path: root/modules/common/networking.nix
Diffstat (limited to '')
-rw-r--r--modules/common/networking.nix132
1 files changed, 78 insertions, 54 deletions
diff --git a/modules/common/networking.nix b/modules/common/networking.nix
index 468bd8b..2e9c218 100644
--- a/modules/common/networking.nix
+++ b/modules/common/networking.nix
@@ -7,9 +7,12 @@
 }:
 let
   cfg = config.nixfiles.modules.common.networking;
+
+  interface = "eth0"; # This assumes `usePredictableInterfaceNames` is false.
 in
 {
-  options.nixfiles.modules.common.networking.onlyDefault = lib.mkEnableOption "custom networking settings";
+  options.nixfiles.modules.common.networking.onlyDefault =
+    lib.mkEnableOption "custom networking settings";
 
   config = lib.mkIf (!cfg.onlyDefault) {
     ark.directories =
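Review bot: The hoisted `interface = "eth0"` binding now drives every static address and gateway in the file, but its comment only records the `usePredictableInterfaceNames` assumption and the previous `NOTE This can break something!` caveat was dropped along with the old gated block. With classic kernel `ethN` naming the number depends on probe order, so on a host with more than one NIC the addresses and default gateways configured below may bind to the wrong interface — which also matters for any nftables rule that keys on the name. Suggest extending the comment to `# This assumes usePredictableInterfaceNames = false (now set unconditionally in this module); with more than one NIC the kernel's ethN numbering is probe-order dependent, so check which device becomes eth0 before relying on the static addresses/gateways.` The `let` block and the enclosing module continue past this hunk.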
@@ -31,20 +34,6 @@ in
           "::1" = lib.mkForce [ ];
         };
 
-        # There's no way[1] to configure DNS server priority in
-        # systemd-resolved. The only solution for dealing with a broken VPN
-        # connection is to delete /etc/systemd/resolved.conf and restart the
-        # systemd-resolved service. Otherwise I'll just end up with a random
-        # server from the list most of the time because systemd-resolved
-        # "conveniently" will manage server priority for me...
-        #
-        # [1]: https://askubuntu.com/questions/1116732/how-do-i-list-dns-server-order-in-systemd-resolve
-        # [2]: https://github.com/systemd/systemd/issues/6076
-        nameservers = with lib.my.configurations.manwe.wireguard; [
-          ipv6.address
-          ipv4.address
-        ];
-
         useDHCP = false;
 
         nftables.enable = true;
@@ -62,45 +51,46 @@ in
           logRefusedUnicastsOnly = false;
           logReversePathDrops = false;
         };
+
+        usePredictableInterfaceNames = false;
       }
-      (
-        let
-          interface = "eth0"; # This assumes `usePredictableInterfaceNames` is false.
-        in
-        lib.mkIf (lib.hasAttr "ipv4" this && lib.hasAttr "ipv6" this) {
-          usePredictableInterfaceNames = false; # NOTE This can break something!
-          interfaces.${interface} = {
-            ipv4.addresses =
-              with this.ipv4;
-              lib.optional (lib.isString address && lib.isInt prefixLength) {
-                inherit address prefixLength;
-              };
-
-            ipv6.addresses =
-              with this.ipv6;
-              lib.optional (lib.isString address && lib.isInt prefixLength) {
-                inherit address prefixLength;
-              };
+      (lib.mkIf (lib.hasAttr "ipv4" this) {
+        interfaces.${interface}.ipv4.addresses =
+          with this.ipv4;
+          lib.optional (lib.isString address && lib.isInt prefixLength) {
+            inherit address prefixLength;
+          };
+        defaultGateway =
+          with this.ipv4;
+          lib.mkIf (lib.isString gatewayAddress) {
+            inherit interface;
+            address = gatewayAddress;
           };
-          defaultGateway =
-            with this.ipv4;
-            lib.mkIf (lib.isString gatewayAddress) {
-              inherit interface;
-              address = gatewayAddress;
-            };
-          defaultGateway6 =
-            with this.ipv6;
-            lib.mkIf (lib.isString gatewayAddress) {
-              inherit interface;
-              address = gatewayAddress;
-            };
-        }
-      )
+      })
+      (lib.mkIf (lib.hasAttr "ipv6" this) {
+        interfaces.${interface}.ipv6.addresses =
+          with this.ipv6;
+          lib.optional (lib.isString address && lib.isInt prefixLength) {
+            inherit address prefixLength;
+          };
+        defaultGateway6 =
+          with this.ipv6;
+          lib.mkIf (lib.isString gatewayAddress) {
+            inherit interface;
+            address = gatewayAddress;
+          };
+      })
+      (lib.mkIf this.isHeadless {
+        nameservers = with lib.my.configurations.manwe.wireguard; [
+          ipv6.address
+          ipv4.address
+        ];
+      })
       (lib.mkIf this.isHeadful {
         networkmanager = {
           enable = true;
-          plugins = lib.mkForce [ ];
           wifi.backend = "iwd";
+          dns = "none";
         };
 
         wireless = {
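Review bot: `resolvconf.extraConfig = "append_nameservers='127.0.0.1'"` places the local dnscrypt-proxy listener last in resolv.conf, so if anything else registers nameservers through resolvconf (a VPN client, a manually run `resolvconf -a`), the libc resolver tries those first and lookups bypass dnscrypt-proxy in plaintext. If the intent on headful hosts is that every query goes through the local resolver, `name_servers='127.0.0.1'` (which openresolv prepends) or NixOS's `networking.resolvconf.useLocalResolver = true` expresses that, with `append_nameservers` kept only if the fallback ordering is deliberate. Separately, `usePredictableInterfaceNames = false` is now set unconditionally at the top of this hunk, whereas the removed code only set it when both `ipv4` and `ipv6` were present; a one-line comment such as `# Applies to every host using this module, not only those with static addressing.` would make that widening explicit. The `config = lib.mkIf (!cfg.onlyDefault)` attrset enclosing these lines starts in an earlier hunk and continues past this one.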
@@ -109,15 +99,49 @@ in
           userControlled.enable = true;
           allowAuxiliaryImperativeNetworks = true;
         };
+
+        resolvconf.extraConfig = ''
+          append_nameservers='127.0.0.1'
+        '';
       })
     ];
 
-    services.resolved = {
-      llmnr = "false";
-      dnsovertls = "opportunistic";
-      dnssec = "allow-downgrade";
-      fallbackDns = lib.dns.mkDoT lib.dns.const.quad9.ecs;
-    };
+    services = lib.mkMerge [
+      (lib.mkIf this.isHeadless {
+        resolved = {
+          enable = true;
+          llmnr = "false";
+          dnsovertls = "opportunistic";
+          dnssec = "allow-downgrade";
+          fallbackDns = lib.dns.mkDoT lib.dns.const.quad9.ecs;
+        };
+      })
+      (lib.mkIf this.isHeadful {
+        resolved.enable = false;
+
+        dnscrypt-proxy2 = {
+          enable = true;
+          settings = {
+            ipv4_servers = true;
+            ipv6_servers = false;
+            dnscrypt_servers = true;
+            doh_servers = true;
+            odoh_servers = false;
+            require_dnssec = true;
+            require_nolog = true;
+            require_nofilter = true;
+
+            disabled_server_names = [
+              "cloudflare"
+              "cloudflare-ipv6"
+            ];
+
+            cache = true;
+            cache_size = lib.pow 2 13;
+          };
+        };
+      })
+    ];
 
     environment = {
       shellAliases = lib.listToAttrs (
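Review bot: The `dnscrypt-proxy2.settings` block leaves `listen_addresses` at the package default while the headful resolvconf entry added elsewhere in this commit hard-codes `127.0.0.1`; pinning `listen_addresses = [ "127.0.0.1:53" ];` here keeps the two halves from silently drifting apart and records that only an IPv4 listener is expected. On the headless side, `dnsovertls = "opportunistic"` combined with `dnssec = "allow-downgrade"` lets an on-path attacker strip both TLS and validation, and that downgrade is most exposed on exactly the path that matters: `fallbackDns` (Quad9) is consulted when the WireGuard resolvers are unreachable, i.e. when traffic is not inside the tunnel. If the tunnel resolvers cannot validate, at least document the trade-off, e.g. `# opportunistic/allow-downgrade accepted: primary resolvers sit behind WireGuard; the Quad9 fallback may be downgraded on untrusted paths.` The `services` attrset is complete within this hunk; the surrounding `config` block continues past it.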
