Add DoT, networkd

Signed-off-by: Ivan Bushchik <ivabus@ivabus.dev>
2024-11-22 16:35:06 +03:00 · 2023-08-23 10:36:32 +03:00 · 2023-08-23 10:36:32 +03:00 · f9d23bbb12
commit f9d23bbb12
parent 86b8eed465
11 changed files with 45 additions and 18 deletions
--- a/common/laptop.nix
+++ b/common/laptop.nix
@ -8,6 +8,7 @@ in {
  };
  config = lib.mkIf (cfg.enable) {
    networking.wireless.iwd.enable = true;
    environment.systemPackages = with pkgs; [
      lm_sensors
    ];
--- a/common/networking.nix
+++ b/common/networking.nix
@ -1,20 +1,27 @@
-{ pkgs, ... }:
+{ pkgs, lib, ... }:
 {
-  networking.wireless.iwd.enable = true;
+  networking.firewall.allowPing = true;
-  networking.wireless.iwd.settings = {
+  networking.useNetworkd = lib.mkDefault true;
-    General = {
+  systemd.network.wait-online.enable = lib.mkDefault false;
-      # Enable DHCP in IWD, TODO: don't do it
+
-      EnableNetworkConfiguration = true;
+  # Use systemd-resolved for DoT support.
-    };
+  services.resolved = {
    enable = true;
    dnssec = "false";
    extraConfig = ''
      DNSOverTLS=yes
    '';
  };
-  # TODO: setup DoH or DoT
+  # Used by systemd-resolved, not directly by resolv.conf.
-  networking.nameservers = [ "1.1.1.1" "1.0.0.1" "8.8.8.8" ];
+  networking.nameservers = [
    "8.8.8.8#dns.google"
    "1.0.0.1#cloudflare-dns.com"
  ];
  networking.enableIPv6 = true;
  services.resolved.enable = true;
  services.avahi = {
    enable = true;
    nssmdns = true;
--- a/common/security.nix
+++ b/common/security.nix
@ -18,7 +18,9 @@
  boot.kernel.sysctl = {
    "kernel.sysrq" = 0;
    "net.ipv4.icmp_ignore_bogus_error_responces" = 1;
    "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
    "net.ipv4.conf.default.rp_filter" = 1;
    "net.ipv4.conf.all.rp_filter" = 1;
    "net.ipv4.conf.all.accept_source_route" = 0;
@ -33,12 +35,18 @@
    "net.ipv4.conf.default.secure_redirects" = 0;
    "net.ipv6.conf.all.accept_redirects" = 0;
    "net.ipv6.conf.default.accept_redirects" = 0;
    "net.ipv4.ip_forward" = 1;
    "net.ipv6.conf.all.accept_ra" = 0;
    "net.ipv6.conf.default.accept_ra" = 0;
    "net.ipv4.tcp_syncookies" = 1;
    "net.ipv4.conf.default.log_martians" = 1;
    "net.ipv4.conf.all.log_martians" = 1;
    "net.ipv4.tcp_rfc1337" = 1;
    "net.ipv4.tcp_fastopen" = 3;
    "net.ipv4.tcp_congestion_control" = "bbr";
    "net.core.default_qdisc" = "cake";
  };
--- a/machines/celerrime/default.nix
+++ b/machines/celerrime/default.nix
@ -26,6 +26,9 @@ in {
    yggdrasil-client.enable = true;
  };
  networking.useDHCP = true;
  # Setup asahi-specific things. NOTE: you must copy firmware from ESP to /etc/nixos/asahi/firmware
  hardware.asahi.peripheralFirmwareDirectory = ../../asahi/firmware;
  hardware.asahi.addEdgeKernelConfig = true;
--- a/machines/celerrime/hardware.nix
+++ b/machines/celerrime/hardware.nix
@ -25,7 +25,6 @@
  swapDevices =
    [ { device = "/dev/disk/by-uuid/272341f1-b083-497e-b129-aef8732b5b50"; }
    ];
  networking.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
--- a/machines/example/default.nix
+++ b/machines/example/default.nix
@ -27,6 +27,8 @@ in {
    yggdrasil-client.enable = true;
  };
  networking.useDHCP = true;
  system.stateVersion = "23.05";
 }
--- a/machines/stella/default.nix
+++ b/machines/stella/default.nix
@ -33,6 +33,8 @@ in {
    cpuFreqGovernor = "ondemand";
  };
  networking.useDHCP = true;
  system.stateVersion = "23.05";
 }
--- a/machines/vetus/default.nix
+++ b/machines/vetus/default.nix
@ -25,6 +25,8 @@ in {
    yggdrasil-client.enable = true;
  };
  networking.useDHCP = true;
  services.xserver.videoDrivers=["amdgpu"];
  boot.initrd.kernelModules=["amdgpu"];
--- a/machines/vetus/hardware.nix
+++ b/machines/vetus/hardware.nix
@ -23,8 +23,6 @@
  swapDevices = [ ];
  networking.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
--- a/roles/gaming.nix
+++ b/roles/gaming.nix
@ -4,7 +4,7 @@ let
  cfg = config.my.roles.gaming;
 in {
  options.my.roles.gaming.enable = lib.mkEnableOption "Enable wine & steam";
-  config = lib.mkIf (cfg.enable) (lib.mkMerge {
+  config = lib.mkIf (cfg.enable) ( lib.mkMerge [{
    nixpkgs.config.allowUnfree = true;
    hardware.opengl.driSupport32Bit = true;
    services.pipewire.alsa.support32Bit = true;
@ -17,6 +17,11 @@ in {
      wineWowPackages.waylandFull
    ];
  }
-  # Enable steam only on x86_64 (since we have hosts with ARM, but I don't think I will enable my.roles.gaming on ARM system soon)
+  # Enable steam only on x86_64 (since I have hosts with ARM, but I don't think I will enable my.roles.gaming on ARM system soon)
-  (lib.mkIf(pkgs.stdenv.isx86_64) {programs.steam.enable = true;}))
+  (lib.mkIf(pkgs.stdenv.isx86_64) {
    programs.steam.enable = true; # Firewall ports used by Steam in-home streaming.
    networking.firewall.allowedTCPPorts = [ 27036 27037 ];
    networking.firewall.allowedUDPPorts = [ 27031 27036 ];
    })
  ]);
 }
--- a/roles/latex.nix
+++ b/roles/latex.nix
@ -5,7 +5,7 @@ let
 in {
  options.my.roles.latex.enable = lib.mkEnableOption "Enable latex stuff";
  config = lib.mkIf (cfg.enable){
-    environment.systemPackages = with pkgs;
+    environment.systemPackages = with pkgs; [
      # Maybe I don't need to use -full variant of texlive
      # I should find distribution I actually need
      texlive.combined.scheme-full