diff --git a/hosts/hermit/configuration.nix b/hosts/hermit/configuration.nix
index 33748b6..7a88c01 100644
--- a/hosts/hermit/configuration.nix
+++ b/hosts/hermit/configuration.nix
@@ -15,11 +15,6 @@ fstrim.enable = lib.mkDefault true; thermald.enable = true; printing.enable = true; - avahi = { - enable = true; - nssmdns4 = true; - openFirewall = true; - }; }; virtualisation.docker.enable = true;
diff --git a/modules/system/os/networking/dns.nix b/modules/system/os/networking/dns.nix
new file mode 100644
index 0000000..c42be83
--- /dev/null
+++ b/modules/system/os/networking/dns.nix
@@ -0,0 +1,55 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ StateDirectory = "dnscrypt-proxy";
+ inherit (lib.modules) mkForce;
+in {
+ networking = {
+ networkmanager.dns = mkForce "none";
+ nameservers = [
+ "127.0.0.1"
+ "::1"
+ ];
+ };
+
+ # See https://wiki.nixos.org/wiki/Encrypted_DNS
+ services.dnscrypt-proxy2 = {
+ enable = true;
+ # See https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
+ settings = {
+ sources.public-resolvers = {
+ urls = [
+ "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+ ];
+ minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; # See https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
+ cache_file = "/var/lib/${StateDirectory}/public-resolvers.md";
+ };
+
+ # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
+ ipv6_servers = true;
+
+ # Server must support DNS security extensions (DNSSEC)
+ require_dnssec = true;
+
+ # Server must not log user queries (declarative)
+ require_nolog = true;
+
+ # Server must not enforce its own blocklist (for parental control, ads blocking...)
+ require_nofilter = true;
+
+ ## Enable *experimental* support for HTTP/3 (DoH3, HTTP over QUIC)
+ ## Note that, like DNSCrypt but unlike other HTTP versions, this uses
+ ## UDP and (usually) port 443 instead of TCP.
+ http3 = false;
+
+ ## Enable a DNS cache to reduce latency and outgoing traffic.
+ cache = true;
+ };
+ };
+
+ systemd.services.dnscrypt-proxy2.serviceConfig.StateDirectory = StateDirectory;
+}
diff --git a/modules/system/os/networking/firewall.nix b/modules/system/os/networking/firewall.nix
new file mode 100644
index 0000000..d2c77d0
--- /dev/null
+++ b/modules/system/os/networking/firewall.nix
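Review bot: `nameservers` lists `::1` next to `127.0.0.1`, but the `settings` block never sets `listen_addresses`; if unset keys fall back to the upstream example config this file links to, the proxy listens on `127.0.0.1:53` only and lookups sent to `::1` get no answer until the resolver fails over. Adding `listen_addresses = ["127.0.0.1:53" "[::1]:53"];` under `settings` would make both nameserver entries work, or `::1` should be dropped from the list. As a point of style, `config` and `pkgs` are taken as module arguments but never used, and `mkForce` on `networkmanager.dns` only matters while some other module sets that option, so a short comment naming what it overrides would help the next reader.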
@@ -0,0 +1,18 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+in {
+ networking = {
+ # use nftables over iptables
+ nftables.enable = true;
+
+ firewall = {
+ enable = true;
+ allowPing = false;
+ logReversePathDrops = true;
+ };
+ };
+}
diff --git a/modules/system/os/networking/module.nix b/modules/system/os/networking/module.nix
index e9f005c..00f6b6f 100644
--- a/modules/system/os/networking/module.nix
+++ b/modules/system/os/networking/module.nix
@@ -3,43 +3,55 @@ in { imports = [ ./networkmanager.nix + ./dns.nix + ./firewall.nix ]; networking = { enableIPv6 = true; - # INFO: This disables wpa_supplicant, - # I use nenetworkmanager instead. - wireless.enable = false; + wireless = { + # INFO: This disables wpa_supplicant, + # I use iwd instead. + enable = false; + + # use iwd over wpa_supplicant + iwd = { + enable = true; + settings = { + IPv6 = { + Enabled = true; + }; + Settings = { + AutoConnect = true; + }; + }; + }; + }; dhcpcd = { # faster boot times wait = "background"; - extraConfig = "noarp"; + # do not edit resolv.conf + extraConfig = '' + nohook resolv.conf + ''; }; + }; - nameservers = [ - # I have choosen Mullvad DNS as my standard DNS provider, - # as Quad9 at some point stopped resolving my universitie's IP address. - # Furthermore, Mullvad has a pretty good reputation when it comes to privacy - "194.242.2.4" - "2a07:e340::4" - ]; - }; - services.resolved = { + # service discovery on a local network via the mDNS/DNS-SD protocol suite + services.avahi = { enable = true; - dnssec = "false"; - dnsovertls = "opportunistic"; - fallbackDns = [ - "194.242.2.4" - "2a07:e340::4" - ]; + nssmdns4 = true; + openFirewall = true; }; + users.users.${username}.extraGroups = ["networkmanager"]; - # systemd = { - # network = { - # enable = true; - # wait-online.anyInterface = true; - # }; - # }; + # faster boot + systemd = { + network = { + enable = true; + wait-online.enable = false; + }; + }; }
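Review bot: The module header `{ config, lib, pkgs, ... }: let in {` declares three arguments it never uses and an empty `let`; `_: {`, the form networkmanager.nix adopts in this same commit, says the same thing in one line. `logReversePathDrops = true` deserves a one-line comment on what the reader should expect in the journal, e.g. `# log packets the reverse-path filter drops (source address not routable via the ingress interface)`, since the option name alone does not say that these are spoof-style drops rather than ordinary firewall rejects.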
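Review bot: `systemd.network.enable = true` with `wait-online.enable = false` under `# faster boot` only disables systemd-networkd's wait-online, but nothing in this hunk gives networkd any links to manage while NetworkManager stays enabled; unless `.network` units are defined elsewhere, the unit that actually gates boot is NetworkManager's, so `systemd.services.NetworkManager-wait-online.enable = false;` is the line that delivers the intent and networkd need not be enabled at all. The dhcpcd `extraConfig` replaces `noarp` with `nohook resolv.conf` rather than adding to it, so the `# faster boot times` effect of `noarp` is silently lost; if that was not intended, both directives belong in the same multi-line string. Moving `services.avahi` with `openFirewall = true` into the shared module opens mDNS (UDP 5353) on every host that imports it rather than just hermit, so `openFirewall = lib.mkDefault true;` would let a host opt out without overriding the whole block. As far as I can tell the `wireless.iwd` block duplicates what the iwd backend chosen in networkmanager.nix already arranges, so one of the two files should be the single place that configures iwd, with a comment saying so.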
diff --git a/modules/system/os/networking/networkmanager.nix b/modules/system/os/networking/networkmanager.nix
index c6e13b9..3e36fd9 100644
--- a/modules/system/os/networking/networkmanager.nix
+++ b/modules/system/os/networking/networkmanager.nix
@@ -1,16 +1,7 @@ -{lib, ...}: let - inherit (lib.modules) mkForce; -in { +_: { networking.networkmanager = { enable = true; - # # Removes about 2GB of stuff we do no need. - # plugins = mkForce []; - dns = "systemd-resolved"; - unmanaged = [ - # DO NOT manage my docker containers, thank you. - "interface-name:docker*" - ]; wifi = { # Generate a randomized value upon each connect macAddress = "random";
@@ -19,8 +10,11 @@ in { powersave = true; # Backend is either wpa_supplicant or iwd, - # I use wpa_supplicant since it is simply more reliable. - backend = "wpa_supplicant"; + # I use iwd. + backend = "iwd"; + + # Whether to enable MAC address randomization of a Wi-Fi device during scanning. + scanRandMacAddress = true; }; }; }
diff --git a/modules/wms/wayland/hyprland/decorations.nix b/modules/wms/wayland/hyprland/decorations.nix
index 2355693..ebf53a8 100644
--- a/modules/wms/wayland/hyprland/decorations.nix
+++ b/modules/wms/wayland/hyprland/decorations.nix
@@ -6,6 +6,7 @@ _: { rounding_power = 3; blur = { enabled = true; + xray = true; size = 3; passes = 2; };
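Review bot: The `unmanaged = ["interface-name:docker*"]` rule is dropped with no replacement while hosts/hermit still sets `virtualisation.docker.enable = true` (first hunk of this diff); the removed comment suggests the rule was working around NetworkManager touching docker's bridge and veth interfaces, so unless that was verified to no longer matter, the rule should stay or a comment should record why it is now safe to remove. Dropping `dns = "systemd-resolved"` is consistent with dns.nix forcing `networkmanager.dns` to `"none"`, but that dependency is invisible from this file; a one-line `# DNS is configured in dns.nix` where the option used to be would keep the two files from drifting apart.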
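Review bot: `scanRandMacAddress = true` restates what I believe is the option's NixOS default, so the line documents intent rather than changing behavior; the comment above it should say so (`# NixOS default, kept explicit: randomize the MAC while scanning`) or the line should go. The rewritten comment `# Backend is either wpa_supplicant or iwd, # I use iwd.` also drops the reason the previous text gave for its choice; since the old wording chose wpa_supplicant for reliability, recording why iwd is now preferred would save the next reader from re-running that comparison.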