feat: schizo networking

2025-05-08 19:51:32 +02:00 · 2025-05-08 19:51:32 +02:00 · c5898e58d0
commit c5898e58d0
parent 92bb3f929b
5 changed files with 116 additions and 42 deletions
--- a/hosts/hermit/configuration.nix
+++ b/hosts/hermit/configuration.nix
@ -15,11 +15,6 @@
    fstrim.enable = lib.mkDefault true;
    thermald.enable = true;
    printing.enable = true;
-    avahi = {
-      enable = true;
-      nssmdns4 = true;
-      openFirewall = true;
-    };
  };
  virtualisation.docker.enable = true;

--- a/modules/system/os/networking/dns.nix
+++ b/modules/system/os/networking/dns.nix
@ -0,0 +1,55 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  StateDirectory = "dnscrypt-proxy";
+  inherit (lib.modules) mkForce;
+in {
+  networking = {
+    networkmanager.dns = mkForce "none";
+    nameservers = [
+      "127.0.0.1"
+      "::1"
+    ];
+  };
+
+  # See https://wiki.nixos.org/wiki/Encrypted_DNS
+  services.dnscrypt-proxy2 = {
+    enable = true;
+    # See https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
+    settings = {
+      sources.public-resolvers = {
+        urls = [
+          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+        ];
+        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; # See https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
+        cache_file = "/var/lib/${StateDirectory}/public-resolvers.md";
+      };
+
+      # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
+      ipv6_servers = true;
+
+      # Server must support DNS security extensions (DNSSEC)
+      require_dnssec = true;
+
+      # Server must not log user queries (declarative)
+      require_nolog = true;
+
+      # Server must not enforce its own blocklist (for parental control, ads blocking...)
+      require_nofilter = true;
+
+      ## Enable *experimental* support for HTTP/3 (DoH3, HTTP over QUIC)
+      ## Note that, like DNSCrypt but unlike other HTTP versions, this uses
+      ## UDP and (usually) port 443 instead of TCP.
+      http3 = false;
+
+      ## Enable a DNS cache to reduce latency and outgoing traffic.
+      cache = true;
+    };
+  };
+
+  systemd.services.dnscrypt-proxy2.serviceConfig.StateDirectory = StateDirectory;
+}
--- a/modules/system/os/networking/firewall.nix
+++ b/modules/system/os/networking/firewall.nix
@ -0,0 +1,18 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+in {
+  networking = {
+    # use nftables over iptables
+    nftables.enable = true;
+
+    firewall = {
+      enable = true;
+      allowPing = false;
+      logReversePathDrops = true;
+    };
+  };
+}
--- a/modules/system/os/networking/module.nix
+++ b/modules/system/os/networking/module.nix
@ -3,43 +3,55 @@
 in {
  imports = [
    ./networkmanager.nix
+    ./dns.nix
+    ./firewall.nix
  ];
  networking = {
    enableIPv6 = true;

+    wireless = {
      # INFO: This disables wpa_supplicant,
-    # I use nenetworkmanager instead.
-    wireless.enable = false;
+      # I use iwd instead.
+      enable = false;
+
+      # use iwd over wpa_supplicant
+      iwd = {
+        enable = true;
+        settings = {
+          IPv6 = {
+            Enabled = true;
+          };
+          Settings = {
+            AutoConnect = true;
+          };
+        };
+      };
+    };

    dhcpcd = {
      # faster boot times
      wait = "background";
-      extraConfig = "noarp";
+      # do not edit resolv.conf
+      extraConfig = ''
+        nohook resolv.conf
+      '';
+    };
  };

-    nameservers = [
-      # I have choosen Mullvad DNS as my standard DNS provider,
-      # as Quad9 at some point stopped resolving my universitie's IP address.
-      # Furthermore, Mullvad has a pretty good reputation when it comes to privacy
-      "194.242.2.4"
-      "2a07:e340::4"
-    ];
-  };
-  services.resolved = {
+  # service discovery on a local network via the mDNS/DNS-SD protocol suite
+  services.avahi = {
    enable = true;
-    dnssec = "false";
-    dnsovertls = "opportunistic";
-    fallbackDns = [
-      "194.242.2.4"
-      "2a07:e340::4"
-    ];
+    nssmdns4 = true;
+    openFirewall = true;
  };
+
  users.users.${username}.extraGroups = ["networkmanager"];

-  # systemd = {
-  #   network = {
-  #     enable = true;
-  #     wait-online.anyInterface = true;
-  #   };
-  # };
+  # faster boot
+  systemd = {
+    network = {
+      enable = true;
+      wait-online.enable = false;
+    };
+  };
 }
--- a/modules/system/os/networking/networkmanager.nix
+++ b/modules/system/os/networking/networkmanager.nix
@ -1,16 +1,7 @@
-{lib, ...}: let
-  inherit (lib.modules) mkForce;
-in {
+_: {
  networking.networkmanager = {
    enable = true;
-    # # Removes about 2GB of stuff we do no need.
-    # plugins = mkForce [];

-    dns = "systemd-resolved";
-    unmanaged = [
-      # DO NOT manage my docker containers, thank you.
-      "interface-name:docker*"
-    ];
    wifi = {
      # Generate a randomized value upon each connect
      macAddress = "random";
@ -19,8 +10,11 @@ in {
      powersave = true;

      # Backend is either wpa_supplicant or iwd,
-      # I use wpa_supplicant since it is simply more reliable.
-      backend = "wpa_supplicant";
+      # I use iwd.
+      backend = "iwd";
+
+      # Whether to enable MAC address randomization of a Wi-Fi device during scanning.
+      scanRandMacAddress = true;
    };
  };
 }