0.1";
+ bind-interfaces = true;
+ no-resolv = true;
+ address = "/.ddev.site/127.0.0.1";
+ };
+ };
+
+ # WireGuard VPN configuration
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = [ "10.42.98.201/32" ];
+ # publicKey: YdlRGsjh4hS3OMJI+t6SZ2eGXKbs0wZBXWudHW4NyS8=
+ privateKeyFile = config.sops.secrets.wg-cloonar-key.path;
+
+ peers = [
+ {
+ publicKey = "TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q=";
+ allowedIPs = [
+ "10.42.96.0/20"
+ # wohnservice-wien
+ "10.254.240.0/24"
+ "10.254.235.0/24"
+ # epicenter.works
+ "10.14.0.0/16"
+ "10.25.0.0/16"
+ "188.34.191.144/32" # web-arm
+ "91.107.201.241" # mail
+ ];
+ endpoint = "vpn.cloonar.com:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
+ persistentKeepalive = 25;
+ }
+ ];
+
+ # Use resolvectl for systemd-resolved integration
+ # Note: No postDown needed - systemd-resolved automatically handles interface removal
+ postSetup = ''
+ ${pkgs.systemd}/bin/resolvectl dns wg0 10.42.97.1
+ ${pkgs.systemd}/bin/resolvectl domain wg0 cloonar.com
+ '';
+ };
+ };
+}
diff --git a/hosts/nb/users/configs/project_history b/hosts/nb/users/configs/project_history
index b38e27f..ec0ad0b 100644
--- a/hosts/nb/users/configs/project_history
+++ b/hosts/nb/users/configs/project_history
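Review bot: `dnssec = "false"` in the `services.resolved` block switches DNSSEC validation off for every query on the host, not only for the synthesized `.ddev.site` answers the local dnsmasq returns; `dnssec = "allow-downgrade";` keeps validation for upstream resolvers that support it and only downgrades per server (such as this unsigned stub). `DNS=127.0.0.1:5353` in `extraConfig` is a global resolver entry, so on a link that supplies no DNS of its own, queries outside `ddev.site` may also be sent to the stub, which with `no-resolv` and no upstream cannot answer them — presumably the NetworkManager link always provides a resolver, but that is worth confirming. Port 5353 is also the mDNS port; if avahi or resolved's own MulticastDNS is active on this machine, binding 127.0.0.1:5353 with `bind-interfaces` may collide with it, and a port outside that range (5354, as a constructed example) avoids the overlap. A comment on the dnssec line such as `# allow-downgrade: validate where upstreams support it; the .ddev.site stub is unsigned` would record the trade-off for the next reader.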
@@ -1,3 +1,6 @@
+/home/dominik/projects/infrastructure/actions
+/home/dominik/projects/infrastructure/forgejo-mcp
+
 /home/dominik/projects/cloonar/chatgpt.vim
 /home/dominik/projects/cloonar/ai.nvim
 /home/dominik/projects/cloonar/gitea.nvim
diff --git a/hosts/nb/users/dominik.nix b/hosts/nb/users/dominik.nix
index b9fc281..34c0b2d 100644
--- a/hosts/nb/users/dominik.nix
+++ b/hosts/nb/users/dominik.nix
@@ -620,6 +620,8 @@ in
 git clone gitea@git.cloonar.com:ScanA11y/sa-core.git ${persistHome}/projects/scana11y/sa-core 2>/dev/null
 git clone gitea@git.cloonar.com:Cloonar/ai-image-alt.git ${persistHome}/projects/cloonar/ai-image-alt 2>/dev/null
 git clone gitea@git.cloonar.com:Cloonar/bookmap.git ${persistHome}/projects/cloonar/bookmap 2>/dev/null
+ git clone gitea@git.cloonar.com:infrastructure/actions.git ${persistHome}/projects/infrastructure/actions 2>/dev/null
+ git clone ssh://git@codeberg.org/razormind/forgejo-mcp.git ${persistHome}/projects/infrastructure/forgejo-mcp 2>/dev/null
 git clone gitea@git.cloonar.com:dominik.polakovics/typo3-basic.git ${persistHome}/cloonar/typo3-basic 2>/dev/null
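Review bot: The third added line of the `project_history` hunk is empty, so the list now carries a blank entry between `forgejo-mcp` and the existing `cloonar` paths. If the consumer of this file reads it line by line, that blank line presumably becomes an empty project path; the two other added lines are complete paths, and nothing else in the file uses blank lines as separators. Either drop the empty `+` line or confirm that the reader skips blank lines.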