faukah/nichts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: faukah:fcc8a5a10276bdcee2543611974b3077a326c474
Branches Tags
faukah:main
faukah:website
..
compare: faukah:92bb3f929b75bc3205da5c5877e2b50d3131b790
Branches Tags
faukah:main
faukah:website

No commits in common. "fcc8a5a10276bdcee2543611974b3077a326c474" and "92bb3f929b75bc3205da5c5877e2b50d3131b790" have entirely different histories.
fcc8a5a102 ... 92bb3f929b

6 changed files with 42 additions and 117 deletions
Download patch file Download diff file Expand all files Collapse all files

5
hosts/hermit/configuration.nix
View file

@ -15,6 +15,11 @@
fstrim.enable = lib.mkDefault true; fstrim.enable = lib.mkDefault true;
thermald.enable = true; thermald.enable = true;
printing.enable = true; printing.enable = true;
avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
};
}; };
virtualisation.docker.enable = true; virtualisation.docker.enable = true;

55
modules/system/os/networking/dns.nix
View file

@ -1,55 +0,0 @@
{
config,
lib,
pkgs,
...
}: let
StateDirectory = "dnscrypt-proxy";
inherit (lib.modules) mkForce;
in {
networking = {
networkmanager.dns = mkForce "none";
nameservers = [
"127.0.0.1"
"::1"
];
};
# See https://wiki.nixos.org/wiki/Encrypted_DNS
services.dnscrypt-proxy2 = {
enable = true;
# See https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
settings = {
sources.public-resolvers = {
urls = [
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
];
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; # See https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
cache_file = "/var/lib/${StateDirectory}/public-resolvers.md";
};
# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
ipv6_servers = true;
# Server must support DNS security extensions (DNSSEC)
require_dnssec = true;
# Server must not log user queries (declarative)
require_nolog = true;
# Server must not enforce its own blocklist (for parental control, ads blocking...)
require_nofilter = true;
## Enable *experimental* support for HTTP/3 (DoH3, HTTP over QUIC)
## Note that, like DNSCrypt but unlike other HTTP versions, this uses
## UDP and (usually) port 443 instead of TCP.
http3 = false;
## Enable a DNS cache to reduce latency and outgoing traffic.
cache = true;
};
};
systemd.services.dnscrypt-proxy2.serviceConfig.StateDirectory = StateDirectory;
}

18
modules/system/os/networking/firewall.nix
View file

@ -1,18 +0,0 @@
{
config,
lib,
pkgs,
...
}: let
in {
networking = {
# use nftables over iptables
nftables.enable = true;
firewall = {
enable = true;
allowPing = false;
logReversePathDrops = true;
};
};
}

60
modules/system/os/networking/module.nix
View file

@ -3,55 +3,43 @@
in { in {
imports = [ imports = [
./networkmanager.nix ./networkmanager.nix
./dns.nix
./firewall.nix
]; ];
networking = { networking = {
enableIPv6 = true; enableIPv6 = true;
wireless = {
# INFO: This disables wpa_supplicant, # INFO: This disables wpa_supplicant,
# I use iwd instead. # I use nenetworkmanager instead.
enable = false; wireless.enable = false;
# use iwd over wpa_supplicant
iwd = {
enable = true;
settings = {
IPv6 = {
Enabled = true;
};
Settings = {
AutoConnect = true;
};
};
};
};
dhcpcd = { dhcpcd = {
# faster boot times # faster boot times
wait = "background"; wait = "background";
# do not edit resolv.conf extraConfig = "noarp";
extraConfig = ''
nohook resolv.conf
'';
};
}; };
# service discovery on a local network via the mDNS/DNS-SD protocol suite nameservers = [
services.avahi = { # I have choosen Mullvad DNS as my standard DNS provider,
# as Quad9 at some point stopped resolving my universitie's IP address.
# Furthermore, Mullvad has a pretty good reputation when it comes to privacy
"194.242.2.4"
"2a07:e340::4"
];
};
services.resolved = {
enable = true; enable = true;
nssmdns4 = true; dnssec = "false";
openFirewall = true; dnsovertls = "opportunistic";
fallbackDns = [
"194.242.2.4"
"2a07:e340::4"
];
}; };
users.users.${username}.extraGroups = ["networkmanager"]; users.users.${username}.extraGroups = ["networkmanager"];
# faster boot # systemd = {
systemd = { # network = {
network = { # enable = true;
enable = true; # wait-online.anyInterface = true;
wait-online.enable = false; # };
}; # };
};
} }

18
modules/system/os/networking/networkmanager.nix
View file

@ -1,7 +1,16 @@
_: { {lib, ...}: let
inherit (lib.modules) mkForce;
in {
networking.networkmanager = { networking.networkmanager = {
enable = true; enable = true;
# # Removes about 2GB of stuff we do no need.
# plugins = mkForce [];
dns = "systemd-resolved";
unmanaged = [
# DO NOT manage my docker containers, thank you.
"interface-name:docker*"
];
wifi = { wifi = {
# Generate a randomized value upon each connect # Generate a randomized value upon each connect
macAddress = "random"; macAddress = "random";
@ -10,11 +19,8 @@ _: {
powersave = true; powersave = true;
# Backend is either wpa_supplicant or iwd, # Backend is either wpa_supplicant or iwd,
# I use iwd. # I use wpa_supplicant since it is simply more reliable.
backend = "iwd"; backend = "wpa_supplicant";
# Whether to enable MAC address randomization of a Wi-Fi device during scanning.
scanRandMacAddress = true;
}; };
}; };
} }

1
modules/wms/wayland/hyprland/decorations.nix
View file

@ -6,7 +6,6 @@ _: {
rounding_power = 3; rounding_power = 3;
blur = { blur = {
enabled = true; enabled = true;
xray = true;
size = 3; size = 3;
passes = 2; passes = 2;
}; };