From f9d23bbb12afc3d0b44508143fb690be74427543 Mon Sep 17 00:00:00 2001 From: Ivan Bushchik Date: Wed, 23 Aug 2023 10:36:32 +0300 Subject: [PATCH] Add DoT, networkd Signed-off-by: Ivan Bushchik --- common/laptop.nix | 1 + common/networking.nix | 27 +++++++++++++++++---------- common/security.nix | 10 +++++++++- machines/celerrime/default.nix | 3 +++ machines/celerrime/hardware.nix | 1 - machines/example/default.nix | 2 ++ machines/stella/default.nix | 2 ++ machines/vetus/default.nix | 2 ++ machines/vetus/hardware.nix | 2 -- roles/gaming.nix | 11 ++++++++--- roles/latex.nix | 2 +- 11 files changed, 45 insertions(+), 18 deletions(-) diff --git a/common/laptop.nix b/common/laptop.nix index 2772bfe..bc68a54 100644 --- a/common/laptop.nix +++ b/common/laptop.nix @@ -8,6 +8,7 @@ in { }; config = lib.mkIf (cfg.enable) { + networking.wireless.iwd.enable = true; environment.systemPackages = with pkgs; [ lm_sensors ]; diff --git a/common/networking.nix b/common/networking.nix index 0b50979..cc30506 100644 --- a/common/networking.nix +++ b/common/networking.nix @@ -1,20 +1,27 @@ -{ pkgs, ... }: +{ pkgs, lib, ... }: { - networking.wireless.iwd.enable = true; - networking.wireless.iwd.settings = { - General = { - # Enable DHCP in IWD, TODO: don't do it - EnableNetworkConfiguration = true; - }; + networking.firewall.allowPing = true; + networking.useNetworkd = lib.mkDefault true; + systemd.network.wait-online.enable = lib.mkDefault false; + + # Use systemd-resolved for DoT support. + services.resolved = { + enable = true; + dnssec = "false"; + extraConfig = '' + DNSOverTLS=yes + ''; }; - # TODO: setup DoH or DoT - networking.nameservers = [ "1.1.1.1" "1.0.0.1" "8.8.8.8" ]; + # Used by systemd-resolved, not directly by resolv.conf. + networking.nameservers = [ + "8.8.8.8#dns.google" + "1.0.0.1#cloudflare-dns.com" + ]; networking.enableIPv6 = true; - services.resolved.enable = true; services.avahi = { enable = true; nssmdns = true; 
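Review bot: `dnssec = "false"` in the new services.resolved block turns off record validation in the same hunk that moves name resolution onto DNS-over-TLS; DoT authenticates the transport to the named resolver (the `#dns.google` / `#cloudflare-dns.com` suffixes give resolved the hostname to check the certificate against) but does not verify the answers themselves. If the value was chosen to avoid breakage on networks with broken DNSSEC, `dnssec = "allow-downgrade";` keeps validation where the upstream supports it; either way a one-line comment next to the setting stating why validation is off would help the next reader. The `# Used by systemd-resolved, not directly by resolv.conf.` comment could also say that the `#hostname` suffix is what enables certificate validation for DoT, since that is the security-relevant part of each entry.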
diff --git a/common/security.nix b/common/security.nix index 0badcf3..9f9bfe2 100644 --- a/common/security.nix +++ b/common/security.nix @@ -18,7 +18,9 @@ boot.kernel.sysctl = { "kernel.sysrq" = 0; + "net.ipv4.icmp_ignore_bogus_error_responces" = 1; + "net.ipv4.icmp_echo_ignore_broadcasts" = 1; "net.ipv4.conf.default.rp_filter" = 1; "net.ipv4.conf.all.rp_filter" = 1; "net.ipv4.conf.all.accept_source_route" = 0; @@ -33,12 +35,18 @@ "net.ipv4.conf.default.secure_redirects" = 0; "net.ipv6.conf.all.accept_redirects" = 0; "net.ipv6.conf.default.accept_redirects" = 0; + "net.ipv4.ip_forward" = 1; + + "net.ipv6.conf.all.accept_ra" = 0; + "net.ipv6.conf.default.accept_ra" = 0; "net.ipv4.tcp_syncookies" = 1; + "net.ipv4.conf.default.log_martians" = 1; + "net.ipv4.conf.all.log_martians" = 1; "net.ipv4.tcp_rfc1337" = 1; - "net.ipv4.tcp_fastopen" = 3; "net.ipv4.tcp_congestion_control" = "bbr"; + "net.core.default_qdisc" = "cake"; }; diff --git a/machines/celerrime/default.nix b/machines/celerrime/default.nix index 5339dbe..93de47a 100644 --- a/machines/celerrime/default.nix +++ b/machines/celerrime/default.nix @@ -26,6 +26,9 @@ in { yggdrasil-client.enable = true; }; + networking.useDHCP = true; + + # Setup asahi-specific things. NOTE: you must copy firmware from ESP to /etc/nixos/asahi/firmware hardware.asahi.peripheralFirmwareDirectory = ../../asahi/firmware; hardware.asahi.addEdgeKernelConfig = true; diff --git a/machines/celerrime/hardware.nix b/machines/celerrime/hardware.nix index 6e63761..131225e 100644 --- a/machines/celerrime/hardware.nix +++ b/machines/celerrime/hardware.nix @@ -25,7 +25,6 @@ swapDevices = [ { device = "/dev/disk/by-uuid/272341f1-b083-497e-b129-aef8732b5b50"; } ]; - networking.useDHCP = lib.mkDefault true; nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; diff --git a/machines/example/default.nix b/machines/example/default.nix index 32f83e5..0d93d33 100644 
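Review bot: The new key `"net.ipv4.icmp_ignore_bogus_error_responces" = 1;` in boot.kernel.sysctl misspells the sysctl; the kernel knob is `net.ipv4.icmp_ignore_bogus_error_responses`, so this entry is rejected when the sysctl file is applied and the intended setting never takes effect (the other keys still load, so the failure is easy to miss). Change the line to `"net.ipv4.icmp_ignore_bogus_error_responses" = 1;`. The boot.kernel.sysctl attribute set starts before this hunk.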
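Review bot: `"net.ipv4.ip_forward" = 1;` sits in the hardening sysctl set and therefore enables packet forwarding on every host that imports common/security.nix, which works against what the surrounding keys (rp_filter, accept_redirects = 0, log_martians) are tightening; on a laptop or workstation forwarding is normally left off. If a specific service on some hosts needs it (the diff does not show which), set it in that host's or role's configuration instead, or at least add a comment such as `# Forwarding is required for <service>, see <role>` so it is not read as a hardening setting. `"net.ipv4.tcp_fastopen"` is dropped in the same hunk without explanation; a short comment on why would help if that was deliberate.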
--- a/machines/example/default.nix +++ b/machines/example/default.nix @@ -27,6 +27,8 @@ in { yggdrasil-client.enable = true; }; + networking.useDHCP = true; + system.stateVersion = "23.05"; } diff --git a/machines/stella/default.nix b/machines/stella/default.nix index df6591a..1e6c57e 100644 --- a/machines/stella/default.nix +++ b/machines/stella/default.nix @@ -33,6 +33,8 @@ in { cpuFreqGovernor = "ondemand"; }; + networking.useDHCP = true; + system.stateVersion = "23.05"; } diff --git a/machines/vetus/default.nix b/machines/vetus/default.nix index 94b4b48..9e08074 100644 --- a/machines/vetus/default.nix +++ b/machines/vetus/default.nix @@ -25,6 +25,8 @@ in { yggdrasil-client.enable = true; }; + networking.useDHCP = true; + services.xserver.videoDrivers=["amdgpu"]; boot.initrd.kernelModules=["amdgpu"]; diff --git a/machines/vetus/hardware.nix b/machines/vetus/hardware.nix index f42033d..2b77266 100644 --- a/machines/vetus/hardware.nix +++ b/machines/vetus/hardware.nix @@ -23,8 +23,6 @@ swapDevices = [ ]; - networking.useDHCP = lib.mkDefault true; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; diff --git a/roles/gaming.nix b/roles/gaming.nix index b92fb21..509f9ec 100644 --- a/roles/gaming.nix +++ b/roles/gaming.nix @@ -4,7 +4,7 @@ let cfg = config.my.roles.gaming; in { options.my.roles.gaming.enable = lib.mkEnableOption "Enable wine & steam"; - config = lib.mkIf (cfg.enable) (lib.mkMerge { + config = lib.mkIf (cfg.enable) ( lib.mkMerge [{ nixpkgs.config.allowUnfree = true; hardware.opengl.driSupport32Bit = true; services.pipewire.alsa.support32Bit = true; 
@@ -17,6 +17,11 @@ in { wineWowPackages.waylandFull ]; } - # Enable steam only on x86_64 (since we have hosts with ARM, but I don't think I will enable my.roles.gaming on ARM system soon) - (lib.mkIf(pkgs.stdenv.isx86_64) {programs.steam.enable = true;})) + # Enable steam only on x86_64 (since I have hosts with ARM, but I don't think I will enable my.roles.gaming on ARM system soon) + (lib.mkIf(pkgs.stdenv.isx86_64) { + programs.steam.enable = true; # Firewall ports used by Steam in-home streaming. + networking.firewall.allowedTCPPorts = [ 27036 27037 ]; + networking.firewall.allowedUDPPorts = [ 27031 27036 ]; + }) + ]); } \ No newline at end of file diff --git a/roles/latex.nix b/roles/latex.nix index 58d639e..a12840d 100644 --- a/roles/latex.nix +++ b/roles/latex.nix @@ -5,7 +5,7 @@ let in { options.my.roles.latex.enable = lib.mkEnableOption "Enable latex stuff"; config = lib.mkIf (cfg.enable){ - environment.systemPackages = with pkgs; + environment.systemPackages = with pkgs; [ # Maybe I don't need to use -full variant of texlive # I should find distribution I actually need texlive.combined.scheme-full
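Review bot: The trailing comment on `programs.steam.enable = true; # Firewall ports used by Steam in-home streaming.` describes the two lines below it rather than the line it is on, so it should move to its own line above `networking.firewall.allowedTCPPorts`. The ports listed (TCP 27036/27037, UDP 27031/27036) are the Steam Remote Play set, and the NixOS steam module exposes that as `programs.steam.remotePlay.openFirewall = true;`, which keeps the port list in sync with the module instead of hand-maintaining it — worth using if the nixpkgs revision pinned here has that option. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`); adding one avoids noise in later diffs.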