From dfa3b61db0e5c4ab5d35af1bf06af1fb27ba659a Mon Sep 17 00:00:00 2001
From: azahi
Date: Mon, 28 Oct 2024 02:41:15 +0300
Subject: 2024-10-28

---
 modules/common/networking.nix | 12 +++++++++++-
 modules/common/nix.nix | 10 ++++++----
 modules/wireguard.nix | 4 +++-
 3 files changed, 20 insertions(+), 6 deletions(-)
(limited to 'modules')

diff --git a/modules/common/networking.nix b/modules/common/networking.nix
index b0dd282..f681deb 100644
--- a/modules/common/networking.nix
+++ b/modules/common/networking.nix
@@ -32,9 +32,18 @@ in
 "::1" = mkForce [ ];
 };
 
+ # There's no way[1] to configure DNS server priority in
+ # systemd-resolved. The only solution for dealing with a broken VPN
+ # connection is to delete /etc/systemd/resolved.conf and restart the
+ # systemd-resolved service. Otherwise I'll just end up with a random
+ # server from the list most of the time because systemd-resolved
+ # "conveniently" will manage server priority for me...
+ #
+ # [1]: https://askubuntu.com/questions/1116732/how-do-i-list-dns-server-order-in-systemd-resolve
+ # [2]: https://github.com/systemd/systemd/issues/6076
 nameservers = with my.configurations.manwe.wireguard; [
- ipv4.address
 ipv6.address
+ ipv4.address
 ];
 
 useDHCP = false;
@@ -111,6 +120,7 @@ in
 services.resolved = {
 llmnr = "false";
 dnsovertls = "opportunistic";
+ dnssec = "allow-downgrade";
 fallbackDns = dns.mkDoT dns.const.quad9.ecs;
 };
 
diff --git a/modules/common/nix.nix b/modules/common/nix.nix
index 0ab2888..58d572f 100644
--- a/modules/common/nix.nix
+++ b/modules/common/nix.nix
@@ -72,14 +72,16 @@ in
 
 keep-going = true;
 
- trusted-users = [
- "root"
- my.username
- ];
+ trusted-users = [ my.username ];
 
 substituters = [
+ "https://cache.garnix.io"
 "https://cache.tvl.su"
 "https://nix-community.cachix.org"
+ "https://numtide.cachix.org"
+ ];
+ trusted-substituters = [
+ "https://cache.tvl.su"
 ];
 trusted-public-keys = [
 "cache.tvl.su:kjc6KOMupXc1vHVufJUoDUYeLzbwSr9abcAKdn/U1Jk="
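Review bot: The only code change in the first networking.nix hunk is moving `ipv4.address` below `ipv6.address`, while the new comment directly above it says systemd-resolved does not honour the listed order, so a reader cannot tell what the reorder is meant to achieve. The comment also defines a `[2]` reference that its text never cites. I would add one line stating the intent next to the list, e.g. `# IPv6 first on purpose; resolved may still pick either one (see [1], [2]).`, and cite `[2]` where the priority behaviour is described.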
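Review bot: `dnssec = "allow-downgrade";` in the second networking.nix hunk validates only while the upstream appears DNSSEC-capable and silently switches validation off otherwise, so together with the existing `dnsovertls = "opportunistic";` neither setting gives a guarantee that an on-path party cannot remove; that trade-off should be recorded next to the option. The per-link script added to modules/wireguard.nix in this same commit sets both to `no` on the VPN interface, which, if I read the override order correctly, leaves this global value governing only the non-VPN links. I would add `# Best-effort only: DoT and DNSSEC here are both downgradeable; the VPN link overrides them to "no" (see modules/wireguard.nix).` above the `dnssec` line.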
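Review bot: `substituters` gains `"https://cache.garnix.io"` and `"https://numtide.cachix.org"`, but the nix.nix hunk adds no matching `trusted-public-keys` entries and the diffstat (6 insertions, 4 deletions) shows no other change to this file, so unless keys for those two caches already sit further down the list, paths they serve will be refused for lacking a trusted signature instead of being used. The new `trusted-substituters = [ "https://cache.tvl.su" ];` only affects users outside `trusted-users`, which is now just `my.username`; if that is the intent a comment such as `# trusted-substituters: caches users outside trusted-users may enable on their own` would save the next reader a lookup. Dropping `"root"` replaces the NixOS default for this option; whether root keeps trusted-user rights without being listed is worth confirming rather than assuming.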
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index f60ea92..3589e12 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -17,6 +17,8 @@ let
 ''
 ${resolvectl} dns ${cfg.interface} ${cfg.server.ipv6.address} ${cfg.server.ipv4.address}
 ${resolvectl} domain ${cfg.interface} ${my.domain.shire}
+ ${resolvectl} dnssec ${cfg.interface} no
+ ${resolvectl} dnsovertls ${cfg.interface} no
 '';
 in
 {
@@ -147,7 +149,7 @@ in
 "${ipv4.address}/16"
 "${ipv6.address}/16"
 ];
- extraInterfaceConfig = mkIf this.isHeadful ''
+ extraInterfaceConfig = ''
 jc = 228
 jmin = 42
 jmax = 420
-- 
cgit 1.4.1
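Review bot: The two new `${resolvectl} dnssec ... no` and `${resolvectl} dnsovertls ... no` lines switch off validation and encrypted transport for the VPN link without saying why; presumably the tunnel already protects the path to the `cfg.server` resolvers and the internal zone is not signed, but nothing in the hunk records that. A one-line comment before them, e.g. `# Internal resolvers reached over the tunnel: resolved's DoT/DNSSEC would only fail or downgrade here`, would stop a later cleanup from re-enabling them. The string this lives in is bound by a `let` whose name is outside the hunk.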
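Review bot: Removing `mkIf this.isHeadful` makes the `jc`/`jmin`/`jmax` settings unconditional, so headless hosts now emit them as well; if the peer side relies on matching values, any peer not updated in step will stop handshaking with those hosts, and the hunk gives no hint whether that was checked. With the guard gone a comment should state that the values are now required everywhere, e.g. `# Applied on every host (no longer headful-only): peers must use matching values.`. The `extraInterfaceConfig` string continues past the end of the hunk.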