diff --git a/hosts/hermit/configuration.nix b/hosts/hermit/configuration.nix
index 7a88c01..33748b6 100644
--- a/hosts/hermit/configuration.nix
+++ b/hosts/hermit/configuration.nix
@@ -15,6 +15,11 @@
 fstrim.enable = lib.mkDefault true;
 thermald.enable = true;
 printing.enable = true;
+ avahi = {
+ enable = true;
+ nssmdns4 = true;
+ openFirewall = true;
+ };
 };
 virtualisation.docker.enable = true;
diff --git a/modules/system/os/networking/dns.nix b/modules/system/os/networking/dns.nix
deleted file mode 100644
index c42be83..0000000
--- a/modules/system/os/networking/dns.nix
+++ /dev/null
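Review bot: `openFirewall = true;` on the new avahi block opens UDP 5353 (mDNS) in the host firewall on every interface, and nothing in the visible hunks re-adds the hardening from the `firewall.nix` module that this same commit deletes (`allowPing = false`, `logReversePathDrops = true`, `nftables.enable = true`), so hermit falls back to the NixOS firewall defaults unless another module sets them. The comment that described this block in module.nix was lost in the move; restore it above `avahi = {`, e.g. `# service discovery on a local network via mDNS/DNS-SD; openFirewall exposes UDP 5353 on all interfaces`. If the docker bridge interfaces should not receive mDNS, scope the port with `networking.firewall.interfaces.<name>.allowedUDPPorts` instead of `openFirewall`. The enclosing `services = { … }` attribute set starts before this hunk.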
@@ -1,55 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: let
- StateDirectory = "dnscrypt-proxy";
- inherit (lib.modules) mkForce;
-in {
- networking = {
- networkmanager.dns = mkForce "none";
- nameservers = [
- "127.0.0.1"
- "::1"
- ];
- };
-
- # See https://wiki.nixos.org/wiki/Encrypted_DNS
- services.dnscrypt-proxy2 = {
- enable = true;
- # See https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
- settings = {
- sources.public-resolvers = {
- urls = [
- "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
- "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
- ];
- minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; # See https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
- cache_file = "/var/lib/${StateDirectory}/public-resolvers.md";
- };
-
- # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
- ipv6_servers = true;
-
- # Server must support DNS security extensions (DNSSEC)
- require_dnssec = true;
-
- # Server must not log user queries (declarative)
- require_nolog = true;
-
- # Server must not enforce its own blocklist (for parental control, ads blocking...)
- require_nofilter = true;
-
- ## Enable *experimental* support for HTTP/3 (DoH3, HTTP over QUIC)
- ## Note that, like DNSCrypt but unlike other HTTP versions, this uses
- ## UDP and (usually) port 443 instead of TCP.
- http3 = false;
-
- ## Enable a DNS cache to reduce latency and outgoing traffic.
- cache = true;
- };
- };
-
- systemd.services.dnscrypt-proxy2.serviceConfig.StateDirectory = StateDirectory;
-}
diff --git a/modules/system/os/networking/firewall.nix b/modules/system/os/networking/firewall.nix
deleted file mode 100644
index d2c77d0..0000000
--- a/modules/system/os/networking/firewall.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: let
-in {
- networking = {
- # use nftables over iptables
- nftables.enable = true;
-
- firewall = {
- enable = true;
- allowPing = false;
- logReversePathDrops = true;
- };
- };
-}
diff --git a/modules/system/os/networking/module.nix b/modules/system/os/networking/module.nix
index 00f6b6f..e9f005c 100644
--- a/modules/system/os/networking/module.nix
+++ b/modules/system/os/networking/module.nix
@@ -3,55 +3,43 @@ in {
 imports = [
 ./networkmanager.nix
- ./dns.nix
- ./firewall.nix
 ];
 networking = {
 enableIPv6 = true;
- wireless = {
- # INFO: This disables wpa_supplicant,
- # I use iwd instead.
- enable = false;
-
- # use iwd over wpa_supplicant
- iwd = {
- enable = true;
- settings = {
- IPv6 = {
- Enabled = true;
- };
- Settings = {
- AutoConnect = true;
- };
- };
- };
- };
+ # INFO: This disables wpa_supplicant,
+ # I use nenetworkmanager instead.
+ wireless.enable = false;
 dhcpcd = {
 # faster boot times
 wait = "background";
- # do not edit resolv.conf
- extraConfig = ''
- nohook resolv.conf
- '';
+ extraConfig = "noarp";
 };
- };
- # service discovery on a local network via the mDNS/DNS-SD protocol suite
- services.avahi = {
+ nameservers = [
+ # I have choosen Mullvad DNS as my standard DNS provider,
+ # as Quad9 at some point stopped resolving my universitie's IP address.
+ # Furthermore, Mullvad has a pretty good reputation when it comes to privacy
+ "194.242.2.4"
+ "2a07:e340::4"
+ ];
+ };
+ services.resolved = {
 enable = true;
- nssmdns4 = true;
- openFirewall = true;
+ dnssec = "false";
+ dnsovertls = "opportunistic";
+ fallbackDns = [
+ "194.242.2.4"
+ "2a07:e340::4"
+ ];
 };
- users.users.${username}.extraGroups = ["networkmanager"];
- # faster boot
- systemd = {
- network = {
- enable = true;
- wait-online.enable = false;
- };
- };
+ # systemd = {
+ # network = {
+ # enable = true;
+ # wait-online.anyInterface = true;
+ # };
+ # };
 }
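Review bot: `dnssec = "false";` and `dnsovertls = "opportunistic";` in the new `services.resolved` block give weaker guarantees than the dnscrypt-proxy2 setup this hunk replaces (which had `require_dnssec = true` and an always-encrypted transport): opportunistic DoT does not authenticate the server and silently falls back to plaintext port 53 when TLS is unavailable, and DNSSEC validation is switched off entirely. If, as I understand, the chosen Mullvad resolvers support DNS-over-TLS, `dnsovertls = "true";` (strict mode; resolved can take an `address#hostname` form to name the expected certificate) together with `dnssec = "allow-downgrade";` or `"true"` preserves the intent of the deleted module, and if plaintext fallback is deliberate a comment next to these two lines saying so would stop the next reader from tightening it blindly. The same hunk drops `./firewall.nix` from `imports`, and the visible changes nowhere restore `nftables.enable`, `allowPing = false` or `logReversePathDrops`, so unless another module sets them the host is back on NixOS firewall defaults. Minor: the commented-out `systemd.network` block at the end is dead configuration, and the new comments carry the typos `nenetworkmanager` and `choosen`. The enclosing attribute set opened by `in {` starts before this hunk.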
diff --git a/modules/system/os/networking/networkmanager.nix b/modules/system/os/networking/networkmanager.nix
index 3e36fd9..c6e13b9 100644
--- a/modules/system/os/networking/networkmanager.nix
+++ b/modules/system/os/networking/networkmanager.nix
@@ -1,7 +1,16 @@
-_: {
+{lib, ...}: let
+ inherit (lib.modules) mkForce;
+in {
 networking.networkmanager = {
 enable = true;
+ # # Removes about 2GB of stuff we do no need.
+ # plugins = mkForce [];
+ dns = "systemd-resolved";
+ unmanaged = [
+ # DO NOT manage my docker containers, thank you.
+ "interface-name:docker*"
+ ];
 wifi = {
 # Generate a randomized value upon each connect
 macAddress = "random";
@@ -10,11 +19,8 @@ _: {
 powersave = true;
 # Backend is either wpa_supplicant or iwd,
- # I use iwd.
- backend = "iwd";
-
- # Whether to enable MAC address randomization of a Wi-Fi device during scanning.
- scanRandMacAddress = true;
+ # I use wpa_supplicant since it is simply more reliable.
+ backend = "wpa_supplicant";
 };
 };
 }
diff --git a/modules/wms/wayland/hyprland/decorations.nix b/modules/wms/wayland/hyprland/decorations.nix
index ebf53a8..2355693 100644
--- a/modules/wms/wayland/hyprland/decorations.nix
+++ b/modules/wms/wayland/hyprland/decorations.nix
@@ -6,7 +6,6 @@ _: {
 rounding_power = 3;
 blur = {
 enabled = true;
- xray = true;
 size = 3;
 passes = 2;
 };
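Review bot: `inherit (lib.modules) mkForce;` in the new `let` header is referenced only from the commented-out `plugins = mkForce [];` line, so the binding is dead code and the header change from `_:` to `{lib, ...}:` exists solely to support it. Either drop the binding until the plugins line is real, or make that line live; as written it is dead code with a live parameter. `dns = "systemd-resolved";` also couples this module to `services.resolved.enable = true` being set in module.nix; recording that with `# requires services.resolved.enable (set in module.nix)` above the line keeps the dependency visible if the modules are ever imported separately. The `networking.networkmanager` attribute set continues past the end of this hunk.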
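Review bot: Removing `scanRandMacAddress = true;` drops the only explicit statement that Wi-Fi MAC randomization during scanning is wanted; as far as I recall the NixOS option defaults to `true`, so behaviour is probably unchanged, but the intent is now implicit. Keeping the explicit line, or adding `# scan-time MAC randomization relies on the scanRandMacAddress default` next to the new `backend = "wpa_supplicant";` line, would make the expectation survive future edits. The `wifi` block and the enclosing set start outside this hunk.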