-rw-r--r-- | flake.lock | 85 | ||||
-rw-r--r-- | flake.nix | 2 | ||||
-rw-r--r-- | modules/common/networking.nix | 12 | ||||
-rw-r--r-- | modules/common/nix.nix | 10 | ||||
-rw-r--r-- | modules/wireguard.nix | 4 |
5 files changed, 80 insertions, 33 deletions
diff --git a/flake.lock b/flake.lock index 800a638..8e8b256 100644 --- a/flake.lock +++ b/flake.lock @@ -230,11 +230,11 @@ ] }, "locked": { - "lastModified": 1729712798, - "narHash": "sha256-a+Aakkb+amHw4biOZ0iMo8xYl37uUL48YEXIC5PYJ/8=", + "lastModified": 1730045523, + "narHash": "sha256-W5Avk1THhZALXITHGazKfZbIZ5+Bc4nSYvAYHUn96EU=", "owner": "nix-community", "repo": "disko", - "rev": "09a776702b004fdf9c41a024e1299d575ee18a7d", + "rev": "89e458a3bb3693e769bfb2b2447c3fe72092d498", "type": "github" }, "original": { @@ -281,6 +281,24 @@ "type": "github" } }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1727826117, + "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems_2" @@ -426,11 +444,11 @@ ] }, "locked": { - "lastModified": 1729716953, - "narHash": "sha256-FbRKGRRd0amsk/WS/UV9ukJ8jT1dZ2pJBISxkX+uq6A=", + "lastModified": 1730016908, + "narHash": "sha256-bFCxJco7d8IgmjfNExNz9knP8wvwbXU4s/d53KOK6U0=", "owner": "nix-community", "repo": "home-manager", - "rev": "a4353cc43d1b4dd6bdeacea90eb92a8b7b78a9d7", + "rev": "e83414058edd339148dc142a8437edb9450574c8", "type": "github" }, "original": { @@ -524,11 +542,11 @@ ] }, "locked": { - "lastModified": 1729734363, - "narHash": "sha256-qSAmcOBaCadTe9VkoNHUmgzJoYy42RE9tSgbGIDQ34M=", + "lastModified": 1729993975, + "narHash": "sha256-Z5DQ48PdCo3IyfKbngL62Q/HuA/fsn22bMyPbTQGSKQ=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "f3795fcc37f37ae8c488e70e2cf8a85e43043722", + "rev": "4753ea1f1285e944839cb2ab0b4373eb4e00c12a", "type": "github" }, "original": { 
@@ -544,11 +562,11 @@ ] }, "locked": { - "lastModified": 1729394935, - "narHash": "sha256-2ntUG+NJKdfhlrh/tF+jOU0fOesO7lm5ZZVSYitsvH8=", + "lastModified": 1729999765, + "narHash": "sha256-LYsavZXitFjjyETZoij8usXjTa7fa9AIF3Sk3MJSX+Y=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "04f8a11f247ba00263b060fbcdc95484fd046104", + "rev": "0e3a8778c2ee218eff8de6aacf3d2fa6c33b2d4f", "type": "github" }, "original": { @@ -601,11 +619,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1729755165, - "narHash": "sha256-6IpnOHWsaSSjT3yvqlrWfHW6HVCT+wOAlUpcooGJ+FQ=", + "lastModified": 1729980323, + "narHash": "sha256-eWPRZAlhf446bKSmzw6x7RWEE4IuZgAp8NW3eXZwRAY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cabaf14d3e69c9921d7acedf5d7d60bb2b90be02", + "rev": "86e78d3d2084ff87688da662cf78c2af085d8e73", "type": "github" }, "original": { @@ -646,13 +664,25 @@ "type": "github" } }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1727825735, + "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + } + }, "nixpkgs-master": { "locked": { - "lastModified": 1729808856, - "narHash": "sha256-es7qdVSyBe52caRzOD4JMc0JVQVeNIHmSZ6hhIK2uGs=", + "lastModified": 1730047773, + "narHash": "sha256-oNzx2k7lmdRO9WAY176pTo76kN1PtT02QyTz1N/tpWE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "bc1400c95a65022d7e1ccb39c495c50b521a0ef1", + "rev": "2ba15d4f55c092002f792a8e7af585bbf3277e63", "type": "github" }, "original": { 
@@ -664,11 +694,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1729805696, - "narHash": "sha256-FArm/EIAbykrhtWxWKT1QXIg+dD44joehXZWdY12WKc=", + "lastModified": 1730039714, + "narHash": "sha256-T/UCiOaxNBvqeQMOkQq89Ni7W0XTvDxCe+7TFpQ2QE0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "50286248f2d7283682bdd47ba14af33a9233b88b", + "rev": "5e34aff468a6cfd6c2b02cbb4a8d2d8643feaade", "type": "github" }, "original": { @@ -719,6 +749,7 @@ "disko": "disko", "dns": "dns", "flake-compat": "flake-compat", + "flake-parts": "flake-parts", "flake-utils": "flake-utils", "git-hooks": "git-hooks", "home-manager": "home-manager", @@ -784,11 +815,11 @@ "tinted-tmux": "tinted-tmux" }, "locked": { - "lastModified": 1729380793, - "narHash": "sha256-TV6NYBUqTHI9t5fqNu4Qyr4BZUD2yGxAn3E+d5/mqaI=", + "lastModified": 1729963473, + "narHash": "sha256-uGjTjvvlGQfQ0yypVP+at0NizI2nrb6kz4wGAqzRGbY=", "owner": "danth", "repo": "stylix", - "rev": "fb9399b7e2c855f42dae76a363bab28d4f24aa8d", + "rev": "04afcfc0684d9bbb24bb1dc77afda7c1843ec93b", "type": "github" }, "original": { @@ -919,11 +950,11 @@ ] }, "locked": { - "lastModified": 1729734515, - "narHash": "sha256-KGE6Exd1NAhTo806QUqK3oCk40L7spjfEpHnrNNkFD4=", + "lastModified": 1729994042, + "narHash": "sha256-raAG3cW29BRYmu3Pxej65QgnNi88bGUqlqMkuaJRF8s=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "087ec37265ff1c8641086ee2a51450963494cdeb", + "rev": "88bf73817636e232513bff1f3a071b3ae2bcfd14", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index ec432c3..c621f04 100644 --- a/flake.nix +++ b/flake.nix @@ -10,6 +10,8 @@ nixpkgs-master.url = "github:NixOS/nixpkgs/master"; nixpkgs-stable.url = "github:NixOS/nixpkgs/release-24.05"; + flake-parts.url = "github:hercules-ci/flake-parts"; + # TODO Upstream this? nixpkgs-amneziawg.url = "github:azahi/nixpkgs/amneziawg"; diff --git a/modules/common/networking.nix b/modules/common/networking.nix index b0dd282..f681deb 100644 
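Review bot: The new `flake-parts` input in flake.nix is declared without a `follows`, and the lock file in this same commit gains a separate `nixpkgs-lib` node pinned to its own nixpkgs tarball as a result. That is one more independently fetched source to keep current and audit alongside the three nixpkgs revisions already locked. If no distinct lib version is needed, `flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";` would fold it into the revision that is already pinned. Nothing in the visible hunks uses the input yet, so a one-line comment on what it is for would also help.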
--- a/modules/common/networking.nix +++ b/modules/common/networking.nix @@ -32,9 +32,18 @@ in "::1" = mkForce [ ]; }; + # There's no way[1] to configure DNS server priority in + # systemd-resolved. The only solution for dealing with a broken VPN + # connection is to delete /etc/systemd/resolved.conf and restart the + # systemd-resolved service. Otherwise I'll just end up with a random + # server from the list most of the time because systemd-resolved + # "conveniently" will manage server priority for me... + # + # [1]: https://askubuntu.com/questions/1116732/how-do-i-list-dns-server-order-in-systemd-resolve + # [2]: https://github.com/systemd/systemd/issues/6076 nameservers = with my.configurations.manwe.wireguard; [ - ipv4.address ipv6.address + ipv4.address ]; useDHCP = false; @@ -111,6 +120,7 @@ in services.resolved = { llmnr = "false"; dnsovertls = "opportunistic"; + dnssec = "allow-downgrade"; fallbackDns = dns.mkDoT dns.const.quad9.ecs; }; diff --git a/modules/common/nix.nix b/modules/common/nix.nix index 0ab2888..58d572f 100644 --- a/modules/common/nix.nix +++ b/modules/common/nix.nix @@ -72,14 +72,16 @@ in keep-going = true; - trusted-users = [ - "root" - my.username - ]; + trusted-users = [ my.username ]; substituters = [ + "https://cache.garnix.io" "https://cache.tvl.su" "https://nix-community.cachix.org" + "https://numtide.cachix.org" + ]; + trusted-substituters = [ + "https://cache.tvl.su" ]; trusted-public-keys = [ "cache.tvl.su:kjc6KOMupXc1vHVufJUoDUYeLzbwSr9abcAKdn/U1Jk=" diff --git a/modules/wireguard.nix b/modules/wireguard.nix index f60ea92..3589e12 100644 --- a/modules/wireguard.nix +++ b/modules/wireguard.nix @@ -17,6 +17,8 @@ let '' ${resolvectl} dns ${cfg.interface} ${cfg.server.ipv6.address} ${cfg.server.ipv4.address} ${resolvectl} domain ${cfg.interface} ${my.domain.shire} + ${resolvectl} dnssec ${cfg.interface} no + ${resolvectl} dnsovertls ${cfg.interface} no ''; in { 
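Review bot: `dnssec = "allow-downgrade"` next to `dnsovertls = "opportunistic"` in `services.resolved` gives best-effort protection only. systemd-resolved stops validating when a server appears not to support DNSSEC and falls back to plain DNS when the TLS connection fails, so anyone able to interfere with traffic to the resolver can cause both downgrades. That may be the intended availability trade-off, but the line carries no comment saying so. I would add one above it, such as `# allow-downgrade: validation is skipped when the upstream looks DNSSEC-incapable; not a guarantee against spoofing`, or set `"true"` if the configured servers are known to validate.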
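Review bot: The two substituters added in modules/common/nix.nix, `https://cache.garnix.io` and `https://numtide.cachix.org`, get no matching entries in `trusted-public-keys` in this hunk, and the only key visible in the context is the one for cache.tvl.su. With signature checking at its default, paths from a cache whose key is not listed are refused, so the new entries would add lookups without ever substituting; if the keys already sit in the part of the list outside the hunk, this does not apply. Each key listed widens the set of parties whose signed binaries this machine will install, so I would add them one per line with a note on where the key was obtained, e.g. `"cache.garnix.io:<public key from the operator's documentation>" # source: <URL checked>`. `trusted-substituters` only governs what untrusted users may opt into, and as `cache.tvl.su` is already in `substituters` the new list looks redundant.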
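Review bot: The two added `resolvectl` lines in modules/wireguard.nix switch off DNSSEC validation and DNS-over-TLS for `${cfg.interface}` without a comment explaining why. Answers from the tunnel's resolvers are then accepted unvalidated, and their integrity and confidentiality rest entirely on the WireGuard tunnel and its endpoint. If that is deliberate (presumably the internal resolver neither signs `${my.domain.shire}` nor speaks DoT), a comment should say so, e.g. `# internal resolver: no DNSSEC/DoT, relies on the tunnel for integrity and confidentiality`. The `domain` line sets a search domain rather than a routing-only one, so it is worth confirming which lookups actually reach this link with validation disabled. The enclosing `let` binding starts outside the hunk.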
@@ -147,7 +149,7 @@ in "${ipv4.address}/16" "${ipv6.address}/16" ]; - extraInterfaceConfig = mkIf this.isHeadful '' + extraInterfaceConfig = '' jc = 228 jmin = 42 jmax = 420 |