hosts/hermit/configuration.nix

@@ -15,6 +15,11 @@
     fstrim.enable = lib.mkDefault true;
     thermald.enable = true;
     printing.enable = true;
+    avahi = {
+      enable = true;
+      nssmdns4 = true;
+      openFirewall = true;
+    };
   };
   virtualisation.docker.enable = true;
 

modules/system/os/networking/dns.nix

@@ -1,55 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: let
-  StateDirectory = "dnscrypt-proxy";
-  inherit (lib.modules) mkForce;
-in {
-  networking = {
-    networkmanager.dns = mkForce "none";
-    nameservers = [
-      "127.0.0.1"
-      "::1"
-    ];
-  };
-
-  # See https://wiki.nixos.org/wiki/Encrypted_DNS
-  services.dnscrypt-proxy2 = {
-    enable = true;
-    # See https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
-    settings = {
-      sources.public-resolvers = {
-        urls = [
-          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
-          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
-        ];
-        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; # See https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
-        cache_file = "/var/lib/${StateDirectory}/public-resolvers.md";
-      };
-
-      # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
-      ipv6_servers = true;
-
-      # Server must support DNS security extensions (DNSSEC)
-      require_dnssec = true;
-
-      # Server must not log user queries (declarative)
-      require_nolog = true;
-
-      # Server must not enforce its own blocklist (for parental control, ads blocking...)
-      require_nofilter = true;
-
-      ## Enable *experimental* support for HTTP/3 (DoH3, HTTP over QUIC)
-      ## Note that, like DNSCrypt but unlike other HTTP versions, this uses
-      ## UDP and (usually) port 443 instead of TCP.
-      http3 = false;
-
-      ## Enable a DNS cache to reduce latency and outgoing traffic.
-      cache = true;
-    };
-  };
-
-  systemd.services.dnscrypt-proxy2.serviceConfig.StateDirectory = StateDirectory;
-}

modules/system/os/networking/firewall.nix

@@ -1,18 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: let
-in {
-  networking = {
-    # use nftables over iptables
-    nftables.enable = true;
-
-    firewall = {
-      enable = true;
-      allowPing = false;
-      logReversePathDrops = true;
-    };
-  };
-}

modules/system/os/networking/module.nix

@@ -3,55 +3,43 @@
 in {
   imports = [
     ./networkmanager.nix
-    ./dns.nix
-    ./firewall.nix
   ];
   networking = {
     enableIPv6 = true;
 
-    wireless = {
-      # INFO: This disables wpa_supplicant,
-      # I use iwd instead.
-      enable = false;
-
-      # use iwd over wpa_supplicant
-      iwd = {
-        enable = true;
-        settings = {
-          IPv6 = {
-            Enabled = true;
-          };
-          Settings = {
-            AutoConnect = true;
-          };
-        };
-      };
-    };
+    # INFO: This disables wpa_supplicant,
+    # I use nenetworkmanager instead.
+    wireless.enable = false;
 
     dhcpcd = {
       # faster boot times
       wait = "background";
-      # do not edit resolv.conf
-      extraConfig = ''
-        nohook resolv.conf
-      '';
+      extraConfig = "noarp";
     };
-  };
 
-  # service discovery on a local network via the mDNS/DNS-SD protocol suite
-  services.avahi = {
+    nameservers = [
+      # I have choosen Mullvad DNS as my standard DNS provider,
+      # as Quad9 at some point stopped resolving my universitie's IP address.
+      # Furthermore, Mullvad has a pretty good reputation when it comes to privacy
+      "194.242.2.4"
+      "2a07:e340::4"
+    ];
+  };
+  services.resolved = {
     enable = true;
-    nssmdns4 = true;
-    openFirewall = true;
+    dnssec = "false";
+    dnsovertls = "opportunistic";
+    fallbackDns = [
+      "194.242.2.4"
+      "2a07:e340::4"
+    ];
   };
-
   users.users.${username}.extraGroups = ["networkmanager"];
 
-  # faster boot
-  systemd = {
-    network = {
-      enable = true;
-      wait-online.enable = false;
-    };
-  };
+  # systemd = {
+  #   network = {
+  #     enable = true;
+  #     wait-online.anyInterface = true;
+  #   };
+  # };
 }

modules/system/os/networking/networkmanager.nix

@@ -1,7 +1,16 @@
-_: {
+{lib, ...}: let
+  inherit (lib.modules) mkForce;
+in {
   networking.networkmanager = {
     enable = true;
+    # # Removes about 2GB of stuff we do no need.
+    # plugins = mkForce [];
 
+    dns = "systemd-resolved";
+    unmanaged = [
+      # DO NOT manage my docker containers, thank you.
+      "interface-name:docker*"
+    ];
     wifi = {
       # Generate a randomized value upon each connect
       macAddress = "random";
@@ -10,11 +19,8 @@ _: {
       powersave = true;
 
       # Backend is either wpa_supplicant or iwd,
-      # I use iwd.
-      backend = "iwd";
-
-      # Whether to enable MAC address randomization of a Wi-Fi device during scanning.
-      scanRandMacAddress = true;
+      # I use wpa_supplicant since it is simply more reliable.
+      backend = "wpa_supplicant";
     };
   };
 }

modules/wms/wayland/hyprland/decorations.nix

@@ -6,7 +6,6 @@ _: {
       rounding_power = 3;
       blur = {
         enabled = true;
-        xray = true;
         size = 3;
         passes = 2;
       };