diff options
author | azahi <azat@bahawi.net> | 2024-12-17 02:04:27 +0300 |
---|---|---|
committer | azahi <azat@bahawi.net> | 2024-12-17 02:04:27 +0300 |
commit | 1ae038a0a86348074b422ea87c03836b0962af67 (patch) | |
tree | ae56c73c01b4777e3e24a22c2d67943706997cf0 /modules/common/networking.nix | |
parent | 2024-12-02 (diff) |
Diffstat (limited to 'modules/common/networking.nix')
-rw-r--r-- | modules/common/networking.nix | 132 |
1 files changed, 78 insertions, 54 deletions
diff --git a/modules/common/networking.nix b/modules/common/networking.nix index 468bd8b..2e9c218 100644 --- a/modules/common/networking.nix +++ b/modules/common/networking.nix @@ -7,9 +7,12 @@ }: let cfg = config.nixfiles.modules.common.networking; + + interface = "eth0"; # This assumes `usePredictableInterfaceNames` is false. in { - options.nixfiles.modules.common.networking.onlyDefault = lib.mkEnableOption "custom networking settings"; + options.nixfiles.modules.common.networking.onlyDefault = + lib.mkEnableOption "custom networking settings"; config = lib.mkIf (!cfg.onlyDefault) { ark.directories = @@ -31,20 +34,6 @@ in "::1" = lib.mkForce [ ]; }; - # There's no way[1] to configure DNS server priority in - # systemd-resolved. The only solution for dealing with a broken VPN - # connection is to delete /etc/systemd/resolved.conf and restart the - # systemd-resolved service. Otherwise I'll just end up with a random - # server from the list most of the time because systemd-resolved - # "conveniently" will manage server priority for me... - # - # [1]: https://askubuntu.com/questions/1116732/how-do-i-list-dns-server-order-in-systemd-resolve - # [2]: https://github.com/systemd/systemd/issues/6076 - nameservers = with lib.my.configurations.manwe.wireguard; [ - ipv6.address - ipv4.address - ]; - useDHCP = false; nftables.enable = true; @@ -62,45 +51,46 @@ in logRefusedUnicastsOnly = false; logReversePathDrops = false; }; + + usePredictableInterfaceNames = false; } - ( - let - interface = "eth0"; # This assumes `usePredictableInterfaceNames` is false. - in - lib.mkIf (lib.hasAttr "ipv4" this && lib.hasAttr "ipv6" this) { - usePredictableInterfaceNames = false; # NOTE This can break something! - interfaces.${interface} = { - ipv4.addresses = - with this.ipv4; - lib.optional (lib.isString address && lib.isInt prefixLength) { - inherit address prefixLength; - }; - - ipv6.addresses = - with this.ipv6; - lib.optional (lib.isString address && lib.isInt prefixLength) { - inherit address prefixLength; - }; + (lib.mkIf (lib.hasAttr "ipv4" this) { + interfaces.${interface}.ipv4.addresses = + with this.ipv4; + lib.optional (lib.isString address && lib.isInt prefixLength) { + inherit address prefixLength; + }; + defaultGateway = + with this.ipv4; + lib.mkIf (lib.isString gatewayAddress) { + inherit interface; + address = gatewayAddress; }; - defaultGateway = - with this.ipv4; - lib.mkIf (lib.isString gatewayAddress) { - inherit interface; - address = gatewayAddress; - }; - defaultGateway6 = - with this.ipv6; - lib.mkIf (lib.isString gatewayAddress) { - inherit interface; - address = gatewayAddress; - }; - } - ) + }) + (lib.mkIf (lib.hasAttr "ipv6" this) { + interfaces.${interface}.ipv6.addresses = + with this.ipv6; + lib.optional (lib.isString address && lib.isInt prefixLength) { + inherit address prefixLength; + }; + defaultGateway6 = + with this.ipv6; + lib.mkIf (lib.isString gatewayAddress) { + inherit interface; + address = gatewayAddress; + }; + }) + (lib.mkIf this.isHeadless { + nameservers = with lib.my.configurations.manwe.wireguard; [ + ipv6.address + ipv4.address + ]; + }) (lib.mkIf this.isHeadful { networkmanager = { enable = true; - plugins = lib.mkForce [ ]; wifi.backend = "iwd"; + dns = "none"; }; wireless = { @@ -109,15 +99,49 @@ in userControlled.enable = true; allowAuxiliaryImperativeNetworks = true; }; + + resolvconf.extraConfig = '' + append_nameservers='127.0.0.1' + ''; }) ]; - services.resolved = { - llmnr = "false"; - dnsovertls = "opportunistic"; - dnssec = "allow-downgrade"; - fallbackDns = lib.dns.mkDoT lib.dns.const.quad9.ecs; - }; + services = lib.mkMerge [ + (lib.mkIf this.isHeadless { + resolved = { + enable = true; + llmnr = "false"; + dnsovertls = "opportunistic"; + dnssec = "allow-downgrade"; + fallbackDns = lib.dns.mkDoT lib.dns.const.quad9.ecs; + }; + }) + (lib.mkIf this.isHeadful { + resolved.enable = false; + + dnscrypt-proxy2 = { + enable = true; + settings = { + ipv4_servers = true; + ipv6_servers = false; + dnscrypt_servers = true; + doh_servers = true; + odoh_servers = false; + require_dnssec = true; + require_nolog = true; + require_nofilter = true; + + disabled_server_names = [ + "cloudflare" + "cloudflare-ipv6" + ]; + + cache = true; + cache_size = lib.pow 2 13; + }; + }; + }) + ]; environment = { shellAliases = lib.listToAttrs ( |