authorazahi <azat@bahawi.net>2024-10-28 02:41:15 +0300
committerazahi <azat@bahawi.net>2024-10-28 02:41:15 +0300
commitdfa3b61db0e5c4ab5d35af1bf06af1fb27ba659a (patch)
tree11641ba75d50b63b14086305196e26a8f5f5e700
parent2024-10-26 (diff)
2024-10-28
Diffstat (limited to '')
-rw-r--r--flake.lock85
-rw-r--r--flake.nix2
-rw-r--r--modules/common/networking.nix12
-rw-r--r--modules/common/nix.nix10
-rw-r--r--modules/wireguard.nix4
5 files changed, 80 insertions, 33 deletions
diff --git a/flake.lock b/flake.lock
index 800a638..8e8b256 100644
--- a/flake.lock
+++ b/flake.lock
@@ -230,11 +230,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1729712798,
-        "narHash": "sha256-a+Aakkb+amHw4biOZ0iMo8xYl37uUL48YEXIC5PYJ/8=",
+        "lastModified": 1730045523,
+        "narHash": "sha256-W5Avk1THhZALXITHGazKfZbIZ5+Bc4nSYvAYHUn96EU=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "09a776702b004fdf9c41a024e1299d575ee18a7d",
+        "rev": "89e458a3bb3693e769bfb2b2447c3fe72092d498",
         "type": "github"
       },
       "original": {
@@ -281,6 +281,24 @@
         "type": "github"
       }
     },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1727826117,
+        "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
     "flake-utils": {
       "inputs": {
         "systems": "systems_2"
@@ -426,11 +444,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1729716953,
-        "narHash": "sha256-FbRKGRRd0amsk/WS/UV9ukJ8jT1dZ2pJBISxkX+uq6A=",
+        "lastModified": 1730016908,
+        "narHash": "sha256-bFCxJco7d8IgmjfNExNz9knP8wvwbXU4s/d53KOK6U0=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "a4353cc43d1b4dd6bdeacea90eb92a8b7b78a9d7",
+        "rev": "e83414058edd339148dc142a8437edb9450574c8",
         "type": "github"
       },
       "original": {
@@ -524,11 +542,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1729734363,
-        "narHash": "sha256-qSAmcOBaCadTe9VkoNHUmgzJoYy42RE9tSgbGIDQ34M=",
+        "lastModified": 1729993975,
+        "narHash": "sha256-Z5DQ48PdCo3IyfKbngL62Q/HuA/fsn22bMyPbTQGSKQ=",
         "owner": "Infinidoge",
         "repo": "nix-minecraft",
-        "rev": "f3795fcc37f37ae8c488e70e2cf8a85e43043722",
+        "rev": "4753ea1f1285e944839cb2ab0b4373eb4e00c12a",
         "type": "github"
       },
       "original": {
@@ -544,11 +562,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1729394935,
-        "narHash": "sha256-2ntUG+NJKdfhlrh/tF+jOU0fOesO7lm5ZZVSYitsvH8=",
+        "lastModified": 1729999765,
+        "narHash": "sha256-LYsavZXitFjjyETZoij8usXjTa7fa9AIF3Sk3MJSX+Y=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "04f8a11f247ba00263b060fbcdc95484fd046104",
+        "rev": "0e3a8778c2ee218eff8de6aacf3d2fa6c33b2d4f",
         "type": "github"
       },
       "original": {
@@ -601,11 +619,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1729755165,
-        "narHash": "sha256-6IpnOHWsaSSjT3yvqlrWfHW6HVCT+wOAlUpcooGJ+FQ=",
+        "lastModified": 1729980323,
+        "narHash": "sha256-eWPRZAlhf446bKSmzw6x7RWEE4IuZgAp8NW3eXZwRAY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "cabaf14d3e69c9921d7acedf5d7d60bb2b90be02",
+        "rev": "86e78d3d2084ff87688da662cf78c2af085d8e73",
         "type": "github"
       },
       "original": {
@@ -646,13 +664,25 @@
         "type": "github"
       }
     },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1727825735,
+        "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+      }
+    },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1729808856,
-        "narHash": "sha256-es7qdVSyBe52caRzOD4JMc0JVQVeNIHmSZ6hhIK2uGs=",
+        "lastModified": 1730047773,
+        "narHash": "sha256-oNzx2k7lmdRO9WAY176pTo76kN1PtT02QyTz1N/tpWE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "bc1400c95a65022d7e1ccb39c495c50b521a0ef1",
+        "rev": "2ba15d4f55c092002f792a8e7af585bbf3277e63",
         "type": "github"
       },
       "original": {
@@ -664,11 +694,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1729805696,
-        "narHash": "sha256-FArm/EIAbykrhtWxWKT1QXIg+dD44joehXZWdY12WKc=",
+        "lastModified": 1730039714,
+        "narHash": "sha256-T/UCiOaxNBvqeQMOkQq89Ni7W0XTvDxCe+7TFpQ2QE0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "50286248f2d7283682bdd47ba14af33a9233b88b",
+        "rev": "5e34aff468a6cfd6c2b02cbb4a8d2d8643feaade",
         "type": "github"
       },
       "original": {
@@ -719,6 +749,7 @@
         "disko": "disko",
         "dns": "dns",
         "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
         "flake-utils": "flake-utils",
         "git-hooks": "git-hooks",
         "home-manager": "home-manager",
@@ -784,11 +815,11 @@
         "tinted-tmux": "tinted-tmux"
       },
       "locked": {
-        "lastModified": 1729380793,
-        "narHash": "sha256-TV6NYBUqTHI9t5fqNu4Qyr4BZUD2yGxAn3E+d5/mqaI=",
+        "lastModified": 1729963473,
+        "narHash": "sha256-uGjTjvvlGQfQ0yypVP+at0NizI2nrb6kz4wGAqzRGbY=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "fb9399b7e2c855f42dae76a363bab28d4f24aa8d",
+        "rev": "04afcfc0684d9bbb24bb1dc77afda7c1843ec93b",
         "type": "github"
       },
       "original": {
@@ -919,11 +950,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1729734515,
-        "narHash": "sha256-KGE6Exd1NAhTo806QUqK3oCk40L7spjfEpHnrNNkFD4=",
+        "lastModified": 1729994042,
+        "narHash": "sha256-raAG3cW29BRYmu3Pxej65QgnNi88bGUqlqMkuaJRF8s=",
         "owner": "nix-community",
         "repo": "nix-vscode-extensions",
-        "rev": "087ec37265ff1c8641086ee2a51450963494cdeb",
+        "rev": "88bf73817636e232513bff1f3a071b3ae2bcfd14",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index ec432c3..c621f04 100644
--- a/flake.nix
+++ b/flake.nix
@@ -10,6 +10,8 @@
     nixpkgs-master.url = "github:NixOS/nixpkgs/master";
     nixpkgs-stable.url = "github:NixOS/nixpkgs/release-24.05";
 
+    flake-parts.url = "github:hercules-ci/flake-parts";
+
     # TODO Upstream this?
     nixpkgs-amneziawg.url = "github:azahi/nixpkgs/amneziawg";
 
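Review bot: The new `flake-parts` input is added without tying its `nixpkgs-lib` input to this flake's nixpkgs, so flake.lock gains a separately pinned nixpkgs tarball (the new `nixpkgs-lib` node). Adding `flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";` next to the URL would leave one fewer upstream source to audit and keep updated. Several other nodes in the lock appear to use `follows` already, so this would also match the existing convention.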
diff --git a/modules/common/networking.nix b/modules/common/networking.nix
index b0dd282..f681deb 100644
--- a/modules/common/networking.nix
+++ b/modules/common/networking.nix
@@ -32,9 +32,18 @@ in
           "::1" = mkForce [ ];
         };
 
+        # There's no way[1] to configure DNS server priority in
+        # systemd-resolved. The only solution for dealing with a broken VPN
+        # connection is to delete /etc/systemd/resolved.conf and restart the
+        # systemd-resolved service. Otherwise I'll just end up with a random
+        # server from the list most of the time because systemd-resolved
+        # "conveniently" will manage server priority for me...
+        #
+        # [1]: https://askubuntu.com/questions/1116732/how-do-i-list-dns-server-order-in-systemd-resolve
+        # [2]: https://github.com/systemd/systemd/issues/6076
         nameservers = with my.configurations.manwe.wireguard; [
-          ipv4.address
           ipv6.address
+          ipv4.address
         ];
 
         useDHCP = false;
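Review bot: The added comment lists a `[2]` reference (the systemd issue) that the text never cites, and it does not explain why `ipv6.address` now comes first when the same comment says systemd-resolved ignores list order. Either cite the second link, e.g. `# There's no way[1][2] to configure DNS server priority in`, or drop it. If the reordering is only cosmetic, say so in one line such as `# Order below is not honoured by resolved; IPv6 is listed first by convention only.` The recovery step of deleting /etc/systemd/resolved.conf is manual, so the comment should also state that no automation is expected to perform it.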
@@ -111,6 +120,7 @@ in
     services.resolved = {
       llmnr = "false";
       dnsovertls = "opportunistic";
+      dnssec = "allow-downgrade";
       fallbackDns = dns.mkDoT dns.const.quad9.ecs;
     };
 
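Review bot: `dnssec = "allow-downgrade"` next to `dnsovertls = "opportunistic"` makes both validation and transport encryption best-effort, because resolved falls back to unvalidated plaintext lookups whenever an upstream appears not to support them, and an on-path party can cause that appearance. That is a reasonable compatibility choice, but it should be recorded next to the setting, e.g. `# Best-effort only: does not stop an active downgrade; switch to "true" once every upstream supports DNSSEC and DoT.` The fallback list is built with `dns.mkDoT` for Quad9, so presumably that path could already run strict; this is worth confirming against the primary nameservers.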
diff --git a/modules/common/nix.nix b/modules/common/nix.nix
index 0ab2888..58d572f 100644
--- a/modules/common/nix.nix
+++ b/modules/common/nix.nix
@@ -72,14 +72,16 @@ in
 
           keep-going = true;
 
-          trusted-users = [
-            "root"
-            my.username
-          ];
+          trusted-users = [ my.username ];
 
           substituters = [
+            "https://cache.garnix.io"
             "https://cache.tvl.su"
             "https://nix-community.cachix.org"
+            "https://numtide.cachix.org"
+          ];
+          trusted-substituters = [
+            "https://cache.tvl.su"
           ];
           trusted-public-keys = [
             "cache.tvl.su:kjc6KOMupXc1vHVufJUoDUYeLzbwSr9abcAKdn/U1Jk="
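Review bot: Keeping `my.username` in `trusted-users` makes the new `trusted-substituters` list ineffective for that account, because a trusted user can already name any substituter and relax signature checks; the Nix manual treats this as equivalent to root on the daemon. If the goal is to restrict which caches may be used, remove the user from `trusted-users` and rely on `trusted-substituters` alone. Separately, the hunk adds `https://cache.garnix.io` and `https://numtide.cachix.org` to `substituters`, but only the cache.tvl.su key is visible in `trusted-public-keys`. That list continues outside the hunk, so confirm that a matching key is present for each new cache; without one, their paths will be rejected.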
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index f60ea92..3589e12 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -17,6 +17,8 @@ let
     ''
       ${resolvectl} dns ${cfg.interface} ${cfg.server.ipv6.address} ${cfg.server.ipv4.address}
       ${resolvectl} domain ${cfg.interface} ${my.domain.shire}
+      ${resolvectl} dnssec ${cfg.interface} no
+      ${resolvectl} dnsovertls ${cfg.interface} no
     '';
 in
 {
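Review bot: The two added `resolvectl` lines turn off DNSSEC validation and DNS-over-TLS for the WireGuard link without saying why, and per-link settings take precedence over the global `services.resolved` values for every name resolved through the tunnel. Presumably the resolver on the WireGuard server offers neither and the tunnel is relied on for confidentiality. A comment above the script string, or a shell comment inside it, should record that, e.g. `# Resolver behind the tunnel has no DoT/DNSSEC; WireGuard protects transport, answers are not validated locally.` The `let` binding that holds this string starts outside the hunk.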
@@ -147,7 +149,7 @@ in
               "${ipv4.address}/16"
               "${ipv6.address}/16"
             ];
-            extraInterfaceConfig = mkIf this.isHeadful ''
+            extraInterfaceConfig = ''
               jc = 228
               jmin = 42
               jmax = 420
