about summary refs log tree commit diff
path: root/modules
diff options
context:
space:
mode:
authorazahi <azat@bahawi.net>2024-10-28 02:41:15 +0300
committerazahi <azat@bahawi.net>2024-10-28 02:41:15 +0300
commitdfa3b61db0e5c4ab5d35af1bf06af1fb27ba659a (patch)
tree11641ba75d50b63b14086305196e26a8f5f5e700 /modules
parent2024-10-26 (diff)
2024-10-28
Diffstat (limited to 'modules')
-rw-r--r--modules/common/networking.nix12
-rw-r--r--modules/common/nix.nix10
-rw-r--r--modules/wireguard.nix4
3 files changed, 20 insertions, 6 deletions
diff --git a/modules/common/networking.nix b/modules/common/networking.nix
index b0dd282..f681deb 100644
--- a/modules/common/networking.nix
+++ b/modules/common/networking.nix
@@ -32,9 +32,18 @@ in
           "::1" = mkForce [ ];
         };
 
+        # There's no way[1] to configure DNS server priority in
+        # systemd-resolved. The only solution for dealing with a broken VPN
+        # connection is to delete /etc/systemd/resolved.conf and restart the
+        # systemd-resolved service. Otherwise I'll just end up with a random
+        # server from the list most of the time because systemd-resolved
+        # "conveniently" will manage server priority for me...
+        #
+        # [1]: https://askubuntu.com/questions/1116732/how-do-i-list-dns-server-order-in-systemd-resolve
+        # [2]: https://github.com/systemd/systemd/issues/6076
         nameservers = with my.configurations.manwe.wireguard; [
-          ipv4.address
           ipv6.address
+          ipv4.address
         ];
 
         useDHCP = false;
@@ -111,6 +120,7 @@ in
     services.resolved = {
       llmnr = "false";
       dnsovertls = "opportunistic";
+      dnssec = "allow-downgrade";
       fallbackDns = dns.mkDoT dns.const.quad9.ecs;
     };
 
diff --git a/modules/common/nix.nix b/modules/common/nix.nix
index 0ab2888..58d572f 100644
--- a/modules/common/nix.nix
+++ b/modules/common/nix.nix
@@ -72,14 +72,16 @@ in
 
           keep-going = true;
 
-          trusted-users = [
-            "root"
-            my.username
-          ];
+          trusted-users = [ my.username ];
 
           substituters = [
+            "https://cache.garnix.io"
             "https://cache.tvl.su"
             "https://nix-community.cachix.org"
+            "https://numtide.cachix.org"
+          ];
+          trusted-substituters = [
+            "https://cache.tvl.su"
           ];
           trusted-public-keys = [
             "cache.tvl.su:kjc6KOMupXc1vHVufJUoDUYeLzbwSr9abcAKdn/U1Jk="
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index f60ea92..3589e12 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -17,6 +17,8 @@ let
     ''
       ${resolvectl} dns ${cfg.interface} ${cfg.server.ipv6.address} ${cfg.server.ipv4.address}
       ${resolvectl} domain ${cfg.interface} ${my.domain.shire}
+      ${resolvectl} dnssec ${cfg.interface} no
+      ${resolvectl} dnsovertls ${cfg.interface} no
     '';
 in
 {
@@ -147,7 +149,7 @@ in
               "${ipv4.address}/16"
               "${ipv6.address}/16"
             ];
-            extraInterfaceConfig = mkIf this.isHeadful ''
+            extraInterfaceConfig = ''
               jc = 228
               jmin = 42
               jmax = 420

Consider giving Nix/NixOS a try! <3