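# Common networking module: static addressing, nftables firewall and the
# per-role DNS setup (resolved + DoT on headless hosts, dnscrypt-proxy2 on
# headful hosts). Per-host facts come in through the `this` module argument.
{ config, lib, pkgs, this, ... }:

let
  cfg = config.nixfiles.modules.common.networking;

  # Fixed interface name used for the static address and gateway entries
  # below. This assumes `usePredictableInterfaceNames` is false (it is set
  # to false further down); on hosts with several NICs the name still has
  # to be checked against the actual hardware.
  interface = "eth0";

  # Read a field of an optional per-host address block (`this.ipv4` /
  # `this.ipv6`) without failing when the block or the field is missing.
  # Callers only emit configuration when the value has the expected type,
  # so an absent field simply yields no static configuration.
  hostAddr = family: attr: this.${family}.${attr} or null;

  # Static address/gateway configuration for one address family.
  # `family` is "ipv4" or "ipv6"; `addrOpt` and `gwOpt` are the names of the
  # corresponding `networking.*` options.
  staticConfig = family: gwOpt:
    let
      address = hostAddr family "address";
      prefixLength = hostAddr family "prefixLength";
      gatewayAddress = hostAddr family "gatewayAddress";
    in
    {
      interfaces.${interface}.${family}.addresses =
        lib.optional (lib.isString address && lib.isInt prefixLength) {
          inherit address prefixLength;
        };
      ${gwOpt} = lib.mkIf (lib.isString gatewayAddress) {
        inherit interface;
        address = gatewayAddress;
      };
    };
in
{
  # Inverted switch: enabling this option skips everything under `config`
  # below and leaves the host with NixOS's stock networking. The description
  # says so explicitly, since `mkEnableOption` prefixes it with
  # "Whether to enable".
  options.nixfiles.modules.common.networking.onlyDefault =
    lib.mkEnableOption "only the default NixOS networking settings (skips this module's custom configuration)";

  config = lib.mkIf (!cfg.onlyDefault) {
    # State directories holding network credentials (NetworkManager
    # connection profiles, iwd Wi-Fi secrets) that must be persisted;
    # presumably consumed by the `ark` module elsewhere in the tree.
    ark.directories = with config.networking;
      lib.optional networkmanager.enable "/etc/NetworkManager/system-connections"
      ++ lib.optional wireless.iwd.enable "/var/lib/iwd";

    networking = lib.mkMerge [
      {
        domain = lib.my.domain.shire;
        hostName = this.hostname;
        # Derived deterministically from the hostname so it is stable across
        # reinstalls (first 8 hex digits, as `hostId` requires).
        hostId = lib.substring 0 8 (builtins.hashString "md5" this.hostname);

        # Remove default hostname mappings. This is required at least by the
        # current implementation of the monitoring module.
        hosts = {
          "127.0.0.2" = lib.mkForce [ ];
          "::1" = lib.mkForce [ ];
        };

        # Addresses are assigned statically (see `staticConfig`), never via DHCP.
        useDHCP = false;
        nftables.enable = true;

        firewall = {
          enable = true;
          # Drop instead of reject: unsolicited packets get no ICMP/RST reply.
          rejectPackets = false;
          allowPing = true;
          pingLimit = "1/minute burst 5 packets";
          # All firewall logging is off, so dropped traffic never reaches the
          # journal. Turn `logRefusedConnections` on when investigating
          # connectivity problems or unexpected inbound traffic.
          logRefusedConnections = false;
          logRefusedPackets = false;
          logRefusedUnicastsOnly = false;
          logReversePathDrops = false;
        };

        # Required for the hard-coded `interface` name above to be valid.
        usePredictableInterfaceNames = false;
      }

      # Static addressing, only for hosts that declare the address-family
      # block. Missing or mistyped fields are skipped rather than failing
      # evaluation.
      (lib.mkIf (lib.hasAttr "ipv4" this) (staticConfig "ipv4" "defaultGateway"))
      (lib.mkIf (lib.hasAttr "ipv6" this) (staticConfig "ipv6" "defaultGateway6"))

      # Headless hosts resolve through the WireGuard addresses of the
      # `manwe` host rather than a public resolver.
      (lib.mkIf this.isHeadless {
        nameservers = with lib.my.configurations.manwe.wireguard; [
          ipv6.address
          ipv4.address
        ];
      })

      # Headful hosts: NetworkManager with iwd as the Wi-Fi backend.
      # `dns = "none"` keeps NetworkManager from writing resolv.conf; the
      # local resolver is appended via resolvconf instead so that DNS always
      # goes through the dnscrypt-proxy2 listener configured below
      # (presumably on 127.0.0.1, its default).
      (lib.mkIf this.isHeadful {
        networkmanager = {
          enable = true;
          wifi.backend = "iwd";
          dns = "none";
        };

        wireless = {
          # wpa_supplicant is replaced by iwd.
          enable = false;
          iwd.enable = lib.mkDefault true;
          userControlled.enable = true;
          allowAuxiliaryImperativeNetworks = true;
        };

        resolvconf.extraConfig = ''
          append_nameservers='127.0.0.1'
        '';
      })
    ];

    services = lib.mkMerge [
      # Headless: systemd-resolved with LLMNR disabled (a spoofable local
      # name-resolution protocol) and DNS-over-TLS to Quad9.
      # NOTE(review): both "opportunistic" and "allow-downgrade" fall back
      # to plaintext / unvalidated DNS when the upstream does not offer
      # TLS or DNSSEC, so an on-path attacker can force the downgrade; the
      # strict settings are "true" for both.
      (lib.mkIf this.isHeadless {
        resolved = {
          enable = true;
          llmnr = "false";
          dnsovertls = "opportunistic";
          dnssec = "allow-downgrade";
          fallbackDns = lib.dns.mkDoT lib.dns.const.quad9.ecs;
        };
      })

      # Headful: dnscrypt-proxy2 picks resolvers from its public list,
      # restricted to servers that validate DNSSEC and advertise no logging
      # and no filtering. Cloudflare is excluded explicitly.
      (lib.mkIf this.isHeadful {
        resolved.enable = false;

        dnscrypt-proxy2 = {
          enable = true;
          settings = {
            ipv4_servers = true;
            ipv6_servers = false;
            dnscrypt_servers = true;
            doh_servers = true;
            odoh_servers = false;
            require_dnssec = true;
            require_nolog = true;
            require_nofilter = true;
            disabled_server_names = [ "cloudflare" "cloudflare-ipv6" ];
            cache = true;
            # 8192 cache entries.
            cache_size = lib.pow 2 13;
          };
        };
      })
    ];

    environment = {
      # Colourised iproute2 tools, pinned to the package's own binaries.
      shellAliases = lib.mapAttrs (_: command: "${pkgs.iproute2}/bin/${command}") {
        bridge = "bridge -color=always";
        ip = "ip -color=always";
        tc = "tc -color=always";
      };

      systemPackages = with pkgs; [
        ethtool
        myip
        nethogs
      ];
    };
  };
}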